RISKS-LIST: Risks-Forum Digest  Wednesday 22 May 2002  Volume 22 : Issue 08

   FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
   ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at and by anonymous ftp at ftp.sri.com, cd risks .

  Contents:
SPAM-demon-ium overload countermeasure (PGN)
AT&T's e-mail filter filters AT&T's e-mail (NewsScan)
Air-traffic control software reliability (Peter B. Ladkin)
Disk crash destroys law-enforcement mug shots in Michigan (Thomas Insel)
WashDC database crash linked to a death by a falling tree (Przemek Klosowski)
Fun with fingerprint readers (Bruce Schneier via Monty Solomon)
"Medication errors could be eliminated ..." (Dr. David Alan Gilbert)
Copy Protected CDs -- risk of selling marker pens (Doug Sojourner)
Re: Apple: break your new PC with a copy-protected CD ... (Bill Bumgarner)
FBI does not care about standards, nor getting that information (Peter Ha*kanson)
2 unsolved telephone mysteries - software faults? (Andrew Goodman-Jones)
Candy machine punishes the quick-thinking (Fredric L. Rice)
Compaq issues refunds for one-cent PCs (Tudor Bosman)
Re: Your bash has Alzheimer's (Bob Bramwell)
REVIEW: "CISSP Exam Cram", Mandy Andress (Rob Slade)
Abridged info on RISKS (comp.risks)

----------------------------------------------------------------------

Date: Weds, 22 May 2002 10:12:43 PDT
From: RISKS List Owner
Subject: SPAM-demon-ium overload countermeasure

I was away from the RISKS directory for almost a week, and went an overly long 10 days between RISKS-22.06 and 22.07. Out of over 1000 e-mail messages in a 6-day period, there were about 20 potential contributions, and one message from a would-be subscriber whose mailer had mistakenly sent his "accept" response to RISKS rather than replying to majordomo.

About *98 percent* of the RISKS e-mail during that period was spam that I deleted unseen based only on the subject message or the From: address. (Excuse me if I accidentally deleted one of your legitimate submissions!)

The RISKS spam rate has enormously increased over the past year (when I mentioned it in RISKS-21.39, one year ago, it had just reached 50% for the first time). At 98%, it has now reached absolutely ridiculous proportions and necessitates some draconian action. For example, we could use some sort of challenge-response confirmation technique and hope that your mail systems will be able to cope with it; however, as we have read here in the past, such schemes can create further risks.

CONSEQUENTLY, as a simpler measure, we have just installed SpamAssassin (free software from spamassassin.org), and in the first few minutes it is *already* a huge success as the spam pours into another mailbox that I hopefully will seldom look at. Of course, SpamAssassin may also filter out some of your legitimate mail, without letting you know. So, if you have sent in an absolutely marvelous contribution or an urgent request and believe that I may never have seen it, please send an out-of-band message to that effect.

Incidentally, the annual seasonal RISKS slowdown will begin as usual this year in mid-June, which means just a few issues now and then over the northern hemisphere's summer. Let's hope there are not too many disasters needing to be reported during that period. Stay tuned.

PGN

------------------------------

Date: Wed, 22 May 2002 08:27:09 -0700
From: "NewsScan"
Subject: AT&T's e-mail filter filters AT&T's e-mail

An example of foot-in-mouth filtering? AT&T Broadband offered its high-speed Internet users an e-mail software filter to block spam, but later found out that it had blocked its own messages to customers notifying them of a rate increase. An AT&T executive tried to put the best face on it: "If there is a silver lining, it appears our spam filtering system works so well that it even deletes mass e-mails from our own company." The company will resend customer notices of the rate increases. [AP/*USA Today* 2002; NewsScan Daily, 22 May 2002]
http://www.usatoday.com/life/cyber/tech/2002/05/22/e-mail-filter.htm

------------------------------

Date: Wed, 15 May 2002 10:03:39 +0200
From: "Peter B. Ladkin"
Subject: Air-traffic control software reliability

An article in *Aviation Week and Space Technology*, "Why Controllers Are Skeptics Regarding New Technology", by Bruce Nordwall, 6 May 2002, pp.50-51, tells the following tale recounted recently at an air-traffic controllers' conference by Philippe Domogola, supervisor at the Maastricht Upper Area Control Center.

