The RISKS Digest
Volume 21 Issue 68

Monday, 8th October 2001

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Please try the URL privacy information feature enabled by clicking the flashlight icon above. This will reveal two icons after each link the body of the digest. The shield takes you to a breakdown of Terms of Service for the site - however only a small number of sites are covered at the moment. The flashlight take you to an analysis of the various trackers etc. that the linked site delivers. Please let the website maintainer know if you find this useful or not. As a RISKS reader, you will probably not be surprised by what is revealed…


Rocket plunges into Indian Ocean
New interest in network security
Another unitary transformation
Rodney Polkinghorne
AOPA's TurboMedicalsm eases medical application process
Richard Glover
Ham radios in the aftermath of 11 September 2001
Richard Murnane
11 Sep 2001: Risks of electronic surveillance
Gisle Hannemyr
Re: "The Risks Are Obvious"
Amos Shapir
Risks of bogus e-mail addresses "FROM: ObL"
Peter Wayner
Remote control of airliners
Steve Bellovin
Re: Oxygen tank kills MRI exam subject
Leonard X. Finegold
MS Front Page 2002 Licence Agreement
Alistair McDonald
Re: Creator of Kournikova virus gets 150 hours ...
Gene Berkowitz
Re: Hacker re-writes Yahoo!
Mark Hull-Richter
Trusted Computing, and Embedded and Hybrid Systems - new NSF programs
Wm Randolph Franklin
Computer Security Applications Conference + Advance Program
Jay Kahn
Info on RISKS (comp.risks)

Rocket plunges into Indian Ocean

<"Peter G. Neumann" <>>
Sat, 22 Sep 2001 09:01:03 -0700 (PDT)

On 21 Sep 2001, a Taurus rocket went off-course 83 seconds after launch.
Carrying an Orbital Imaging satellite, a NASA ozone-monitoring QuikTOMS
satellite, and the cremated remains of 50 people ($5300 each), the rocket
failed to reach its intended altitude and velocity despite an attempted
correction, resulting in loss of the payloads.  NASA's share of the cost was
estimated at $50M.  It was the second Orbital Sciences rocket lost in less
than four months.  [Source: AP item in, 22 Sep 2001, PGN-ed]

New interest in network security

<"NewsScan" <>>
Tue, 02 Oct 2001 08:39:44 -0700

Security companies are being deluged with business opportunities, and CEO
Peggy Weigle of the Internet security firm Sanctum explains, "Network
security used to be a necessary evil, but now it's a core value of
companies."  Doing security audits commissioned by 300 organizations, Weigle
found the results "scary" and said, "We could have stolen flight manifests,
personnel files, sensitive data... We could have easily gotten onto a flight
illegally."  Research firms Gartner and IDC predict that the network
security market in the U.S. will grow 20% to 24% a year between now and
2005.  [USA Today 2 Oct 2001; NewsScan Daily, 2 Oct 2001]

Another unitary transformation

<Rodney Polkinghorne <>>
Mon, 08 Oct 2001 10:14:17 +1000

Nature, the journal that told us about cold fusion, posts summaries of
recent physics papers at <>.  One of
these, "Bose, Einstein and chips," reads:

    On the atom chip, the magnetic potential minimum that confines
    the atoms is barely a millimetre or so wide, and it holds the
    condensate an ultracold cloud of around 1,600 rubidium atoms
    about 70-440 mm above the chip surface.

Or, as a read-source-ful scientist might discover:

    about 70&#150;440 <span class="symbol">m</span>m above the chip surface.

The online version of the article they are summarising [W. Hansel et al.,
Nature 413 p498 (2001)], gives the correct height of 70-440 micrometres.
The micro symbol is included in ISO 8859-1.

Unlike the ohm/watt confusion reported earlier (Rolph, RISKS-21.29 and
Peuhkuri, RISKS-21.33), millimetres and micrometres have the same
dimensions.  At least with SI you are always out by a factor of 1000 or
more, which readers of Nature should notice.  But given what you would have
to pay to see that page for yourself, you would think they could afford a
proof reader.

