Subject: Risks Digest 21.83

RISKS-LIST: Risks-Forum Digest  Weds 26 December 2001  Volume 21 : Issue 83

FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

***** See last item for further information, disclaimers, caveats, etc. *****

This issue is archived at and by anonymous ftp at ftp.sri.com, cd risks .

Contents:
Error at Board of Studies (Pete Mellor)
Wiretapping equipment compromised: FBI, CALEA (Michael E. Goldsby)
Security problems in Microsoft and Oracle software (NewsScan)
Latest Windows versions vulnerable to unusually serious attacks (Monty Solomon)
Software glitch grounds new Nikon camera - Tech News - CNET.com (Craig Mautner)
Secure in, insecure out (Jeremy Epstein)
Assume no safety ... (Peter Houppermans)
Re: Identity theft without prior knowledge of SSN (Brett Harmond)
Mersenne prime exponent wrong (Ken Knowlton)
Re: Computer will drive 820 passengers at 68 mph (Ian Entecott, Jonathan Thornburg, Curt Sampson, Jeff Jonas, Jacob Sparre Andersen, Anthony W. Youngman, Andrew Roberts, Jens Braband, Jerrold Leichter)
Abridged info on RISKS (comp.risks)

----------------------------------------------------------------------

Date: Sat, 15 Dec 2001 15:26:41 +0000 (GMT)
From: Pete Mellor
Subject: Error at Board of Studies

The following was sent to the Dean (Cc the School) by one Head of Department last Friday. I thought it might provide a little Christmas cheer!

> Please give my apologies to the Board for the error
> in my last report. I had written,
> "There should be a rewording of BSc CS's position .. "
> My spellchecker challenged "CS's". Unfortunately I
> clicked 'Replace' rather than 'Skip' without noticing.
> The default substitute for "CS's" is "Chihuahuas".

Peter Mellor, Centre for Software Reliability, City University, Northampton Square, London EC1V 0HB  +44 (0)20 7040 8422 [NEW]

  [The spelling checker must have been a little dogged in its persistent challenging. But it would be even more delightful if a Chihuahuan with a BSc degree had applied for the position. PGN]

------------------------------

Date: Thu, 20 Dec 2001 00:59:00 +0000
From: "michael e. goldsby"
Subject: Wiretapping equipment compromised: FBI, CALEA

A recent series of four newscasts on the Fox Network alleged that U. S. telephone call records have been falling into the hands of international organized crime. Call records allow traffic analysis but do not disclose the contents of the conversations.

However, the newscasts further alleged that the equipment used by the FBI to do the wiretaps authorized by the CALEA legislation (1994) has been compromised. It is said to contain back doors that allow unauthorized persons to obtain access to the contents of telephone conversations. The back doors were not put there by the FBI and are not under their control.

Partial transcripts of the newscasts are available at

  http://foxnews.com/story/0,2933,40684,00.html
  http://foxnews.com/story/0,2933,40747,00.html
  http://foxnews.com/story/0,2933,40824,00.html
  http://foxnews.com/story/0,2933,40981,00.html

The second newscast cites an example of a 1997 Los Angeles drug case in which access to telephone call records was used to "completely compromise the communications of the FBI, the Secret Service, the DEO [sic] and the LAPD."

------------------------------

Date: Fri, 21 Dec 2001 08:47:58 -0700
From: "NewsScan"
Subject: Security problems in Microsoft and Oracle software

Two top companies have issued new statements acknowledging security flaws in their products: Microsoft (Windows XP) and Oracle (the 9i application server, which the company had insisted was "unbreakable").
Resulting from a vulnerability called "buffer overflow," both problems could have allowed network vandals to take over a user's computer from a remote location. Microsoft and Oracle have released software patches to close the security holes, and a Microsoft executive says: "Although we've made significant strides in the quality of the software, the software is still being written by people and it's imperfect. There are mistakes. This is a mistake." (San Jose Mercury News 21 Dec 2001; NewsScan Daily, 21 December 2001)
http://www.siliconvalley.com/docs/news/svfront/secur122101.htm

------------------------------

Date: Fri, 21 Dec 2001 01:21:03 -0500
From: Monty Solomon
Subject: Latest Windows versions vulnerable to unusually serious attacks

Microsoft's newest version of Windows, billed as the most secure ever, contains several serious flaws that allow hackers to steal or destroy a victim's data files across the Internet or implant rogue computer software. ...

