Subject: Risks Digest 22.59

RISKS-LIST: Risks-Forum Digest  Weds 26 February 2003  Volume 22 : Issue 59

   FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
   ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at and by anonymous ftp at ftp.sri.com, cd risks .

  Contents:
Star Wars exempt from OVERSIGHT, REPORTING, AND TESTING requirements? (PGN)
"Bugsplat"--collateral damage simulator (Daniel P.B. Smith)
Scientology critic fined for undeclared file (Mark Thorson)
eBay: Big Brother is watching you, and documenting (Monty Solomon)
Telepathy used to defend voting systems? (Rebecca Mercuri)
Voting machine engineer sues, alleges machine design flaws (Susan Marie Weber)
Latest spam scam (Jim Griffith)
Nigerian slain over e-mail scam (John F. McMullen)
Spain - Vodafone sees its network crash after maintenance (Henry Baker)
An unexpected bill (Geoffrey Brent)
Re: Surgeons transplant mismatched organs (K P)
Re: Deadly input validation? (Ed Ravin)
REVIEW: "Building Secure Wireless Networks with 802.11", Khan/Khwaja (Rob Slade)
Abridged info on RISKS (comp.risks)

----------------------------------------------------------------------

Date: Mon, 24 Feb 2003 14:46:49 -0800 (PST)
From: "Peter G. Neumann"
Subject: Star Wars exempt from OVERSIGHT, REPORTING, AND TESTING requirements?

Noted deep in the White House's proposed FY2004 budget, the administration is proposing to exempt the Pentagon's controversial national missile defense system from operational testing legally required of every new weapons system in order to deploy it by 2004.  The requirements are of course intended to prevent the production and fielding of weapons systems that don't work [many of which have been the subject of discussion in RISKS in the past].
Last year, the Missile Defense Agency was already given managerial autonomy and removed procurement procedures that were intended to ensure new weapons programs remain on track and within budget.  [From the RISKS perspective of having observed systems that do not work properly even with extensive oversight and testing, this seems like a very unwise approach.]

  [Source: Missile Defense Waiver Sought; White House wants to exempt the Pentagon's controversial weapons system from operational testing rules, a first for a major program, by Esther Schrader, *Los Angeles Times*, 24 Feb 2003; PGN-ed]
  http://www.latimes.com/news/nationworld/nation/la-na-missile24feb24,1,5024689.story?coll=la%2Dhome%2Dheadlines

------------------------------

Date: Sat, 22 Feb 2003 09:48:12 -0500
From: "Daniel P.B. Smith"
Subject: "Bugsplat"--collateral damage simulator

  [Best code name since "carnivore."  DPBS]

US military planners hope to reduce the potential for civilian casualties in war by using a new computer program called Bugsplat.  Instead of drawing concentric circles representing blast effects, Bugsplat generates blob-like images ("resembling squashed insects") that supposedly more precisely model expected damage.  The hopes are that this program will help reduce collateral damage.

QUOTE: "Because the program hasn't been used for actual targeting, this will be 'learn as you go.'"

  [Source: 'Bugsplat' program gives planners hope, By Bradley Graham, *The Washington Post*, 22 Feb 2003; PGN-ed]

------------------------------

Date: Thu, 20 Feb 2003 19:06:41 -0800
From: Mark Thorson
Subject: Scientology critic fined for undeclared file

A prominent French critic of Scientology has been fined 901 euros for maintaining a Web site that contained the name of a Scientologist in quotations from two published articles.  The Scientologist sued, claiming his religious rights had been violated.
A 1978 French law intended to protect privacy requires computer files containing names of people (even one name) to be declared with the National Commission of Computers and Liberties (CNIL).  On 18 Feb 2003, Roger Gonnet became the first person disciplined under this law for his Web site, http://www.antisectes.net, which has been operating since March 1997.

The judgment against Gonnet was 450 euros for violating the law, 450 euros for plaintiff's legal costs, and 1 euro for damages to plaintiff.  (Plaintiff had been asking for 15,000 euros.)

Gonnet says, "At least 20 million French people are guilty of the same 'crime': they have individual names in their organizers, electronic agendas, computers, laptops, CD Roms, DVD roms, hard disks, memory cards, and even in their cell-phone memories, WAPs, texts, and Web sites, as well as the employers and commercial employees or sellers have lists of their employees, clients, associates, etc."

