Subject: RISKS DIGEST 19.82

RISKS-LIST: Risks-Forum Digest  Saturday 20 June 1998  Volume 19 : Issue 82

   FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
   ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at http://catless.ncl.ac.uk/Risks/19.82.html

<<<<< ANNUAL RISKS SEASONAL SLOWDOWN TIME. >>>>>

Contents: [Happy World Juggling Day. Here are a few more risks to juggle.]
Air-traffic control glitch again under Air Force Two (Doneel Edelson)
Being Extra #$@% Careful Brings Extra #$#$@Q (Peter Wayner)
World shipping full-speed ahead to beat Y2K torpedo (Keith Rhodes)
Digital Wins Product Liability Suit (Edupage)
California has dueling lawsuits filed over Deadbeat Dads/Moms (Keith Rhodes)
Who is leaving the security doors open in Japan? (Keith Rhodes)
Severed MCI cable cripples the Net (Doneel Edelson)
Will we have power on 1 Jan 2000? (Doneel Edelson)
Fire risks compounded by loss of residential power (Jeremy Erwin)
Double points from supermarket loyalty-card system (Paul Howlett)
Re: Exchange/Outlook plug-in for PGP bypasses crypto (Joshua R. Poulson)
Re: Navy stops teaching celestial navigation (Kurt Cockrum)
Meaconing (Ralph Hoefelmeyer, Henry Spencer)
Re: 15th century time machine and Y2K (Steve King)
Privacy Digests (PGN)
Abridged info on RISKS (comp.risks)

----------------------------------------------------------------------

Date: Wed, 17 Jun 1998 15:22:18 -0500
From: "Edelson, Doneel"
Subject: Air-traffic control glitch again under Air Force Two

On 7 Jun 1998, and again on 17 Jun, both times when VP Al Gore was in Air Force Two flying over New Jersey, air-traffic controllers lost flight information from radar screens. The first time they lost AF-Two for 24 seconds, whereas the second time AF-Two was not among those planes blipped out. As usual, reports said there was no danger.
(As you recall, this is considered a normal occurrence -- see RISKS-19.63 and .79 for cases involving Air Force One.)

[Source: USA Today, 17 Jun 1998; PGN Abstracting, incorporating a news item from 9 Jun 1998.]

------------------------------

Date: Wed, 17 Jun 1998 15:58:21 -0400
From: Peter Wayner
Subject: Being Extra #$@% Careful Brings Extra #$#$@Q

The 17 Jun 1998 *Wall Street Journal* reports (B1) that a software program that reads to kids would occasionally toss in foul swear words. Apparently the product would grab text from the screen and send it to the voice synthesizer.

While I haven't checked up on the reporting, the article seems to make it clear that the problem occurs because the company tried to be extra careful. It built in a filter that would check for four-letter words and prevent them. Apparently the sort of pointer-twisting bugs that made C famous causes this program to swap the list of filterable words with the list of words to be spoken. Voila, the voice synthesizer starts spouting words from the forbidden list.

[The software is called Secret Writer's Society, from Matsushita's Panasonic Interactive Media. PGN]

------------------------------

Date: Wed, 17 Jun 98 08:30:25 -0500
From: rhodesk.aimd@gao.gov (Keith Rhodes)
Subject: World shipping full-speed ahead to beat Y2K torpedo

Reuters reports that world shipping is at risk from the Y2K problem, with much work yet to be done. Many aspects of merchant shipping are now highly dependent on computers, many of which are not yet Y2K compliant. The increased computerization has resulted in sharp cutbacks in crew sizes, but also leaves a shortage of people familiar with old-style backups (sextants, Morse code, etc.).
Malcolm Gosling, who heads Electrical Services at Royal Dutch's Shell Trading and Shipping Company, said that Shell had tested systems on Very Large Crude Carriers, and found Y2K-related failures in seven areas including radar system mapping, ballast monitoring, and ship performance monitoring. Gas carrier computer systems had also tested badly. At airports where Shell delivered supplies, failures due to Year 2000 problems included flow metering, fire alarms, and climate control.