Rodney Polkinghorne

AOPA's TurboMedical(sm) eases medical application process

<Richard Glover <>>
Tue, 04 Sep 2001 09:50:24 -0700


AOPA's TurboMedicalsm eases medical application process, 24 Aug 2001

AOPA has launched a new, Web-based tool to help pilots prepare to obtain
their medical certificates. AOPA's TurboMedicalsm is the first of a series
of "intelligent" online forms to come from AOPA.  Pilots who use
TurboMedicalsm will be less likely to have FAA delay or deny the issuance of
their medical certificate.

"AOPA's Web site ( offers more resources to pilots than any
other aviation site on the Internet," said AOPA President Phil Boyer.
"TurboMedicalsm is an innovative way to use the Web to remove some of the
uncertainty of applying for a medical."

The innovative online form "interviews" the pilot to ensure that all of the
information on FAA's Form 8500-8 (application for an airman medical
certificate or student pilot certificate) is filled in correctly.

TurboMedicalsm checks the pilot's answers, and flags anything that might
cause problems in issuing a medical certificate.

"FAA's Aeromedical Certification Division is currently taking up to three
months to review medical applications," said Gary Crump, AOPA director of
medical certification. "Some 30 percent of those delays are caused by
simple errors on the application form."

TurboMedicalsm checks for those errors.

The online form takes pilots step-by-step through the 20 question areas on
the medical application form. For each question, the form explains exactly
what FAA is looking for and why it is asking the question. And there are
links to AOPA's expansive online medical data for more information.

The form provides advice on the best way to answer each question. For
example, TurboMedicalsm tells a pilot that it is usually best to apply for
the lowest class of medical that you actually need. Under FAA regulations,
even CFIs need just a Third-Class medical certificate to provide flight
instruction for compensation, although employers may require a higher class
of medical.

TurboMedicalsm is particularly useful in helping the pilot answer the
medication, medical history and medical visit questions.

When a pilot answers the question, "Do you currently use any medications?"
TurboMedicalsm checks the answer against AOPA's list of FAA-accepted drugs.
For example, TurboMedicalsm will tell a pilot that the popular
over-the-counter drug Benadryl is acceptable to FAA as long as the pilot
waits 24 hours after taking it before flying.

But if the drug isn't on the list, TurboMedicalsm will flag it and provide
links to more information. There is even a direct email link to AOPA's
medical experts so the pilot can ask specific questions.

If a pilot answers "yes" to one of the medical history questions,
TurboMedicalsm will search for key words in the explanation to be able to
provide more information to the pilot.

A pilot can skip a question and return to it later. TurboMedicalsm will
temporarily store the answers. A pilot can choose how long TurboMedicalsm
will store the answers.

Once a pilot has completed all of the questions, TurboMedicalsm will review
the form for completeness and accuracy. The pilot can then print out a copy
to take to the medical examiners office. Pilots should also keep a copy in
their personal records.

"TurboMedicalsm is an educational, self-help tool to help pilots prepare to
complete the medical form in the doctor's office," said Crump. "But for the
future, we're working on an 'FAA-approved' version of TurboMedicalsm that
you can complete online and email to your FAA designated medical examiner
prior to the examination."

The 375,000-member Aircraft Owners and Pilots Association is the world's
largest civil aviation organization. More than one-half of the nation's
pilots are AOPA members.

RISKS Comments:

1. I am no expert, but I question the assertion "All of a pilot's answers
on the TurboMedical(sm) form remain absolutely confidential. No one but the
pilot will ever have access to the medical information. Data is stored on a
secured server and data transmissions are encrypted." We have been told
*many times* in other contexts that certain medical data is confidential,
but absent a doctor-patient relationship, I think this is generally a very
tenuous assertion. I am pretty sure there is no doctor-patient relationship
created with this form.

