Politech mailing list archives

FC: Risks Digest: Pi, Microsoft woes, Weatherbug privacy analysis


From: Declan McCullagh <declan () well com>
Date: Sat, 26 May 2001 11:57:27 -0400

[Some excerpts from Peter Neumann's latest Risks-Forum Digest, Volume 21, Issue 42. --Declan]

------------------------------

Date: [not included]
From: "Keith F. Lynch" <kfl () KeithLynch net>
Subject: Converting Pi to binary: DON'T DO IT! (via Russ Perry Jr.)

Newsgroup: alt.math.recreational

WARNING:  Do NOT calculate Pi in binary.  It is conjectured that this
number is normal, meaning that it contains ALL finite bit strings.

If you compute it, you will be guilty of:

* Copyright infringement (of all books, all short stories, all
  newspapers, all magazines, all web sites, all music, all movies,
  and all software, including the complete Windows source code)
* Trademark infringement
* Possession of child pornography
* Espionage (unauthorized possession of top secret information)
* Possession of DVD-cracking software
* Possession of threats to the President
* Possession of everyone's SSN, everyone's credit card numbers,
  everyone's PIN numbers, everyone's unlisted phone numbers, and
  everyone's passwords
* Defaming Islam.  Not technically illegal, but you'll have to go
  into hiding along with Salman Rushdie.
* Defaming Scientology.  Which IS illegal -- just ask Keith Henson.

Also, your computer will contain all of the nastiest known computer
viruses.  In fact, all of the nastiest POSSIBLE computer viruses.

Some of the files on my PC are intensely personal, and I for one
don't want you snooping through a copy of them.

You might get away with computing just a few digits, but why risk it?
There's no telling how far into Pi you can go without finding the secret
documents about the JFK assassination, a photograph of your neighbor's six
year old daughter doing the nasty with the family dog, or a complete copy of
the not-yet-released Pearl Harbor movie.  So just don't do it.

The same warning applies to e, the square root of 2, Euler's constant, Phi,
the cosine of any non-zero algebraic number, and the vast majority of all
other real numbers.

There's a reason why these numbers are always computed and shown in decimal,
after all.

------------------------------

Date: Fri, 25 May 2001 15:03:17 -0700 (PDT)
From: "Peter G. Neumann" <neumann () csl sri com>
Subject: ``The Wind Done Gone'' ban done gone -- with abandon, gone

Although it is not directly computer relevant, this case is nonetheless
noteworthy in RISKS, where April-Fools' spoofs and parodies are an old
tradition.  A U.S. appeals court in Atlanta today overturned a lower-court
ruling that Margaret Mitchell's estate could block the publication of ``The
Wind Done Gone'', an apparent parody of ``Gone With the Wind'' that is
written from the point of view of black slaves.  [Source: Karen Jacobs,
Reuters, 25 May 2001, PGN-ed]

------------------------------

Date: Thu, 24 May 2001 09:32:40 -0700
From: "NewsScan" <newsscan () newsscan com>
Subject: FBI arrests dozens for Internet fraud

The Federal Bureau of Investigation has in the past ten days charged 88
individuals with Internet crimes, including wire and mail fraud and money
laundering. A government prosecutor said: "Internet fraud -- whether it's in
the form of securities and other investment schemes, online auction and
merchandising schemes, credit card fraud and identity theft -- has become
one of the fastest-growing and most pervasive forms of white-collar crime."
(Bloomberg News/*The Washington Post*, 24 May 2001; NewsScan Daily, 24 May
2001; http://washingtonpost.com/wp-dyn/articles/A67744-2001May23.html)

------------------------------

Date: Fri, 11 May 2001 23:39:05 -0400
From: Monty Solomon <monty () roscom com>
Subject: What they know or don't know about you!

When Richard Smith (Privacy Foundation's CTO) obtained his FBI file from
Choicepoint in Georgia, he discovered that he had died in 1976, and had had
aliases with Texas convicts known as Ricky or Rickie.  This is apparently
the kind of info that the FBI now depends on.  In 1998, a Chicago woman with
no criminal record was fired after Choicepoint info mistakenly indicated she
was a shoplifter and convicted drug dealer.  Choicepoint info was also
involved in thousands of Floridians being mistakenly identified as felons
and disenfranchised in the November 2000 election.  Choicepoint blames that
on a data aggregator, DBT.
  [Source: Julia Scheeres, What They (Don't) Know About You, 11 May 2001
    http://www.wired.com/news/privacy/0,1848,43743,00.html; PGN-ed]

    [With regard to flagrant data mining of incorrect information,
       What's yours is mined.  PGN]

------------------------------

Date: Thu, 17 May 2001 13:14:01 -0400
From: Dave Weingart <dave.weingart () us randstad com>
Subject: EU considers retaining *all* telecom traffic

According to an article in The Register, the Council of the European Union
is considering implementing rules that call for storing all telecom traffic
(all phone calls, all Net usage, every e-mail) and making this data
accessible for at least seven years.  This will be done in the name of
"public safety and law enforcement," no doubt.

http://www.theregister.co.uk/content/5/19003.html

Technical considerations aside (the concept of server farms the size of
France comes to mind), the whole thing is just a dreadful idea.

Dave Weingart, Randstad North America  dave.weingart () us randstad com
1-516-682-1470

------------------------------

Date: Thu, 24 May 2001 09:32:40 -0700
From: "NewsScan" <newsscan () newsscan com>
Subject: CERT subjected to "just another attack"

The Web site of the federally funded Computer Emergency Response Team (CERT)
was clogged by a "denial of service" attack that lasted 30 hours this
week. CERT, which is located at Carnegie Mellon University in Pittsburgh,
has a mission of providing warnings about computer attacks and viruses. An
official of the organization said: "We get attacked every day.  This is just
another attack. The lesson to be learned here is that no one is immune to
these kinds of attacks. They cause operational problems, and it takes time
to deal with them." [AP/*USA Today*, 24 May 2001; NewsScan Daily, 24 May 2001
  http://www.usatoday.com/life/cyber/tech/2001-05-24-cert-hacked.htm]

------------------------------

Date: Tue, 15 May 2001 12:35:09 -0400
From: Robert Moskowitz <rgm () icsalabs com>
Subject: Great DoS attack for cell phones

  (by way of David Kennedy)

Courtesy of the FAA:

The FAA has this neat airport traffic website:

http://www.fly.faa.gov/flyFAA/index.html

where you can check out conditions at any airport.  Well, recently they
added the option to get e-mail on airport conditions:

http://www.fly.faa.gov/Notify_Signup/notify_signup.html

with a warning to be careful not to select all airports as that would be a
lot of mail.

Now the way this works is you put in an e-mail address and a password.  This
is the password to make changes on the FAA's site.  Then they ask you what
airports and how many characters your e-mailer can handle.

I have selected DTW and for days I will get no mail.  This morning I have
already gotten 3 messages about various delays due to different thunderstorms.

So if someone does not like someone else, they just set this system to mail
bomb the other person's cell phone.  Imagine how annoying it will be with a
phone constantly going off and not knowing how to stop the mail.  Would
most people figure out how to get this stopped?  **I** have not contacted
my cellular provider on how to stop SMS spam, so I doubt if there is much
experience here.  There will be before this year is done.

Robert Moskowitz, Senior Technical Director  rgm () icsa net
ICSA Labs, a division of the TruSecure Corporation   (248) 968-9809
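The sign-up described above lets anyone enter an arbitrary e-mail address and have alerts sent to it. As an added example (not the FAA's code, and not something the post describes), here is a minimal subscription model that only delivers to an address once its owner has confirmed a token sent to that address, and that caps deliveries per address per day. The class name, token scheme and `max_per_day` value are assumptions made for the illustration.

```python
import hmac
import secrets

class NotifySubscriptions:
    """Hypothetical notification sign-up (added example, not the FAA's service).

    An address receives nothing until its owner presents the confirmation
    token, and no address receives more than max_per_day messages in any
    rolling 24-hour window.
    """

    DAY = 86400  # seconds

    def __init__(self, max_per_day=20):
        self.max_per_day = max_per_day
        self.pending = {}    # address -> (token, airports) awaiting confirmation
        self.confirmed = {}  # address -> set of airport codes
        self.sent = {}       # address -> delivery timestamps (seconds)

    def request(self, address, airports):
        """Record a sign-up request; returns the token that would be e-mailed
        to the address.  Nothing is delivered until confirm() succeeds."""
        token = secrets.token_urlsafe(16)
        self.pending[address] = (token, set(airports))
        return token

    def confirm(self, address, token):
        """Activate the subscription only if the presented token matches."""
        entry = self.pending.get(address)
        if entry is None or not hmac.compare_digest(entry[0], token):
            return False
        self.confirmed[address] = entry[1]
        del self.pending[address]
        return True

    def notify(self, airport, now):
        """Deliver an alert for one airport; returns the addresses it went to.
        'now' is a timestamp in seconds, passed in so the logic is testable."""
        delivered = []
        for address, airports in self.confirmed.items():
            if airport not in airports:
                continue
            recent = [t for t in self.sent.get(address, []) if now - t < self.DAY]
            if len(recent) >= self.max_per_day:
                continue  # daily cap reached: drop rather than flood the address
            recent.append(now)
            self.sent[address] = recent
            delivered.append(address)
        return delivered
```

The two checks are independent: the confirmation step stops a third party from subscribing someone else's address at all, and the cap bounds the damage if a confirmed address is later flooded by a burst of thunderstorm delays.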

------------------------------

Date: Wed, 23 May 2001 15:10:44 -0400
From: Jonathan Arnold <jdarnold () buddydog org>
Subject: Office XP modifies what you type: Peter Deegan in Woodyswatch

[From Woody's Office Watch (http://www.woodyswatch.com)]

  4. IN OFFICE XP, THE LINK YOU TYPE AIN'T WHAT YOU GET
  Remember when I asked you to send me your rants about Office XP?
  Editor-in-Chief Peter Deegan has a great one:

  I didn't believe it when it first happened to me, but now Microsoft
  arrogantly and shamelessly confirms the bug.  When you type a hyperlink in
  FrontPage 2002, Word 2002, Excel 2002, PowerPoint 2002, or Outlook 2002
  (using Word as your email editor), the Office application will alter what
  you've typed, without notifying you or giving you an opportunity to undo
  the "correction." In fact, in most cases, you can't override the
  "correction" at all: you're stuck with FP, Word or Excel's version of what
  you typed.  Tough luck Charlie.

  Try it yourself. In Office XP, choose Insert | Hyperlink then type in this
  fake hyperlink
    http://www.fred.com/trial//2345/
  Hit enter, and the double slash is unceremoniously converted to a single
  slash. You aren't notified. You aren't given a chance to change it. In
  fact, with one exception, you can't even *override* Office's ham-handed
  mangling of your carefully constructed hyperlink.

  The exception: in FrontPage 2002 you can fix the link by going into HTML
  mode and overtyping - but there's no such option in Word, Excel,
  PowerPoint, or Outlook.  Even Microsoft can't suggest a workaround.

  It's even worse than you might imagine. The text appears in the document
  the way you typed it - that is, you'll see
    http://www.fred.com/trial//2345/
  in your document. But the link itself - the part behind the scenes that
  controls where you go when you click on the text - is altered to
    http://www.fred.com/trial/2345/
  without any notice. Don't believe me? Follow these instructions, then
  right-click on the hot text and pick Edit Hyperlink. Look in the Address
  box. See that?

  While a double slash is unusual, it is a valid hyperlink used in the real
  world, most commonly as a delimiter between parameters. Microsoft has no
  right to arbitrarily change a link I've typed, especially if there's no
  way to override the change.

  We put this problem to Microsoft's PR folks with a series of questions to
  help clarify the situation. Their response was among the most arrogant and
  obfuscatory we've seen in many years of dealing with the company - a
  dismissive response not designed to help or reassure prospective Office XP
  purchasers. In fact, it has only made a bad situation worse.

  Microsoft says it's not an issue at all!  The change is done intentionally
  for (you gotta love this) "cleanliness and consistency." Oy. Apparently
  the accuracy of a hyperlink is secondary to it looking nice.

  Microsoft dismisses the double-slash change problem saying they "don't
  know of any servers which deal with a double slash in the path component
  any way other than to treat it as a single-slash". C'mon. Call
  1-800-GET-A-CLUE guys.  Double slashes are used all the time. More than
  that, it isn't Microsoft's job to decide whether the URLs I type are
  politically correct.

  Microsoft goes on to say "some older servers did not like to have the
  double-slashes in the path and had difficulties with double slashes."
  Well, OK, that may be true but there are plenty of other typing errors
  that can make a link break. Double-slashes may be a problem in some cases,
  but in others they are necessary.

  I really wanted to hURL when the 'Softies said, "we don't change the
  parameter data, only the path part of the URL."  Good grief. This comes
  from a company that assumes everyone uses the Microsoft method of passing
  information through links. In the Microsoft world you pass data to a web
  page by adding a question mark to the end of the link then adding the
  variables. Incredibly, not everyone uses Microsoft servers, and there are
  other ways to pass information through a web link. One of the ways we've
  found includes having double-slashes. Microsoft Office XP now blocks those
  uses with no recourse.

  Even if you accept the logic that double-slashes in hyperlinks are
  non-existent or bad, that doesn't change the more general principle that
  the user is entitled to type in something and have it stick, unchanged. If
  Microsoft wants to make a change for "cleanliness and consistency" they
  should build in a warning to the user and a way to reverse the change. A
  Smart Tag would work nicely. But in this case neither of these basic
  design courtesies is honored. The company has gone too far in compulsory
  changes to the link with no warning to the user or any workaround to fix
  the Autocorrect.

  Adding injury to insult, there's no documentation on these changes in the
  help file. Microsoft has declined to provide details of any other
  compulsory changes made to hyperlinks in Office XP nor have they suggested
  any workaround for those affected, or some way to switch off this
  behavior.  The Microsoft arrogance shows through: it's not a problem, so
  why bother fixing it?

  The fact that Microsoft has declined to detail what changes are
  arbitrarily made to links makes us even more concerned.  Office XP users
  don't know what compulsory changes will be made to their links. Chances
  are they'll find out the way I did - the hard way.

Jonathan Arnold  jdarnold () smartdrops com  Senior Product Developer
Integrated Delivery Systems  http://www.smartdrops.com
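The column's point is that `http://www.fred.com/trial//2345/` and `http://www.fred.com/trial/2345/` are different identifiers, because an empty path segment is still a segment (RFC 3986 allows empty segments). The following is an added example, not code from Woody's Office Watch or from Microsoft: `collapse_double_slashes` models the behaviour the column describes (repeated slashes in the path collapsed, query left alone) as an assumption drawn from the text, and `same_resource` shows that the rewritten link no longer names the same resource.

```python
from urllib.parse import urlsplit, urlunsplit

def path_segments(url: str) -> list:
    """Split a URL's path into segments; an empty string is an empty
    segment, i.e. the position between two adjacent slashes."""
    return urlsplit(url).path.split("/")[1:]

def collapse_double_slashes(url: str) -> str:
    """Model of the Office XP rewrite described in the column (assumption:
    reconstructed from the text, not Microsoft's code).  Runs of slashes in
    the path collapse to one; scheme, host, query and fragment are kept."""
    parts = urlsplit(url)
    collapsed = "/".join(seg for seg in parts.path.split("/") if seg)
    new_path = "/" + collapsed if parts.path.startswith("/") else collapsed
    if parts.path.endswith("/") and collapsed:
        new_path += "/"  # keep a trailing slash if the original had one
    return urlunsplit((parts.scheme, parts.netloc, new_path,
                       parts.query, parts.fragment))

def same_resource(a: str, b: str) -> bool:
    """Compare two URLs as identifiers: scheme and host case-insensitively,
    the path segment by segment (empty segments count), the query verbatim."""
    pa, pb = urlsplit(a), urlsplit(b)
    return (pa.scheme.lower(), pa.netloc.lower(), path_segments(a), pa.query) == \
           (pb.scheme.lower(), pb.netloc.lower(), path_segments(b), pb.query)

if __name__ == "__main__":
    typed = "http://www.fred.com/trial//2345/"
    stored = collapse_double_slashes(typed)
    print("typed :", typed, path_segments(typed))
    print("stored:", stored, path_segments(stored))
    print("same resource:", same_resource(typed, stored))
```

Running it shows the typed link has four path segments (`trial`, empty, `2345`, empty) and the stored link three, which is exactly why a server that uses the empty segment as a delimiter sees a different request after the silent rewrite.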

------------------------------

Date: Tue, 22 May 2001 17:31:03 -0500
From: James Garrison <jhg () athensgroup com>
Subject: Weatherbug

Someone recently sent me a reference to a program called Weatherbug and
asked me to evaluate it from the perspective of a network admin for a small
company where some employees are using it.

It's a Windows program that places a local temperature icon in your taskbar
and then continuously monitors local weather data from the AWS Weathernet.
If you click on the taskbar icon it displays a panel showing local weather
data updated in near-real-time.

The service and Weatherbug executable are free and the whole thing is
supported by advertising that is displayed in the Weatherbug window.  I was
curious about the security implications so I downloaded and installed
Weatherbug with the intention of monitoring the IP traffic it generates with
a packet sniffer.

The first thing that happens during install is you are asked if you want to
also install two additional tools, "Gator" and "Offer Companion".  Here's
the blurb on the install dialog:

   By including Gator and its OfferCompanion Software with
   Weatherbug, we're making your computer smarter!

   Gator and OfferCompanion are among the web's most popular
   products.  Gator fills in your passwords and online forms
   automatically - with no typing! And OfferCompanion delivers
   great offers to you based on web sites you visit!

The checkbox indicating that you want to install these "products" is checked
by default.  Needless to say, I did NOT allow it to install them (but then
how do I know whether it listened to me or not ;-).  Gator is clearly
dangerous.  I assume it keeps a database of previously seen web forms and
the data you entered previously, and then re-enters the same data the next
time you visit the same page.  Regular RISKS readers should be cringing
visibly by now :-)

Anyway, I started up Weatherbug and monitored its traffic:

1) During registration you are asked to provide quite a bit of
   personal info, including name, address, and income.  Luckily
   (or I wouldn't have proceeded) all data is optional except
   for your Zip code, so it can locate weather stations nearby.
   The registration data is sent to a Weatherbug server in
   an HTTP GET request.

2) After you register, the software sends an HTTP POST to
   216.33.111.107, which does not seem to have a reverse DNS
   entry.  The POST data is:

      InstallType=Full+Install&GatorStatus=Opt-Out&BCheck=

3) It appears to do everything over HTTP, so it's totally "pull"
   based.  It does not *appear* to open any persistent
   connections. Also it seems to issue only GET requests in normal
   operation.  I didn't see any POSTs other than the one described
   above. Of course, it's quite possible to send any data as
   parameters in a GET, so the absence of POST shouldn't be taken
   as implying anything positive.

4) In addition to retrieving weather data from the location you
   configured (any of over 5000 AWS sites located mainly at
   schools), it downloads ad gifs from doubleclick.net.

5) During registration you are assigned a registration ID that is
   sent to the Weatherbug server at various times.  I did not see
   any evidence that the registration ID is sent to sites other
   than Weatherbug (i.e. ad requests didn't include the
   registration ID)

6) Every time Weatherbug starts up, my Win2K machine issues a
   single NETLOGON request to the PDC with a blank username, which
   is rejected. I don't know enough about MS authentication
   protocols to know if Weatherbug is doing this or it's just a
   byproduct of how Windows works.

7) When the main window is hidden (to a taskbar icon), most IP
   traffic stops.  It still checks the weather data about once a
   minute but does not appear to load ads.

8) If you uninstall and re-install Weatherbug you are not asked to
   register again.  The uninstall does not delete registry keys,
   so in order to completely remove it you must manually edit the
   registry.

I found no evidence that Weatherbug is "spyware", but then this was a very
cursory examination.  It does seem to limit its data capture to your direct
interactions with its GUI, but the possibilities for abuse are so high that
I would not personally use it on an ongoing basis.  It includes an automatic
software update capability and there's no guarantee that future versions
won't quietly slip in some "enhanced" data gathering techniques.  When the
capability is there, the temptation to use it has got to be tremendous.

Beyond the obvious security risks I'm also concerned about Weatherbug's
bandwidth usage. When the main window is open and updating both weather data
and ads in real time, it consumes about 20 kilobits/second. If you're a
small company depending on an ISDN, DSL or fractional T1 link, it doesn't
take very many of these to adversely affect other users.

I'm curious to know if anyone else has conducted a more thorough
evaluation and analysis of Weatherbug.

James Garrison, Athens Group, Inc., 5608 Parkcrest Dr, Austin, TX 78731
jhg () athensgroup com    1-512-345-0600 x150  http://www.athensgroup.com
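The evaluation above boils down to a few checks over a packet capture: which methods and hosts appear, what the one POST carried, whether the registration ID ever travels to a host other than the vendor's, and the average bandwidth. As an added example (not James Garrison's tooling and not real Weatherbug traffic) the script below runs those checks over a constructed request log. The hostnames `weather.example` and `ads.example` and the log format are invented; the address 216.33.111.107 and the POST body are the ones quoted in the post. The sample deliberately includes one ad request that carries the ID, so the leak check has something to report.

```python
from collections import Counter
from urllib.parse import parse_qs, urlsplit

# Constructed sample capture, one request per line:
#   "<seconds> <METHOD> <url> <bytes_on_wire> [<form body>]"
SAMPLE_CAPTURE = """\
0 GET http://weather.example/register?zip=78731&regid=REG-0001 900
1 POST http://216.33.111.107/install 400 InstallType=Full+Install&GatorStatus=Opt-Out&BCheck=
2 GET http://weather.example/obs?regid=REG-0001&station=DTW 2500
3 GET http://ads.example/ad.gif?slot=top 4000
4 GET http://ads.example/ad.gif?slot=side&ref=REG-0001 3000
5 GET http://weather.example/obs?regid=REG-0001&station=DTW 2500
"""

# Hosts the application is expected to talk to (assumption for the example).
FIRST_PARTY = {"weather.example", "216.33.111.107"}

def parse_line(line):
    """Parse one capture line into a dict with query and body decoded."""
    parts = line.split(" ", 4)
    ts, method, url, size = int(parts[0]), parts[1], parts[2], int(parts[3])
    body = parts[4] if len(parts) > 4 else ""
    u = urlsplit(url)
    return {
        "time": ts, "method": method, "host": u.hostname, "path": u.path,
        # keep_blank_values so an empty field such as BCheck= is still visible
        "query": parse_qs(u.query, keep_blank_values=True),
        "body": parse_qs(body, keep_blank_values=True),
        "bytes": size,
    }

def parse_capture(text):
    return [parse_line(l) for l in text.splitlines() if l.strip()]

def method_counts(reqs):
    """GET vs POST breakdown (item 3 of the post)."""
    return Counter(r["method"] for r in reqs)

def post_bodies(reqs):
    """Decoded form data of every POST (item 2 of the post)."""
    return [r["body"] for r in reqs if r["method"] == "POST"]

def third_party_id_leaks(reqs, reg_id, first_party=FIRST_PARTY):
    """Hosts outside first_party that received reg_id in any query or body
    value (item 5 of the post).  Values are checked, not just key names,
    so an ID smuggled under an unrelated parameter is still caught."""
    leaks = set()
    for r in reqs:
        if r["host"] in first_party:
            continue
        values = [v for vs in list(r["query"].values()) + list(r["body"].values())
                  for v in vs]
        if reg_id in values:
            leaks.add(r["host"])
    return sorted(leaks)

def avg_kilobits_per_second(reqs):
    """Average throughput over the capture window (the bandwidth concern)."""
    span = max(r["time"] for r in reqs) - min(r["time"] for r in reqs) or 1
    return sum(r["bytes"] for r in reqs) * 8 / 1000 / span

if __name__ == "__main__":
    reqs = parse_capture(SAMPLE_CAPTURE)
    print("methods:", dict(method_counts(reqs)))
    print("POST bodies:", post_bodies(reqs))
    print("hosts:", sorted({r["host"] for r in reqs}))
    print("ID sent to third parties:", third_party_id_leaks(reqs, "REG-0001"))
    print("average kbit/s:", round(avg_kilobits_per_second(reqs), 2))
```

Note the caveat the post itself makes: a GET can carry as much data in its query string as a POST carries in its body, so `third_party_id_leaks` inspects both, and a clean result only says the ID was not seen in this capture, not that the software cannot send it.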

------------------------------




-------------------------------------------------------------------------
POLITECH -- Declan McCullagh's politics and technology mailing list
You may redistribute this message freely if it remains intact.
To subscribe, visit http://www.politechbot.com/info/subscribe.html
This message is archived at http://www.politechbot.com/
-------------------------------------------------------------------------