precedence: bulk Subject: Risks Digest 22.72 RISKS-LIST: Risks-Forum Digest Saturday 10 May 2003 Volume 22 : Issue 72 FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks) ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator ***** See last item for further information, disclaimers, caveats, etc. ***** This issue is archived at http://catless.ncl.ac.uk/Risks/22.72.html and by anonymous ftp at ftp.sri.com, cd risks . Contents: Software bug sent Soyuz off course (Tom Van Vleck) Microsoft admits Passport was vulnerable (Monty Solomon) E-mail hoax at University of Maryland (Paul Kafasis) Pair held in plot to steal thousands of identities (Monty Solomon) "Jeff Jackboot" -- more spelling-checker follies? (Daniel P. B. Smith) Misquoting Google (Monty Solomon) T-Mobile Hotspot uses SSN for passphrase (Conrad Heiney) Making it harder for prying eyes (Monty Solomon) Re: Friendly Fire (Matt Jaffe) Re: Patriots and Friendly Fire (Peter B. Ladkin) Re: OpenBSD release protects against buffer-overflow attacks (Jeremy Ardley) Re: Pilots fail exams (Don Lindsay, Vince Mulhollon, Toby Gottfried) Abridged info on RISKS (comp.risks) ---------------------------------------------------------------------- Date: Mon, 5 May 2003 19:42:58 -0400 From: Tom Van Vleck Subject: Software bug sent Soyuz off course A mysterious software fault in the new guidance computer of the Soyuz TMA-1 spacecraft was the cause of the high-anxiety off-course landing over the weekend, NASA sources tell MSNBC.com. ONCE IDENTIFIED, the error should be easy to fix in the computer of the Soyuz TMA-2, which is now attached to the International Space Station to provide the new two-man crew with a way to return to Earth..." [Source: James Oberg, NBC News Space Analyst, 5 May 2003] http://www.msnbc.com/news/909677.asp [I like that "should." THVV] [Also noted by James Paul and Nancy Leveson. PGN] [The autopilot suddenly reported it had ``forgotten where it was and which way it was headed'' -- whereupon it switched to backup. The result was a twice-as-rapid deceleration and premature landing. PGN] ------------------------------ Date: Fri, 9 May 2003 01:42:20 -0400 From: Monty Solomon Subject: Microsoft admits Passport was vulnerable Muhammed Faisal Rauf Danka, a computer researcher in Pakistan discovered how to breach Microsoft Corp.'s security procedures for its popular Internet Passport service, designed to protect customers visiting some retail Web sites, sending e-mails and in some cases making credit-card purchases. Microsoft acknowledged the flaw affected all its 200 million Passport accounts but said it fixed the problem early Thursday, after details were published on the Internet. Product Manager Adam Sohn said the company was unaware of hackers actually hijacking anyone's Passport account, but several experts said they successfully tested the procedure overnight. In theory, Microsoft could face a staggering fine by U.S. regulators of up to $2.2 trillion. Under a settlement with the Federal Trade Commission last year over lapsed Passport security, Microsoft pledged to take reasonable safeguards to protect personal consumer information during the next two decades or risk fines up to $11,000 per violation. The FTC said it was investigating this latest lapse. The agency's assistant director for financial practices, Jessica Rich, said Thursday that each vulnerable account could constitute a separate violation _ raising the maximum fine that could be assessed against Microsoft to $2.2 trillion. ... [Source: Ted Bridis, Associated Press, 8 May 2003] http://apnews.excite.com/article/20030508/D7QTDPQ03.html http://finance.lycos.com/home/news/story.asp?story=34127595 ------------------------------ Date: Sun, 4 May 2003 13:28:07 -0400 From: "Paul Kafasis" Subject: E-mail hoax at University of Maryland It appears that a gaping security hole at the University of Maryland led to an unexpected "canceling" of classes for Friday, April 11th. One or more students sent an e-mail to an address on campus which sent out to 3500 students and had no protection on it. From speaking to students at the school, it appears that they were signed up for an e-mail list without their knowledge, a list which accepted submissions from anywhere. Thursday night (4/10), they began receiving confusing e-mails from each other, trying to unsubscribe from the list. Before the OIT department shut it down, a virus and a hoax e-mail canceling classes for the following day due to "budget cuts" had been sent out. The culprits even went so far as to spoof the format of other letters sent out campus wide, as well as the headers and reply-to address. As their OIT spokewoman said: "E-mail is one of the most easily forged or compromised mediums," she said. "Always verify anything that looks suspicious or strange." Of course, if the students are correct that this was an open list sending mail to 3500 people, they were just asking for trouble. http://www.inform.umd.edu/News/Diamondback/archives/2003/04/14/news2.html It looks like the culprits were making a Catch-22 reference to Colonel