2. "[D]ata *transmissions* are encrypted...." (emphasis added) is not
synonymous with "the data is encrypted." If the data is stored on a secure
server without encryption, it is still readable by anyone with access to
the machine. If the data is encrypted where it is stored, only the person
(with well-publicized exceptions) with the "keys" can access it. There is a
world of difference.

3. The data is stored on a secure server, but I really don't know what that
means. I think my IRS data is on a "secured server," but how many stories
do we see where that data has leaked out? Medical data is *far* more
sensitive to release than financial data, and I am less concerned with
interception in transit than I am with security breaches from the server
where the data is.

4. If data is stored "on a secured server" for a specific period of time,
what becomes of the routine backups made? Are they periodically destroyed?
If not, this information is probably obtainable indefinitely.

5. Are the links to the medications database stored? If I check on a
medication, is the fact I did so recorded? It probably is on my client, and
I wonder what "cookies" are employed.

6. I have not used the system (nor am I likely to), but I wonder what
"disclaimers" are associated with using it. This kind of information might
fall under the Fair Credit Reporting Act (which can have a very broad
reach), and a user might have to authorize far more than what is advertised.

The RISKS of this system far outweigh its usefulness. We need a machine to
tell us how to fill out a form? If you have medical issues, you discuss
them with your *doctor*, and he fills out a form. For a fee, of course, but
I for one, am willing to pay a reasonable fee for privacy.

Ham radios in the aftermath of 11 September 2001

<Richard Murnane <>>
Tue, 2 Oct 2001 11:25:10 +1000

As others have noted, the terrorist attacks of 11th September caused major
disruption to land-line and cellular phone communications. What hasn't been
widely reported is that 570 Amateur (ham) Radio operators from 35 states and
two Canadian provinces provided auxiliary radio communications to relief
agencies operating in the affected areas.

The lesson is that even the most modern communications technology can fail,
and that there is still value in having an independent communications
infrastructure, especially when it costs the community little or nothing to
maintain it.

Richard Murnane, Australian Amateur Radio station VK2SKY

11 Sep 2001: Risks of electronic surveillance

<Gisle Hannemyr <>>
Thu, 04 Oct 2001 12:34:35 +0200

In the aftermath of the September 11 terrorist attacks on the USA, a special
feature on automatic electronic surveillance (i.e. Echelon, Carnivore, spy
satellites, and all that) was broadcast by the BBC ClickOnline, hosted by
Stephen Cole, Sep. 22).

The feature included a lengthy interview with Dr. Kevin O'Brian of RAND
Europe about the failure of US intelligence to gather enough information to
pre-empt the attacks. Of particular interest to RISKS readers is the
following quote from Dr. O'Brian:

   "We've seen reports that they may have actually been spoofing or
    misdirecting intelligence services quite knowingly, and that they
    are aware of the fact that they could use the technology against
    the intelligence services by sending out false signals by sending
    out false reports and rumours, by using technology such as mobile
    phone communications or Internet messages to actually misdirect
    the intelligence services' gaze away from their attacks."

The risks are obvious: The over-reliance on massive computer-based automatic
systems for scanning and filtering that has characterised much of US
intelligence gathering in the post-soviet era can only be effective as long
as the bad guys are not aware of what you are doing. The simple fact that
computers systems are rule-based (and AI-systems exceedingly so) permit
enemy agents to play clever counter-intelligence games, where plotting the
response to certain stimuli can be used to "map out" in detail how an
automatic surveillance system will respond to diverse inputs and hence
"learn" how to misdirect the system on a massive scale.

