precedence: bulk Subject: Risks Digest 22.44 RISKS-LIST: Risks-Forum Digest Sunday 29 December 2002 Volume 22 : Issue 44 FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks) ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator ***** See last item for further information, disclaimers, caveats, etc. ***** This issue is archived at and by anonymous ftp at ftp.sri.com, cd risks . Contents: Accidental alert spooks Vermont Yankee neighbors (Robin Wheeler) Pioneer 10 still alive, 30 years later (PGN) More UK air-traffic woes (Ursula Martin) Russian firm cleared in U.S. copyright case (NewsScan) DEA data thief sentenced to 27 months (PGN) Computer programmer faces U.S. fraud charge in virus attack (Monty Solomon) O Big Brother, where art thou? -- everywhere (NewsScan) The Total Information Awareness program is a RISK! (Edward G. Nilges) Old mechanical voting machines also break, but have audit trails (Danny Burstein) Electronic vote machines open to tampering - report (Derek Harnett) Is a cleared check really like money in the bank? (Sidney Markowitz) Baffling ATM behavior (Bill Bumgarner) Re: Crackers steal 52,000 university passwords (Harald Hanche-Olsen) Why you should read Mitnick's book: The risks of seeing the trees and not the forest (Don Norman) Surgical tool left in woman's stomach for 4 months (Keith Rhodes) Abridged info on RISKS (comp.risks) ---------------------------------------------------------------------- Date: Fri, 27 Dec 2002 10:17:31 -0500 From: Robin Wheeler Subject: Accidental alert spooks Vermont Yankee neighbors Christmas Day was rough on people in the Northeastern U.S., with snow and nasty weather conditions. One very tired National Weather Service forecaster had worked 24 hours straight, into the following day, because relief could not make it to the Albany NY work site, with up to three feet of snow on the ground. He accidently clicked on an icon that triggered a high-alert general site emergency to neighbors of the Vermont Yankee nuclear power station, just one level below the evacuation order. That alert went via special tone-alert radios only to people who cannot hear the urban-centered emergency sirens. The alert was canceled shortly thereafter, after the VT Emergency Management Office checked with the power plant. There is a five-minute delay on such alerts going out to the general radio audiences, so this particular alert never made it more widely than the special alert system. Reportedly, the software will be modified to make this type of erroneous message less likely. [Source: Susan Smallheer, *Rutland Herald* (Vermont), 27 Dec 2002; susan.smallheer@rutlandherald.com; PGN-ed] http://timesargus.nybor.com/Story/58206.html; ------------------------------ Date: Wed, 18 Dec 2002 20:15:39 -0800 (PST) From: Peter Neumann Subject: Pioneer 10 still alive, 30 years later "A distant Pioneer whispers to Earth": Like the Energizer Bunny, Pioneer 10 is still going after 30 years -- sort of. Silent since March 2002, now 7.5 billion miles away, or 11 hours at the speed of light, faint signals were received but could not be locked on, and no scientific information could be obtained. http://www.cnn.com/2002/TECH/space/12/18/pioneer.contact/index.html [or http://reuters.com/newsArticle.jhtml?type=topNews&storyID=1921184 ?] [typo corrected in archive copy, alternative URL suggested as well. PGN] ------------------------------ Date: Thu, 19 Dec 2002 08:39:17 GMT From: Ursula Martin Subject: More UK air-traffic woes The UK National Air Traffic Control Centre at Swanwick (RISKS-21.98, 22.02,03,09,12,13) is still having ``potentially catastrophic'' problems, including erratic communications breakdowns between controllers and pilots, unclear screen images, etc. http://news.bbc.co.uk/2/hi/uk_news/2589247.stm ------------------------------ Date: Wed, 18 Dec 2002 09:00:59 -0700 From: "NewsScan" Subject: Russian firm cleared in U.S. copyright case ElcomSoft Co. Ltd., based in Moscow, has been found *not guilty* of criminal charges that it violated the 1998 U.S. Digital Millennium Copyright Act by selling a software program designed to circumvent the digital locks used to enforce copyright protections on Adobe Systems e-book software. The two-week trial was the first criminal prosecution under the controversial DCMA, which prohibits the sale of technology that can be used to break the code that "locks" digitally formatted movies, music and other software. The case hinged on whether ElcomSoft had "willfully" violated U.S. law, an intent the defendants denied. "They never intended to violate the law," said defense attorney Joseph Burton. ElcomSoft president Alexander Katalov pointed out that the program was legal in Russia and was not meant to be used for electronic books that had not been