Daily Telegraph (UK) Thursday 13th May 1999 - Connected (IT pullout) p.2Singaporean Internet provider SingNet has apologised to its subscribersafter scanning their PCs without their knowledge. SingNet asked theSingaporean Home Affairs Ministry to help check the computers of its 200,000subscribers in the wake of the damage caused by the CIH virus.Unfortunately for SingNet an anti-hacking program being used by a customerpicked up scanning, which was reported to the police. The scan was tracedback to the government. The company says it did not look at any confidentialfiles but did find that 900 subscribers have virus- infected computers.Andrew Brydon, Systems & Software Safety Analyst

From AAP via Sydney Morning Herald, Monday may 17, 1999, p4with insertions by JC in [ ].Many St George Bank [Australia's fifth largest bank] customers were leftshort at the weekend when automatic teller machines gobbled up their cashcards as the bank installed a new computer system.The bank refused to say how many customers lost their cards.  [The bankprobably do not know how many cards were 'gobbled' yet because they wereclosed from their normal Saturday morning trading in preparation for thechangeover.]A spokesman said the problem occurred because of the expiry dates on certaincards.  Canberra resident, Mr Steve Pye, who lost his card on Saturday, saidthere would be no replacements until Wednesday for "people like me with nomoney in my pocket . . .  "I'm as mad as hell about it."John Colville, University of Technology, SydneyBroadway, NSW, Australia, 2007  colville@socs.uts.edu.au  +61-2-9514-1854

This happened to me the other month: an interesting interaction between twoconvenience features in web browsers and operating systems.Where I work there is an internal server (let's call it 'qqq') thatmaintains some data used by the group I work in.  The machine generates testdata and serves dozens of report pages all hyperlinked together andaccessible via a web client.  Because it's on a corporate intranet, alldesktop machines that can access the server happen to be configured suchthat they are able to use the short version of the server's name, ratherthan the long version of the name.  So instead of typing "qqq.example.com",users can just type "qqq" and the client's OS configuration for DNS lookupswill find the right host.  This is a convenient, time-saving feature.On the public Internet, by contrast, there is a widespread convention for aweb server owned by "The Example Corporation" to be named "www.example.com".No doubt this convention was influenced by Netscape's decision toautomatically expand bare hostnames typed into the "Location" field byprepending "www." and appending ".com".  So instead of typing"www.example.com", a user can just type "example".  This is a convenient,time-saving feature.Some months ago, the nameservers here at my employer were slightly amnesic,and kept forgetting the DNS entry for our server.  So some mornings we wouldtype 'qqq' into the Location: field of Netscape, and we would get "serverdoes not have a DNS entry," because neither 'qqq' nor 'qqq.example.com' nor'www.qqq.com' existed.  Although Netscape only reports 'qqq' in the dialog,it does report the other names it tries in the status bar.  This is mostlyharmless.One day, somebody set up a web site under the name 'www.qqq.com'.From then on, whenever my employer's DNS server forgot the IP address of'qqq.example.com' but could find 'www.qqq.com', Netscape would decide thatwhen I typed 'qqq' I must have meant 'www.qqq.com', since neither 'qqq'itself nor 'qqq.example.com' exist, and would proceed with its request usingthe new host name.To make matters worse, Netscape can sometimes do this even after it hasalready done the DNS lookup on the host name.  If this happens at just thewrong time, it means that the remote system with the similar name gets allthe information we would have sent to our own server: names and passwordsused to authenticate with the local server, any cookies set by programs onthe server, and usually a few user ID's and file names in the URLs.If our clients were point-of-sale terminals, this data could have includedeverything from credit card numbers and purchase details to complete credithistories from applications for financing.Interestingly enough, this problem never happened at one of my formeremployers, which has a different policy for corporate host names.  Theyinsist on naming all hosts according to a company-wide encoding system thatincludes machine type, function, location, partial encoding of the IPaddress, and a check digit, which results in tens of thousands of machineswith host names like "n3rndghh" or "amhjrxml".  To date I know of nobody whohas ever registered the domain name "www.n3rndghh.com", nor any other .comdomain name that is valid in the scheme used by my former employer, so therehave probably been no such collisions to date (although of course it'salways possible to cultivate one).Zygo Blaxell, Linux Engineer, Corel Corporation.  zygob@corel.ca (work) orzblaxell@furryterror.org (play).