Cathcart, but no one at the school got it. I found that to be the funniest part of the article. ------------------------------ Date: Mon, 5 May 2003 01:07:26 -0400 From: Monty Solomon Subject: Pair held in plot to steal thousands of identities Federal authorities have arrested an Irvington, New Jersey, man and woman who allegedly schemed to steal the identities of as many as 3,700 clients at one of the nation's largest mortgage companies. FBI agents found credit reports, fake licenses, and recently purchased high-tech equipment. Each bore the names of customers at Weichert Financial Services, the Morris Plains-based company that operates as a partner to Weichert Realtors. One of the suspects has worked as an administrative assistant for the company since May 2001. A federal complaint released yesterday said she and her roommate used a high-speed Internet connection from their home to access more than 500 credit reports of Weichert clients between 11 Jan and 7 Feb 2003. [Source: Article by John P. Martin, Feds charge Irvington couple used the Internet to illegally access credit reports from mortgage firm, *Newark Star-Ledger*, 2 May 2003; PGN-ed] http://www.nj.com/news/ledger/jersey/index.ssf ?/base/news-3/1051857944181440.xml ------------------------------ Date: Sat, 03 May 2003 20:10:18 -0400 From: "Daniel P. B. Smith" Subject: "Jeff Jackboot" -- more spelling-checker follies? Googling for news, I ran across an opinion piece in an Australian publication by someone styling himself "Jeff Jackboot." This didn't sound like a real surname, and I assumed it to be some kind of curious nom de plume. The dictionary meanings of "jackboot" are "a stout military boot that extends above the knee," "a person who uses bullying tactics, especially to force compliance," and "the spirit sustaining and motivating a militaristic, highly aggressive, or totalitarian regime or system," and I wondered why this columnist would want readers to make such associations. On reading further, the piece seemed oddly familiar... and Jeff Jackboot was identified as "a columnist with *The Boston Globe*." I suddenly realized that this was, in fact, *Globe* columnist Jeff Jacoby. The Age has not answered my e-mail inquiry about the error. I suspect this was probably a spelling-checker error, although my copy of Microsoft Word does not not make this correction. http://www.theage.com.au/handheld/articles/2003/04/25/1050777406269.htm (or just do a Google search for "Jeff Jackboot") ------------------------------ Date: Sun, 4 May 2003 11:45:08 -0400 From: Monty Solomon Subject: Misquoting Google Posted, May. 1, 2003 Updated, May. 2, 2003 Misquoting Google By Jonathan Dube MSNBC Sr Producer CyberJournalist.net Publisher Google has become such a part of our culture that writers often quote how frequently a name or phrase appears in a Google search as an indicator of popularity. Unfortunately, more often than not, the numbers published are completely wrong. Here are a few examples of Google hit counts being cited in publications within the past month. Before you read on, do a search for each of these yourself and see if you can figure out if they're in the ballpark or way off: A Google search for the phrase "Iraq war" returns 3.2 million hits. -- *The Raleigh News & Observer* "The best defense is a good offense." That favorite saying of heavyweight champion Jack Dempsey gets a half-million hits on Google... -- *The New York Times* The phrase "geopolitical climate" is a favorite among market commentators. A Google search found 1,410 mentions of it. It makes me feel important to use it. -- *The Motley Fool* A search on the Google search engine under "boycott American products" found 117,000 page hits. -- UPI Most people, when doing searchs, fail to put their terms in quotes. Searching for Iraq War will give you more than 3 million pages, because Google is searching for any pages that have the words Iraq and War in them, in any order. Searching for "Iraq War" will give you about 635,000, because Google is only looking for the exact phrase. Pulitzer-prize winner Bill Dedman, who runs PowerReporting.com and alerted me to The New York Times' goof listed above, points out another problem with not using quotes: Google ignores common words in most searchs. http://www.poynter.org/column.asp?id=32&aid=32072 [Ah, yes! We have noted this problem here before. PGN] ------------------------------ Date: Thu, 8 May 2003 16:20:34 -0700 From: "Conrad Heiney" Subject: T-Mobile Hotspot uses SSN for passphrase I just signed up for T-Mobile Wireless' "Hot Spot" service, which provides wireless Internet access via Starbucks Coffee, Borders Books, and many other semi-public places in the U.S. As a current T-Mobile telephone subscriber I was given a good deal. I was also given a user name and a passphrase, neither one of which can be changed. The user name is my telephone number and the pass phrase is the last four digits of my social security number. The obvious RISK of using the phone number and SSN in this manner is pretty awful (identity theft, etc.) but what's also quite