"Some years ago," a new European ATC center installed software specified as "99.99% reliable", which apparently meant 99.99% availability in each calendar year, or a maximum of roughly 52 minutes down-time per year. The software "failed" a couple of months after installation, and suffered 20 hours down-time. "The manufacturer's conclusion was: human error that will not happen again" (come to think of it, any specific software bug can be put down to "human error that will not happen again"). Someone had forgotten about leap years. It failed at 23:59 on February 28.

Some controllers suggested that since the software was "99.99% reliable" and it had failed for 20 hours, it follows there were going to be no more failures for the next 25 years. They were right. It does follow.

Peter B. Ladkin, University of Bielefeld, Germany  http://www.rvs.uni-bielefeld.de

------------------------------

Date: Sat, 11 May 2002 12:56:07 -0700 (PDT)
From: Thomas Insel
Subject: Disk crash destroys law-enforcement mug shots in Michigan

On 11 May 2002, *The New York Times* (page A13 of the National Edition) reported that the Macomb County, Michigan, sheriff's department lost over 50,000 photographs of criminals on a crashed hard drive. Not particularly exciting, except that they had wisely made hardcopy backups of some of the photos. The issue of electronic backups was never even raised. Perhaps many computer users no longer realize such a thing is possible?
http://www.nytimes.com/2002/05/11/national/11BRFS.html

------------------------------

Date: Sat, 18 May 2002 23:15:08 -0400
From: Przemek Klosowski
Subject: WashDC database crash linked to a death by a falling tree

Among the world cities, the beautiful Washington DC is probably right up there in terms of the number of parks and wooded neighborhoods; it is possible to drive into the center of the city on roads that are visually completely surrounded by trees. Unfortunately, the DC city government is still struggling with many municipal services; the city is sometimes a few stray blocks short of Mary Poppins' proper child nursery. Tree maintenance is a particular problem: many trees have dead branches, and some are sick or dead. In the recent wave of violent spring storms, quite a number of trees were partly or completely felled, causing significant property damage, some injuries, and at least one death:
http://www.washingtonpost.com/wp-dyn/articles/A17238-2002May14.html

Part of the reason for this is the usual lack of funds and bureaucratic inertia, but there's also a computer angle: "One major obstacle for the city is that its database of public trees that needed pruning or removal crashed in 2000 and couldn't be restored. At that time, the city had a backlog of 5,000 dead trees that needed to be removed. Now, it doesn't know how many it has."

------------------------------

Date: Fri, 17 May 2002 17:27:36 -0400
From: Monty Solomon
Subject: Fun with fingerprint readers

Excerpted from Bruce Schneier's CRYPTO-GRAM, May 15, 2002

Tsutomu Matsumoto, a Japanese cryptographer, recently decided to look at biometric fingerprint devices that attempt to identify people based on their fingerprint. For years the companies selling these devices have claimed that they are very secure, and that it is almost impossible to fool them into accepting a fake finger as genuine. Matsumoto, along with his students at the Yokohama National University, showed that they can be reliably fooled with a little ingenuity and $10 worth of household supplies. [...]
http://www.counterpane.com/crypto-gram-0205.html#5

  [They were able to spoof *all* of the machines, 80% or more of the time. PGN (corrected in archive copy)]

------------------------------

Date: Sun, 19 May 2002 19:52:48 +0100
From: "Dr. David Alan Gilbert"
Subject: "Medication errors could be eliminated ..."

*The Pharmaceutical Journal* (a journal for U.K. Pharmacists) Vol 268, page 697, in an article on the sixth annual conference on electronic prescribing and medicines administration, has a picture of a health professional using a computer with the caption:

  'Medication errors could be eliminated by the use of electronic prescribing systems'

The accompanying article (and another in the same issue) is more careful to say 'reduce' errors; but it is another example of the danger of what a computer can be expected to do.