[Source: Reuters News Service, 16 June 1998; PGN Stark Abstracting]

------------------------------

Date: Thu, 18 Jun 1998 11:58:55 -0400
From: Edupage Editors
Subject: Digital Wins Product Liability Suit

A New York jury has found Digital Equipment not liable for the repetitive stress injuries suffered by nine workers who claimed Digital keyboards caused their problems. Digital said that although the workers did have medical problems, they were attributable to a host of other health issues and complications. "A keyboard is a tool. It is not more dangerous than a bricklayer's trowel, a piano, or even a pen," said the general counsel and senior VP at Compaq, which acquired Digital last week. "We applaud the jurors' wisdom and common sense." Digital hopes this victory will discourage more keyboard liability lawsuits. "Judges and juries have rejected keyboard product liability claims 30 out of 31 times," says Digital's trial counsel. "It would be unfortunate if the courts were forced to spend valuable time hearing more cases that obviously have no merit." (Reuters, 17 Jun 1998; Edupage, 18 June 1998)

[To subscribe to Edupage: send mail to listproc@educom.unc.edu, with one line, subscribe edupage (with your first and last names).]

[Earlier items on RSI liability involve Apple and IBM (RISKS-16.86).
Digital's cases were noted in RISKS-18.66 (three awards, largest $5.3M) for arm, wrist, and hand injuries attributed to Digital's LK201 keyboard, but a judge later overturned all but the smallest verdict (RISKS-19.14). (Various references on RSI were noted in RISKS-18.68.) PGN]

------------------------------

Date: Mon, 15 Jun 98 17:03:34 -0500
From: rhodesk.aimd@gao.gov (Keith Rhodes)
Subject: California has dueling lawsuits filed over Deadbeat Dads/Moms

The state of California and Lockheed Martin Information Management Systems Corporation are suing each other over the cancellation of the $103M California deadbeat parents' database system, although this is apparently a procedural maneuver prior to an alternative dispute resolution. In March 1998, a state auditor identified flawed decisions and incompetent management on both sides. (See RISKS-19.12, .43, and .47 for earlier reports on the California system.)

[Source: Cathleen Ferraro, Sacramento Bee, reported by Nando.net/Scripps-McClatchy Western, 13 Jun 1998; PGN Stark Abstracting]

------------------------------

Date: Thu, 18 Jun 98 10:19:52 -0500
From: rhodesk.aimd@gao.gov (Keith Rhodes)
Subject: Who is leaving the security doors open in Japan?

A 1996 survey of 2,000 Japanese companies conducted by an institute affiliated with the Ministry of Industrial Trade and Industry revealed that only 17.1 percent had a security manager in charge of preventing unauthorized access to their computer networks; 14.3 percent offered security education; 7 percent used firewalls. More than half of the respondents said they didn't take necessary protective measures because they don't know what to do.
[NOTE: Source: a rather revealing editorial in the "CYBERIA" section of *The Japan Times*, 18 Jun 1998; PGN Stark Abstracting]

------------------------------

Date: Tue, 16 Jun 1998 16:37:17 -0500
From: "Edelson, Doneel"
Subject: Severed MCI cable cripples the Net

A fiber optics cable was severed under 42nd Street in the Bronx, affecting Internet service and long-distance phone calls to much of the East Coast on 11 Jun 1998. MCI workers spliced the cable, but are still searching for the exact cause of the break.

[Source: MSNBC, 11 June 1998, PGN Abstracting]

------------------------------

Date: Tue, 16 Jun 1998 16:37:17 -0500
From: "Edelson, Doneel"
Subject: Will we have power on Jan. 1, 2000?

A Senate Y2K committee (whose chairman believes that if today were 1 Jan 2000, the nation's power grid would collapse) heard testimony from utility experts who were not able to promise that power would remain available in the U.S. when the Y2K date rolls around.

[Source: MSNBC, 12 June 1998, PGN Abstracting. Incidentally, a House hearing on 16 June 1998 considered the Y2K threats to the telecommunications networks.]

------------------------------

Date: Wed, 17 Jun 1998 13:34:07 -0400
From: jerwin@antioch-college.edu (Jeremy Erwin)
Subject: Fire risks compounded by loss of residential power

*The Washington Post* reported (15 June 1998) that a residential fire recently killed one 13-year-old boy and seriously burned four others, when, during a power outage caused by severe thunderstorms that night, candles were used to provide lighting. A candle tipped over and ignited a chair, but the occupants were not immediately warned of the resulting flames because the smoke detector ran off the house's electrical grid. When members of the household smelled smoke, they could not immediately call for help because their cordless phone required AC power to run.

The Risks: Although the fire could have been prevented by more prudent choice of "emergency" or supplemental lighting systems -- e.g.
flashlights -- the fact that their smoke detector required outside power to run does point to a risk in the residential building code. Electrical power losses are common here, in Virginia summers, either because of sizable loads -- air conditioners -- or because of frequent electrical storms. Additionally, I'm not sure that AC-powered smoke detectors are necessarily reliable in the case of an electrical fire.

