[risks] Risks Digest 21.57

From: RISKS List Owner (riskoat_private)
Date: Tue Aug 07 2001 - 09:04:28 PDT

  • Next message: RISKS List Owner: "[risks] Risks Digest 21.58"

    RISKS-LIST: Risks-Forum Digest  Tuesday 7 August 2001  Volume 21 : Issue 57
    
       FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
       ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator
    
    ***** See last item for further information, disclaimers, caveats, etc. *****
    This issue is archived at <URL:http://catless.ncl.ac.uk/Risks/21.57.html>
    and by anonymous ftp at ftp.sri.com, cd risks .
    
      Contents:
    WEP insecurity (Avi Rubin)
    European Union strives for openness (Stephen A. Boyd)
    WinXP blocks some versions of some programs (B. Elijah Griffin)
    Cyanide for Code Red (Jeremy)
    I am virus generator? (Bob Frankston)
    AT&T Worldnet exposes all user passwords (Una Smith)
    Password changes -- SIGH! (Jim Horning)
    The risks of online order tracking (Darryl Smith)
    Mixing advertising and credit-card activation (Bob Green)
    Techs must report child pornography (Brien Webb)
    Re: Dutch government and virtual child pornography (Christian Reiser)
    Re: Super-accurate atomic clock hates Sundays (Phil Kos)
    What is your area code, really? (Andrew Koenig)
    Online advertising: Fraud, false positives and a novel DOS attack 
      (John O'Connor)
    Re: Even a fatal error can't kill it (Terry Brugger, Joe Thompson, 
      John M. Hayes)
    Abridged info on RISKS (comp.risks)
    
    ----------------------------------------------------------------------
    
    Date: Tue, 07 Aug 2001 05:56:27 -0400
    From: Avi Rubin <rubinat_private>
    Subject: WEP insecurity
    
       [Read it and WE(E)P, unless you already WEPt.  PGN]
    
    We have a new paper:
    
    Using the Fluhrer, Mantin, and Shamir Attack to Break WEP
    by
    Adam Stubblefield, John Ioannidis, and Aviel D. Rubin
    
    We implemented an attack against WEP, the link-layer security protocol for
    802.11 networks.  The attack was described in a recent paper by Fluhrer,
    Mantin, and Shamir. With our implementation, and permission of the network
    administrator, we were able to recover the 128-bit secret key used in a
    production network, with a passive attack. The WEP standard uses RC4 IVs
    improperly, and the attack exploits this design failure.  This paper
    describes the attack, how we implemented it, and some optimizations to make
    the attack more efficient. We conclude that 802.11 WEP is totally insecure,
    and we provide some recommendations.
    
    The paper is available at http://www.cs.rice.edu/~astubble/wep/
    
    Avi Rubin, AT&T Labs - Research  http://avirubin.com/
    White-Hat Security Arsenal:  http://white-hat.org/
    
    ------------------------------
    
    Date: Fri, 3 Aug 2001 13:01:18 EDT
    From: "Stephen A. Boyd" <UncleHonusat_private>
    Subject: European Union strives for openness
    
      The European Commission issued a White Paper last week that aims to
      address widespread public dissatisfaction with politics by increasing the
      openness and accountability of European Union institutions.
    
      "Many Europeans feel alienated from the Union's work," according to the
      White Paper, and they "no longer trust the complex system to deliver what
      they want."
    
      The White Paper identifies five principles that define "good governance"
      Openness, Participation, Accountability, Effectiveness, and Coherence.
      The Paper goes on to identify proposed changes in European Union policy
      derived from these principles.
    
      "We simply cannot go on as we are," said European Commission President
      Romano Prodi.  "The White Paper is not an instant cure for everything, but
      it is a serious attempt to address the concerns that many people have."
    
      To a American reader, the White Paper's diagnosis of public disenchantment
      with politics is familiar.  Its prescription, however, may seem a little
      naive in its faith that political life can be reinvigorated through
      procedural changes.  Even so, it is a refreshing reminder that political
      institutions are not simply inherited, but are also maintained and can be
      recreated by regular people.
    