legally purchased. He said he didn't know that the software was illegal under U.S. law. [Reuters, 17 Dec 2002; NewsScan Daily, 18 December 2002] http://shorl.com/degreryliprujy ------------------------------ Date: Wed, 18 Dec 2002 09:19:01 -0500 From: Peter Neumann Subject: DEA data thief sentenced to 27 months Emilio Calatayud, who worked for the U.S. Drug Enforcement Administration (DEA) for 14 years, has now been sentenced to 27 months in prison and a $5,000 fine for selling information on claimants in more than 1000 workers' compensation cases to Triple Check Investigative Services. He used his authorized access to the FBI's National Crime Information Center (NCIC), the California Law Enforcement Telecommunications System (CLETS), and the DEA Narcotics and Dangerous Drug Information System (NADDIS). He was paid at least $22,500 from 1993 to 1999 for these extracurricular services. On the first day of his trial in February 2002, he fled to Mexico, but was later caught. [Source: Kevin Poulsen, SecurityFocus Online, 18 Dec 2002; klp@securityfocus.com; http://www.securityfocus.com/; PGN-ed; Courtesy of Richard M. Smith http://www.theregister.co.uk/content/55/28621.html] ------------------------------ Date: Wed, 18 Dec 2002 22:34:20 -0500 From: Monty Solomon Subject: Computer programmer faces U.S. fraud charge in virus attack A formerUBS PaineWebber computer expert was indicted on federal charges of trying to manipulate the stock price of the brokerage's parent company last spring by disseminating a computer virus among over 1,000 systems used by PW brokers. He had reportedly been hoping to gain from the resulting stock price drop. [Source: article by Robert Hanley, *The New York Times*, 18 Dec 2002; PGN-ed] http://www.nytimes.com/2002/12/18/technology/18SABO.html ------------------------------ Date: Mon, 23 Dec 2002 09:31:58 -0700 From: "NewsScan" Subject: O Big Brother, where art thou? -- everywhere In order to monitor the U.S. civilian population in its effort to detect terrorists, the government's Total Information Awareness program will rely almost completely on data collection systems that are already in place -- e-mail, online shopping and travel booking, ATM systems, cell phone networks, electronic toll-collection systems and credit card payment terminals. Technologists say that what the government plans to do in data sifting and pattern matching in order to flag aberrant behavior is not very different from programs already in use by private companies. For instance, credit card companies use such systems to spot unusual spending activities that might signal a stolen card. The early version of Total Information Awareness uses a commercial software collaboration program called Groove, which was developed in 2000 by Ray Ozzie, inventor of Lotus Notes. Groove enables analysts at various government agencies to share intelligence data instantly, and links programs that are designed to detect suspicious patterns of behavior. However, some computer scientists question whether such a system can really work. "This wouldn't have been possible without the modern Internet, and even now it's a daunting task," says cryptology expert Dorothy Denning, a professor in the Department of Defense Analysis at the Naval Postgraduate School. Part of the challenge, she says, is knowing what to look for. "Do we really know enough about the precursors to terrorist activity? I don't think we're there yet." [*The New York Times*, 23 Dec 2002; NewsScan Daily, 23 December 2002] http://partners.nytimes.com/2002/12/23/technology/23PEEK.html ------------------------------ Date: 26 Dec 2002 15:34:36 -0800 From: spinoza1111@yahoo.com (Edward G. Nilges) Subject: The Total Information Awareness program is a RISK! In *The New York Times* for 23 Dec 2002, John Markoff and John Schwartz find that "Many tools of Big Brother are up and running." In this article, they describe how the Total Information Awareness or TIA program hopes to use the eXtended Markup "Language" (XML) as a form of Krazy Glue to create the mathematical union of existing and wildly disparate data sets. Quite apart from genuine concerns about privacy, the real problem may be correctness. This is because the "end user's" vision of a data base, as opposed to a large program, is relatively optimistic. Intelligent end users know in some way the Turing pessimism: that there is no automated procedure, and often no practical procedure, for determining whether a large software artifact "halts" or more generally arrives at a desirable state. But what they may not know is that modern data bases including Oracle and SQL Server include meta-data that in effect transforms the non-Turing-complete (and therefore controllable) data base into a very large Turing machine. This