A Microsoft official acknowledged that the risk to consumers was unprecedented because the glitches allow hackers to seize control of all Windows XP operating system software without requiring a computer user to do anything except connect to the Internet. Microsoft made available on its Web site a free fix for both home and professional editions of Windows XP and forcefully urged consumers to install it immediately. ...

Ted Bridis, Associated Press, 20 Dec 2001
http://digitalmass.boston.com/news/2001/12/20/microsoft.html

  [The vulnerabilities involve the universal plug-and-play features, and were discovered by a team at eEye Digital Security Inc. of Aliso Viejo, Calif., led by Marc Maiffret. There were also subsequent reports that the free fix was not adequate. By the way, the free fix can arrive automatically with "drizzle", which allows MS to upgrade for you. PGN SAYS BEWARE OF MECHANISMS THAT OFFER AUTOMATIC UPGRADES, no matter how convenient they may seem.
  The article also quotes Microsoft's departing corporate security officer, Howard Schmidt, who is about to join Richard Clarke in the White House, expressing frustration about continuing threats from overflows. "I'm still amazed that we allow these things to occur." PGN]

------------------------------

Date: Thu, 20 Dec 2001 15:29:22 -0800
From: "Mautner, Craig"
Subject: Software glitch grounds new Nikon camera - Tech News - CNET.com

From the article http://news.cnet.com/news/0-1006-200-8246450.html?tag=pt.msnbc.feed..ne_8246450:

"...Given certain circumstances, the glitch can come into play if a person switches on the camera without first removing the lens cap. Depending on what position the zoom lens was in when the camera was last used, the lens cap will block the lens from automatically extending back to that position, resulting in an error that cannot be cleared by the owner..."

The risks? No doubt some user missed taking the one picture that would have won them a Pulitzer. Mere aggravation for all other users affected. Nikon is out a bunch of $$'s (or yen) involved in the cycle of recall, debug, reprogram a bunch of cameras.

Craig Mautner, Wind River Services, 10505 Sorrento Valley Road #1, San Diego, CA 92121-1608  1-858-824-3065  craig.mautner@windriver.com

------------------------------

Date: Wed, 26 Dec 2001 09:27:48 -0500
From: Jeremy Epstein
Subject: Secure in, insecure out

As readers of RISKS know, many Internet users think that HTTPS is equivalent to security. Here's an example where that went badly wrong.

My employer uses an online service to handle signups for the flexible spending plan (*). It uses an HTTPS form to collect the usual personal info: name, address, social security number, and amount to be deducted. So far, so good. I don't know what it does with the information (presumably puts it in a database, which has its own issues).

Then they e-mail the information back to the user for confirmation, including the SSN.
Interestingly, *someone* at the company understood the risks, because their "security and privacy" policy on their home page notes that unencrypted e-mail is not safe. (**) Whoever wrote that policy obviously wasn't working with the people building the system.

The response when we pointed the problem out was "we use HTTPS, so we're secure". After several rounds of back-and-forth with the vendor, they admitted the problem, and proposed to fix it early next year. Since this is software that gets used once a year (to meet the Dec 31st deadline), that was clearly a silly proposal, since all users would be forced into using the incorrect version. So after some arm-twisting, they changed the confirmation message to eliminate all but the last 4 digits of the SSN. A big improvement.

The risk here is that this is a commercial system that's presumably used by many other companies besides ours. How many other companies use this flawed system and never objected? And how many other equivalent systems are there out on the net? If I were looking for an easy way to commit identity theft, I'd be monitoring e-mails coming out of that company... chances are there's a lot of good info! (Which is why I'm not giving their name or URL!)

-----

(*) A flexible spending plan is established by US tax law to allow tax-free deductions from salary into an account which can then be used to pay for medical or child care expenses. By law, you have to decide by December 31st how much money will be deducted in the following year, and you (generally) can't change that decision once it's made. Also, any unspent money is not returned to the employee, so it's important to estimate accurately. Because of the legal Dec 31st deadline, it wasn't possible/feasible to wait for a more appropriate resolution of the problem.