The cordless phone also contributed to the risks. Although a standard phone may have allowed the victims to call for help more quickly, phones that require supplemental AC power may well become more common, especially as POTS is replaced by digital standards.

Full details are available at
http://washingtonpost.com/wp-srv/WPlate/1998-06/15/123l-061598-idx.html

Jeremy Erwin

------------------------------

Date: Wed, 17 Jun 1998 11:46:46 +0100
From: Paul Howlett
Subject: Double points from supermarket loyalty-card system

A leading UK supermarket chain have been found to have a hole in their loyalty-card system which allows customers to claim twice as many points as those earned.

The hole becomes apparent only if two customers, both using a loyalty card attached to the same points account, pay for their shopping simultaneously at different checkouts. The lack of any file locking in the system allows both customers to claim for points from the same account. The result is that the points are claimed from the account twice.

Paul Howlett  +44 171 477 8469  paulh@cs.city.ac.uk
http://www.cs.city.ac.uk/homes/paulh/

------------------------------

Date: Tue, 16 Jun 1998 19:44:12 -0700
From: "Joshua R. Poulson"
Subject: Re: Exchange/Outlook plug-in for PGP bypasses crypto (Choe, R-19.81)

I've also been berating PGP, Inc. (now NAI) because PGP 5.5.3 also does not always correctly sign messages I send with Outlook 98. Their support side has practically disappeared since the buy-out.
In the same lines as risky behavior because you believe your transport is safe, there was a recent exploit discovered in versions of ssh prior to 1.2.25 where third parties could insert data into the stream that would be unencrypted and trusted on the destination end. Insert a "^Zrm *" at the right time and boom.

------------------------------

Date: Tue, 16 Jun 1998 12:16:19 -0700
From: Kurt Cockrum
Subject: Re: Navy stops teaching celestial navigation

Perhaps things have "advanced" to the point where manipulating a sextant might be considered an activity more suitable for a technician, i.e. an enlisted person, than "an officer and a gentleperson". Certainly a quartermaster would have this skill. I can't help wondering what effect this would have on the respectful relations between enlisted folk and officers that is necessary for effective leadership, though.

There are a number of navigation/nautical skills that exist, that all tend to complement each other, such as dead-reckoning, compass navigation, sailing, and the like. If we lived in a sane world, GPS would simply be regarded as another valuable navigation tool, to be added to an already well-stocked toolbox; but we wouldn't foolishly throw away the rest of the tools just because we had GPS.

------------------------------

Date: 16 Jun 98 14:16:56 EDT
From: Ralph Hoefelmeyer/CSP/BSM/MCI
Subject: Meaconing (Re: Navy celestial navigation, RISKS-19.79)

*meaconing*: A system of receiving radio beacon signals and rebroadcasting them on the same frequency to confuse navigation. The meaconing stations cause inaccurate bearings to be obtained by aircraft or ground stations.

In the context of GPS, spurious signals sent to a receiver to indicate a different location. Interesting idea.

Ralph S.
Hoefelmeyer, MCI  Ralph.Hoefelmeyer@MCI.com

------------------------------

Date: Wed, 17 Jun 1998 13:15:04 -0400 (EDT)
From: Henry Spencer
Subject: Meaconing (Re: Navy celestial navigation, RISKS-19.79)

> The real problem to this ex-GI is that what happens when war breaks out
> and we find the GPS signal either jammed or, worse, meaconed[*] ...

For those not up on WW2 electronic-countermeasures history, "meaconing" is the word that was coined to describe masking of German radio beacons by receiving the signals of the genuine beacons and rebroadcasting them at high power from transmitters in Britain.

The GPS signals are really very low-powered and it would be easy to swamp them. Some of the smarter military GPS receivers are capable of figuring out that they are being jammed and reconfiguring their antennas to minimize the effects, but it is not clear whether rebroadcasting of genuine GPS signals would trigger this countermeasure, and in any case a lot of receivers aren't that smart.

> Now imagine you've got a unit which has become dependent on the GPS and
> have allowed their land navigation skills to atrophy...

I would speculate that current policies are heavily influenced by the Gulf War experience, in which it became clear that traditional land-navigation skills are fairly useless (at least to the average soldier) in featureless desert with out-of-date maps. GPS, vulnerabilities and all, really was a godsend there.

> If I was a unit commander, I'd lock up the GPS's in the supply room and do
> all my field training without them. If the balloon goes up and they work,
> fine, If not, we are ready.