      "European Governance -- A White Paper" was adopted by the European
      Commission on July 25 and published for public comment here:
      http://europa.eu.int/comm/governance/white_paper/index_en.htm
    
    First, the source: This commentary was copied and pasted directly from
    *Secrecy News*, a digest (but not a forum) written by Steve Aftergood, an
    employee of the Federation of American Scientists (http://www.fas.org).
    
    Second, the irony: It is ironic that, on one hand, the EU ministers would
    issue statements like this, while on the other hand, they are pursuing the
    ECHELON continental-wide wireless surveillance and monitoring network.  I
    guess "openness", the ministers contend, must go both ways, regardless of
    any privacy issues the EU's constituency may have.
    
    Third, the RISK: I believe this veil of purported openness is a valid RISK,
    since it seems the EU chiefs are making a push for pulling the wool over
    their constituents eyes.  The issue Mr. Aftergood astutely mentions of
    "public disenchantment" is not only reinforced, it seems, but gives
    Americans no more confidence in our own government with respect to privacy
    and auto-accountability issues, since the same game is being played here.
    I'm all for good government and a solid nation, but only when the members of
    those governments are accountable to their bosses (i.e., the People).
    
    Stephen
    
    ------------------------------
    
    Date: Thu, 2 Aug 2001 16:33:13 -0400 (EDT)
    From: "B. Elijah Griffin" <eliat_private>
    Subject: WinXP blocks some versions of some programs
    
    *The Register* reports that WinXP 'Release Candidate 2' has a driver block
    that will prevent a number of programs from running.  Some people are
    apparently worried that MS might become too bossy about what software their
    OS can run.
    
    The full story:
    http://www.theregister.co.uk/content/4/20805.html
    
    Elijah
    
    ------------------------------
    
    Date: Mon, 6 Aug 2001 10:55:07 +0800
    From: "Jeremy" <jeremyat_private>
    Subject: Cyanide for Code Red
    
    Code Red may or may not be the major disaster that CERT predicted.  It is
    certainly present and apparently mutating already.
    
    What does not seem to have happened is the production of an effective
    stopper for the Code Red.  Present prophylactic activities involve getting
    as many systems as possible updated with 'the fix'.  This of course will not
    work as a large number of systems are run out of the box by people with
    little to no technical training.  They won't even know how to recognise they
    have the worm, let alone fix it.
    
    One simple fix is a passive worm that sits on a target machine and when a
    Code Red attack arrives, infects the attacker using the same technique that
    Code-Red uses (by definition, an attacking machine must be vulnerable to the
    attack).  The passive worm could disinfect the attacker, and then sit
    waiting for further attacks on the original machine plus on the newly
    disinfected attacker.  The rate of spread of the passive worm would be
    directly proportional to the spread of Code-Red.  The passive worm cannot
    spread at all unless Code-Red is operating.
    
    The passive worm would almost certainly disable the IIS service, in fact it
    might be a good idea to have it produce a default web page stating so,
    together with instructions on how to download the security fix.  An improved
    version may even apply the fix itself.
    
    The question arises as to whether a passive worm is illegal in any way.
    
    The arguments for a passive worm are that the system it is defending is
    under attack and it is taking steps to stop that attack.  As a by-product,
    the attacker is unable to attack any other systems.  The attacker does not
    suffer any damage as a result of the disinfection.
    
    The argument against it is that the defender places and executes code on the
    hostile machine.  This may well breach any number of anti-virus laws.
    
    The real test of the argument will be when a very dangerous worm, say like
    Code-Red but 100 times as potent, is unleashed.  The various Governments
    will be left in the serious dilemma as to whether to allow a vital national
    resource be destroyed, or to unleash a probably illegal antidote.
    
    The time scale to make such a decision could be a matter of hours from first
    discovery to Internet meltdown.  Governments (and Microsoft) must have a
    contingency plan in place.  I wonder what it is?
    
    Jeremy
    
    ------------------------------
    
    Date: Fri, 3 Aug 2001 14:50:28 -0400
    From: "Bob Frankston" <RMFx18at_private>
    Subject: I am virus generator?
    