Dr. David Alan Gilbert  gro.gilbert @ treblig.org  http://www.treblig.org

------------------------------

Date: Mon, 20 May 2002 13:13:17 -0700
From: Doug Sojourner
Subject: Copy Protected CDs -- risk of selling marker pens

> ``Copy-Proof'' CDs Cracked with 99-Cent Marker Pen, 20 May 2002,
> By Bernhard Warner, European Internet Correspondent
> Technology buffs have cracked music publishing giant Sony Music's
> elaborate disc copy-protection technology with a decidedly low-tech
> method: scribbling around the rim of a disk with a felt-tip marker.

Given that marking pens can be used to overcome Sony's CD protection scheme, will it now become illegal to sell pens?

------------------------------

Date: Sun, 19 May 2002 10:43:54 -0400
From: Bill Bumgarner
Subject: Re: Apple: break your new PC with a copy-protected CD ... (R 22 07)

Is it a car company's fault if you put sugar water in the gas tank and it destroys the engine? Is it a printer manufacturer's fault if you put toilet paper through your printer and completely destroy the print heads? No -- it is the consumer's fault in those cases.

In the case of the copy protected CDs, things aren't so clear. It still isn't the computer manufacturer's fault -- at the time of design and manufacture, they cannot predict changes in technology and they certainly can't predict and account for changes in technology that are designed to break their products!

The problem with the copy protected audio CDs is that the CD manufacturer has purposefully designed a CD to be incompatible with computer hardware. They have purposefully violated a standard that hardware manufacturers have been manufacturing to for nearly two decades (since 1983/1984).

Let's rephrase the question slightly: Should it be legal for antitheft devices to destroy property? In particular, should it be legal to destroy property in contexts where it is not 100% guaranteed that a theft was actually in progress?

That is exactly what the audio CD manufacturers (to be fair, the folks mastering the CDs) are doing. They are purposefully creating a piece of media that, when inserted into a computer, can cause data loss [a number of PCs outright crash when faced with these CDs] or even changes to the hardware that require relatively nasty fixes (as is the case with the Macs -- it doesn't hurt it, just leaves it such that there is no way to get the damned disk out).

Sure -- it may be the fault of the consumer for actually sticking the CD into their computer. But it would seem that the folks that created the format in direct violation of published standards should share some of the blame and resulting liability.

------------------------------

Date: Sun, 19 May 2002 11:22:58 +0200
From: peter h
Subject: FBI does not care about standards, nor getting that information

A few days ago I noticed that one of my children got spam in his mailbox. Browsing through it, it looked very nasty, advertising child pornography. As this is a crime both in my country and in Maryland, USA, I decided to report it.

Finding www.fbi.gov was easy. Finding an e-mail address was difficult. In fact, I failed to find an e-mail address. What was available was one of those Webforms that never really is appropriate for the task in hand. As the Webform was the only alternative, I tried to register my complaints, hoping that someone would contact me via e-mail so all details could be reported.

Within hours there was an attempt; I say attempt because my mailserver is configured to reject connections from abusive and rfc-ignorant sites. A common technique that spammers hide behind is sending e-mail from a domain that does not exist. Those mails can never be replied to, nor complained about. Guess what? The connection attempt was from

I see two problems with FBI's attitude. The serious one is that they will miss some tips and e-mails with data (not everyone has an Explorer browser available). The other problem is that their IT responsibility seems to be totally clueless. What's most important? To get those tips - or to make sure that everyone uses Microsoft Explorer whenever they contact the FBI. I have my opinion, but unfortunately I cannot vote in the US.

I also sent a copy of the same mail to the Swedish police, where I could find e-mail addresses, but they seem to have ignored the report.

------------------------------

Date: Thu, 23 May 2002 00:48:22 +1000
From: "Andrew Goodman-Jones"
Subject: 2 unsolved telephone mysteries - software faults?