  ["What's In A Name?"  Oui!  "What Name is In?"  Non!!!  PGN]

------------------------------

Date: Thu, 20 Feb 2003 17:34:28 -0500
From: Monty Solomon
Subject: eBay: Big Brother is watching you, and documenting

"I don't know another Web site that has a privacy policy as flexible as eBay's," says Joseph Sullivan, director of the "law enforcement and compliance" department at eBay.com, reportedly the world's largest retailer.  Sullivan was speaking to senior representatives of numerous law-enforcement agencies at "Cyber Crime 2003".  His lecture was closed to reporters, but, in a recording obtained by Haaretz, Sullivan says that eBay is willing to hand over everything it knows about its Web users when asked by investigators.

  [Source: Yuval Dror, Haaretz; PGN-ed]
  http://www.haaretz.com/hasen/pages/ShArt.jhtml?itemNo=264863

------------------------------

Date: Tue, 28 Jan 2003 13:50:51 -0500
From: "Rebecca Mercuri"
Subject: Telepathy used to defend voting systems?

The Canadian Broadcasting Corp.
reported that balloting at the 25 Jan 2003 NDP leadership convention in Toronto was disrupted by the SQL Slammer DDoS attack.  The system that was being used was one provided by election.com -- one of the vendors also vying for Internet voting contracts in the USA.  Apparently election.com's Earl Hurd thought it was a laughing matter when he told the CBC: "Unless he died in the last few minutes because of the evil thoughts in my brain, he or she is still out there."

  http://www.cbc.ca/cgi-bin/templates/print.cgi?/2003/01/25/ndp_delay030125

------------------------------

Date: Sun, 23 Feb 2003 09:26:12 -0800 (PST)
From: SusanMarieWeber@earthlink.com
Subject: Voting machine engineer sues, alleges machine design flaws

Bev Harris, Black Box Voting, 21 Feb 2003

Dan Spillane, a voting machine test engineer, filed a lawsuit against his former employer, DRE touch-screen voting machine manufacturer VoteHere.  Georgia recently approved VoteHere's machines, and the military is considering them for overseas voting.  The company does business also in Sweden and England, and appears to be manufacturing, or planning to manufacture, components for other voting machine companies.

Spillane alleges in his lawsuit that he reported over 250 errors in the system, including critical errors of "severity 1" which include errors that may prevent the machines from correctly registering the votes.  He sought meetings with company officials to express concerns about system integrity flaws, and created logs and reports of such flaws.  His complaint indicates that VoteHere did not address the flaws, and that the VoteHere system was certified by independent testing labs despite known flaws.  Just when the testing lab began its examination of system integrity, VoteHere fired Spillane.

VoteHere's board of directors includes former CIA director Robert Gates.  VoteHere's Chairman is Admiral Bill Owens, who was senior military assistant to Secretaries of Defense Frank Carlucci and Dick Cheney.
Carlucci, of course, now heads the Carlyle Group and Cheney is Vice President.

I will retrieve a copy of the lawsuit early next week, case # 03-2-18779-85SEA, filed in King County, Washington.  If possible we will post it later in the week.

Bev Harris

------------------------------

Date: Mon, 24 Feb 2003 21:10:21 -0500
From: griffith@dweeb.org (Jim Griffith)
Subject: Latest spam scam

I just received the following:

  From: dlj4tbad5@hotmail.com (Former NetGaming Programmer)
  Subject: Please help me

  Hello dear friend,

  I'm the developer who made the software for the NetGaming Casino.  But since they still did not paid me for last six month of work I decided to reveal the backdoor in that casino I made for myself.  This backdoor allow easily win the roulette.  So: What do you need to win?  Read below:

  1. Go to the following secret link:: http://www.[deleted]/?affiliate_id=230083&campaign_id=20016
  2. Open an account (click "Join Now").
  3. Play roulette until "13" turn out.

  That's it!  The next turn will be "27"!

  I'll be happy if you ruin them by winning lots of money.

Either it's legitimate, in which case the Web site is totally screwed, or (far more likely) it's the most recent devious way to attract unsuspecting suckers.