    Norton Anti-Virus 2001 has decided that the script I use to backup my
    files is a virus. It says "Unable to repair this file OK" (no option for
    "Not OK")! In trying NAV2002 (beta) I found that it seems to label all
    scripts as viruses but, at least, it gives me an option of enabling them
    one by one by one. The trend to treat programming as a criminal act and
    put the onus on me to prove each action is not a crime is very
    worrisome. Outlook has the same attitude towards attachments, even URLs.
    It doesn't even deign to let me decide -- it just hides them. 
     
    I guess it goes along with viewing PEDs as terrorist devices. (For those who
    haven't been following the issue in RISKS -- Personal Electronic Devices
    seem to be viewed as too dangerous to allow on airplanes, at least during
    safety-critical portions of a flight such as taxiing to the terminal.)
     
    Bob Frankston  http://www.Frankston.com <http://www.frankston.com/> 	
     
    ------------------------------
    
    Date: Fri, 3 Aug 2001 17:27:59 -0600
    From: Una Smith <unaat_private>
    Subject: AT&T Worldnet exposes all user passwords
    
    I called AT&T Worldnet customer support to ask a question about my bill.  My
    question was entirely impersonal but nonetheless I was required to identify
    myself.  I gave my name and current telephone number.  The service rep then
    asked me for the number I had when I signed up; when I hesitated, she
    volunteered it.  Then she asked for my e-mail password.  When I refused she
    informed me my password is not a secret, and that *all passwords* connected
    to my Worldnet account (a Worldnet account can have up to 6 e-mail accounts)
    are *visible* on her screen.
    
    Una Smith, Los Alamos National Laboratory MS K-710, Los Alamos, NM 87545
    
    ------------------------------
    
    Date: Fri, 3 Aug 2001 12:12:52 -0700 
    From: Jim Horning <horningat_private>
    Subject: Password changes -- SIGH!
    
    > From: 	<HR Department>  
    > Sent:	Friday, August 03, 2001 10:12 AM
    > To:	<US Employees>
    > Subject:	IMPORTANT <HR Database> INFORMATION - PLEASE READ
    > 
    > We want to make you aware that <HR Database> will be unavailable from 6pm
    > (PT) on Friday, August 3 to 11:59pm (PT) on Sunday, August 5 due to server
    > upgrades.  During this time, you will not be able to access the website. 
    > In <Outsourced supplier>'s ongoing effort to improve site performance,
    > these upgrades are occurring to load balance and increase site stability. 
    > Part of this site upgrade includes a password change.  ALL USERS WILL HAVE
    > A PASSWORD OF "change123" as of 12:01am PT Monday, August 6th, 2001.  Once
    > you enter the system for the first time on or after August 6th, you will
    > be required to change your password and answer a secret question.  In the
    > future, you will be able to use the answer to the question to reset your
    > own password.
    > If you experience problems, please contact the whereiwork help desk at
    > support@<Outsourced supplier>.
    
    ------------------------------
    
    Date: Mon, 30 Jul 2001 17:51:49 +1000
    From: "Darryl Smith" <darryl@radio-active.net.au>
    Subject: The risks of online order tracking
    
    I have just purchased a computer from Dell Computer. My experiences are
    interesting.
    
    1. When I entered the 'E Code' to select the right configuration and price,
    the price given did not include the $500 discount that I should have
    received. I ordered by phone and got the substantial discount.
    
    RISK: Paying $500 more on line.
    
    2. Knowing that I might have problems with my credit (debit card) I
    specifically asked the credit union what my limit was per day. They told me
    that it was whatever my balance was. When I went to purchase this computer
    the purchase was declined. When I contacted the credit union by phone they
    informed me about a $1000 per day limit unless it is up-ed but ONLY for the
    period that it was needed. I was to ring back as soon as the transaction was
    completed.
    
    RISK: Not having access to my money.
    
    3. When I contacted DELL to let them know that the transaction could go
    ahead I was told that it would be a while for the transaction to occour - in
    other words they could not immediately process the transaction but it would
    be hours.
    
    RISK: There was increased potential for fraud because my account limit was
    upped for longer than I would have liked.
    
    4. Sydney is 10 hours ahead of GMT at the moment, meaning that most parts of
    the world are behind us. When I logged onto the tracking WWW site at 7AM I
    was told that what the status was at 8PM that day, or 13 hours ahead. But
    that night I checked it at 5PM and was told that the status was at 4AM that
    day, or 11 hours behind.
    