meta-data traditionally consisted of format declarations, which do not in themselves present the Turing problem, but also consists of "stored procedures." These are modally small but sometimes large programs written in a Turing-complete programming language that have the ability to form part of the semantics of the data base. For example, a yes/no flag (indicating "probable terrorist involvement") may be accessed via an automated trigger that returns not its raw value, but its value, ANDed with another flag that overrides the raw flag. The latter flag may indicate an explanatory condition such as association with organizations already known to be neutral (such as the Red Crescent), which association lowers the probability of the original condition. And, although traditional meta-data (such as the use of Long or 32-bit representation for an integer value) does not make a data base Turing incomplete it may (or may not) represent a statement about the data. The selection of 32 bits may represent a decision that the value in question ranges between -2**31 and -2**31-1, or it may represent ONLY the absence, at the time the data base was created, of a 64 bit architecture. The problem is that eXtended Markup Language CAN represent all these subtleties in principle but WILL NOT in practice owing to time pressures. Already in the literature one finds a split. Managerial articles on XML promise complete control, while in the same journal, programmers and system administrators are assured that XML is permissive and will allow the representation of values as ASCII strings...without type constraints. XML is no Pascal but is instead in the tradition of C, which allows the developer to make forensic decisions on his own without oversight. The manager believes that everything is under control, while in the server room it is decided, modally in an undocumented way, that a citizen who posts long articles on the Internet is a potential troublemaker. The problem is that the artifact resulting will be an uncontrollable, because Turing complete, PROGRAM that will form its own documentation. As a form of de facto electronic law, it will result in even more Constitutional mischief than we've seen enough of already in the war against terrorism. ------------------------------ Date: Sat, 7 Dec 2002 18:15:11 -0500 (EST) From: danny burstein Subject: Old mechanical voting machines also break, but have audit trails We've got a curious case in White Plains, NY (about 20 miles north of NYC) in which one of the older mechanical voting machines broke down - leading to a great deal of messiness as to who won the election. The allegation is that the lever for one candidate jammed, so people couldn't readily vote for him. The good thing here is that there was feedback to the voters that they weren't getting through and that these concerns were, indeed, taken seriously. (We all know far too well the problems with more "modern" systems). For various legal reasons the losing candidate doesn't have direct standing, but has to defer to the Attorney General. Mr. Spitzer's office investigated, and has now filed the court paperwork. to quote from the AG's press release: "In March, Delgado requested that the Attorney General consider bringing a *quo warranto* action. Following long-standing office policy, the Attorney General's Office convened a panel of three seasoned assistant attorneys general to investigate the White Plains Common Council election. During its six-month investigation, the panel interviewed Delgado and Hockley, as well as officials from the Westchester Board of Elections and poll workers. "Information uncovered in the investigation showed that the voting machine in the 18th Election District had, in fact, jammed only on the line with Delgado's name, preventing votes for him from being recorded. In the investigation, the panel received 103 sworn affidavits from White Plains voters who said they voted for Delgado on the voting machine in the 18th Election District. The investigation also determined that those voters had signed in and voted at the 18th Election District. Those 103 votes would have been more than needed to overcome the 47-vote differential between the candidates. [...] So while it's taking much longer than I'm sure anyone would like, the process is clearcut and making its way through. further details at: http://www.oag.state.ny.us/press/2002/dec/dec03c_02.html ------------------------------ Date: Mon, 9 Dec 2002 13:34:44 -0000 From: Derek Harnett Subject: Electronic vote machines open to tampering - report In the last couple of elections/referenda here we've had a few pilot schemes here for electronic voting. The plan is to introduce electronic voting countrywide in the next couple of years. The system is one