It's 5am. My mum gets woken by one ring on her home phone. It stops before she can answer it. Being her curious and paranoid self (wonder where she gets that from?), she gets up anyway and checks the Caller ID unit. The number is her own mobile. Her mobile is in her bedroom on the table. It has a flip-down panel that covers the keypad (which prevents accidental dialing by bumping the buttons). She checks the recent outgoing calls list (after asking me how to view it). Her home number is in the list.

How did her mobile phone make a call by itself at 5am? It is believed that no-one else intervened in this situation (i.e., cat burglars, children, etc.). Anyone have any ideas? (BTW, it's a Samsung GSM phone if that helps. I have the same model and this has never happened to me, that I know of.)

This is the second on my list of Weird Stuff. First on the list is:

Back in 1996 when I went to NYC, a call was made from my phone in my office in Sydney a few days after I had left. Ok, not too weird - it was probably the other guy I was sharing the office with. Here's the weird bit: A call at a very similar time was made on my HOME phone to the same number (which I don't recognise at all). No-one from the office had any association at all with my home. Different bills, different suburbs, different exchanges etc. I have no idea at all what happened here.

I reckon that both events were software faults. The first in the mobile phone's firmware, the second at the billing dept. of the phone company.

Andrew Goodman-Jones

------------------------------

Date: Thu, 09 May 2002 13:12:03
From: "Fredric L. Rice"
Subject: Candy machine punishes the quick-thinking

While picking up my company snail mail, I observed a guy shove a dollar bill into a candy vending machine, slowly look over the selections, and then punch in a choice. He was rewarded with not only candy but also change for his buck. Good deal; everybody walked away happy.

There were some mints in the machine that I wanted so I walked up, shoved my dollar into the machine, and punched D2 only to be rewarded with an "ERROR: Cost $.70" message and no sign of my dollar. After a minute or two of pounding, kicking, and yelling at the machine (I'm a programmer) I tried again (I'm also a sucker) only this time I shoved in the dollar and waited for the display to show "Credit: $1.00." When I made my selection -- D2 again -- this time I got my mints and my change.

It turns out that there's a period of time between when you shove in your buck and get the "Credit: $1.00" message that if you make a selection the machine will eat the dollar and then swear up and down you never gave it one. Funny, though, that people who know exactly what they want in life before they pay their money are the ones who get rooked the most while the people who shove in their buck and then examine the variety of available choices life has to offer are the ones who get rooked less.

The risks? I suspect that the software that went into the machine was tested by the programmer and not tested in the field before being released -- though the only way to find out would be to ask. Not doing real-world testing is a common risk but this fault was dumb and should have been easy to catch before the software was released.

[Just wait until the thing starts accepting debit and credit cards. More good ways to make the software fail! }:-} ]

  [So, we need atomic transactions from a candy machine! PGN]

------------------------------

Date: Sat, 11 May 2002 12:16:49 -0700
From: Tudor Bosman
Subject: Compaq issues refunds for one-cent PCs

The RISK is obvious. From http://zdnet.com.com/2100-1106-903686.html:

Despite its initial denials, Compaq Australia now admits that it did in fact process the payments of customers who bought Presario laptops for just one cent as a result of an online pricing hiccup. [...]

Compaq is still adamant, however, that it is not obligated to honor the accidental one-cent pricing, despite mounting industry criticism and ongoing threats of a customer-initiated class action law suit. [...]

"As this was a genuine error, Compaq canceled all orders from the system. In instances where 1 cent was debited from customers accounts it will be refunded."

------------------------------

Date: Sun, 19 May 2002 03:28:08 +0000 (GMT)
From: Bob Bramwell
Subject: Re: Your bash has Alzheimer's (Maziuk, RISKS-22.07)

Interestingly enough, not merely is my bash mentally deficient, but so is ksh, sh, csh, and tcsh. This is on a SunBlade 100 running Solaris 8. Now, what does this say about Korn, Bourne, Joy, and Grevstad I wonder? Methinks it is a little unfair to single out Larry Wall for such criticism, but I appreciate the "heads up"!