    This does not make sense, unless the time is 11 hours behind at all times,
    and that the WWW site is reporting the clients day and the server time.
    
    RISK: Times and Dates should be based on either the clients date and time,
    or the servers, but not a combination of the two.
    
    5. The tracking WWW site notes that computer is in 'Delivery Prep' and has
    been for about 5 days and about to be shipped. When I checked up with DELL
    the computer had been shipped to Australia, and was at the Sydney warehouse
    for final delivery.
    
    RISK: When relying on online order status systems, work out what the results
    mean before relying on them
    
    Darryl Smith, VK2TDS   POBox 169 Ingleburn NSW 2565 Australia
    Mobile Number 0412 929 634 [+61 4 12 929 634 International]
    
    ------------------------------
    
    Date: Mon, 30 Jul 2001 21:39:07 -0400
    From: Bob Green <rgreenat_private>
    Subject: Mixing advertising and credit-card activation
    
    I recently received a new AT&T Universal Card Visa Card.  The card came with
    a security callback activation feature where you call an 800 number and
    enter your card number.  If you are calling from home (and presumably have
    not blocked the caller ID feature), this call activates the card.
    
    The part of the procedure that surprised me was that after typing in my card
    number, the voice response system:
    
      - cautioned me to stay on the line until I heard a confirmation that my
        card was activated
    
      - launched in to 30 second advertisement for a form of disability
        insurance. The insurance is sold with a 3 month trial period after which
        the insurance is automatically charged to your card.
    
      - asked me to type "1" to purchase the insurance or "2" to not purchase
        the insurance
    
      - asked me a second time to to type "1" to purchase the insurance!
    
      - finally, after two "2" responses, the voice confirmed activating my card
    
    Besides being quite annoyed at being solicited in this manner, I had a
    moment of panic at the first question. Voice response systems that ask you
    to enter "1" to confirm a request are very common. Was this confirmation
    request to activate the card or to purchase the insurance? It took a moment
    of reflection to assure myself that I was saying no to the insurance.
    
    The risks are that one might 
    
     - accidentally purchase insurance they don't want
     - feel forced to buy insurance in order to activate the card
     - hang up too soon and not activate the card
    
    Given the confusion that is often intentionally introduced by creative
    marketing, mixing advertising and a security procedure seems a very poor
    practice.
    
    -Bob Green
    
    ------------------------------
    
    Date: Mon, 30 Jul 2001 20:00:02 -0700
    From: "Brien Webb" <bwebbat_private>
    Subject: Techs must report child pornography
    
    Source: Associated Press
      http://www.washingtonpost.com/wp-srv/aponline/20010727/aponline203146_000.htm
    
    In South Carolina, a new law on education standards for day-care workers has
    a requirement that private technicians tell police if they find child
    pornography when servicing computers.
    
    Think of the possibilities.  You're servicing computers, and you get the
    idea to have some fun.  You take a client's computer, roll the date back,
    access some child pornography web site(s), reset the date, and call the
    cops.
    
    Carrying it one step further, imagine that this as a political "dirty
    trick".  It might just be the mayor or some legislative representative who
    gets victimized.
    
    Who would believe any protestations of innocence?
    
    --Brien Webb
    
    ------------------------------
    
    Date: Mon, 30 Jul 2001 11:53:16 +0200
    From: Christian Reiser <C.Reiser@internet-security.at>
    Subject: Re: Dutch government and virtual child pornography (Dinwiddie, R-21.47)
    
    A comment to a quite old posting, but it might still be interesting:
    
    George Dinwiddie brought up the issue, how difficult it is, to guess a
    person's age.  This is a problem, when the definition of child pornography
    depends on the age of the person on the picture.
    
    In Austrian legislation the definition of child pornography does not depend
    on the age of the person, but something is child pornography, when one or
    more persons involved in pornography look as if they were under 14. This
    solves the problem of finding out the age, but obviously raises some others.
    