that does not have an paper audit trail etc. Despite commissioning an report on the integrity/security of the systems used, the government department responsible seems set on ignoring the results of the report and will continue to roll out the process. >From the 'Irish Independent' 9 Dec 2002: Electronic vote machines open to tampering - report A PRIVATE report for the Department of the Environment has cast doubt on the security of the ballot in new electronic voting machines. The "powervote" machines, deployed in seven constituencies at the last general election and due to be used countrywide for the local and European elections in 2004, are vulnerable to tampering, the report claimed. Consultants Zerflow told the department that it would be easy to paste a dummy ballot paper over the face of the machine, rearranging the list of candidates, in a bid to attract votes away from someone perceived as likely to be the most popular candidate. The examination team also successfully obtained a key to operate one of the machines and copied it at a local shopping centre - raising the scenario of tamperers armed with many keys reactivating the machines after close of voting to engage in the electronic equivalent of ballot-stuffing. The Department of the Environment has rejected many of the concerns, pointing out that the machines' integrity is protected by a scrutineer who remains by each machine during voting. Fine Gael spokesman Bernard Allen said last night that the Minister for the Environment, Martin Cullen, must now publish the full facts relating to the Zerflow report. He said he would be asking the Chairman of the Oireachtas Environment Committee to convene a meeting to examine the situation in detail. The report's authors and the minister would be invited to discuss the matter. "There should be no further consideration given to extending electronic voting until such time as the system can be guaranteed to be secure," he said. The report identified several "high level" risks to the integrity of the vote, and suggested that results obtained under the current system could be open to legal challenge. Powervote said its machines have been operating in Germany and the Netherlands for over a decade without problems. ------------------------------ Date: Thu, 19 Dec 2002 00:41:15 +1300 From: "Sidney Markowitz" Subject: Is a cleared check really like money in the bank? Wired has an article on a new Nigerian scam http://www.wired.com/news/culture/0,1284,56829,00.html The con can be abstracted into these steps: 1. Con artist sends you a cashier's check as payment for something. 2. Some reason you find plausible is given for you to send back a portion of the money once you are sure that the check has cleared 3. You deposit the check, wait until the bank says it has cleared, and send some part of the money to the con artist 4. Bank informs you some days or weeks later that the check was a counterfeit and you owe them the full amount they paid you There seems to be a really big RISK here, aside from the Nigerian scam: It is common for check transactions to be held until the check clears, to ensure that the check is good. Now we see that the time it takes for a check to clear is determined by US law that sets a limit on how long a bank can delay paying for a deposited check. But that limit does not make it any faster for the bank to really determine if the check is good. The unintended consequence of the law is that a cleared check may not be a cleared check, with the depositor being the one who is liable if something goes wrong. ------------------------------ Date: Wed, 11 Dec 2002 15:03:27 -0500 From: Bill Bumgarner Subject: Baffling ATM behavior Yesterday, I stopped by an ATM to pick up a bit of cash and experienced a truly stupid bit of interaction with the ATM. I inserted and retrieved my card, typed my PIN, typed the amount of money I wanted, agreed to pay the vig, and hit enter to receive my cash. Nothing. No warning, no beeping, no error message, no cash. No feedback whatsoever. Then I noticed that the machine had the previous customer's receipt sticking out of the printer slot. Assuming it wouldn't help, I removed the receipt. Lo and behold, the machine coughed up my cash, coughed up a receipt (that I didn't ask for), and the transaction was concluded. The risks should be obvious: - Machine enters a 'locked' state after concluding the transaction internally, but before cash is delivered to user - Zero feedback of what is holding up transaction completion - Spitting out a receipt when the user explicitly asks NOT to receive a receipt I would assume that the system completes the transaction with the user's account immediately prior to dispensing cash. As such, the cash to be dispensed is "in the queue" and