funny is that those are the two things you need to identify yourself to T-Mobile for any other purpose, too. Try again, guys. Conrad Heiney conrad@fringehead.org http://fringehead.org ------------------------------ Date: Mon, 05 May 2003 20:52:33 -0700 From: Monty Solomon Subject: Making it harder for prying eyes A bill in the California state legislature would protect the anonymity of Internet users by requiring Internet service providers to send customers copies of subpoenas seeking to learn their identities. If passed, California's Internet Communications Protection Act would become the second state law requiring that consumers be alerted when an ISP is issued a subpoena to find out an anonymous Internet user's true identity. Virginia passed a similar statute last year. The debate over anonymous online speech has heated to a boil in recent years, with companies and individuals increasingly seeking to have ISPs and Web publishers subpoenaed to learn the names of online critics and people suspected of copyright violations. Yahoo alone expects to receive 600 civil subpoenas this year -- a 50 percent jump from 2002. Such requests seek a variety of personal information about Internet users, including full names, Social Security numbers, home addresses and pseudonyms they've used online. The California legislation would require ISPs to send copies of civil subpoenas to their customers by registered mail within 14 days of receiving them. If the customer decides to fight the request, he or she would have 30 days to serve both the ISP and the issuing party with written copies of the objection. ISPs that fail to comply with the act could be sued by their customers. Source: Article by Julia Scheeres, New California law regarding anonymous customer information, 5 May 2003; wired.com http://www.wired.com/news/politics/0,1283,58720,00.html ------------------------------ Date: Wed, 07 May 2003 06:54:25 -0700 From: Matt Jaffe Subject: Re: Friendly Fire (Vorbrueggen, Risks-22.71) Perhaps I can shed some additional light on the points Mr. Vorbrueggen makes. This subject was touched on quite a while ago in RISKS-08.74, but I think more emphasis was placed there on the problems with the modes and codes than on this discussion of altitude. Although related, the issues are different enough to perhaps warrant some additional discussion here. The first point to clarify here is that at the time of the Vincennes shoot down, Aegis almost certainly did not display vertical rate or vertical acceleration data to its operators. (The original HMI design as of the EDM-3C PDR in the mid 1970's did not provide that data; of that I am certain.) It displayed computed altitude only (not rate). We debated that issue (adding a vertical rate [but not acceleration] indicator to some of the operational displays) quite heatedly during the design phase for the original Aegis human-machine interface. It was no casual oversight that it was omitted. The reason for the omission was essentially as Mr. Vorbrüggen notes: "These values, derived as they [would have to have been] from noisy measurements, [would have been] notoriously unreliable." Since the "rawer" (not by any means raw) initial altitude estimates were intrinsically noisy, a timely display of vertical rate would thus be intrinsically unstable ("It's climbing; no, its descending; no, now it's climbing again; no, now it's descending ... .") and a more stable estimate requiring extensive filtering/damping would be too sluggish of response to be tactically useful. ("Oh, Captain, you'll undoubtedly be pleased to know that the missile that hit us 30 seconds ago was dropped from an aircraft that we now know was descending, not level, when it launched.") With regard to Mr. Vorbrüggen's comment about error bars: In those prehistoric days, neither the main PPI nor the auxiliary data readout CRT had graphics, color coding, or font variation capabilities. (I think we were on the old AN/UYA-4/OJ-194 series at the beginning). Had we decided (as, after extensive debate, we did not) to provide a vertical rate display, we surely then would have considered generalizing from the old Naval Tactical Data System 2-dimensional track quality indicator (that I believe we retained in 2-D form) to provide a quality indicator for vertical domain data; but there would have been little utility in so doing: At the ranges where the difficult tactical decisions got made, the altitude data (and hence even more so any derived vertical rate estimate) would always have been of the same unvaryingly poor quality. Using scarce tactical display real estate to display such essentially constant information ("low quality vertical rate") would not seem good HMI design. Overall, after many years, I think the conclusions that I stated in RISKS-08.74 still stand (the interested reader is referred to the RISKS archives): Although the expression is overused these days, the fog of war is very real and there will always be intrinsic limitations on our ability to design systems (including their organizational and procedural aspects) to