    Christian Reiser, ASSIST, 1190 Wien, Nussdorfer Laende 29-33    
    C.Reiser@internet-security.at,  priv: Christianat_private  +43 1 370 94 40    
    
    ------------------------------
    
    Date: Tue, 31 Jul 2001 17:28:53 -0700
    From: Phil Kos <PhilKat_private>
    Subject: Re: Super-accurate atomic clock hates Sundays (Knowlton, RISKS-21.55)
    
    Ironically enough, when I went to *The NYTimes* online to check out the
    article on AT&T's new speech synthesis software (also mentioned in
    RISKS-21.55), I noticed an article on a new type of atomic clock currently
    under development at NIST. The article quotes Dr. Alan Madej of the National
    Research Council, Ottawa, as saying "It certainly is a very big advance for
    atomic clocks."
    
    Presumably the display problems can be fixed now that MS has (finally, after
    at least three years) fixed the 4/1 DST bug. Or do you suppose the NRC's
    display software had their very own equivalent to MS's mis-implementation of
    DST? After all, any error that can be made once can be made again and again
    (buffer overruns are a good example).
    
    ------------------------------
    
    Date: Sun, 29 Jul 2001 20:00:15 -0400 (EDT)
    From: Andrew Koenig <arkat_private>
    Subject: What is your area code, really?
    
    This evening, I wanted to connect a laptop to the Internet to download
    updated virus definition files.  I tried placing a call, then realized that
    didn't know whether the machine was set up correctly for my present
    location, so I cancelled the call.  After checking the machine, I thought it
    looked reasonable, so I tried again.
    
    Five minutes later, two police officers showed up at my door, saying
    that they had received a 911 (emergency) call from my home.
    
    It took me a while to piece together what had happened:
    
       1. Because I wanted to update the virus definition files, I called
          from "Administrator" rather than from my own account.
    
       2. The last time I dialed out on that machine as "Administrator" was
          from a hotel room in San Antonio.
    
       3. On the other hand, the phone number to dial for the ISP had since
          been changed to back home in New Jersey.
    
       4. The default area code for a dial-up connection is 1, which
          happens to be the same as the country code for USA.  Therefore,
          when setting the ISP's phone number, I had mistakenly assumed
          that the area code would go along with the phone number and
          specified an area code of 1 (which I thought was the (correct)
          country code of 1) and a phone number if 908 yyy yyyy (instead
          of yyy yyyy as it should have been).
    
       5. The network dialer, which still thought I was in a hotel room,
          dialed 9 (for an outside line), 1 (for a toll call), 1 again
          (for what it thought was the area code), and then 908 yyy yyyy
          (which was ignored).
    
    I suppose the risks are obvious...
    
    Andrew Koenig <arkat_private>
    
    ------------------------------
    
    Date: Fri, 27 Jul 2001 11:49:15 
    From: "John O'Connor" <jpocat_private>
    Subject: Online advertising: Fraud, false positives and a novel DOS attack
    
    There has been some comment, in recent editions of risks, on the subject of 
    online advertising as seen from the perspective of a Web surfer.
    
    From the viewpoint of a Webmaster seeking ad income, there are some 
    interesting aspects including what seems to be a novel form of DOS attack.
    
    I'll focus on one particular advertising model known as Cost Per Click or 
    CPC.
    
    In this mechanism, a Web site will display a banner for an advertiser and,
    when a surfer clicks on the banner, the advertiser will pay a small sum to
    the publisher of the Web site. Thus the publisher will receive an income
    dependent on the CPC multiplied by the Click Through Ratio or CTR.
    
    A simple click may cost an advertiser somewhere between two and fifty US 
    cents and there is normally an agency of some sort between the two parties 
    to see fair play, count the clicks, handle payments etc.
    
    One fairly obvious risk is that an advertiser who wants brand awareness and 
    not clicks can get free advertising by running ads that will not get clicked 
    but which will enhance brand recognition.
    
    From the advertisers viewpoint, fraud is the main risk. A Web site owner may
    use an automated system to generate bogus clicks to claim money that was not
    properly earned. There are thousands of http proxy servers that suffer from
    the same weakness that allows spam e-mail to exploit open smtp relays. Using
    these, a Web site owner bent on fraud can generate thousands of bogus mouse
    clicks.
    