no longer in the account? The potential scam is much more nefarious. It would be trivially easy to use a razor to cut off the receipt in the printer slot after a transaction is completed. Once done, the thief merely has to wait for someone who tries to obtain cash, but isn't aware that the machine will lock up in the fashion described above. The user will eventually walk away-- maybe pressing cancel, more likely not (I didn't test that the 'cancel' would really 'cancel' the transaction). Given that the ATM is on the side of the bank that owns the ATM, it is quite likely the user will step into the bank for assistance. As soon as the user steps away, the thief merely has to extract the old receipt to cause the machine to spit cash. It would be hard to even prove that the thief was actually a thief and not someone who just lucked into completing the transaction. I'm certainly going to check twice that the printer slot is clear before using any ATM, but I can think of a number of situations where a blockage wouldn't be visible. [Correction inserted in archive copy. PGN] ------------------------------ Date: Sun, 01 Dec 2002 01:00:19 +0100 From: Harald Hanche-Olsen Subject: Re: Crackers steal 52,000 university passwords (RISKS-22.39) Regarding the break-in where crackers stole the password file from the University of Oslo [RISKS 22.39], the mere fact that they managed this isn't half as interesting as the reason they could pull it off. Apparently, the crackers got in via a computer used for testing a new administrative system for the telephone exchange. As it turns out, this system is based on the MS SQL server, a fact unknown to the people installing the software. Now they had installed the latest security patches for the whole system, except for the SQL server - since they were not aware that it was running. And that provided the crackers' opportunity. ------------------------------ Date: Wed, 18 Dec 2002 02:46:21 -0600 From: "Don Norman" Subject: Why you should read Mitnick's book: The risks of seeing the trees and not the forest In an apparent coincidence, in RISKS 22.43, in the article that followed my recommendation that RISK readers read the new book by Mitnick & Simon, Rod Slade did his standard "this book has no merit" review of the book. Slade is wrong: you should read this book. Slade criticizes each individual tree, and thereby misses the forest. His critique of the individual trees is correct. Are the stories repetitive? Yes. (you know, each tree looks just like the other, and after awhile, it gets boring.) Is the book self-serving? Yes. Is Mitnick reformed or still a scoundrel (guess). Is the advice he gives rather pedestrian or even worthless? Yes. Are there any new, profound insights, well, no, not if you keep your head down and only focus on the trees. But individual trees add up to a forest, and there is value in studying forests. I'm a student of human psychology. That's what I do for a living. Technology and people. Among other things, I read books by ex-criminals: Thieves, bank robbers, con-artists. I learn a lot. This is not the first such book I have read. And it won't be the last. I learned a lot from Mitnick. I was impressed by his approaches. They are not as simple and easy to do as a quick reading would make them appear. After the fact, everything always looks obvious. But I, for example, would find it difficult to even think of the schemes, let alone carry them out successfully. As with all great confidence operators, he knows a lot about practical, human psychology. He knows how to set up the mark. How to make multiple phone calls or visits, each to a different person, each asking for help, and each time picking up one little piece of information that, by itself, does not seem important. How to win confidence. And then, put the little bits together, and you sound like a legitimate employee, supplier, or customer in an unfortunate situation, where just a little help would be useful. It's classic con-artist, and he does it very well. I believe that many readers of RISKS would learn a lot -- and be very bothered by what was learned; it would be very easy to fall for some of those ruses. (As Mitnick points out, even good con artists will sometimes fall for other people's cons.) This is a really good antidote to all those technical approaches to security. Slade also can't decide how to treat Mitnick: as a weak technologist (hey, most of his cons don't involve technology, so what's the big deal) or as too good a technologist (to do one fraud, you need to reprogram a DMS-100 switch). That last fraud, by the way, is quite interesting: Go out and buy a used switch -- or just get access to someone else's -- and you can make the telephone caller ID say anything you want it to. So