A human-based intelligence system, in particularly a highly organized one,
is of course also vulnerable to this type of attack, but the rule-based
nature of an AI-based system makes the attack easier and more reliable

- gisle hannemyr ( - )

Re: "The Risks Are Obvious"

<Amos Shapir <>>
Thu, 20 Sep 2001 11:08:04 +0300

I first learned of the event by connecting to a local news site here, at
about 4 p.m. local time (which was 9 a.m. EDT).  At first try, the site was
down; when I finally got in and looked at the headline "Two Airliners crash
on NY's WTC" my first reaction (probably the result of reading too many
RISKS issues) was "they let their test page leak out as if it were real

It seems that this "this isn't happening" initial reaction was shared by
many, even some to whom this was actually happening.  This had never
happened before, and even though technically possible, the perceived risk of
its realization was considered unreal.

The main risk is, IMHO, of evaluating the relative costs and benefits of
preparing for an eventuality which, by our common sense, is very improbable;
while the perpetrators seem to be making their evaluations by a completely
different set of priorities and morals.  How do we apply "crazy logic" to
risk assessment?  When do we apply it, and how crazy can we get before
making the very notion of assessment senseless?

Amos Shapir, Sela Software Labs, Ltd.  14 Baruch Hirsch st., Bnei Brak
51202 ISRAEL  Tel: +972 3 6176037

Risks of bogus e-mail addresses "FROM: ObL"

<Peter Wayner <>>
Wed, 3 Oct 2001 14:11:16 -0400

Sincerely yours, *Not* Osama bin Laden?

A Filipino in Belgium ended up in jail after *receiving* a joke e-mail
seemingly from Osama bin Laden (but apparently from one of his friends),
asking to "stay with you for a couple of days."  The man was freed only
after a Catholic priest vouched for him as a regular attendee each Sunday.

  Ah, there's nothing like putting faith in identity, keyword scanning
  surveillance, and data stored in computers.

Remote control of airliners

<Steve Bellovin <>>
Mon, 01 Oct 2001 22:25:03 -0400

The Associated Press reported on a test of a remotely-piloted 727.  The
utility of such a scheme is clear, in the wake of the recent attacks;
to the reporter's credit, the article spent most of its space
discussing whether or not this would actually be an improvement.  The
major focus of the doubters was on security:

	But other experts suggested privately that they would be
	more concerned about terrorists' ability to gain control
	of planes from the ground than to hijack them in the air.

I'm sure RISKS readers can think of many other concerns, including the
accuracy of the GPS system the tested scheme used for navigation (the
vulnerabilities of GPS were discussed recently in RISKS), and the
reliability of the computer programs that would manage such remote control.

Re: Oxygen tank kills MRI exam subject (RISKS-21.67)

<"Leonard X. Finegold" <>>
Mon, 1 Oct 2001 23:29:14 -0400

  [Leonard X. Finegold, Physics, Drexel University (3141 Chestnut Street)
  Philadelphia PA 19104 U.S.A.  (215) 895-2740 (allow 5 rings)]

Volume 345:1000-1001, 27 Sep 2001, Number 13
Preventable Deaths and Injuries during Magnetic Resonance Imaging

To the Editor: In July, a six-year-old child undergoing magnetic resonance
imaging (MRI) in New York suffered a skull fracture and intracranial
hemorrhage after an oxygen tank that had been brought into the room was
pulled into the machine at high speed. He died two days later [1].
Undetected or misplaced metal objects have caused numerous injuries during
MRI. Twenty-four of 46 MRI facilities responding to a survey in 1999 (52
percent) reported the occurrence of MRI-related accidents [2].  Large
objects involved in such incidents included an intravenous-drug pole, a
toolbox, a sandbag containing metal filings, a vacuum cleaner, mop buckets,
a defibrillator, and a wheelchair, among others. Five incidents involving
oxygen or nitrous oxide tanks, one of which caused facial fractures, have
recently been reported [3].