    Of course, advertisers or, more commonly, the agencies with whom they deal 
    take whatever steps they can to combat such fraud. One route used by many is 
    just to have a cut off point for the CTR and say that a Web site with a high 
    CTR will be automatically barred for fraud. Clearly this leads to the normal 
    risk of false positives where a legitimate site with a high CTR is excluded. 
    Interestingly, the false positives will here work to exclude the sites which 
    are the best ones for the advertiser to use. For example, suppose that a 
    dating agency, specialising in women from Russia seeking men from the West, 
    uses an agency to run its banner ads on the Web sites represented by the 
    agency. Most of the time, such ads will attract a CTR of about 0.2%. But 
    what if one of the sites in the ad agency network happens to specialise in 
    advice on exactly this topic? (Fiancee visas, how to address a letter to a 
    country the uses the Cyrillic alphabet etc.) That site may see a CTR of over 
    5% which will rapidly earn it exclusion for fraud. Of couse, that is exactly 
    the site on which the advertiser would like to run its ads.
    
    And the novel DOS attack?
    
    Recent reports on the Web publisher forums at geekvillage.com have focussed
    on another problem. Suppose that two sites are in competition as they cover
    the same subject area and target the same pool of surfers and advertisers.
    Site A runs banner ads and site B would like to get those ads for itself and
    perhaps even close down site A and get the surfers too. The operator of site
    B could set up a click-bot to cause open proxy servers to send thousands of
    clearly false clicks to the advertiser: seemingly on behalf of site A. Site
    A will soon be flagged for fraud and will lose its advertising income and
    may well close.
    
    John O'Connor  http://www.jpoc.net
    
    ------------------------------
    
    Date: Sun, 22 Jul 2001 10:45:38 -0700
    From: Terry Brugger <zowat_private>
    Subject: Re: Even a fatal error can't kill it (Haynes, RISKS-21.53)
    
    I recently had a similar experience with Ticketmaster's on-line ordering
    system. I was buying a ticket to a show by my favourite artist as soon as
    the tickets went on sale (I wanted a good seat). Unfortunately, the group
    has MANY other fans in the Bay Area, so the system was quite sluggish and
    timed out frequently. I selected the seat I wanted, entered in all my info
    and submitted it. After waiting a minute or two it came back with an error
    message to the effect of, "Unable to confirm your order - hit the back
    button and resubmit it." When I did so I was informed that my session timed
    out and that I should try again from the beginning. So I did, five times
    before the order went through and was confirmed. Everyone knows what
    happened next: I ended up with five tickets. Ticketmaster was nice enough
    about it, but I was still left with the task of mailing them the unwanted
    tickets in order to receive my refund.
    
    The risk: If you're going to build a system with the primary task of selling
    tickets to popular events:
    
    1. Make sure it can handle the load when those events go on sale and
    2. Make sure it correctly reports on the completion of transactions.
    
    "Zow" Terry Brugger <zowat_private>   http://bruggerink.com/~zow
    
    ------------------------------
    
    Date: Thu, 19 Jul 2001 23:45:44 -0400
    From: Joe Thompson <joe@orion-com.com>
    Subject: Re: Even a fatal error can't kill it (RISKS 21.53)
    
    jhaynesat_private noted in RISKS 21.53:
    
    > No doubt there are other systems out there which have the possibility of
    > completing a transaction and then telling the user that there has been a
    > fatal error.  Maybe a whole lot of them.
    
    I recently had just such an incident with my bank (Chevy Chase Bank, based 
    in Maryland).  I used the online banking tools to transfer some funds from 
    one account into another.  Later that day I had a need to stop payment on 
    a check, so again I logged on and transferred enough money back into the 
    first account to cover the stop-payment fee.
    
    Later that night I withdrew some funds from the second account at an ATM, 
    and my receipt showed the correct balance.  The next night I did the same 
    (total withdrawals $60.00 for the 2 transactions).  The following day at 
    lunch I tried to make a withdrawal at an ATM and was denied -- with the 
    receipt showing a balance of approximately -$60.00 in the second account!
    
    You guessed it -- the online transfers I made had disappeared from the 
    system, and my balances had "snapped back" to what they would have been had 
    they never happened.
    