While this is not a bad idea in general, one does have to train enough with the new gadgets to be handy with them and to know their limitations.
According to Aviation Week, there were a number of cases in the Gulf War when one of the senior commanders got a visit from people who told him about a wonderful ultra-secret gadget that could be made available and would make his job easier, and he told them to get lost, because he couldn't use it effectively without the opportunity to train his people with it first, and there wasn't time for that any more.

Henry Spencer  henry@spsystems.net or henry@zoo.toronto.edu

------------------------------

Date: Wed, 17 Jun 1998 10:05:02 +0100
From: Steve King
Subject: Re: 15th century time machine and Y2K (RISKS-19.79,81)

The London Times of Monday June 15 1998 has further details of this device, including a picture. Archive copy available at http://www.the-times.co.uk/ .

Steve King, Dept of Computer Science, University of York, Heslington, York YO10 5DD UK  king@cs.york.ac.uk  phone 01904 433068

[Original URL not valid. Changed in archive copy. PGN]

------------------------------

Date: 17 Apr 1997
From: RISKS moderator
Subject: Privacy Digests

Periodically I remind you of TWO useful digests related to privacy, both of which are siphoning off some of the material that would otherwise appear in RISKS, but which should be read by those of you vitally interested in privacy problems. RISKS will continue to carry general discussions in which risks to privacy are a concern.

* The PRIVACY Forum is run by Lauren Weinstein. It includes a digest (which he moderates quite selectively), archive, and other features, such as PRIVACY Forum Radio interviews. It is somewhat akin to RISKS; it spans the full range of both technological and nontechnological privacy-related issues (with an emphasis on the former). For information regarding the PRIVACY Forum, please send the exact line:

    information privacy

as the BODY of a message to "privacy-request@vortex.com"; you will receive a response from an automated listserv system. To submit contributions, send to "privacy@vortex.com".
PRIVACY Forum materials, including archive access/searching, additional information, and all other facets, are available on the Web via: http://www.vortex.com

* The Computer PRIVACY Digest (CPD) (formerly the Telecom Privacy digest) is run by Leonard P. Levine. It is gatewayed to the USENET newsgroup comp.society.privacy. It is a relatively open (i.e., less tightly moderated) forum, and was established to provide a forum for discussion on the effect of technology on privacy. All too often technology is way ahead of the law and society as it presents us with new devices and applications. Technology can enhance and detract from privacy. Submissions should go to comp-privacy@uwm.edu and administrative requests to comp-privacy-request@uwm.edu.

There is clearly much potential for overlap between the two digests, although contributions tend not to appear in both places. If you are very short of time and can scan only one, you might want to try the former. If you are interested in ongoing discussions, try the latter. Otherwise, it may well be appropriate for you to read both, depending on the strength of your interests and time available.

PGN

------------------------------

Date: 31 Mar 1998 (LAST-MODIFIED)
From: RISKS-request@csl.sri.com
Subject: Abridged info on RISKS (comp.risks)

The RISKS Forum is a MODERATED digest. Its Usenet equivalent is comp.risks.

=> SUBSCRIPTIONS: PLEASE read RISKS as a newsgroup (comp.risks or equivalent) if possible and convenient for you. Alternatively, via majordomo, SEND DIRECT E-MAIL REQUESTS to with one-line, SUBSCRIBE (or UNSUBSCRIBE) [with net address if different from FROM:] or INFO [for unabridged version of RISKS information]. .MIL users should contact (Dennis Rears). .UK users should contact .

=> The INFO file (submissions, default disclaimers, archive sites, copyright policy, PRIVACY digests, etc.)
is also obtainable from
  http://www.CSL.sri.com/risksinfo.html
  ftp://www.CSL.sri.com/pub/risks.info
The full info file will appear now and then in future issues.
*** All contributors are assumed to have read the full info file for guidelines. ***

=> SUBMISSIONS: to risks@CSL.sri.com with meaningful SUBJECT: line.

=> ARCHIVES are available: ftp://ftp.sri.com/risks or
  ftp ftp.sri.com
  login anonymous
  [YourNetAddress]
  cd risks
[volume-summary issues are in risks-*.00]
[back volumes have their own subdirectories, e.g., "cd 18" for volume 18]
or http://catless.ncl.ac.uk/Risks/VL.IS.html [i.e., VoLume, ISsue].
The ftp.sri.com site risks directory also contains the most recent PostScript copy of PGN's comprehensive historical summary of one liners: get illustrative.PS

------------------------------

End of RISKS-FORUM Digest 19.82
************************