When the Melissa virus hit, everyone in our R&D software lab updated theirvirus checkers and went into inoculation and quarantine mode.  Several weekslater, I tried to run one of my old utility applications written inMicrosoft Visual Basic (VB) and compiled into a .exe, and it was suddenlyflagged as a "Backdoor.Trojan" virus.  While the UNIX & Java in me saw greathumor in it, I was no longer able to run a useful app.Debugging the situation, I found that some function calls from a VB app intoa Visual C++ COM object resulted in some VB .exe code that looked like avirus. Changing the type, order and number of parameters in a function calland/or changing the location from which the function call was made wouldinfluence whether or not the resulting .exe looked like a virus.  For thoseinterested, I spent most of my time reproducing the problem with:   .idl:    ... HRESULT test([in] BSTR foo, [in] int bar)   .h:     STDMETHODIMP(test)(/*[in]*/ BSTR foo, /*[in]*/ int bar)   .cpp  STDMETHODIMP MyClass::test(BSTR foo, int bar)   .bas   mc.test "Hi", 2I reported the problem to the virus checker company, and they confirmed some"false detection" cases. Fortunately for both of us, their latest virusdefinition update contained a fix for this problem.  Unfortunately for someother folks in our lab, they ran into the same false virus alert with theirVB apps and they removed them without question.Clearly viruses and the code to detect them are getting extremely complex,so the opportunity for false alerts will do nothing but rise.  It alsooccurred to me that the publication of false alert notices has its own setof risks.Thomas Gilg, R&D Software Engineer, Hewlett-Packard  thomas_gilg@hp.com

I was told the following story by an associate who is managing a largedistributed IT installation.  The administrators at one site installed ananti-virus product on a machine running the Microsoft Exchange e-mailserver.  Exchange keeps all incoming mailboxes in a monolithic databaseof a proprietary format.  The administrators enabled a parameter of thevirus scan program to automatically clean the virus-infected files.  Thevirus scanner detected an instance of the CAP macro virus in a mailattachment WITHIN the Exchange database and proceeded to "clean" the file byperforming an in-place modification on it.  As a result the database wascorrupted, users could not access their mail, and subsequent attempts torepair the database using the facilities provided by Exchange failed.Eventually the database was recovered from a backup resulting in lost e-mailmessages.  There are many lessons that can be drawn from this story; I wouldlike to emphasise the risks of proprietary, opaque, or gratuitouslycomplicated file formats such as those used by Microsoft Word documents, andthe Exchange database.  Architecting and implementing an efficient,extensible, and functional file format and interface can be difficult andexpensive.  However, the cost is most cases justified the resultingrobustness, openness, usability, and extensibility of the system.Diomidis Spinellis, University of the Aegean

In MS Visual J++, Microsoft will sometimes use a single carriage return as aline terminator.  As pointed out by Daniel Graifer, this can introduce bugswhen moving the source code to a different compiler - EVEN ON THE SAMEPLATFORM (ex. Semantic's Visual Cafe and the Sun's Java SDK on MS Windows)This looks like either an attempt to lock a developer into one set of toolsor very sloppy design.The two workarounds I have found are to either load the source file into aneditor that recognized "\n", "\r", & "\r\n" as line terminators (ex. PFE)then resave the file, or to write a filter to handle the translation.Roy Wright, Cisco Systems royw@cisco.com 1-512-378-1234

All the risks that Bruce Wampler mentions for misaddressed e-mail have beenpresent for centuries with misaddressed paper mail.  Mangle one digit of astreet address and your envelope can quietly go to the wrong place.  It'sthen up to the good graces of the inadvertent recipient to reroute it and torespect its confidentiality.The only difference I note is that important but misaddressed paper mail hasa noteworthy appearance to distinguish it from bulk commercialadvertisements, and is therefore less likely than e-mail to be discardedunnoticed.Andrew Klossner (andrew@pogo.wv.tek.com)

It's worse than he thinks.  First, I spoke with a friend who works atHotmail and they currently have about 43 million subscribers.  Surprisingly,about 1/3 log in every day.  Assuming yahoo! and the rest are in the sameballpark, then Dan is off by an order of magnitude.  Furthermore, people atthese sites frequently get mail that was meant for the same username atanother site.  I.e. jsmith@hotmail gets mail meant for jsmith@yahoo.com.Their friends just can't remember what site they are at.  (I have thisproblem with my kids, who all have free accounts SOMEwhere).  Lastly, Iwould have thought that I could get an account with my name (thayne) butcould not.  I got forbes_thayne, but was surprised to learn that there isactually someone else on the net with the same combination of slightlyunusual names.  I guess the lesson is that when you are dealing withmillions of monkeys, anything is possible.