Bob Bramwell, ProntoLogical, 60 Baker Cr. NW, Calgary, AB T2L 1R4, Canada  +1 403/861-8827

------------------------------

Date: Mon, 13 May 2002 11:56:34 -0800
From: Rob Slade
Subject: REVIEW: "CISSP Exam Cram", Mandy Andress

BKCISPEC.RVW   20020321

"CISSP (Exam Cram)", Mandy Andress, 2001, 1-58880-029-6, U$34.99/C$53.99/UK#24.49
%A   Mandy Andress
%C   14455 N. Hayden Road, Suite 220, Scottsdale, AZ 85260
%D   2001
%G   1-58880-029-6
%I   Coriolis
%O   U$34.99/C$53.99/UK#24.49 800-410-0192 fax: 602-483-0193
%P   265 p.
%T   "CISSP (Exam Cram)"

It is interesting, and somewhat disturbing, to note that while there are a number of effusive quotes on and inside the cover extolling the virtues of the Exam Cram series, none specifically mention this book.

Bound into the inside front cover is a cram sheet, with 50 points on it that are obviously supposed to be vitally important to the exam. Leaving aside both the simplistic nature of the information presented, and the difficulty of answering a 250 question exam with a mere 50 points, we only have to get to the third point on the sheet before we run into rather significant errors. (Role-based access control is not an alternative to discretionary or mandatory controls, but can implement either.) This does not bode well.

The introduction explains the CISSP (Certified Information Systems Security Professional) designation. The text makes frequent references to the (ISC)^2 web site, but, since the recent site redesign, all these URLs are incorrect. There is also a short self-assessment section, intended to help you determine whether or not you are prepared for the exam, but the vague and generic metrics suggested are unlikely to help determine your readiness.

Chapter one's discussion of the exam, and techniques for writing the exam, does contain some useful recommendations (if you don't know, answer anyway), but other advice is problematic, and may be detrimental.

Access control, in chapter two, is the first of the ten domains of the Common Body of Knowledge (CBK) of the CISSP. The material is presented as a list of key terms and phrases, and the presentation might be helpful to the exam candidate were it not for the extremely limited nature of the deliberation and frequent errors. For some reason a significant amount of space is given to topics (like SYN floods) that do not belong in this domain. There is a brief list of questions at the end of the chapter, with answers and discussion presented immediately afterward. Unfortunately, these questions are so simplistic that they cannot be said to represent, in any way, the exam itself, and the wording is so careless that it is often impossible to say whether the answers given are, in fact, right or wrong.

Chapter three provides an almost random assortment of topics related to telecommunications and networking. (There is a modicum of structure in that subjects are grouped together, but there is no logical flow: IPsec is discussed before the base IP concepts are covered.) There are many problems with the material: it is difficult to say whether the definition of a "circuit gateway" firewall means anything, let alone is right or wrong, and we are told that SSL (Secure Sockets Layer) is only used for host-to-host communications and resides in the session layer. (The book contradicts itself: chapter six does note that SSL is used between client browser and web server.) Again, many irrelevant topics are included while important areas are missed. (PPP (Point-to-Point Protocol) is listed, PPTP (Point-to-Point Tunnelling Protocol) is not.)

Security management practices are not covered in chapter four: the vital areas of policies and risk analysis are given brief mention at the end of a meandering and incomplete list of management concerns.

Another haphazard catalog of terms takes the place of the applications development domain in chapter five. (The definition of a virus is that of a trojan and the definition for a worm seems to fit payload.)

That the author is unfamiliar with basic concepts of cryptography is obvious when, in chapter six, "strong encryption" is defined as the use of a 128-bit key. (In the discussion of triple DES (Data Encryption Standard), the "meet-in-the-middle" attack is obviously confused with "man-in-the-middle.")

Chapter seven's review of security architectures contains another arbitrary list of computer architecture topics. There is some material that is security related, but in the discussion of the Bell-La Padula model, about the only reliable information is that it involves security levels.

Operations security is fairly straightforward, so chapter eight doesn't make any glaring errors. (The content is, however, very terse.) Much the same holds true for business continuity and disaster recovery in chapter nine.