------------------------------

Date: Sat, 22 Feb 2003 11:11:05 -0500 (EST)
From: "John F. McMullen"
Subject: Nigerian slain over e-mail scam

Nigeria's consul in the Czech Republic, Michael Lekara Wayid, was shot and killed by a Czech citizen at the Nigerian Embassy in Prague on 19 Feb 2003.  The suspect had been victimized by a now-classical Nigerian scam, which resulted in the contents of his bank account vanishing.

  [Source: Michelle Delio, Wired News; PGN-ed]
  http://www.wired.com/news/culture/0,1284,57760,00.html?tw=wn_ascii

  [This type of scam still seems to sucker in enough people to make it worth the effort to keep the e-mail solicitations flowing.
  In the past week alone, SpamAssassin has picked out 150 Nigerian scam spams in my mailbox, out of 2400 redirected spams; in the past two weeks, it has trapped over 300 such scam spams addressed to RISKS, out of almost 1500 spams in all.  So it is definitely a booming industry.  PGN]

------------------------------

Date: Fri, 21 Feb 2003 11:10:50 -0800
From: Henry Baker
Subject: Spain - Vodafone sees its network crash after maintenance

FYI -- 'Causative Maintenance' ?

Vodafone Spain's network virtually collapsed for almost 7 hours on 21 Feb 2003, following what was thought to be basic maintenance work.  The company has 8.7 million customers.  No substantial explanation has been given.

------------------------------

Date: Sun, 23 Feb 2003 19:27:05 +1100
From: Geoffrey Brent
Subject: An unexpected bill

A friend of mine who is a postgraduate student at the University of New South Wales recently logged on to the university Web site to check the fees due for Semester 1, 2003.  He was rather surprised to be told that his debt was slightly in excess of three million Australian dollars - by a strange coincidence, the sum owed was exactly equal to his student number.

Perhaps a little range-checking is in order?

------------------------------

Date: Mon, 24 Feb 2003 05:47:51 -0800 (PST)
From: K P
Subject: Re: Surgeons transplant mismatched organs (RISKS-22.58)

Patients who need transplants are entered into the national transplant waiting list maintained by United Network for Organ Sharing (UNOS, Richmond VA) through a federal contract.  The list includes many items including blood type, height and weight, how sick they are, and the hospital where they are waiting.  Nationally, more than 80,000 people are waiting for hearts, lungs, kidneys, livers and pancreases.

When donor organs become available, information about blood type, size and location of the donor are entered into the computer generating a "match run" -- a list of all patients who are a medical match for that donor.
They are listed in order of priority, determined by a complex calculation including components of illness and how near they are to the donor.  A completed match run can range from tens of thousands to fewer than 10.  Some organs are placed on the first call; others take hours.

According to news reports, in Jesica's case, Duke officials say transplant coordinators called to offer the heart to two of their patients.  The heart was the wrong size for one, and the other was not medically ready for a transplant.  Jesica's doctor then asked about giving the heart and lungs to Jesica.  Although she was not listed on the match run, the transplant coordinator said OK.  Neither the coordinator nor the doctor realized that she was not the right blood type - the reason she was not on the computer's list of possible patients.

The UNOS systems didn't make the mistake.  Humans intervened and ultimately caused the mistake.  It's sad that Jesica died as a result.  But we will never know who else died because they didn't get the organs they should have in the first place.

  [Dan Graifer noted that lengthy articles appeared in *The Washington Post*.  PGN]
  http://www.washingtonpost.com/wp-dyn/articles/A56656-2003Feb24.html
  http://www.washingtonpost.com/wp-dyn/articles/A2700-2003Feb25.html

------------------------------

Date: Sun, 23 Feb 2003 12:42:37 -0500 (EST)
From: "Ed Ravin"
Subject: Re: Deadly input validation? (Adams, RISKS-22.58)

  [Although the original item was only marginally computer-related, we include this item to correct the archival record.  PGN]

Some corrections and clarifications:

* It was four teenagers in the rowboat, not two.

* The phone call from the distressed teenagers lasted about 12 seconds -- the 911 operator only heard that they were in a boat on Long Island Sound and were taking in water before the call was cut off.

* The correct thing for the 911 operator to have done was to have assigned the call to the police harbor unit.
  The operator did not know this information, so he or she went to the supervisor for guidance.

