[risks] Risks Digest 21.74

From: RISKS List Owner (riskoat_private)
Date: Sun Nov 11 2001 - 18:52:00 PST


    RISKS-LIST: Risks-Forum Digest  Sunday 9 November 2001  Volume 21 : Issue 74
    
       FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
       ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator
    
    ***** See last item for further information, disclaimers, caveats, etc. *****
    This issue is archived at <URL:http://catless.ncl.ac.uk/Risks/21.74.html>
    and by anonymous ftp at ftp.sri.com, cd risks .  
    
      Contents:
    Programming error scrambles election results (Geoff Kuenning)
    Yet another Internet voting risk (Rebecca Mercuri)
    Election problems before the election in Virginia (Jeremy Epstein)
    Possible radiation therapy risk (Herbert Kanner)
    Risks of belief in identities (PGN)
    Stealing MS Passport's Wallet (Mike Hogsett)
    Security hole in cash machines (Andrew Brydon)
    UK: liberties fears over mobile-phone details (Monty Solomon)
    Dutch police 'bombard' stolen cell phones with SMS (Monty Solomon)
    Australian computer hacker jailed for two years (Peter Deighan)
    Even professional organizations forget about certificate expiration
      (Jeremy Epstein)
    Children's medical records released on the Web (Conrad Heiney)
    Glitch in iTunes Deletes Drives (Monty Solomon)
    Dates in Visual Basic (John Sullivan)
    Excel and non-decimal dots (magical via Mark Brader)
    Sweden's public radio reportedly bans SETI from office computers 
      (Ulf Hedlund via Declan McCullagh)
    Random failures (Andrew Brydon)
    Re: Another SRI-wide Power Outage (Marcus L. Rowland)
    Re: Kids' learning game site becomes porn site (Daniel P. B. Smith,
        Ian Young, Paul Bowers)
    Re: DeCSS is Speech (Amos Shapir)
    Re: DoS attack on Mac OS9 (William Kucharski, Carl Maniscalco)
    Abridged info on RISKS (comp.risks)
    
    ----------------------------------------------------------------------
    
    Date: Sat, 10 Nov 2001 14:16:27 -0800
    From: Geoff Kuenning <geoffat_private>
    Subject: Programming error scrambles election results
    
    A San Bernardino County election last Tuesday was counted incorrectly due to
    a programming error.  According to the *Los Angeles Times*, a veteran county
    employee claimed to have tested his code, but apparently had not actually
    done so.  Some ballots were counted starting at the middle (sounds like an
    uninitialized loop variable); others were counted "from the bottom up"
    (don't ask me how).  The unnamed employee has been suspended from
    programming duties.  A consulting firm has now been brought in to verify the
    software for this and all future elections, something that should have been
    standard practice all along.
    
    In some races, heavily favored incumbents "lost" to unknowns who hadn't
    campaigned at all.  The error was uncovered when officials noticed that the
    count for one race showed no votes counted.
    
    Especially telling is the following paragraph in one of the Times stories:
    
      "County officials said the good news is that using a card-counting system
      means that ballots are still around to be recounted.  If the same error
      had occurred with an electronic voting system, there would be no paper
      record, West said."
    
    We've been telling them for years.  But I doubt they'll learn their lesson.
    
    Geoff Kuenning   geoffat_private   http://www.cs.hmc.edu/~geoff/
    
      [The results of 33 races were seriously in doubt, and all 85,000 ballots
      for 82 races will be recounted.  Also noted by Erann Gat.  PGN]
    
    ------------------------------
    
    Date: Tue, 6 Nov 2001 14:50:56 -0500 (EST)
    From: Rebecca Mercuri <Mercuriat_private>
    Subject: Yet another Internet voting risk
    
    I was working at the polls in Mercer County NJ during the 6 Nov 2001
    election and heard from a number of people whose spouses and/or children had
    applied for absentee ballots (since they would not be able to vote at the
    polls) but did not receive them.  Mercer County is in the midst of the
    Anthrax mailing zone, with 3 post offices affected.  Apparently, in some of
    the cases, the application for the absentee ballot was not received in time,
    and in other cases the absentee ballots were not received by the voters in
    time.
    
    How this relates to Internet balloting -- most schemes, including the one
    outlined by the California Task Force, would require the validation process
    and issuance of the Internet voting password to be issued by postal mail.  A
    mail hold-up such as the one we are experiencing in New Jersey could
    adversely affect the process.
    
    In short, the best way to validate voters is in person.
    
    ------------------------------
    
    Date: Wed, 31 Oct 2001 09:05:50 -0500
    From: Jeremy Epstein <jepsteinat_private>
    Subject: Election problems before the election in Virginia
    
    Like almost all U.S. states (*), Virginia is undergoing redistricting as a
    result of the 2000 census.  As a result, some people got new polling places.
    According to
      http://www.washingtonpost.com/wp-dyn/articles/A14523-2001Oct30.html 
    Fairfax County sent electronic updates to the state for inclusion in the
    state's database to reflect local redistricting, and the state sent a new
    master database back, which lost about 18,000 of the updates.
    Unfortunately, Fairfax County used the erroneous data to send out voter
    information, and had to send out a second set of instructions.
    
    There's the predictable finger-pointing as to who's at fault for the snafu.
    
    All goes to prove that there are plenty of computer-related risks in
    elections, and that's before you even get to the polling place!
    
    (*) There may be some states where there's no redistricting.  For example,
    Wyoming only has one representative, so there's no need for statewide
    redistricting, although there may be local redistricting.
    
    ------------------------------
    
    Date: Sat, 10 Nov 2001 11:59:32 -0800
    From: Herbert Kanner <kannerat_private>
    Subject: Possible radiation therapy risk
    
    As a patient being irradiated by a Varian linear accelerator, it interested
    me to be told by a technician that when they are behind schedule it is
    usually because of a computer crash.  He said that the accelerator is
    controlled by "three computers that talk to each other."  I inquired further
    and found out that they are PCs running Windows 2000.  Not exactly
    confidence inspiring!
    
    Herbert Kanner <kannerat_private>  650-326-8204
    
    ------------------------------
    
    Date: Sat, 10 Nov 2001 11:54:17 PST
    From: "Peter G. Neumann" <neumannat_private>
    Subject: Risks of belief in identities
    
    For those of you who might believe that national ID cards might be a good
    idea, check out the December 2001 *Commun.ACM* Inside Risks column by me 
    and Lauren Weinstein, previewed on my Web site
      http://www.csl.sri.com/neumann/insiderisks.html 
    in anticipation of a U.S. House hearing next Friday on that subject.
    
    It is not just the cards themselves that would entail risks, but even more so
    all of the supporting infrastructures, widespread accessibility to
    networking, monitoring, cross-linked databases, data mining, etc., and
    particularly the risks of untrustworthy insiders issuing bogus
    identification cards -- as happened a few years back on a large scale in the
    Virginia state motor vehicle agency (RISKS-11.41).
    
    The latest item on the ease of getting phony or illegal or unchecked
    identification papers is found in an article by Michelle Malkin (Creators
    Syndicate Inc.), which I saw in the *San Francisco Chronicle* on 10 Nov
    2001: Abdulla Noman, employed by the U.S. Department of Commerce, issued
    bogus visas in Jeddah, Saudi Arabia, in one case in 1998 charging
    approximately $3,178.  The article also notes a variety of sleazy schemes
    for obtaining visas, in some cases without ever appearing in person and
    without any background checks, and in other cases for ``investments'' of a
    hundred and fifty thousand dollars.  The article concludes with this
    sentence: ``Until our embassy officials stop selling American visas blindly
    to every foreign investor waving cash, homeland security is a pipe dream.''
    I'm not sure that conclusion is representative of the full nature of the
    problem of bogus identification, but the problem is clearly significant.
    A driver's license or a passport or a visa or a National ID card is not
    really proof of identity or genuineness or anything else.
    
    ------------------------------
    
    Date: Fri, 02 Nov 2001 14:51:52 -0800
    From: Mike Hogsett <hogsettat_private>
    Subject: Stealing MS Passport's Wallet 
    
      From : http://www.wired.com/news/technology/0,1282,48105,00.html
    
    By cobbling together a handful of browser-based bugs with flaws in
    Passport's authentication system, Slemko developed a technique to
    steal a person's Microsoft Passport, credit card numbers -- and all,
    simply by getting the victim to open a Hotmail message.
    
    ------------------------------
    
    Date: Fri, 9 Nov 2001 05:53:32 +0000
    From: Andrew Brydon <andrewat_private>
    Subject: Security hole in cash machines
    
    http://news.bbc.co.uk/hi/english/sci/tech/newsid_1645000/1645552.stm
    By BBC News Online technology correspondent Mark Ward
    
    A serious weakness has been discovered in the methods used by banks to
    protect the number that lets you get money from a cash machine.  Researchers
    from the University of Cambridge have found that the computer systems which
    check that these numbers are valid are easy to defeat.  They warn that
    unscrupulous insiders could exploit these weaknesses to raid customer
    accounts.  The researchers have called on banks to revise their security
    arrangements and use more open procedures to protect customers' cash.
    
    ... The physical construction of the cryptoprocessors is certified to a high
    standard to ensure that the boxes cannot be forced to give up the keys they
    use to scramble data.  Any physical tampering with the box makes them
    destroy the keys they use.  [However,] security researchers Michael Bond and
    Richard Clayton have found serious weaknesses in the software
    cryptoprocessors use to handle the encryption keys as they talk to different
    programs.  ... using the clues provided by the leaky software, the cracking
    time can be reduced to just 24 hours.
    
    Andrew Brydon, Systems & Software Safety Analyst, Lancashire, UK
    
    ------------------------------
    
    Date: Tue, 30 Oct 2001 21:02:14 -0500
    From: Monty Solomon <montyat_private>
    Subject: UK: liberties fears over mobile-phone details
    
    Records which map out users' whereabouts held indefinitely
    Stuart Millar and Paul Kelso, *The Guardian*, 27 Oct 2001
    
    One of the fastest growing mobile phone providers is indefinitely storing
    information that allows its customers' movements over the last two years to
    be mapped to within a few hundred metres.  As the government rushes through
    emergency anti-terror legislation that would require vast amounts of
    electronic communications data to be retained in the name of national
    security, *The Guardian* has established that Virgin Mobile has been storing
    the location records of its 1 million customers since the network launched
    in November 1999.  Last night, the privacy watchdog, the information
    commissioner, told the Guardian that it would be investigating the practice
    to establish whether it contravenes regulations governing retention of
    communications data.  [...]
    
    http://www.guardian.co.uk/mobile/article/0,2763,581763,00.html
    
    ------------------------------
    
    Date: Tue, 6 Nov 2001 10:03:47 -0500
    From: Monty Solomon <montyat_private>
    Subject: Dutch police 'bombard' stolen cell phones with SMS
    
    Dutch Police 'Bombard' Stolen Cell Phones With SMS
    By Andrew Rosenbaum, Special to Newsbytes, AMSTERDAM, NETHERLANDS, 05 Nov 2001
    
    The Amsterdam police have been using short messaging system (SMS) missives
    to block the use of stolen cell phones, and while the campaign has been
    successful, mobile providers are concerned about the cost and bandwidth
    strain of the campaign.
    
    About four months ago, the Amsterdam police began cooperating with the
    national telecommunications provider, KPN Telekom. When stolen phones are
    reported, the police asked KPN to use the phone to locate the telephone
    number. Then, every three to five minutes, the police sent SMS messages to
    the telephone saying, "Warning, this is a stolen telephone, using it is
    against the law -- stealing it is a felony."  ...
    
    http://www.newsbytes.com/news/01/171836.html
    
    ------------------------------
    
    Date: Wed, 31 Oct 2001 20:03:45 +1100
    From: Peter Deighan <deighanpat_private>
    Subject: Australian computer hacker jailed for two years
    
    This from Australian Broadcasting Corporation web site, 31 Oct 2001
    URL = http://www.abc.net.au/news/newslink/nat/newsnat-31oct2001-96.htm
    
      Vitek Boden, a computer hacker who hacked into the sewage control computer
      and intentionally released thousands of litres of raw sewage into
      creeks and parks on the lower Queensland Coast (and the grounds of the
      local Hyatt Regency), has been jailed for two years by a Maroochydore
      District Court jury.  [PGN-ed]
    
    An unexpected Risk?  Wonder what the design decision was: perhaps to save on
    call-back costs for control staff?
    
      [also noted by Derek Ross and George Michaelson.  PGN]
    
    ------------------------------
    
    Date: Mon, 5 Nov 2001 09:23:29 -0500
    From: Jeremy Epstein <jepsteinat_private>
    Subject: Even professional organizations forget about certificate expiration
    
    If you visit https://swww2.ieee.org/ (the site used for on-line renewal of
    IEEE membership), you'll learn that the certificate expired on Oct 31st
    2001.  I reported this on Nov 1st to IEEE, and as of today (Nov 5th), it
    hasn't been fixed.
    
    I'm curious how many other people noticed/reported it, or if everyone just
    clicked through due to the vast quantity of similar problems on the
    Internet.  What good is certificate expiration if it gets ignored by users?
    
    ------------------------------
    
    Date: Wed, 7 Nov 2001 10:45:58 -0800
    From: Conrad Heiney <conradat_private>
    Subject: Children's medical records released on the Web
    
    The University of Montana released confidential psychological records of
    children on the World Wide Web, according to the *Los Angeles Times*:
      http://www.latimes.com/news/nationworld/nation/la-110701private.story
    
    Four hundred pages of documents about at least 62 children were posted,
    including in some cases complete name and address information along with
    results of psychological testing. According to the *Times*, the data was
    available for eight days starting October 29 and included confidential and
    detailed summaries of patients' psychiatric conditions in much more detail
    than in previous similar accidental releases of information. The University
    indicated that errors by students or technical employees were likely to be
    at fault.
    
    The obvious Risk of electronic medical records is once again proved in an
    especially painful way.
    
    Conrad Heiney  conradat_private  http://fringehead.org
    
    ------------------------------
    
    Date: Tue, 6 Nov 2001 09:58:07 -0500
    From: Monty Solomon <montyat_private>
    Subject: Glitch in iTunes Deletes Drives
    
    Glitch in iTunes Deletes Drives, By Farhad Manjoo, 5 Nov 2001
    
    Some Macintosh users who rushed to download the latest version of iTunes --
    Apple's popular digital-music player -- were singing a song of woe on
    Friday. A bug in the installation procedure caused the application to
    completely delete their computers' hard drives.  Apple issued an alert and a
    fixed version of iTunes 2 on Saturday morning, and the company urged people
    to remain calm.  [...]
    
    According to Mac experts who examined the code of the buggy iTunes
    installer, the problem arose from a very tiny programming mistake -- a
    forgotten quote mark.
    
    Instead of typing the line "$2Applications/iTunes.app", a bleary-eyed 
    coder had instead typed the disastrous $2Applications/iTunes.app, 
    according to a message on MacSlash.  [...]
    
    http://www.wired.com/news/technology/0,1282,48149,00.html
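
    Added example, not part of the original digest and not Apple's installer
    code: a dry run of the quoting difference described above, which prints the
    arguments a command would receive instead of deleting anything.  It assumes,
    as in the quoted line, that $2 holds the target volume path ending in "/";
    the volume name "/Volumes/Disk 1/" and all function names are constructed.

```sh
#!/bin/sh
# Dry run only: nothing is deleted. show_args prints the argument list that a
# command such as rm would receive, one bracketed argument per line.
show_args() {
    for arg in "$@"; do
        printf '[%s]\n' "$arg"
    done
}

# Both functions follow the calling convention implied by the quoted line:
# $2 is the target volume path, ending in "/" (an assumption of this example).

# Unquoted: the expanded text is split at spaces before the command sees it.
unquoted_targets() {
    show_args $2Applications/iTunes.app
}

# Quoted: the expansion stays one argument whatever the volume is called.
quoted_targets() {
    show_args "$2Applications/iTunes.app"
}

# A check an installer can make before removing anything: the volume must be
# "/" or an absolute path ending in "/", so an empty or relative value can
# never turn the target into a path relative to the current directory.
checked_target() {
    case $1 in
        / | /*/) printf '%s\n' "${1}Applications/iTunes.app" ;;
        *) echo "refusing volume path: '$1'" >&2; return 1 ;;
    esac
}

# Constructed sample: a volume whose name contains a space.
echo "unquoted:"; unquoted_targets pkg "/Volumes/Disk 1/"
echo "quoted:";   quoted_targets   pkg "/Volumes/Disk 1/"
echo "checked:";  checked_target "/Volumes/Disk 1/"
checked_target "" || echo "empty volume rejected"
```

    With the unquoted form the first argument is the bare prefix of the volume
    path, which is not the application the line was meant to name.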
    
    ------------------------------
    
    Date: Fri, 9 Nov 2001 16:56:45 +0000
    From: John Sullivan <john.sullivanat_private>
    Subject: Dates in Visual Basic
    
    I was just writing a test-harness in Visual Basic (VB6 SP5) when I noticed
    the following annoying and potentially downright dangerous behaviour.
    
    Part of the code generated a series of dates, and I'd entered the start date
    as a literal date of the form #2001-11-08#. This worked fine as I expected,
    and as it wasn't at all important at this stage I didn't look twice at
    what I'd just typed.
    
    When I came back to it today, I noticed it read #11/8/2001#. Now, I never
    code dates in non-ISO format if possible, and being in the UK with my locale
    set to UK never, ever, use US mm/dd format unless I know it's the only
    format a broken program accepts. Retyping it showed that the date was
    changed in front of my eyes:
    
      #2001-11-08# becomes #11/8/2001#  (2001-11-08)
      #11/8/2001#  becomes #11/8/2001#  (2001-11-08)
      #8/11/2001#  becomes #8/11/2001#  (2001-08-11)
      #15/11/2001# becomes #11/15/2001# (2001-11-15)
    
    It changes as soon as the cursor leaves the line. So you type it, check it,
    find it correct, go off somewhere else, blam!
      
    The first has reduced the comprehensibility of the code. The second and
    third give no feedback that they're not conforming to the current locale.
    The last two show that VB is not even being consistent in its parsing.
    
    The Risks:
    
    Dumb programs thinking they're smart enough to change a programmer's code
    can lead to unpredictable behaviour. If you assume that what you type is
    what gets saved then you may not even notice, and errors in strings of
    numbers are immediately less obvious than structural or logical errors.
    
    If I (or a colleague) came back to the first example in a few months' time,
    will we know whether it means 8th Nov or 11th Aug? It would be natural to
    assume it's using the current locale, but in this case it isn't. What I
    actually typed was unambiguous.
    
    I use VB, and dates in VB, so rarely that I may not even remember this
    behaviour myself a year or two down the line. Thankfully I don't have to use
    this noddy little toy for writing Real Programs in.
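
    Added example, not part of the original digest: a small model of the
    behaviour shown in the table above, with a check that flags literals a
    reviewer cannot read unambiguously.  The rule (month-first, silently
    re-read day-first when the first field cannot be a month) is inferred from
    the four rows of the table and is not VB's actual parser; the function
    names are constructed.

```sh
#!/bin/sh
# Model of the behaviour in the table above (not VB's actual parser): an
# "a/b/yyyy" literal is read month-first when a is a valid month, and is
# silently re-read day-first when it is not.

# to_iso LITERAL -> prints YYYY-MM-DD; exits 2 on malformed input and 1 when
# neither field order gives a valid month and day.
to_iso() (
    set -f; IFS=/; set -- $1          # split on "/" (inside a subshell)
    [ "$#" -eq 3 ] || exit 2
    a=${1#0}; b=${2#0}; y=$3          # drop one leading zero ("08" -> "8")
    for n in "$a" "$b" "$y"; do
        case $n in ''|*[!0-9]*) exit 2 ;; esac
    done
    if [ "$a" -ge 1 ] && [ "$a" -le 12 ]; then m=$a; d=$b
    elif [ "$b" -ge 1 ] && [ "$b" -le 12 ]; then m=$b; d=$a
    else exit 1
    fi
    [ "$d" -ge 1 ] && [ "$d" -le 31 ] || exit 1
    printf '%04d-%02d-%02d\n' "$y" "$m" "$d"
)

# literal_risk LITERAL -> prints how a reviewer should treat a literal that
# to_iso accepts:
#   ambiguous  both fields could be a month, so the order cannot be read off
#   swapped    the first field cannot be a month, so the fields were swapped
#   plain      only the month-first reading exists
literal_risk() (
    set -f; IFS=/; set -- $1
    a=${1#0}; b=${2#0}
    if [ "$a" -gt 12 ]; then echo swapped
    elif [ "$b" -le 12 ] && [ "$a" -ne "$b" ]; then echo ambiguous
    else echo plain
    fi
)

# The slash-separated literals from the table, plus one month-first literal
# (11/15/2001) constructed for comparison.
for lit in 11/8/2001 8/11/2001 15/11/2001 11/15/2001; do
    printf '#%s# -> %s (%s)\n' "$lit" "$(to_iso "$lit")" "$(literal_risk "$lit")"
done
```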
    
    ------------------------------
    
    Date: Wed, 7 Nov 2001 13:43:25 -0500 (EST)
    From: msbat_private (Mark Brader)
    Subject: Excel and non-decimal dots
    
    * From: magicalat_private
    * Newsgroups: alt.usage.english
    * Subject: Re: Telephone Area Code
    * Message-ID: <7bqiutgjqqg1tu29qd6ak615c14pbcfavoat_private>
    * Date: Wed, 07 Nov 2001 17:07:08 GMT
    
    On Wed, 07 Nov 2001 07:54:15 GMT, in alt.usage.english, David
    Hecht <davidhechtat_private> created
    
    > The US convention (AAA)BBB-CCCC is not just evolving into AAA-BBB-CCCC;
    > now I'm seeing more and more of the "international" style: AAA.BBB.CCCC
    > .  This appears in some "chic" guidebooks.
    
    I tried using that format, until I pulled a text file into Excel and it
    changed all the phone numbers into "real numbers" and deleted terminal
    zeros.  Excel also has this annoying habit with IP addresses, changing
    10.0.0.10 to 10.0.0.1.  I can't find a way, in the *import* function, to
    define these numbers as "text" so that Excel will leave them alone upon
    import.  Sigh.
    
    ------------------------------
    
    Date: Thu, 08 Nov 2001 15:22:14 -0500
    From: Declan McCullagh <declanat_private>
    Subject: Sweden's public radio reportedly bans SETI from office computers
    
    SETI homepage:
    http://setiathome.ssl.berkeley.edu/
    
    Date: Thu, 08 Nov 2001 21:10:05 +0100
    To: declanat_private
    From: Ulf Hedlund <guruat_private>
    Subject: Swedish national radio bans SETI software
    
    Conspiracy theory has reached the state owned public service radio in
    Sweden, "Sveriges Radio" (www.sr.se). They have banned all use of the SETI
    software and say that three of the technicians from the IT department are
    going to be relocated. According to the head of human resources, Per
    Thorsell, this is due to the fact that they don't know if the software is
    actually performing a search for extraterrestrial life. "The software could be
    used by some service for other purposes, e.g., calculation of missile
    ballistics", he says.
    
      http://www.sr.se/ekot/index.asp?article=22761 [in Swedish;
      translation tinkered slightly after consulting Ulf Lindqvist, who
      suggests they should be equally paranoid about other black-box
      software they might be running.  PGN]
    
    To subscribe to Politech: http://www.politechbot.com/info/subscribe.html
    This message is archived at http://www.politechbot.com/
    
    ------------------------------
    
    Date: Tue, 6 Nov 2001 22:31:18 +0000
    From: Andrew Brydon <andrewat_private>
    Subject: Random failures (Re: Bank Canada, Sokskiewicz, RISKS-21.73)
    
    >I think that sometimes we are better off accepting such "random" occurrences
    
    Rather we should be analysing our systems for random failures and
    interactions due to these random occurrences, designing out or mitigating to
    limit the effects of such failures. To do any less may be unprofessional,
    and in many cases illegal.
    
    >Sometimes I feel that RISKS readers expect to live in a perfect world.
    
    I think we should expect all reasonable care to be taken over developing and
    implementing the systems which we use, as for any other consumer product or
    service. The difference with, say a toaster, is that there are far fewer
    interactions and controls to consider, but we still expect it to turn bread
    to toast without error.
    
    Andrew Brydon, Systems & Software Safety Analyst, Lancashire, UK
    
    ------------------------------
    
    Date: Tue, 30 Oct 2001 23:02:37 +0000
    From: "Marcus L. Rowland" <mrowlandat_private>
    Subject: Re: Another SRI-wide Power Outage
    
    A couple of weeks ago I spent three hours trying to find out why one of our
    laboratories (see various previous comp.risks digests) was tripping out its
    circuit breakers again, despite the system having been overhauled.
    
    We eventually realised that someone had put a box of equipment down on top
    of a stool that wobbled slightly, so that it pressed against the emergency
    cut-out button whenever someone brushed past it...
    
    Marcus L. Rowland
    http://www.ffutures.demon.co.uk/     http://www.forgottenfutures.com/
    
      [VERY OLD problem.  In the Multics days in the later 1960s at Bell Labs, 
      sitting down in a particular chair in the computer room would often
      crash the system, due to the under-floor wiring.  PGN]
    
    ------------------------------
    
    Date: Mon, 05 Nov 2001 20:11:49 -0500
    From: "Daniel P. B. Smith" <dpbsmithat_private>
    Subject: Re: Kids' learning game site becomes porn site (RISKS-21.73)
    
    In the interest of becoming a well-informed netizen, I took a look at 
    http://www.moneyopolis.org and http://www.moneyopolis.com.  Imagine my 
    disappointment^h^h^h^h^h^h^h^h^h^h^h^h^h^h^h relief, to find that as of 
    11/5/2001 these sites appear to be ... an online interactive children's 
    game produced as a public service by Ernst and Young.
    
    Daniel P. B. Smith <dpbsmithat_private>
    
      [Quite a few RISKS readers noted this.  So, either the WashPost and NYT
      (which ran its own story) got it wrong, or E&Y quickly repaired its image
      by re-acquiring the .org domain -- presumably at an indecent markup.  PGN]
    
    ------------------------------
    
    Date: Tue, 6 Nov 2001 09:58:17 -0000
    From: Ian Young <ianat_private>
    Subject: Re: Kids' learning game site becomes porn site (RISKS-21.73)
    
    You won't be surprised to hear that Ernst & Young (no relation) are not the
    only people to have been affected by this scheme.  I got some moderately
    irate E-mail recently from users of a small site I run because one of the
    sites I had linked to had apparently converted to a porn site in the way the
    *Post* describes.
    
    However, in this case:
    
    * the registration was by a different company: someone out of Tbilisi,
    Georgia instead of Yerevan, Armenia.
    
    * The new site contained a single page containing an _advertisement_ for
    "Euro Teen Sluts", plus half a dozen post-close pop-ups for similar sites,
    but also offered to sell you the domain name in question!
    
    Obviously, buying up random dead domains is a cheap way of getting
    advertising space, as long as you don't care who sees the adverts in
    question.
    
    Risk 1: links are sometimes seen as endorsements.  That's a problem for me,
    but it is presumably also a problem for people like Google, whose rating
    system depends on seeing that particular sites are linked _to_ by other
    sites.  I wonder how they cope with this?  I can see that they do, because
    the site I linked to still has a lot of links to it, but no longer appears
    in a Google search with any of the obvious keywords...
    
    Risk 2: automatic link checkers will tell you there is something there, but
    they won't tell you what it is.  You actually have to visit your links once
    in a while to check they haven't turned into something else.
    
    ------------------------------
    
    Date: Mon, 5 Nov 2001 21:11:49 -0500
    From: "Paul Bowers" <pbowersat_private>
    Subject: Re: Kids' learning game site becomes porn site (RISKS-21.73) 
    
    On a similar theme, one of my visitors pointed out to me that a link from my
    site was now resolving to some cyber-babe page.  Apparently, exicom.org
    recently changed owners.
    
    The articles I had linked from the site were good technical pages.
    
    ------------------------------
    
    Date: Tue, 06 Nov 2001 14:37:22 +0200
    From: Amos Shapir <amosat_private>
    Subject: Re: DeCSS is Speech (Tyre, RISKS-21.73)
    
    May I point out that the original purpose of ALGOL -- the granddaddy of all
    structured programming languages -- was to create a common set of notations
    which would enable people to converse about algorithms.  ALGOL code was not
    meant to be compiled into executable object code, and its first
    specification (of 1960, IIRC) had no defined means for I/O.
    
    Amos Shapir
    
    ------------------------------
    
    Date: Sun, 11 Nov 2001 07:31:51 -0700
    From: "William Kucharski" <kucharskat_private>
    Subject: Re: DoS attack on Mac OS9 (Gat, RISKS-21.73)
    
    The risk in MacOS 9 is not surprising, and not really a RISK.  Not unless
    you're expecting the Multiple Users feature of MacOS 9 to provide anything
    more than rudimentary security.
    
    Sure, you can change passwords if you have physical access to the machine.
    You can also boot any Mac with a MacOS 9 CD and completely circumvent all
    protection.
    
    The biggest RISK here is believing a feature meant largely to provide
    different environments for different family members or to prevent clueless
    users from damaging the system (i.e. dragging crucial system control panels or
    extensions to the trash) provides any TRUE degree of security...
    
    William Kucharski <kucharskat_private>
    
    ------------------------------
    
    Date: Sun, 11 Nov 2001 16:51:33 -0800
    From: Carl Maniscalco <camannospamat_private>
    Subject: Re: DoS attack on Mac OS9 (Gat, RISKS-21.73)
    
    The Multiple Users control panel in OS 9 *is* a pretty ugly hack but the
    security risk isn't quite as bad as Mr. Gat makes it out to be. To effect a
    password change that would "render that machine useless," the malicious user
    would have to gain access to a Mac where someone has already logged on to
    the admin account. In my opinion, anyone who leaves a computer unattended in
    that state in an insecure environment probably deserves whatever he gets.
    
    Carl Maniscalco, Deus Ex Macintosh, Mac Consultants, San Diego, CA
    
    ------------------------------
    
    Date: 12 Feb 2001 (LAST-MODIFIED)
    From: RISKS-requestat_private
    Subject: Abridged info on RISKS (comp.risks)
    
     The RISKS Forum is a MODERATED digest.  Its Usenet equivalent is comp.risks.
    => SUBSCRIPTIONS: PLEASE read RISKS as a newsgroup (comp.risks or equivalent)
     if possible and convenient for you.  Alternatively, via majordomo,
     send e-mail requests to <risks-requestat_private> with one-line body
       subscribe [OR unsubscribe]
     which requires your ANSWERing confirmation to majordomoat_private .
     [If E-mail address differs from FROM:  subscribe "other-address <x@y>" ;
     this requires PGN's intervention -- but hinders spamming subscriptions, etc.]
     Lower-case only in address may get around a confirmation match glitch.
       INFO     [for unabridged version of RISKS information]
     There seems to be an occasional glitch in the confirmation process, in which
     case send mail to RISKS with a suitable SUBJECT and we'll do it manually.
       .MIL users should contact <risks-requestat_private> (Dennis Rears).
       .UK users should contact <Lindsay.Marshallat_private>.
    => The INFO file (submissions, default disclaimers, archive sites,
     copyright policy, PRIVACY digests, etc.) is also obtainable from
     http://www.CSL.sri.com/risksinfo.html  ftp://www.CSL.sri.com/pub/risks.info
     The full info file will appear now and then in future issues.  *** All
     contributors are assumed to have read the full info file for guidelines. ***
    => SUBMISSIONS: to risksat_private with meaningful SUBJECT: line.
    => ARCHIVES are available: ftp://ftp.sri.com/risks or
     ftp ftp.sri.com<CR>login anonymous<CR>[YourNetAddress]<CR>cd risks
       [volume-summary issues are in risks-*.00]
       [back volumes have their own subdirectories, e.g., "cd 20" for volume 20]
     http://catless.ncl.ac.uk/Risks/VL.IS.html      [i.e., VoLume, ISsue].
       Lindsay Marshall has also added to the Newcastle catless site a
       palmtop version of the most recent RISKS issue and a WAP version that
       works for many but not all telephones: http://catless.ncl.ac.uk/w/r
     http://the.wiretapped.net/security/info/textfiles/risks-digest/ .
     http://www.planetmirror.com/pub/risks/ ftp://ftp.planetmirror.com/pub/risks/
    ==> PGN's comprehensive historical Illustrative Risks summary of one liners:
        http://www.csl.sri.com/illustrative.html for browsing,
        http://www.csl.sri.com/illustrative.pdf or .ps for printing
    
    ------------------------------
    
    End of RISKS-FORUM Digest 21.74
    ************************
    



    This archive was generated by hypermail 2b30 : Sun Nov 11 2001 - 20:08:31 PST