Aside from an over-emphasis on US legislation, chapter ten does not do a really bad job with law, investigation, and ethics.

Chapter eleven collates some checklists related to physical security, but has numerous gaps in the discussion of the overall topic.

About the best that can be said for this book is that most of the items in the common body of knowledge get a mention at some point. Beyond that, the material is too scattered and unreliable to be used either to study for the CISSP exam (unless you want to play "spot the error"), or even as a quick guide for those charged with security.

copyright Robert M. Slade, 2002   BKCISPEC.RVW   20020321
rslade@vcn.bc.ca  rslade@sprint.ca  slade@victoria.tc.ca  p1@canada.com
http://victoria.tc.ca/techrev or http://sun.soci.niu.edu/~rslade

  [Perhaps Coriolis can Force you to pass the exam? Quite a spin! PGN]

------------------------------

Date: Mon, 20 May 2002 10:43:19 -0700
From: Alex Walker
Subject: 11th USENIX Security Symposium (excerpted for RISKS)

11th USENIX Security Symposium
August 5-9, 2002, San Francisco, California
http://www.usenix.org/sec02

Register online by July 10, 2002, and SAVE up to $400!

KEYNOTE SPEAKER, Whitfield Diffie, Distinguished Engineer, Sun Microsystems, speaking about "Information Security in the 21st Century"

Simon D. Byers, ATT Labs - Research
Professor Edward W. Felten, Princeton University
Paul Kocher, Cryptography Research, Inc.

------------------------------

Date: 29 Mar 2002 (LAST-MODIFIED)
From: RISKS-request@csl.sri.com
Subject: Abridged info on RISKS (comp.risks)

The RISKS Forum is a MODERATED digest. Its Usenet equivalent is comp.risks.

=> SUBSCRIPTIONS: PLEASE read RISKS as a newsgroup (comp.risks or equivalent) if possible and convenient for you. Alternatively, via majordomo, send e-mail requests to with one-line body
  subscribe [OR unsubscribe]
which requires your ANSWERing confirmation to majordomo@CSL.sri.com . If Majordomo balks when you send your accept, please forward to risks. [If E-mail address differs from FROM:  subscribe "other-address " ; this requires PGN's intervention -- but hinders spamming subscriptions, etc.] Lower-case only in address may get around a confirmation match glitch.
  INFO     [for unabridged version of RISKS information]
There seems to be an occasional glitch in the confirmation process, in which case send mail to RISKS with a suitable SUBJECT and we'll do it manually. .MIL users should contact (Dennis Rears). .UK users should contact .

=> The INFO file (submissions, default disclaimers, archive sites, copyright policy, PRIVACY digests, etc.) is also obtainable from
  http://www.CSL.sri.com/risksinfo.html
  ftp://www.CSL.sri.com/pub/risks.info
The full info file will appear now and then in future issues. *** All contributors are assumed to have read the full info file for guidelines. ***

=> SUBMISSIONS: to risks@CSL.sri.com with meaningful SUBJECT: line.

=> ARCHIVES are available: ftp://ftp.sri.com/risks or
  ftp ftp.sri.com
  login anonymous
  [YourNetAddress]
  cd risks
  [volume-summary issues are in risks-*.00]
  [back volumes have their own subdirectories, e.g., "cd 21" for volume 21]
  http://catless.ncl.ac.uk/Risks/VL.IS.html [i.e., VoLume, ISsue].
Lindsay Marshall has also added to the Newcastle catless site a palmtop version of the most recent RISKS issue and a WAP version that works for many but not all telephones: http://catless.ncl.ac.uk/w/r
  http://the.wiretapped.net/security/info/textfiles/risks-digest/ .
  http://www.planetmirror.com/pub/risks/
  ftp://ftp.planetmirror.com/pub/risks/

==> PGN's comprehensive historical Illustrative Risks summary of one liners:
  http://www.csl.sri.com/illustrative.html for browsing,
  http://www.csl.sri.com/illustrative.pdf or .ps for printing

------------------------------

End of RISKS-FORUM Digest 22.08
************************