* All supervisors had previously received a notice clarifying what to do with marine distress calls -- but this supervisor apparently had forgotten about that and also didn't know what to do with the call.

* The supervisor is getting departmental charges, and could be demoted or dismissed.  The operator received a "letter of instruction" but was not otherwise disciplined.

* The cops claim that even if the harbor unit had been notified in time, with the scant amount of information available it was unlikely they would have found the boys in time.

More details at:
  http://www.nynewsday.com/news/local/wire/ny-bc-ny--missingteens0218feb18.story
And no doubt in other NYC-area daily newspapers.

Despite what the cops say, things might have been different if they had properly logged the call - for example, the calling number for the cell phone should have been recorded, and had the police looked for the owner of the cell phone they might have been able to find one of the boys' parents and gotten a better idea of what was going on.  However, given that the call was received on a frigid January evening, there probably wasn't much else that could be done until the next morning.

------------------------------

Date: Tue, 25 Feb 2003 07:47:39 -0800
From: Rob Slade
Subject: REVIEW: "Building Secure Wireless Networks with 802.11", Khan/Khwaja

BKBSWNW8.RVW   20030208

"Building Secure Wireless Networks with 802.11", Jahanzeb Khan/Anis Khwaja, 2003, 0-471-23715-9, U$40.00/C$62.95/UK#29.95
%A   Jahanzeb Khan
%A   Anis Khwaja
%C   5353 Dundas Street West, 4th Floor, Etobicoke, ON   M9B 6H8
%D   2003
%G   0-471-23715-9
%I   John Wiley & Sons, Inc.
%O   U$40.00/C$62.95/UK#29.95 416-236-4433 fax: 416-236-4448
%O   http://www.amazon.com/exec/obidos/ASIN/0471237159/robsladesinterne
     http://www.amazon.co.uk/exec/obidos/ASIN/0471237159/robsladesinte-21
%O   http://www.amazon.ca/exec/obidos/ASIN/0471237159/robsladesin03-20
%P   330 p.
%T   "Building Secure Wireless Networks with 802.11"

As with any hot topic, there are lots of people willing (eager!) to tell you about the security of wireless local area networks, without first making sure that they really know the subject.

Part one is an introduction to wireless LANs.  Chapter one is a history of networks, an outline of topologies (concentrating on cabling, interestingly enough), and a review of the TCP/IP (actually OSI [Open Systems Interconnection]) protocol stack.  The last page gives too little information for an exercise in setting up a home LAN.  Terms in regard to wireless technology are listed in chapter two, but the material is verbose without being informative.  The explanations given for spectrum multiplexing are unclear, and seem to be delivered by rote without any understanding.  The discussion does not build on that from chapter one to, for example, point out that ad hoc wireless networks are similar to bus topologies, while infrastructure networks are more akin to stars.  The various IEEE (Institute of Electrical and Electronics Engineers) 802.11 standards are listed in chapter three.  However, there is a great deal of material repeated from prior text (the discussion of spectrum is reprised almost word for word), and, other than some frequency and maximum bandwidth information, there is little additional detail.  (Repetition and duplication are rife throughout the book, as well as a good deal of space wasted with pointless figures and graphics.  On page 125 we are told that "The 40-bit shared key is concatenated with a 24-bit long initialization vector" and referred to figure 6.1.  Figure 6.1 tells us "Concatenated-Key = Shared-Key + IV."  Not very helpful.)
Chapter four is supposed to help you decide whether a wireless LAN is right for you, but only has some vague opining, a little content on wireless ISPs (Internet Service Providers: hardly suitable for LAN discussions), and almost no analysis or details.

Part two purports to emphasize secure wireless LANs.  Chapter five has random topics regarding network security.  Most of it is irrelevant to the specific needs of wireless situations or is not discussed in terms of the particular needs of wireless networks.  (Physically securing the components of a wireless LAN has some importance in overall security, but may be pointless if someone driving by can take over the network).  Securing the IEEE 802.11 wireless LAN is not reviewed well in chapter six.  There is more duplication of content, few details about WEP (Wired Equivalent Privacy), and some clear evidence of misunderstanding of the base technologies.  (If you are going to talk about 40 bit keys at the low level, higher level security should be 104, rather than 128, bit.  And a 128 bit key is *not* equivalent to 64 characters, in anybody's representation.)  When security aspects are discussed, often they relate to issues that are beyond the control of the user, such as moderation of signal strength.