don't trust caller ID to show that the caller is someone you know, or from your own company. Is this news to professionals? No. Is it good to know? Yes. Would a serious person trying to steal company secrets, or money, use the trick? Gee, I would -- wouldn't you? Of course they would. Can I program the switch? No, but I could learn, or more easily, just hire someone to do it for me. Slade complains that this is not a technology book, "this is a book about how to fool people." Well, yeah, duh, that's the point. Put up all the technology you want, it isn't that secure because I'll break in from inside, or fool people into giving me the information I seek. So, if you are a security professional, you can ignore the book. Maybe. You already know all this stuff. You could probably write a better book yourself. If you aren't such an expert, read the book. Its an easy read. Big print. Lots of stories. No big words or deep thoughts. Very repetitive. But I found it revealing -- and frightening. On one thing Slade and I agree: "Chapter four tells you to distrust everyone--which would probably be more damaging to society than social engineering." Yup, this was precisely the point of my posting in RISKS 22.43. It is already becoming more damaging. Read Mitnick & Simon. Don't take their recommendations seriously -- they are lightweight, sometimes wrong or irrelevant, and probably there for legal reasons -- to impress the court that this is a prevention book, not a "how-to" book. It's a great how-to book, and if you read it, you will become better at prevention. Maybe. Don Norman, Computer Science, Northwestern University http://www.jnd.org Nielsen Norman Group http://www.nngroup.com norman@nngroup.com ------------------------------ Date: Tue, 17 Dec 2002 08:31:52 -0800 (PST) From: Keith Rhodes Subject: Surgical tool left in woman's stomach for 4 months An airport metal detector was triggered by a Canadian woman, although no metal was evident. Noting that she had been suffering from persistent stomach pains ever since abdominal surgery, she went for an x-ray the next day. A four-inch surgical retractor was discovered in her abdomen. [CNN.com, PGN-ed] [BROKEN URL: http://www.cnn.com/2002/WORLD/americas/12/16/canada.woman.stomach.reut/index.html TRY http://www.hon.ch/News/HSN/510912.html which says it was a 33-centimeter retractor. NOTE ADDED in archive copy. PGN] ------------------------------ Date: 29 Mar 2002 (LAST-MODIFIED) From: RISKS-request@csl.sri.com Subject: Abridged info on RISKS (comp.risks) The RISKS Forum is a MODERATED digest. Its Usenet equivalent is comp.risks. => SUBSCRIPTIONS: PLEASE read RISKS as a newsgroup (comp.risks or equivalent) if possible and convenient for you. Alternatively, via majordomo, send e-mail requests to with one-line body subscribe [OR unsubscribe] which requires your ANSWERing confirmation to majordomo@CSL.sri.com . If Majordomo balks when you send your accept, please forward to risks. [If E-mail address differs from FROM: subscribe "other-address " ; this requires PGN's intervention -- but hinders spamming subscriptions, etc.] Lower-case only in address may get around a confirmation match glitch. INFO [for unabridged version of RISKS information] There seems to be an occasional glitch in the confirmation process, in which case send mail to RISKS with a suitable SUBJECT and we'll do it manually. .MIL users should contact (Dennis Rears). .UK users should contact . => The INFO file (submissions, default disclaimers, archive sites, copyright policy, PRIVACY digests, etc.) is also obtainable from http://www.CSL.sri.com/risksinfo.html ftp://www.CSL.sri.com/pub/risks.info The full info file will appear now and then in future issues. *** All contributors are assumed to have read the full info file for guidelines. *** => SUBMISSIONS: to risks@CSL.sri.com with meaningful SUBJECT: line. => ARCHIVES are available: ftp://ftp.sri.com/risks or ftp ftp.sri.comlogin anonymous[YourNetAddress]cd risks [volume-summary issues are in risks-*.00] [back volumes have their own subdirectories, e.g., "cd 21" for volume 21] http://catless.ncl.ac.uk/Risks/VL.IS.html [i.e., VoLume, ISsue]. Lindsay Marshall has also added to the Newcastle catless site a palmtop version of the most recent RISKS issue and a WAP version that works for many but not all telephones: http://catless.ncl.ac.uk/w/r http://the.wiretapped.net/security/info/textfiles/risks-digest/ . http://www.planetmirror.com/pub/risks/ ftp://ftp.planetmirror.com/pub/risks/ ==> PGN's comprehensive historical Illustrative Risks summary of one liners: http://www.csl.sri.com/illustrative.html for browsing, http://www.csl.sri.com/illustrative.pdf or .ps for printing ------------------------------ End of RISKS-FORUM Digest 22.44 ************************