aid in penetrating it. To put such systems into play in ambiguous environments is to risk catastrophe. But *that* of course, is a political decision, not a technical, organizational, or operational one. http://backoff.pr.erau.edu/jaffem ------------------------------ Date: Tue, 06 May 2003 13:03:56 +0200 From: "Peter B. Ladkin" Subject: Re: Patriots and Friendly Fire Friendly Fire incidents during armed hostilities have been discussed in Risks-22.65 (Paul, PGN), -22.66 (Tyson), -22.67 (Eachus, Russ, Youngman), -22.68 (Ladkin, van Meter, Guaspari), -22.69 (Ladkin, Goodall), much of it concerning the statistics and the interpretation thereof. There were in total three friendly fire incidents in the 2003 Iraq War that we know about in which Patriot surface-to-air (SAM) missile systems are implicated. A UK Royal Air Force Tornado GR4 was shot down by a Patriot on 23 March [1]. On 24 March, a Patriot radar "locked on" to a USAF F-16CJ. The F-16 destroyed the Patriot battery with an anti-radiation (HARM) missile [1]. In a third incident, in which a US Navy F/A-18C was shot down by a SAM, US Central Command confirmed that a Patriot is suspected [2]. The US Department of Defence's technology chief say that there is a requirement to look at new technology to help prevent friendly fire incidents [3]. Concerning the varying statistics on friendly fire and their interpretation, Col. (ret.) Scott Snook, in his book referenced in my Risks-22.68 note, remarks that 24% (35 out of 148) of all U.S. combat fatalities in the first Gulf War were caused by friendly fire ([4], p11). The 24% figure was repeated by William Safire in his Language column in the International Herald Tribune of 5 May, 2003 [5]. This precision contrasts with the undefined 5% figure of the US Army FM 100-14 which I mentioned in my Risks-22.69 note. Safire mentions that "In Gulf War II, the rate of [friendly fire] battle deaths dropped to 8 per cent ...." [5] There are a number of different phrases used for combat damage caused by one's own side. Safire found a first use of "friendly fire" in an NYT article on April 3, 1944. He mentions that the term "fratricide", seemingly preferred by the military nowadays, "emerged in the press in the '80s." He notes that there has not yet been a sororicide [5]. It has been called "amicicide" (semantically a more appropriate phrase) by C.R. Shrader in the title of a 1982 book [6]. Flight International has used the phrase "blue on blue" [2,3]. In war games, Safire explains, "friendly" forces are known as "blues", and "enemy" forces as "reds". References [1] Accidents Take Their Toll, Flight International, 1-7 April 2003, p6. [2] Flight International, Patriot under fire for second error, 8-14 April 2003, p10. [3] Flight International, Science could prevent friendly fire, 15-21 April 2003, p8. [4] Scott A. Snook, Friendly Fire: The Accidental Shootdown of U.S. Black Hawks over Northern Iraq, Princeton University Press, 2000. Details at http://pup.princeton.edu/titles/6847.html [5] William Safire, Of severe/acute: Is the acronym SARS redundant? International Herald Tribune, 05 May 2003, available from http://www.iht.com/ihtsearch.php?id=95223&owner=(NYT)&date=20030505130338 [6] C. R. Shrader, Amicicide: The Problem of Friendly Fire in Modern War, Fort Leavenworth, Kansas: U.S. Army Command and General Staff College Press, 1982. Peter B. Ladkin, University of Bielefeld, Germany http://www.rvs.uni-bielefeld.de ------------------------------ Date: Sun, 4 May 2003 14:30:51 +0800 From: "Jeremy Ardley" Subject: Re: OpenBSD release protects against buffer-overflow attacks (R 22-71) It is commendable that the FreeBSD group is doing protecting against buffer overflow attacks. What is not so apparent is why technology that was developed and operating over 30 years ago is just being re-invented in software. The Burroughs 6700 implemented a hardware solution to the problem by assigning 3 bits of very 51 bit memory location to the type of data contained. Memory that was tagged as data could not be executed. The result was that no stack overflow attack was possible. Today's Intel based fix is appears to be a hack to work around a deficient architecture. The question that arises is why the architecture of today ignores the solid groundwork or previous years? [Because mass-market operating systems don't use the protection that is available in today's hardware. Note that Multics had a similar execute bit solution in 1965 that prevented execution of data. Executable attachments are clearly an abomination. PGN] ------------------------------ Date: Sun, 4 May 2003 00:37:11 +0000 (GMT) From: Don Lindsay Subject: Re: Pilots fail exams (RISKS-22.71) > The pilots couldn't pass the psychological and physical tests to be > allowed to carry a firearm --- but flying huge planes full of people is > OK. Oh, this makes so much sense! The risks should be obvious. Indeed, it does make sense. It would be risky so assume that one skill set implies another. The two domains (commercial piloting and inflight weapons use) do have some things in common. Both