(**) I did a Google search on the actual phrase used on their Web page to see if it would disclose who the vendor is.
They were the only vendor of their type who used the particular phrase, which is why I haven't quoted it verbatim, but it seems to be a catch phrase used in MANY security and privacy policies. So perhaps they just cut & pasted it without having a clue what it meant.

--Jeremy

P.S. Yes, I understand there are a lot of other risks in this system besides just sending the SSN unencrypted. This was just particularly egregious.

------------------------------

Date: Mon, 17 Dec 2001 16:43:01 -0000
From: Peter Houppermans
Subject: Assume no safety ...

I came across an ad in *Computing* for the new Samsung GT9000Pro notebook, one of the laptops following the trend to have a fingerprint scanner built in. Envisage: switch on the machine, press thumb and you're logged in (for the sake of Administrators' thumbs, I hope they allow a file update for a mass rollout, but I digress ;-).

Now, after this highly sophisticated, technically advanced piece of biometric technology has reliably authenticated, you can immediately start to work on your Corporate network ..

.. via its built-in Wireless LAN network card.

Duh.

The RISK: assuming that a fancy front-end (the scanner) implies a completely secure system.

Peter Houppermans, PA Consulting Group Ltd

------------------------------

Date: Mon, 17 Dec 2001 09:20:32 -0800 (PST)
From: Brett Harmond
Subject: Re: Identity theft without prior knowledge of SSN

A few years ago I had the pleasure of writing a program to pull credit reports electronically. During my testing, I learned that one only needs two of the following three pieces of information: Name (defined by last name and only the first three characters of the first name), SSN, and Address. Given any two of the three and making up the third, you can obtain a legitimate credit report. Considering how easy it is to find anyone's name and address, this makes it a piece of cake to get their social security number and other interesting information.

------------------------------

Date: Sun, 16 Dec 2001 20:26:19 EST
From: KCKnowlton@aol.com
Subject: Mersenne prime exponent wrong (RISKS-21.82)

(On the RISK of manually inputting digits:)

That new Mersenne prime as given on the cited Web page is 2^(13,466,917) - 1, not 2^(12,466,917) - 1. Shall we call this another off-by-one error, or off-by-two-to-the-millionth?

Ken Knowlton

------------------------------

Date: Mon, 17 Dec 2001 08:29:01 -0500
From: Ian.Entecott@tas.alcatel.ca
Subject: Re: Computer will drive 820 passengers at 68 mph (Norton, R 21-82)

The train control system being installed at JFK Airport is a SELTRAC system made by the Transport Automation division of Alcatel Canada Inc. Alcatel have installed several such systems around the world including the Docklands Light Railway, London, UK; the SkyTrain, Vancouver, BC, Canada and the LRT2, Kuala Lumpur, Malaysia. All operate to similar specifications given in Daniel Norton's posting; the DLR carries 130,000 passengers a day using 30 single and double vehicle driverless trains and has been in operation since 1993 without an accident to passengers or staff.

Regular readers of RISKS will already be saying to themselves that operating software problem free for several years is no guarantee that there are no problems waiting to be revealed but I hope Alcatel's record in developing automatic train control systems will reassure Daniel that the AirTrain will provide safe, reliable transport for the passengers and staff of JFK Airport.

Ian Entecott, Alcatel Canada Inc., Transport Automation Systems, 1235 Ormont Drive, Weston, Ontario, L3X 1N2, Canada.

------------------------------

Date: Sun, 16 Dec 2001 15:37:10 +0100
From: Jonathan Thornburg
Subject: Re: Computer will drive 820 passengers at 68 mph (R-21.82)

Vancouver, Canada's "Skytrain" light rail transit system has been operational since 1986, and currently carries an average of 110,000 people per day at cruising speeds of 72 km/hr, with a fleet of 150 cars on 29 km of track. (A major extension is currently under construction.) The system is fully computer-controlled: there are *no* drivers or (apart from roving fare checkers and security guards) any other transit personnel in the cars. Indeed, there are no driver's cabs in the cars.

Further details at
  http://city.vancouver.bc.ca/commsvcs/planning/atoz/A_ALRT.htm
  http://www.questercorp.com/transit/index.html

I lived in Vancouver during the system's initial commissioning and for some years thereafter, and I don't recall any serious problems being reported in the local press.