Part three collects topics related to the building of secure wireless LANs.  Chapter seven is a simplistic overview of generic LAN planning.  Shopping for the right equipment is important, but the list of product specifications in chapter eight fails to address vital areas, such as driver availability, default key length, and the existence of default accounts.  More space is devoted to where you can buy equipment than how to evaluate it.  The installation instructions, in chapter nine, pretty much ignore security considerations.
Chapter ten supposedly deals with advanced wireless LANs, including security, but has little new material aside from screenshots of Microsoft Windows utilities with some relationship to VPNs (Virtual Private Networks).

Part four covers troubleshooting and maintenance.  Chapter eleven touches on a number of possible wireless connectivity problems.  A collection of text repeated from prior chapters is in chapter twelve.

There is a glossary included with the book.  It is quite limited, and, in particular, does not deal well with acronyms.  In fact, the book is full of TLAs (Three Letter Acronyms) and other abbreviations that get used before they are defined, and do not appear in either the glossary or the index.  This can be quite aggravating, particularly in cases where the acronyms aren't standard.  (The authors use "PHY" to refer to the physical layer of the OSI model, which is not commonly so represented in either communications or security literature.)

The text of the book is excessively padded with useless verbiage and irrelevant material.  The actual content pertinent to the security of wireless LANs is barely enough to fill a decent magazine article.  Overall, the book is poorly structured, limited in detail, and bloated with meaningless or repetitious content.

copyright, Robert M. Slade, 2003   BKBSWNW8.RVW   20030208

------------------------------

Date: 29 Mar 2002 (LAST-MODIFIED)
From: RISKS-request@csl.sri.com
Subject: Abridged info on RISKS (comp.risks)

 The RISKS Forum is a MODERATED digest.  Its Usenet equivalent is comp.risks.
=> SUBSCRIPTIONS: PLEASE read RISKS as a newsgroup (comp.risks or equivalent) if possible and convenient for you.  Alternatively, via majordomo, send e-mail requests to with one-line body
   subscribe [OR unsubscribe]
 which requires your ANSWERing confirmation to majordomo@CSL.sri.com .
 If Majordomo balks when you send your accept, please forward to risks.
   [If E-mail address differs from FROM:  subscribe "other-address " ; this requires PGN's intervention -- but hinders spamming subscriptions, etc.]
 Lower-case only in address may get around a confirmation match glitch.
   INFO     [for unabridged version of RISKS information]
 There seems to be an occasional glitch in the confirmation process, in which case send mail to RISKS with a suitable SUBJECT and we'll do it manually.
   .UK users should contact .
=> The INFO file (submissions, default disclaimers, archive sites, copyright policy, PRIVACY digests, etc.) is also obtainable from
   http://www.CSL.sri.com/risksinfo.html
   ftp://www.CSL.sri.com/pub/risks.info
 The full info file will appear now and then in future issues.
 *** All contributors are assumed to have read the full info file for guidelines. ***
=> SUBMISSIONS: to risks@CSL.sri.com with meaningful SUBJECT: line.
=> ARCHIVES are available: ftp://ftp.sri.com/risks or
   ftp ftp.sri.com
   login anonymous
   [YourNetAddress]
   cd risks
   [volume-summary issues are in risks-*.00]
   [back volumes have their own subdirectories, e.g., "cd 21" for volume 21]
   http://catless.ncl.ac.uk/Risks/VL.IS.html   [i.e., VoLume, ISsue].
   Lindsay Marshall has also added to the Newcastle catless site a palmtop version of the most recent RISKS issue and a WAP version that works for many but not all telephones: http://catless.ncl.ac.uk/w/r
   http://the.wiretapped.net/security/info/textfiles/risks-digest/ .
   http://www.planetmirror.com/pub/risks/
   ftp://ftp.planetmirror.com/pub/risks/
==> PGN's comprehensive historical Illustrative Risks summary of one liners:
   http://www.csl.sri.com/illustrative.html for browsing,
   http://www.csl.sri.com/illustrative.pdf or .ps for printing

------------------------------

End of RISKS-FORUM Digest 22.59
************************