    Chevy Chase customer support, fortunately, believed me (in part because 
    it's impossible to have a negative balance in a savings account without 
    some really odd goings-on), and later that week it turned out to be a good 
    thing because the chaos of those few days resulted in two checks that were 
    currently going through the system "bouncing".  CC refunded my insufficient-
    funds fees -- and the payees never knew because the two payments were made 
    via Chevy Chase online payment, which sends the equivalent of a cashier's 
    check (it can't bounce).
    
    The RISK, of course, is the old story: adding new systems adds complexity 
    and can have entirely unexpected results. -- Joe
    
    ------------------------------
    
    Date: Fri, 20 Jul 2001 10:59:35 -0400
    From: "John M. Hayes" <john.hayesat_private>
    Subject: Re: Even a fatal error can't kill it
    
    The software that prevents duplicate transactions can be a problem in and of
    itself.  I recently attempted to make hotel reservations through an online
    travel agency. On this particular site, there was no provision for reserving
    multiple rooms. So after making the first reservation, I went back and
    attempted to reserve a second room.  The watchdog software would not allow
    me to reserve a second room in my name. I ended up having to use a different
    name in order to make a reservation for the second room.  Eventually, this
    website does allow you to consolidate multiple reservations, but that was
    not at all clear as I struggled with their system.
    
    Note: For the trip home, I decided to just phone the hotel directly and talk
    to an operator in order to make similar reservations. It was MUCH easier.
    
    John Hayes (john.hayesat_private)
    
    ------------------------------
    
    Date: 12 Feb 2001 (LAST-MODIFIED)
    From: RISKS-requestat_private
    Subject: Abridged info on RISKS (comp.risks)
    
     The RISKS Forum is a MODERATED digest.  Its Usenet equivalent is comp.risks.
    => SUBSCRIPTIONS: PLEASE read RISKS as a newsgroup (comp.risks or equivalent) 
     if possible and convenient for you.  Alternatively, via majordomo, 
     send e-mail requests to <risks-requestat_private> with one-line body
       SUBSCRIBE [or UNSUBSCRIBE] 
     which requires your ANSWERing confirmation to majordomoat_private .  
     [If E-mail address differs from FROM:  subscribe "other-address <x@y>" ;
     this requires PGN's intervention -- but hinders spamming subscriptions, etc.]
     Lower-case only in address may get around a confirmation match glitch.
       INFO     [for unabridged version of RISKS information]
     There seems to be an occasional glitch in the confirmation process, in which
     case send mail to RISKS with a suitable SUBJECT and we'll do it manually.
       .MIL users should contact <risks-requestat_private> (Dennis Rears).
       .UK users should contact <Lindsay.Marshallat_private>.
    => The INFO file (submissions, default disclaimers, archive sites, 
     copyright policy, PRIVACY digests, etc.) is also obtainable from
     http://www.CSL.sri.com/risksinfo.html  ftp://www.CSL.sri.com/pub/risks.info
     The full info file will appear now and then in future issues.  *** All 
     contributors are assumed to have read the full info file for guidelines. ***
    => SUBMISSIONS: to risksat_private with meaningful SUBJECT: line.
    => ARCHIVES are available: ftp://ftp.sri.com/risks or
     ftp ftp.sri.com<CR>login anonymous<CR>[YourNetAddress]<CR>cd risks
       [volume-summary issues are in risks-*.00]
       [back volumes have their own subdirectories, e.g., "cd 20" for volume 20]
     http://catless.ncl.ac.uk/Risks/VL.IS.html      [i.e., VoLume, ISsue].
       Lindsay Marshall has also added to the Newcastle catless site a 
       palmtop version of the most recent RISKS issue and a WAP version that
       works for many but not all telephones: http://catless.ncl.ac.uk/w/r
     http://the.wiretapped.net/security/info/textfiles/risks-digest/ .
     http://www.planetmirror.com/pub/risks/ ftp://ftp.planetmirror.com/pub/risks/
    ==> PGN's comprehensive historical Illustrative Risks summary of one liners:
        http://www.csl.sri.com/illustrative.html for browsing, 
        http://www.csl.sri.com/illustrative.pdf or .ps for printing
    
    ------------------------------
    
    End of RISKS-FORUM Digest 21.57
    ************************
    



    This archive was generated by hypermail 2b30 : Tue Aug 07 2001 - 09:51:30 PDT