Jonathan Thornburg, Max-Planck-Institut fuer Gravitationsphysik (Albert Einstein Institut), Golm, Germany
http://www.aei.mpg.de/~jthorn/home.html

------------------------------

Date: Mon, 17 Dec 2001 13:38:34 +0900 (JST)
From: Curt Sampson
Subject: Re: Computer will drive 820 passengers at 68 mph

The biggest RISK here is lack of even basic research on the part of a worried person, I'd say.

  [... some duplication on Alcatel deleted. PGN]

As it turns out, for many of the safety systems, the technology is not even that new, or even computer-related. I asked a friend of mine who worked on this Alcatel system for his comments. He said:

> Well, most automated systems use some kind of physical interlocking
> system that guarantees safety. The trains are driven by computer, but
> because of the nice tidy one dimensional network problem, it's fairly
> easy to contain the safety critical portion into this interlocking.
> In some systems it's actually completely mechanical, with the computer
> (I kid you not) driving the motion of metal bars pneumatically. An
> unsafe route cannot be set without one iron bar passing through
> another iron bar.
>
> I guess the point is that this interlocking is present whether the
> system is human controlled or computer controlled: the only real
> difference is that in an automated system it's a computer paying
> attention to the signals and there is a mechanism to halt the train if
> a signal is ignored. In a human operated system an unsafe route still
> can't be set because of the interlocking, but a human can skip a
> signal and human systems usually don't include very effective
> mechanisms for forcing a stop when a signal is blown.
>
> Short version: we have hundreds of years of experience building safety
> critical train systems and in most cases these systems are still in
> use to protect the train and passengers---even when a computer is
> doing the driving.

(Actually, I've seen some pretty effective systems for making sure that human-driven trains stop. On the New York subways, there is a lever on the tracks at each signal that pops up when the light is red. If the driver attempts to pass the signal when this lever is up, the lever will trigger a switch under the car that turns on the brakes. If you stand at the middle or the head end of a subway platform in NYC, you can see this system in operation.)

Getting out of the safety area, I suppose the RISKS might include loss of service due to computer failures. But then again, given the level of train automation we're using even in systems with drivers, the risk appears not significantly different. (A severe computer failure in the train control systems on a system with drivers still brings the entire system to a halt; drivers rely on the signaling to make sure that they are taking safe actions.)

So to this reader at least, the risks are not at all obvious.
We've had automated systems shuttling around groups of "820 people at 68 mph" for a long, long time now, with an excellent safety record and, overall, a significant improvement in the number of people a system can move as compared to one with human drivers.

Curt Sampson  +81 90 7737 2974  http://www.netbsd.org

------------------------------

Date: Fri, 14 Dec 2001 22:57:29 -0500 (EST)
From: "Jeff Jonas"
Subject: Re: Computer will drive 820 passengers at 68 mph (Norton, R-21.82)

The Port Authority of NY & NJ already operates such train-systems:

* The PATH system mostly crosses the Hudson river, linking NY to NJ (the link to lower Manhattan was at the World Trade Center, a temporary station might open in 2 years). It looks like a subway system: high tech signalling and communications but the train's still totally under the motorman's control.

* The monorail around Newark airport seems fully or highly automated. It was recently extended to the Northeast Corridor train lines (N.J. Transit and Amtrak trains)

  [PS: I think the Port Authority of NY/NJ also owned/operated the World Trade Center. Related to this: after the first bombing, the twin towers were criticized for not meeting New York City fire codes since it was not accountable to NYC being a Port Authority project! Also related: before 9/11, there were efforts to "privatize" the New York City airports but now with the move towards federal oversight, the Port Authority might keep control]

* The Delaware River Port Authority of Pennsylvania and New Jersey operates PATCO: a tiny train system similar to PATH: see http://www.drpa.org/patco/

I remember the PATCO Hi-Speedline has an operator sitting in a little platform with a curtain, more like a bus-driver than the usual booth for a train engineer. Under normal operation, the train runs hands free, the operator just opens and closes the doors. The operator seems to take full control of the train when running on the alternate tracks.

In Miami Florida, there's some elevated people-mover that's fully automated, no operators on the little trolley-like monorail-like system. But it moves slowly.