To prevent such incidents, most imaging facilities currently provide safety
training to employees and administer patients a standardized questionnaire
about implants and other embedded foreign bodies before an MRI examination
is performed. Although these efforts prevent many injuries, they are
inherently limited. System-wide strategies to decrease the incidence of
serious errors are important.4 Safety interventions that work continuously
and automatically are generally far more effective than efforts to train
large numbers of employees or to enlist the assistance of large numbers of

The use of metal detectors over the doors of MRI examination rooms could
have prevented every one of the large metal objects listed above from being
brought into the MRI rooms and would have prevented the recent death in New
York. Highly sensitive walk-through metal detectors, such as those used in
airports, are available commercially for about $2,000 to $5,500 and require
minimal maintenance. By comparison, a typical MRI unit costs approximately
$1.3 million annually to operate and generates net revenues of $1.8 million
during use in more than 3000 patients, resulting in an annual net profit of
approximately $500,000 [5].  The cost of installing a metal detector could
thus easily be paid for with operating revenues. Factoring in liability
savings would further decrease real costs.

Metal detectors should not replace the screening protocols currently in use,
since the detectors may be insufficiently sensitive to detect small
implanted metal objects, such as aneurysm clips or cardiac pacemakers. Their
installation would, however, be an inexpensive, simple, and potentially
life-saving addition to current practice.

Christopher Landrigan, M.D., M.P.H.
Children's Hospital, Boston, MA 02115

1. Chen DW. Boy, 6, dies of skull injury during M.R.I. The New York
   Times. July 31, 2001:B1, B5.

2. Chaljub G, vanSonnenberg E, Johnson RF Jr. Accidents and
   incidents in MRI: a questionnaire. AJR Am J Roentgenol

3. Chaljub G, Kramer LA, Johnson RF III, Johnson RF Jr, Singh H, Crow
   WN. Projectile cylinder accidents resulting from the presence of
   ferromagnetic nitrous oxide or oxygen tanks in the MR suite. AJR Am J
   Roentgenol 2001;177:27-30. [Abstract/Full Text]

4. Kaushal R, Bates DW, Landrigan C, et al. Medication errors and adverse
   drug events in pediatric in-patients. JAMA 2001;285:2114-2120. [Medline]

5. Evens RG, Evens RG Jr. Analysis of economics and use of MR imaging units
   in the United States in 1990. AJR Am J Roentgenol, 1991;157:603-607.

MS Front Page 2002 Licence Agreement

<Alistair McDonald <>>
Fri, 21 Sep 2001 09:58:22 +0100

Slashdot reports that
the latest MS Front Page licence agreement prevents you from any
anti-microsoft Web content with it:

  "You may not use the Software in connection with any site that disparages
  Microsoft, MSN, MSNBC, Expedia, or their products or services ..."

I always click through licences these days, so I wouldn't have read it (not
that I'd install Front Page anyway), but what is the world coming to! Is
this legal in _your_ country?

Alistair McDonald	Bacchus Consultancy

  [UCITA (RISKS-21.27,45,41) seems to make this legal in those states in
  which UCITA has passed (at least Virginia and Maryland).  Incidentally,
  The Risks Forum tries to be an equal-disparager forum, but it is worth
  noting for the record that each issue is prepared using Gnu-emacs on
  Linux.  PGN]

Re: Creator of Kournikova virus gets 150 hours ... (RISKS-21.67)

<"Gene Berkowitz" <>>
Tue, 02 Oct 2001 00:15:41 -0400

  "... The American investigation service FBI reported an amount of $166.827
  in damages."  [Translation from Dutch]

Needless to say, I don't think the FBI calculated the damages to the nearest
tenth of a cent.  As is European custom, the period (.) is used as a thousands
separator, while the comma (,) is used as the decimal point.
So, is one hundred and sixty-six thousand dollars ($166,827) limited damage?

If so, Mr. De W.'s time is apparently worth over one thousand dollars per

--Gene Berkowitz

Re: Hacker re-writes Yahoo! (Stock, RISKS-21.67)

<Mark Hull-Richter <>>
Tue, 2 Oct 2001 11:56:13 -0700

Respected news outlets?  Respected by whom?  And since when does Yahoo! rate?