require the ability to learn procedure, and both require efficient action under stress. But they differ significantly. Piloting involves relatively few interpersonal skills, whereas the use of weapons requires judgments of motive and threat, discrimination of perpetrators from hostages, and the like. Also, piloting can be done safely by a bigot, but you don't give police powers to someone who feels that everyone in a particular ethnic group is better off dead. Some people are so nervous about weapons that their hand shakes, and they can't hit the broad side of a barn door. And so on. I'm pleased that domain-specific testing was applied. [Also commented on by Bill Hopkins. PGN] ------------------------------ Date: Mon, 5 May 2003 09:03:48 -0500 From: "Vince Mulhollon" Subject: Re: Pilots fail exams (RISKS-22.71) The belief that carrying a gun and flying an airplane are the same is a false analogy. That makes irrelevant the implication that failures of the gun program are bad pilots. I can think of several examples which would disqualify a pilot carrying a gun, but not flying a plane. As for failing the background check, a income tax cheater could be a felon, and felons can't carry. But, an income tax cheat could be an excellent, safe pilot. As for failing psychological tests, what about a conscientious objector? If a pilot learns during training, that they cannot take a human life, there is no point in giving them a weapon. A pilot whom is unwilling to kill is probably an otherwise safe pilot. As for physical test failures, the impact load of a pistol is more intense than any other physical task required to fly an airplane. If someone has experienced stress fractures in their arm or wrist in the past, it would be dumb to give them a .45, as after they shoot the hijacker, they'd likely break their arm again, and then be unable to fly the plane. Or, as an chronic issue, good marksmanship requires regular training, and someone with tendonitis or carpal tunnel should probably not aggravate those problems by regular firearms practice, although the low impact task of flying may be perfectly safe. Finally as for marksmanship training, the ability to get a bullseye has no relation to piloting ability. ------------------------------ Date: Mon, 5 May 2003 08:27:57 -0700 From: "Toby Gottfried" Subject: Re: Pilots fail exams (RISKS-22.71) "Officials said the four rejections showed that the government was serious about providing guns only to pilots who were psychologically and physically fit to carry firearms in flight and defend their planes against attackers." Can we presume, then, that these four would not be allowed to fly as co-pilots with another pilot who had passed the tests and was armed ? ------------------------------ Date: 29 Mar 2002 (LAST-MODIFIED) From: RISKS-request@csl.sri.com Subject: Abridged info on RISKS (comp.risks) The RISKS Forum is a MODERATED digest. Its Usenet equivalent is comp.risks. => SUBSCRIPTIONS: PLEASE read RISKS as a newsgroup (comp.risks or equivalent) if possible and convenient for you. Alternatively, via majordomo, send e-mail requests to with one-line body subscribe [OR unsubscribe] which requires your ANSWERing confirmation to majordomo@CSL.sri.com . If Majordomo balks when you send your accept, please forward to risks. [If E-mail address differs from FROM: subscribe "other-address " ; this requires PGN's intervention -- but hinders spamming subscriptions, etc.] Lower-case only in address may get around a confirmation match glitch. INFO [for unabridged version of RISKS information] There seems to be an occasional glitch in the confirmation process, in which case send mail to RISKS with a suitable SUBJECT and we'll do it manually. .UK users should contact . => The INFO file (submissions, default disclaimers, archive sites, copyright policy, PRIVACY digests, etc.) is also obtainable from http://www.CSL.sri.com/risksinfo.html ftp://www.CSL.sri.com/pub/risks.info The full info file will appear now and then in future issues. *** All contributors are assumed to have read the full info file for guidelines. *** => SUBMISSIONS: to risks@CSL.sri.com with meaningful SUBJECT: line. => ARCHIVES are available: ftp://ftp.sri.com/risks or ftp ftp.sri.comlogin anonymous[YourNetAddress]cd risks [volume-summary issues are in risks-*.00] [back volumes have their own subdirectories, e.g., "cd 21" for volume 21] http://catless.ncl.ac.uk/Risks/VL.IS.html [i.e., VoLume, ISsue]. Lindsay Marshall has also added to the Newcastle catless site a palmtop version of the most recent RISKS issue and a WAP version that works for many but not all telephones: http://catless.ncl.ac.uk/w/r http://the.wiretapped.net/security/info/textfiles/risks-digest/ . http://www.planetmirror.com/pub/risks/ ftp://ftp.planetmirror.com/pub/risks/ ==> PGN's comprehensive historical Illustrative Risks summary of one liners: http://www.csl.sri.com/illustrative.html for browsing, http://www.csl.sri.com/illustrative.pdf or .ps for printing ------------------------------ End of RISKS-FORUM Digest 22.72 ************************