See:
  http://www.co.miami-dade.fl.us/transit/
    Miami-Dade Transit
  http://www.fta.dot.gov/library/technology/apm/apmrev.html
    AUTOMATED PEOPLE MOVER APPLICATIONS: A WORLDWIDE REVIEW
  http://faculty.washington.edu/~jbs/itrans/detroit.htm
    Detroit Downtown Peoplemover
  http://faculty.washington.edu/~jbs/itrans/miami.htm
    Miami Metromover - The First Automated Downtown Peoplemover in the U.S.

  [The shuttle between Grand Central and Times Square in New York City was fully automated MANY years ago. PGN]

------------------------------

Date: Sun, 16 Dec 2001 17:24:56 +0100
From: Jacob Sparre Andersen
Subject: Re: Computer will drive 820 passengers at 68 mph

The Paris metro line 14 is fully automated, and does not seem to have any special problems. The automated train control system for line 14 was implemented in Ada (a programming language designed with the goal of getting reliable software), and the implementation was tested using a theorem proof system.

The future Copenhagen airport metro is supposed to be fully automated, but nobody knows if it is going to work or not (yet).

I definitely prefer the Paris metro line 14 to the roads of Copenhagen and Paris.

Jacob

------------------------------

Date: Mon, 17 Dec 2001 13:24:58 -0000
From: "Anthony W. Youngman"
Subject: Re: Computer will drive 820 passengers at 68 mph (Norton, R-21.82)

Well, there's always the Docklands Light Railway (DLR) in London which works fine and, as far as I know, has never had an accident. [SEE PGN NOTE BELOW.] And the engineers comment that there is *less* likelihood of an accident with an automated system, which sounds right given the fact that we've had several very nasty accidents due to drivers ignoring signals recently.

Mind you, that "drivers ignoring signals" is another example of RISKy behaviour.
The sequence of signals from danger to safe is "red", "single yellow", "double yellow", "green". Given that due to crowding most trains go through most signals on double yellow, all too often they go through a single yellow without realising it (the in-cab warning is IDENTICAL for both). So a train going at near full speed suddenly realises the signal in front is red, having missed the single yellow "slow down" warning, and is at serious risk of overrunning the red because it can't stop in time (or even worse, misses the red completely, and then cancels the cab warning because, again, IT IS THE SAME IN-CAB SIGNAL!).

  [In RISKS-5.29, Mark Brader notes a Docklands crash on 10 Mar 1987, at the Island Gardens station. The train crashed through the station buffers and hung off the end of the elevated track. Required modifications that would have prevented the accident had not yet been installed. PGN]

------------------------------

Date: Mon, 17 Dec 2001 12:39:59 +0100
From: Andrew Roberts
Subject: Re: Computer will drive 820 passengers at 68 mph

This sounds very similar to the system at STN London Stansted. There, the main terminal is separate from satellites where the gates are located. A fully automated, driverless guided busway runs between these, going underground to reach the satellites. I say busway because the vehicles have rubber tyres rather than running on rails. Carriages (originally 1, but now 2 coupled together, I think there's room for 3 at the stations) travel at up to 40mph (my estimate), and carry a similar number of passengers as the JFK system.

This has been in operation since the early nineties, without a single breakdown when I've been on it (unlike the rest of the UK railway system).

Andrew Roberts, The Automation Partnership(Cambridge) Ltd, York Way, Royston, Herts, SG8 5WY, UK  http://www.automationpartnership.com

------------------------------

Date: Wed, 19 Dec 2001 20:40:41 +0100
From:
Subject: Re: Computer will drive 820 passengers at 68 mph (Norton, R-21.82)

While the risk of automatic guided transport is obvious, it is nothing new. Automatic systems have been in operation since the early 80's mainly in metros and airport shuttles. For example, the Web site of the market leader, Matra Transport (http://www.matra-transport.fr/) shows this clearly with systems being realised all over the world.

It must also be acknowledged that the automatic guided transport systems seem to have a clean safety record so far and that also high-speed trains, although not being fully automated, have to rely to a great extent on computer guidance.