RISK: Assuming that there is such a thing as a "respected news outlet" and
that the "news" presented has some resemblance to news (i.e., unbiased
information) instead of the usual propaganda.

P.S.: Remember, the "liberal press" myth is dead and buried.

Mark Hull-Richter, Senior Programmer, Quest Software

Trusted Computing, and Embedded and Hybrid Systems - new NSF programs

<"Franklin, Wm Randolph" <>>
Fri, 14 Sep 2001 16:05:21 -0400

The Computer-Communications Research Division (C-CR) of the Computer and
Information Sciences and Engineering Directorate (CISE) of the US National
Science Foundation (NSF) is pleased to announce two new programs whose goal
is reducing the number of submissions to this valuable newsgroup,
comp.risks.  For each, the due date is 5 Dec 2001, and $4M-$6M may be
available to support 20-25 awards, subject to the usual caveats.

** Trusted Computing (TC), NSF 01-160,

TC seeks to establish a sound scientific foundation and technological basis
for managing privacy and security in a world linked through computing and
communication technology. This research is necessary to build the secure and
reliable systems required for today's and tomorrow's highly interconnected,
information technology enabled society. The program funds innovative
research in all aspects of secure, reliable information systems, including
methods for assessing the trustworthiness of systems.

** Embedded and Hybrid Systems (EHS), NSF-01-161,

Past research in embedded systems has focused primarily on
resource-impoverished computational environments: algorithms and software
that must execute on memory-, processing-, and power-constrained
processors. The computational design was simple and synchronous to maximize
effective operating rates, and a great deal of design effort went into
optimizing performance under these conditions. As processing speed and data
capacity have increased and demands for automation have expanded, the nature
of the problem has changed. Now, hard and soft real-time processes must
interact, and they may be required to share the same resources. Applications
such as distributed control demand communication, which introduces
variability in operation. A scientific foundation currently is lacking for
systematic development and integration of physical and computational
components in embedded systems. This lack is particularly severe for
increasingly complex, distributed embedded systems. Empirical reports show
that relying on brute-force testing for verification and validation of
software for modern embedded systems can push certification costs to at
least half the total cost of the software.  Scientific principles and
supporting technology are needed to assure that requirements are met during
development of software-based systems, in order to reduce the cost of
evaluating dependability and certifying that a system is fit for
operation. NSF investment is critical to sustain, adapt, and expand the
National research and development capacity in embedded systems.

I am your humble scribe for the programs' officers, who are:

* Dr. Helen Gill,  Program Director, CISE, C-CR, 1145,

* Ms. Carmen Whitson, Associate Program Director, CISE, C-CR, 1145,

Please contact them for more info.

Wm Randolph Franklin, Program Director
Numeric, Symbolic, and Geometric Computation, CISE/C-CR. Room 1145
National Science Foundation, 4201 Wilson Blvd, Arlington VA  22230
  1-703-292-8912, fax: 703-292-9059  email: WFRANKLI@NSF.GOV

Relevant due dates:, FY02: Regular NSG:  Nov 5.
Large ITR preproposals: Nov 9, Medium ITR: Nov 13, Small ITR: Feb 7.

Computer Security Applications Conference + Advance Program

<Jay Kahn <>>
Sun, 30 Sep 2001 22:20:49 -0400

17th ACSAC, 10-14 Dec 2001, New Orleans, Louisiana, USA.

The 17th ACSAC Committee is pleased to announce the availability of the
Advance Program for the 17th Annual Computer Security Applications
Conference (ACSAC) on our web site at  The Advance
Program is available in HTML for web viewing and also in PDF format for
downloading and printing.  If you need a hard copy of the Advance Program,
please send your name and mailing address to, and
we'll mail you a copy.

Please report problems with the web pages to the maintainer