University of Bielefeld - Faculty of Technology
Networks and Distributed Systems
Research group of Prof. Peter B. Ladkin, Ph.D.

The Risks Digest

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Volume 19, Issue 23

Thursday 26 June 1997


o U.S. Supreme Court rules on Communications Decency Act
o RSA's DES challenge achieved
o McCain-Kerrey Secure Public Networks Act
o Revised Internet Regulation in China Announced
Li Gong
o "Hackers" get into Ramsay case computer
Jonathan Corbet
o Backhoe-attack cable thief disables phone service in Russia
Betty G.O'Hearn
o Malfunction Causes Motor Melee
Scott Lucero
o 1998-1999 Leonids may damage satellites
Jonathan Nash
o Unix path risks -- well-known, but still amusing
Michael Patrick Jackson via Alan Wexelblat
o Microsoft Web site Interrupted by cracker
o MS Outlook sends e-mail on Ctrl-Enter when editing with Word
Michael Passer
o Malepropylene Microdictus
Stephen Speicher
o Re: Software Problems with new UK ATC Center
Andres Zellweger
o Old risks, new villains... when will they learn?
Quinn Yost
o 7-Eleven Big Brother
Mich Kabay
o UK Government proposes ID numbers for 4-year-olds
Gary Barnes
o Chip Theft by Home Invasion
David Kennedy
o Re: Company blackmails Netscape for details of browser bug
Dorothy Denning
o Netscape vs. Cabocomm
Andy Waldis
o "Secret Power" claims to expose secret international spying networks
Betty G.O'Hearn
o Abridged info on RISKS

U.S. Supreme Court rules on Communications Decency Act

"Peter G. Neumann" <>
Thu, 26 Jun 97 8:12:48 PDT
     Seven* Justices (in the majority opinion written by Justice Stevens) ruled
     that the Communications Decency Act violated free-speech rights in
     attempting to protect children from sexually explicit material on the
     Internet.  The remaining two Justices (in an opinion written by Justice
     O'Connor, with Chief Justice Rehnquist concurring) agreed that the CDA was
     unconstitutional, but wrote that they would invalidate the law only insofar
     as it interferes with the First Amendment rights of adults.
       [The decision opinions are on-line at,, and
       See RISKS-17.71,72,74, and RISKS-18.20 for earlier background.  
       Similar state laws in NY and Georgia were also recently overturned.  PGN]
          [* Typo (nine) fixed in Archive copy.  NINE thought it
          unconstitutional.  Two had caveats.  PGN]

RSA's DES challenge achieved

"Peter G. Neumann" <>
Thu, 26 Jun 97 8:12:57 PDT
     After four months and exhaustion of about one fourth of the 72 quadrillion
     possible keys, the RSA challenge for the 56-bit DES key was successful.
     The *brute* in *brute force* is becoming more Godzilla-like.
     [See for the status of the other RSA challenges.]

McCain-Kerrey Secure Public Networks Act

"Peter G. Neumann" <>
Thu, 26 Jun 97 8:13:03 PDT
     The McCain-Kerrey bill calls for extensive key-recovery infrastructures for
     encryption used in storage and communications.  The wording also seems to
     require key recovery for authentication and certificate authorities as well,
     which would seem to introduce enormous potential risks above and beyond
     those previously addressed in RISKS.  The bill was slipped through the
     committee as a substitute for ProCode, with essentially no discussion.
     It appears that there are many lurking issues that were not adequately
     understood by the Senators.  Serious study seems urgently needed.
       [See and for text and analyses of the
       bill.  Senate Judiciary Committee hearings on this subject were scheduled 
       for yesterday (25 Jun), but were postponed at the last minute because
       of other Senate action.  You will find my would-have-been testimony on my
       web page.  PGN]

Revised Internet Regulation in China Announced

Li Gong <gong@crypto.Eng.Sun.COM>
Sat, 14 Jun 1997 11:49:39 -0700
     The overseas edition of the *People's Daily* (June 9, 1997, p.2) gave
     details of the 17-clause revised regulation regarding the establishment and
     operation of any computer network that is connected to the Internet.
     Highlights include:
     Clause 6. All networks with direct international connections must go through
     public access networks managed by the Post and Telecommunication Ministry.
     Clause 7. Existing networks are to be reorganized and managed by the
     following 4 institutions: Post and Telecommunication Ministry, Electronics
     Ministry, National Council of Education, and the Chinese Academy of
     Clause 9.3 All operators (ISPs and their clients) must have security and
     secrecy regulations in place and must have adequate technical protection
     Clause 13.  All operators and personnel must abide by laws regarding
     national security, criminal activities, ..., and the spread of pornography.
     Clause 9.3 seems to have gone beyond the normal expectation of an
     operator in the west.
     Li Gong, JavaSoft, Sun Microsystems, Inc.

"Hackers" get into Ramsay case computer

Jonathan Corbet <>
Fri, 13 Jun 1997 09:53:10 -0600
     I assume most of the civilized world has heard about the Jon-Benet Ramsay
     murder case.  Here in Boulder, where it's a local story, our newspaper
     reports on it daily, while chiding the tabloids for doing the same thing.  I
     long since stopped reading these stories, which seemed to offer little of
     The top of page 1 today, however, reads "Hackers Invade Ramsay Case File."
     The real problem appears to be that somebody got into the "war room" where
     the computer lives, and somehow messed with the machine.  The investigators
     are now going through a process of comparing electronic documents with
     printed versions, looking for things that have been changed.
     The article doesn't say anything about backups.  What do you bet they were
     in the same room, if they exist at all?  Manually comparing with printed
     documents seems like a poor recovery strategy.  Meanwhile they have no idea
     of what information may have been taken out of the room.
     The risks: information on your computer will never be safe if you allow
     physical access to the machine.  And an environment where a burglar becomes
     a "hacker" does not help in identifying the real problems.
     The story can be found at 
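     The recovery problem raised above, as an added example (this is not code from the post, the newspaper or the investigation): a SHA-256 manifest of a document tree, built before anyone gets into the room and stored off the machine, lets the changed, added and deleted files be listed mechanically instead of by comparing screens with printouts. The case-file names, the "intruder" edits and the temporary directories in demo() are constructed here for illustration.

```python
# Added example, not part of the RISKS post or of the investigation it
# describes: a SHA-256 manifest of a document tree, built before the fact and
# stored off the machine, so that after someone has had physical access the
# changed, added and deleted files can be listed mechanically instead of by
# comparing screens with printouts.
import hashlib
import json
import os
import shutil
import tempfile

def sha256_file(path, block_size=1 << 16):
    """Hex SHA-256 of a file, read in chunks so large evidence files fit."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(block_size), b""):
            h.update(chunk)
    return h.hexdigest()

def build_manifest(root):
    """{relative/path: {"size": bytes, "sha256": hex}} for every regular file
    under root.  Symlinks are skipped so a planted link cannot stand in for
    a document."""
    manifest = {}
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames.sort()
        for name in sorted(filenames):
            full = os.path.join(dirpath, name)
            if os.path.islink(full) or not os.path.isfile(full):
                continue
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            manifest[rel] = {"size": os.path.getsize(full), "sha256": sha256_file(full)}
    return manifest

def save_manifest(manifest, path):
    with open(path, "w") as f:
        json.dump(manifest, f, indent=1, sort_keys=True)

def load_manifest(path):
    with open(path) as f:
        return json.load(f)

def verify_manifest(root, baseline):
    """Compare the tree under root with a baseline manifest.  Returns sorted
    lists of modified, added, removed and unchanged relative paths."""
    current = build_manifest(root)
    both = set(baseline) & set(current)
    return {
        "modified": sorted(p for p in both if baseline[p]["sha256"] != current[p]["sha256"]),
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "unchanged": sorted(p for p in both if baseline[p]["sha256"] == current[p]["sha256"]),
    }

def demo():
    """Constructed scenario: baseline a small case-file tree, then simulate an
    intruder editing one document, planting one and deleting one, and verify
    against the saved baseline.  Returns {"before": ..., "after": ...}."""
    root = tempfile.mkdtemp()
    try:
        case = os.path.join(root, "case")
        os.makedirs(os.path.join(case, "interviews"))
        documents = {                                   # constructed sample data
            "timeline.txt": "0552 emergency call\n0559 first officers on scene\n",
            "interviews/neighbor.txt": "heard nothing unusual\n",
            "evidence_log.txt": "item 1: envelope\nitem 2: key\n",
        }
        for rel, text in documents.items():
            with open(os.path.join(case, rel), "w") as f:
                f.write(text)
        # In real use the baseline goes on write-once media kept outside the room.
        baseline_path = os.path.join(root, "baseline.json")
        save_manifest(build_manifest(case), baseline_path)
        before = verify_manifest(case, load_manifest(baseline_path))

        with open(os.path.join(case, "interviews/neighbor.txt"), "w") as f:
            f.write("heard a car at 0100\n")             # altered statement
        with open(os.path.join(case, "notes.txt"), "w") as f:
            f.write("planted\n")                         # new file
        os.remove(os.path.join(case, "evidence_log.txt"))   # deleted file
        after = verify_manifest(case, load_manifest(baseline_path))
        return {"before": before, "after": after}
    finally:
        shutil.rmtree(root)

if __name__ == "__main__":
    print(json.dumps(demo(), indent=1))
```

     Two caveats a practitioner would add: a manifest only shows what was changed, added or removed, not what was read or copied, so it answers the "what was altered" question and not the "what was taken" one raised above; and both the baseline and the hashing tool must come from media the intruder never touched, since a machine that has been in someone else's hands cannot be trusted to verify itself.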

Backhoe-attack cable thief disables phone service in Russia

"Betty G.O'Hearn" <>
Thu, 19 Jun 1997 13:30:33 -0400
     "Ron Eward has been saying this for years! The backhoe attack is the
     low-tech efficient way to shut down telecomm services without the help of
     hackers.  See what happened in Moscow?"  Winn Schwartau
     A thief removed 60 meters of cable from the center of the remote Russian
     city of Ulan-Ude (the capital of the Republic of Buryatiya, near Mongolia),
     which shut down external communications for five hours on 19 Jun 1997.  The
     incident affected military and other communications in the region and caused
     an estimated loss of 800 million rubles ($135,000).  Apparently, the
     criminal or criminals may have been harvesting precious metal from the
     lines.  (Earlier this week two thieves were electrocuted in eastern
     Kazakhstan as they tried to steal copper wires from a high-voltage power
     transmission line.)  [Source: Itar-Tass news, 19 Jun 1997]
       [Warning: *To backhoe* may be dangerous to your health! 
       (In the second case, the copper got them in the end.)  PGN]

Malfunction Causes Motor Melee

"lucero" <>
Wed, 18 Jun 97 15:02:36 EST
     The United States Auto Club (USAC) declared a new winner in the True Value
     500 on 8 June 1997 when an electronic device in five of the cars failed to
     record the laps where cars pull into the pit stop.  Although there are two
     forms of manual backup, neither were used until hours after the race was
     complete even though the officials received notice of the malfunction during
     the race.  USAC officials are considering fining A.J. Foyt and Arie
     Luyendyk, who turned out to be the winner following the audit, after they
     got into a victory circle scuffle.  The malfunction came with 19 laps
     remaining, not leaving much time to change over manual methods.  Race
     officials counted on the malfunction not affecting the outcome of the race.
     The USAC Chief Steward said this is the first major malfunction since the
     devices were introduced in 1990.  The RISK is believing that, just because
     it hasn't happened in the past, it isn't happening now.
     Scott Lucero

1998-1999 Leonids may damage satellites

Jonathan Nash <>
Thu, 26 Jun 1997 01:36:23 -0400 (EDT)
     An article in the 9 Jun 1997 issue of *Science News* warned that the Leonid
     meteor showers in 1998 and 1999 may damage satellites.  The Leonid meteor
     shower occurs around the middle of November and usually 100 meteors an hour
     may be visible. In the Far East in 1998, 100,000 meteors an hour may be
     visible. In 1999 there will also be a very heavy Leonid shower in Western
     "A Leonid storm occurs every 33 years, when Earth passes through the
     meteoroid storm shortly after Tempel-Tuttle has neared the sun and spewed
     fresh particles. On 17 Nov 1998, Earth will hit the Leonid stream just 9
     months after the comet has passed closest to the sun.  In that short
     interval, the torrent of new meteoroids won't have had time to spread out.
     Our planet will encounter a dense swath of debris, creating a veritable
     "The dust particles are tiny, so chance collisions with spacecraft aren't
     the prime worry of scientists. Rather, researchers express concern about the
     potential of these particles to create localized clouds of electric charge,
     or plasma, that can penetrate satellites and short-circuit equipment.
     "The high speed of a Leonid meteoroid - about 72 kilometers per second, more
     than three times that of an average meteoroid - favors the production of
     clouds of charged material, notes Brown. These can generate lightninglike
     discharges inside satellites, zapping fragile electric components.
     "Another meteor storm, this one associated with a swath of cometary debris
     known as the Perseids, is credited with taking a satellite out of commission
     in 1993 (SN: 2 Oct 1993, p. 217). However, the potential for damage is highly
     uncertain...  Come 1998, 'everyone is going to go through this test, whether
     they like it or not.'"

Unix path risks -- well-known, but still amusing

Graystreak <>
Wed, 25 Jun 1997 23:13:38 -0400
     Date: Wed, 25 Jun 1997 21:39:14 -0400
     From: Michael Patrick Johnson <>
     Subject: insane bug
     This bug is one for the record books.  It's just too funny.  If only all
     bugs could make me laugh.
     I was trying to show someone how to use emacs rmail to read mail today.  We
     got the stuff set up.  We are using some kerberized pop program for movemail,
     not default movemail.  Fine.  We try to incorporate mail and suddenly this
     3D OpenGL spinning BEAVER HEAD program pops up!!  My god, what the hell was
     going on?  Did someone spawn that accidentally?  No, it goes away when I
     C-g. Incorporate again, IT'S BACK!
     OK, I am thinking SOMEONE is playing with this poor new student, someone
     hacked a dotfile on his somewhere.  No, nothing this insidious.  As it turns
     out, the beaver head program was a program he wrote to learn OpenGL.  The
     question was, how the hell was it running?  Long story short, the movemail
     program was actually a script which did a lot of string munging and happened
     to use the unix function "head" in it.  A bad dotfile had put . (dot) first
     in his path.  His beaver program was called head.  So we got his beaver
     head, not the real head.
     Moral: To not lose your head, put . in your path!
     Michael Patrick Johnson MIT Media Lab
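     The mistake in the post, as an added example (not code from the post or from MIT): a short Python audit of a Unix PATH string. path_hazards flags every entry the shell searches relative to the current directory, including the empty entries that a stray ":" produces, and shadowed_commands lists which real commands an executable in such a directory would hide. The demo() function rebuilds the scenario in a temporary directory: a trusted head in an absolute bin directory, a user-compiled head in the working directory, and a PATH that starts with ".". The directory names and sample PATH strings are constructed here.

```python
# Added example, not code from the RISKS post or from MIT: audit a Unix PATH
# for entries that are searched relative to the current directory, and list
# which commands a file in such a directory would shadow.
import os
import shutil
import stat
import tempfile

def path_hazards(path_string):
    """Return (index, entry, reason) for every PATH entry that the shell
    searches relative to the current working directory.  Unix PATH is
    colon-separated; an empty entry ("::", or a leading or trailing ":")
    is searched as "." too, which is easy to miss when reading a dotfile."""
    hazards = []
    for i, entry in enumerate(path_string.split(":")):
        if entry == "":
            hazards.append((i, entry, "empty entry, searched as current directory"))
        elif entry == ".":
            hazards.append((i, entry, "current directory"))
        elif not entry.startswith("/"):
            hazards.append((i, entry, "relative entry"))
    return hazards

def is_executable_file(path):
    """True for a regular file the caller may execute (symlinks followed)."""
    try:
        st = os.stat(path)
    except OSError:
        return False
    return stat.S_ISREG(st.st_mode) and os.access(path, os.X_OK)

def resolve_trusted(name, path_string):
    """First executable `name` found in the absolute PATH entries only,
    i.e. what the shell would have run had "." not been in the way."""
    for entry in path_string.split(":"):
        candidate = os.path.join(entry, name)
        if entry.startswith("/") and is_executable_file(candidate):
            return candidate
    return None

def shadowed_commands(directory, path_string):
    """Executables in `directory` that hide a same-named command from the
    absolute PATH entries: {name: path_of_the_real_command}."""
    shadowed = {}
    for name in sorted(os.listdir(directory)):
        if is_executable_file(os.path.join(directory, name)):
            real = resolve_trusted(name, path_string)
            if real is not None:
                shadowed[name] = real
    return shadowed

def demo():
    """Constructed scenario mirroring the post: a real `head` in an absolute
    bin directory, the student's own `head` in his working directory, and
    "." first in PATH.  Returns what the audit finds."""
    root = tempfile.mkdtemp()
    try:
        bindir = os.path.join(root, "bin")        # stands in for /usr/bin
        workdir = os.path.join(root, "student")   # the student's directory
        os.mkdir(bindir)
        os.mkdir(workdir)
        for d, text in ((bindir, "real head"), (workdir, "beaver head")):
            p = os.path.join(d, "head")
            with open(p, "w") as f:
                f.write("#!/bin/sh\necho %s\n" % text)
            os.chmod(p, 0o755)
        with open(os.path.join(workdir, "head.c"), "w") as f:
            f.write("/* source file, not executable: must not be reported */\n")
        bad_path = ".:" + bindir   # the dotfile's mistake
        good_path = bindir
        shadowed = shadowed_commands(workdir, bad_path)
        return {
            "bad_reasons": [reason for _, _, reason in path_hazards(bad_path)],
            "good_hazards": path_hazards(good_path),
            "shadowed_names": sorted(shadowed),
            "real_head_found": shadowed.get("head") == os.path.join(bindir, "head"),
        }
    finally:
        shutil.rmtree(root)

if __name__ == "__main__":
    env_path = os.environ.get("PATH", "")
    for i, entry, reason in path_hazards(env_path):
        print("PATH[%d] = %r: %s" % (i, entry, reason))
    for name, real in shadowed_commands(os.getcwd(), env_path).items():
        print("%s in %s would shadow %s" % (name, os.getcwd(), real))
    print(demo())
```

     Putting "." last instead of first does not remove the hazard; it only changes which names are exposed (a mistyped command that does not exist elsewhere still runs from the current directory), and a script run from a world-writable directory is exposed either way. The check above is meant for login dotfiles and for the environment a setuid or cron-run script inherits, where a relative entry matters most.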

Microsoft Web site Interrupted by cracker

Edupage Editors <>
Wed, 25 Jun 1997 01:03:42 -0400 (EDT)
     Microsoft's Web site was disrupted briefly by a computer cracker who broke
     into the site's server computers by exploiting a flaw in the Microsoft
     Internet server software.  The site was down only about 10 minutes, but
     company officials say users may have experienced more problems because the
     company currently is upgrading its servers.  Microsoft has posted a fix for
     the flaw on its Web site, and a marketing director says all that was needed
     to get the machines going again was a reboot.  (*Wall Street Journal*,
     23 Jun 1997;; Edupage, 24 June 1997)

MS Outlook sends e-mail on Ctrl-Enter when editing with Word

Michael Passer <>
Thu, 26 Jun 1997 10:55:11 GMT
     When using Microsoft Outlook (part of their Office 97 suite) to compose an
     e-mail message yesterday, I attempted to get rid of some unwanted text
     formatting by inserting a page break.  Under normal circumstances, Word
     recognizes the key combination Ctrl-Enter as a command to insert a page
     break.  (WordPerfect also treats the key combination this way.)  However,
     when Word is launched by Outlook as an e-mail editor, Ctrl-Enter causes the
     e-mail message to be sent--immediately, with no confirmation.
     This behavior is documented on the File menu, where Send has the keyboard
     accelerator label "Ctrl-Enter" right next to it.  Perhaps I should have RTFM
     (Read The Fine Menu).  However, I don't think co-opting a key with a fairly
     common editing function was an optimum user interface design decision.
     The RISK?  Sending e-mail unintentionally, before it is completely edited,
     can cause problems ranging from trivial (e.g., mild embarrassment at having
     sent a message that wasn't done yet) to catastrophic (e.g., abrupt
     unemployment as a result of having fired off an unedited missive to an
     executive at one's company before one has cooled off).

Malepropylene Microdictus

<Stephen Speicher>
Thu, 19 Jun 1997 13:36:37 -0700 (PDT)
     Whoever is the genius in the advertisement department at Microsoft, they
     have done it this time. Anybody seen the IE ads on TV lately? The one with a
     very effective choral music playing in the background?  Well, the background
     music is the Confutatis Maledictis from Mozart's Requiem (Mass for the
     dead).  And the words of the final blast of music which accompanies "Where
     do you want to go today?" are saying "confutatis maledictis, flammis acribus
     addictis..." which means "the damned and accused are convicted to flames of
     Is this the right message for an ad?
     Stephen Speicher, Internex Information Services
       [Depends on what you *really* think of your product?  PGN]

Re: Software Problems with new UK ATC Center (Ladkin, RISKS-19.18)

"Andres Zellweger" <>
Tue, 17 Jun 97 13:30:02 -0500
     Peter Ladkin, in his report on NERC (New En Route Centre), is absolutely
     correct in pointing out that the problem of "scaling up" is much more serious
     than just fixing bugs.  To my knowledge, no one has yet been successful in
     building a modern distributed ATC system that has scaled to the size needed 
     for NERC or one of the US En Route ATC Centers. In most cases, the problems 
     have come from the various mechanisms put in place for achieving high 
     availability and reliability.
     As an aside, NERC, located in Swanwick, is in a beautiful new building where
     all of the controller work stations, with their 20x20 inch 2000 line 
     resolution color displays, have been installed for months.  Interestingly 
     enough, there is a lot of extra space because when the architects planned 
     the building they didn't realize that the powerful workstations would not 
     require the support of a large main frame computer with its own computer 
     room etc!
     Dres Zellweger
       [Typo fixed in archive copy.  Back ref to 19.18.  PGN]

Old risks, new villains... when will they learn?

Quinn Yost <>
Wed, 25 Jun 1997 02:34:21 +0100
     The story below is not one that will cause many of you to rush to lessen
     its impact on you. Instead, it simply demonstrates how (despite our best
     efforts and their best intentions) some companies just don't quite get our
     The story begins a few months ago when I relocated to a new city.  In the
     process of arranging utility type services the local phone company made
     their standard offer of issuing a phone card.  Much to my delight, they
     offered to send a card with just my name and not my access number printed on
     Two weeks later, the card arrives.  As I opened it, I was amused to see that
     it had what appeared to be a generic number (knowing it wasn't the number I
     had requested and appeared far too blatant) as my pin.  Weeks later when I
     finally had a need to use it, I was somewhat surprised to hear the "The
     account number - pin combination you have entered is incorrect" message.
     After returning home, I promptly called the company and requested to have my
     pin changed.  Which they happily did without asking for any identifying
     information (I can only hope they used caller-id to make an assumption that
     I was indeed who I claimed).  I also asked what the old pin was (assuming a
     typo had been made or my memory was failing) and learned that the number
     printed on my card was not some generic number, but instead the actual pin.
     Again, two weeks later, the card arrives.  This time, not only does it have
     my name and pin imprinted upon it, it also has instructions on how to
     determine the unprinted portion of the access number.
     The risks here I assume are obvious to us all.

7-Eleven Big Brother

"Mich Kabay [NCSA]" <>
Wed, 25 Jun 1997 22:18:24 -0400
     > 7-Eleven Operators Resist System To Monitor Managers
     > By Norihiko Shirouzu and Jon Bigness
     >  Staff Reporters of The Wall Street Journal (Dow Jones  16 Jun 1997)
     > Your neighborhood 7-Eleven store may soon feature a new Japanese export: a
     > draconian system that allows the company to monitor store managers' every
     > keystroke.
     Summary of the writers' key points:
     * Japanese 7-11 franchise owners must use their point-of-sale (POS)
     computers throughout the day to perform inventory analysis and track sales.
     * The inventory and just-in-time (JIT) ordering system is crucial
     to the Japanese operations management.
     * Fresh food is delivered three times a day to each store in accordance
     with local traffic.
     * "Headquarters ranks stores by how often their operators use the
     * Managers are under enormous pressure; one reported, "It's like being
     under 24-hour surveillance; it's like being enslaved."
     * Upper management argues that these strict demands and computer-based
     monitoring are responsible for improving turnover of products from 100% per
     25 days to 100% per 7 days.
     M. E. Kabay, PhD, CISSP (Kirkland, QC) / Director of Education,
     National Computer Security Association (Carlisle, PA) /

UK Government proposes ID numbers for 4-year-olds

Gary Barnes <>
Thu, 26 Jun 1997 10:54:54 +0100 (BST)
     *The Times* today (26 Jun 1997) reports that the UK government plans to give
     every child a national identification number at the age of four, to plot
     pupils' progress through school.  The intention is to make the official
     national league tables of schools a more accurate reflection of a school's
     performance, by taking into account the fact that some schools take in more
     clever pupils than others, which naturally reflects in the current figures.
     According to *The Times*, David Hawker, the man responsible for developing
     this new scheme gave the reassurance: "We are looking at setting up a
     national pupil number. It is nothing to be frightened of because pupil
     information is covered by the Data Protection Act."
     I am not reassured by this, and neither is Andrew Puddephat, director of
     civil rights pressure group Charter 88 who warned that this could be a step
     towards a national identity card system. The Labour Government was opposed
     to a national identity card scheme when it was in Opposition.
     While this may seem to be more of a privacy issue than a computing RISKS
     issue, the blind faith that David Hawker has that there is no need for
     concern thanks to the Data Protection Act seems a bit misplaced, especially
     when no mention is made of what technical measures might be used to assure
     the security and integrity of the information stored about pupils.
     Gary Barnes

Chip Theft by Home Invasion

David Kennedy <>
Thu, 26 Jun 1997 17:47:58 -0400
     Courtesy of United Press International via CompuServe's Executive News
     3 at large in home invasion robbery (UPI)
     >   HACIENDA HEIGHTS, Calif., June 20 (UPI) -- Two men have been arrested
     > and three others are at large after they allegedly held a family hostage
     > while the father was forced to go to his business and turn over $800,000
     > in computer chips.
     > Police say five heavily armed men drove up to the Hacienda Heights home of
     > the unidentified victim at about 10:30 p.m.  Thursday. When they got
     > inside, they herded a woman, her 11-year-old son and 14-year-old daughter
     > into one room, and forced the husband to drive to his business in the City
     > of Industry.
     o Someone called the police, SWAT shows up (special weapons and tactics
     police unit specializing in high-risk police operations), after two hours,
     2 gunmen surrender.
     o Three who went with the business owner are at large.  They tied him up
     in his business and left him there.
     Dave Kennedy [CISSP] Research Team Chief, National Computer Security Assoc.

Re: Company blackmails Netscape for details of browser bug

Dorothy Denning <>
Fri, 13 Jun 1997 14:42:29 -0400
     I read the document at the cited URL and it says .
       "Cabocomm said it would accept "reasonable compensation" for the technical
       information -- or they can send a Netscape representative and get it for
     That doesn't sound like blackmail to me.
     Dorothy Denning
       [Apparently Netscape was able to get a copy of the script of the demo
       session and from that infer what the flaw was.  No money changed hands.  PGN]

Netscape vs. Cabocomm

Andy Waldis <>
Mon, 16 Jun 1997 15:50:31 -0700 (PDT)
     Regarding the finding of a defect in Netscape's browser by the Danish company
     Cabocomm, I find it disturbing that so many reports use the terms "blackmail"
     and "extortion" to describe Cabocomm's actions.  The use of these terms implies
     that Cabocomm was obligated to report the defect it had found and should not
     expect to be compensated for their trouble.  This suggests a risk of using
     software that I had not been aware of: that we are obligated to report any 
     defects we find and have no right to expect compensation.  I guess I should be
     reading those license agreements a little more carefully.
     Cabocomm did not create the problem, Netscape did.  Cabocomm proposed a
     solution which Netscape was free to accept or reject.  This wasn't a case of
     blackmail, just good old-fashioned capitalism.  Regards,
     Andy Waldis

"Secret Power" Claims to Expose Secret International Spying Networks

"Betty G.O'Hearn" <>
Thu, 26 Jun 1997 15:18:21 -0400
     "Secret Power" by Nicky Hager
     The International Spying Networks UKUSA and ECHELON
     301pp ISBN: 0-908802-35-8 
     According to this remarkable book, that has somehow escaped the flames of
     book banners crying "national security," the United States NSA and the
     United Kingdom's GCHQ (Government Communications Headquarters) operate a
     global spying network called UKUSA. To listen in on conversations across the
     planet, a massive eavesdropping apparatus was built, with tentacles which
     reach into dozens of different countries beyond the shores of either the US
     or UK as well as across the skies.
     Describing the nature of UKUSA, its global affiliations, and operations
     represents a huge effort on the part of author Nicky Hager. He states early
     on in 'Secret Power':
       "Many people are vaguely aware that a lot of spying occurs, maybe even on
       them, but how do we judge if it is ubiquitous or not a worry at all? Is
       someone listening every time we pick up the telephone? Are all of our
       Internet or fax messages being pored over continuously by shadowy figures
       somewhere in a windowless building?
       "What follows explains as precisely as possible - and for the first time
       in public - how the worldwide [spy] system works, just how immense and
       powerful it is and what it can and cannot do.
       "The global system has a highly secret codename: ECHELON."
     And that is the foundation of a tremendous amount of research that describes
     in detail how the vast global spying network "collects all the telephone
     calls, faxes, telexes, Internet messages and other electronic communications
     that its computers have been pre-programmed to select," and then analyzes
     the contents and distributes them to the UKUSA and ECHELON partners.
     The operational details of how the US (NSA), UK (GCHQ), Canada (CSE),
     Australia (DSD) and New Zealand (GCSB) intercept signals, throw high-power
     computing behind ECHELON 'KeyWord' dictionary attacks and what they do with
     that information is potentially alarming; especially since so much of this
     decades-old practice has been kept under the wraps of security.
     Secret Power names the names, provides the dates and the technical details
     on the world's largest, best financed and coordinated global spying
     apparatus ever conceived. Full of pictures, maps and charts, the reader will
     get a complete picture of just how much effort and resources go into
     international security, long distance eavesdropping, and spying.
     From the Cold War to today, UKUSA and ECHELON have been fascinating and
     powerful intelligence functions to spy both on enemies and friends. "Secret
     Power" provides the first peek inside the world's most secretive and
     powerful electronic spy organization.
     "Secret Power" reads like a thriller, except that it's true. It should be
     read by everyone with an interest in intelligence, espionage and the
     technology that modern spies use.
     "An astonishing number of people have told him [author Nicky Hager] things
     that I, as Prime Minister in charge of the intelligence services, was never
     told...It is an outrage that I and other ministers were told so little."
             -David Lange, Prime Minister of New Zealand 1984-89 
     "...the most detailed and up to date account of the work of any signals
     intelligence agency in existence. It is a masterpiece of investigative
     reporting, and provides a wealth of information."
             -Jeffrey T. Richelson, leading authority on United States intelligence
              agencies and author of *America's Secret Eyes in the Sky* and co-author
              of *The Ties that Bind*.

Last modification on 1999-06-15
by Michael Blume