  [Matra is also responsible for the Ariane 5 and Taipei subway system (which suffered a computer crash, but no accidents, on 3 Jun 1986). See RISKS-18.17 and 18.19. PGN]

------------------------------

Date: Sun, 23 Dec 2001 17:55:14 -0500 (EST)
From: Jerrold Leichter
Subject: Re: Computer will drive 820 passengers at 68 mph (Norton, R-21.82)

Such systems are common, and have been common for many years. The commonality may not be obvious because of a difference in physical orientation: The ones in wide use have tracks running vertically. We call them elevators.

Granted, elevators don't attain the same rate of speed - about 15 mph seems to be the limit - but a falling car could easily exceed it. And granted few if any elevator cars carry 820 passengers - but there are certainly many large buildings whose entire elevator system, during peak periods, carries much greater passenger loads.

Ah, but elevators just go up and down a single isolated shaft. Actually, first of all that's not true in modern buildings; second, the JFK rail system appears to follow pretty much the same model.
(This is based on personal observation of the system as it's being built. It will run on a pair of tracks built over a highway, completely isolated from all other traffic.)

A large, complex system of trains on various interconnected tracks poses difficult problems which we probably aren't ready to deal with fully automated controls. A simple back-and-forth system with no external connections and a limited number of trains is quite a different story.

Will this system be hazard- and problem-free? Only time will tell - but there's no reason I can see to believe that it would be safer so if a human being - whose ability to respond quickly and accurately after months of numbing routine going back and forth between the same 5 or 6 stations would surely be severely taxed - were standing at the controls.

Actually, as many years of experience has shown, a human being - unaided - would do very badly at this kind of job. That's why railroad systems have various automated safety devices. For that matter, so do elevators - and they introduced them when "elevator operator" was still a job description. If there's reason to believe that the JFK system has scrimped on such systems, that's another issue - but my reaction would be no different from hearing that a new digitally-controlled elevator had eliminated the mechanical emergency brakes that have been standard for the better part of a century.

------------------------------

Date: 12 Feb 2001 (LAST-MODIFIED)
From: RISKS-request@csl.sri.com
Subject: Abridged info on RISKS (comp.risks)

The RISKS Forum is a MODERATED digest. Its Usenet equivalent is comp.risks.

=> SUBSCRIPTIONS: PLEASE read RISKS as a newsgroup (comp.risks or equivalent) if possible and convenient for you. Alternatively, via majordomo, send e-mail requests to with one-line body
   subscribe [OR unsubscribe]
 which requires your ANSWERing confirmation to majordomo@CSL.sri.com .
 [If E-mail address differs from FROM: subscribe "other-address " ; this requires PGN's intervention -- but hinders spamming subscriptions, etc.]
 Lower-case only in address may get around a confirmation match glitch.
   INFO [for unabridged version of RISKS information]
 There seems to be an occasional glitch in the confirmation process, in which case send mail to RISKS with a suitable SUBJECT and we'll do it manually.
 .MIL users should contact (Dennis Rears).
 .UK users should contact .

=> The INFO file (submissions, default disclaimers, archive sites, copyright policy, PRIVACY digests, etc.) is also obtainable from
   http://www.CSL.sri.com/risksinfo.html
   ftp://www.CSL.sri.com/pub/risks.info
 The full info file will appear now and then in future issues.
 *** All contributors are assumed to have read the full info file for guidelines. ***

=> SUBMISSIONS: to risks@CSL.sri.com with meaningful SUBJECT: line.

=> ARCHIVES are available: ftp://ftp.sri.com/risks or
   ftp ftp.sri.com login anonymous [YourNetAddress] cd risks
   [volume-summary issues are in risks-*.00]
   [back volumes have their own subdirectories, e.g., "cd 20" for volume 20]
 http://catless.ncl.ac.uk/Risks/VL.IS.html [i.e., VoLume, ISsue].
 Lindsay Marshall has also added to the Newcastle catless site a palmtop version of the most recent RISKS issue and a WAP version that works for many but not all telephones: http://catless.ncl.ac.uk/w/r
 http://the.wiretapped.net/security/info/textfiles/risks-digest/ .
 http://www.planetmirror.com/pub/risks/
 ftp://ftp.planetmirror.com/pub/risks/

==> PGN's comprehensive historical Illustrative Risks summary of one liners:
   http://www.csl.sri.com/illustrative.html for browsing,
   http://www.csl.sri.com/illustrative.pdf or .ps for printing

------------------------------

End of RISKS-FORUM Digest 21.83
************************