The Risks Digest

The RISKS Digest

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Volume 21 Issue 17

Tuesday 26 December 2000


Martin Minow
Australian Ansett B767 fleet grounded due to maintenance breaches
Mike Martin
Interference forces RAF to abandon ILS
David Kennedy
Risks of automatic firmware upgrades
Marc Roessler
IBM and Intel push copy protection into ordinary disk drives
John Gilmore
CERT's ActiveX security report
Richard M. Smith
Privacy/quality risks in Quicken Online Billing
Clay Jackson
Credit report lists ex-spouse's address
Beth Roberts
Wanna know my salary ?
John C Haselsberger
Re: Spam as a denial of service attack?
Steve Wildstrom
Armageddon scenario near-miss
Scott Rainey
Info on RISKS (comp.risks)

Martin Minow

<"Peter G. Neumann" <>>
Tue, 26 Dec 2000 15:18:39 PST

It is with deep sadness that we note here the sudden passing of Martin Minow
last Thursday.  He was a long-standing, noble, insightful contributor to
RISKS, dating back to Volume 1, number 33, on 1 Jan 1986.  A quick search
shows that he had 172 messages in RISKS over the past 15 years, including
translations of some otherwise inaccessible news items that appeared in
Swedish sources.  He was a delightful person, and will be sorely missed by
many of us.  Thanks to all of you who forwarded the e-mail message from his

Greg Marriott <> added URLs for Martin's Web pages:


Australian Ansett B767 fleet grounded due to maintenance breaches

<"mike martin" <>>
Sun, 24 Dec 2000 08:52:40 +1100

On 23 Dec 2000, Ansett Airlines, Australia's second national airline,
grounded six of its fleet of seven B767-200 aircraft (its largest domestic
aircraft) when "it realised that important maintenance inspections had not
been carried out". (The seventh aircraft was already out of service for
maintenance.) See and

This, at perhaps the busiest travel weekend of the year, and when Ansett has
been steadily losing market share to Qantas. Oddly enough, while this
inconvenienced thousands of passengers, it was reported that only 18 flights
were cancelled (what do these aircraft do all day then?).

It appears that a mandatory 25,000-cycle maintenance check was completely
overlooked, but the good news (if true) is that an Ansett spokesperson was
reported by the Australian ABC network as saying that "the decision to take
the aircraft out of service was entirely [Ansett's] own". So, if there were
risks introduced by cost cutting or other measures by management of Ansett,
owners Air New Zealand, or part shareholder Singapore Airlines, the system
corrected itself.

Albeit, likely with huge commercial pain. One Ansett customer was quoted by
the *Sun Herald* Sunday newspaper as saying, "I haven't flown Ansett for 20
years and it's only now that I remember why."

While there is no reason to consider that Australian airline travel is more
risky than it used to be, the landing of a Qantas B747 in a Bangkok golf
course last year
was the first of a number of breakdowns of types we have not hear about
before.  Earlier this year, the new Sydney Airport control tower was blacked
out by electrical supply failures twice within a few days. The result was
short term chaos.

Last week the control tower was evacuated due to smoke from burning computer
equipment. However, backup procedures cut in quickly and the old control
tower took over.


Positive... I think.

It seems that maybe organisations are becoming more transparent about risks,
and improving measures to deal with them. While passengers inconvenienced by
the Ansett grounding might have a different view, it was, from the
information publicly available, a brave decision.

Even so, the threads at abound with contrary suspicions.
Neither the regulator, Civil Aviation Safety Authority Australia, nor the
Australian Transport Safety Board has yet posted any comment on the event on
their web sites.

We shall see.

Mike Martin, Sydney

Interference forces RAF to abandon ILS

<David Kennedy CISSP <>>
Tue, 26 Dec 2000 13:50:33 -0500

RAF to abandon faulty landing system, by Mark Henderson, science correspondent
excerpted from,,2-58265,00.html

  ROYAL AIR FORCE pilots will stop using a bad-weather navigation system
  from January 1 because new commercial radio frequencies have made it
  unreliable, the Ministry of Defence said yesterday.  Pilots of military
  planes and helicopters fitted with the Instrument Landing System (ILS)
  will not be allowed to use it to land in poor weather in the new
  year. Instead they will have to ask air traffic controllers to talk down
  their flights.

o Commercial FM growth cited as cause.

o Commercial ILS on different frequencies has not been affected.

o Affected aircraft are Nimrod reconnaissance and search and rescue
helicopters.  RAF transport a/c have already been upgraded and tactical
aircraft do not use ILS.

  "There is no operational impact whatsoever," a ministry of Defense
  spokeswoman said. "It is a worldwide problem which affects all countries."
  "New landing assistance systems use more reliable technology, such as
  global positioning satellites, which are not affected by radio
  frequencies. ILS can also be disrupted by signals from mobile telephones."

Dave Kennedy CISSP Director of Research Services TruSecure Corp.

Risks of automatic firmware upgrades

<Marc Roessler <>>
Fri, 22 Dec 2000 18:11:30 +0100

In 1992 (RISKS-14.06), David Honig reported that a "certain
very-popular-workstation-tape-storage-device will reload its firmware upon
finding a firmware-reconfiguration tape within its maw upon power-cycling."

Funny how history keeps repeating.. seems the same technique is now used
for upgrading the firmware of dolby digital sound processors. Those are
used in movie theaters for processing the stream of digital data which is
read optically from the 35mm film.


  [..] Moreover, updates to the audio coding used for Dolby Digital
  soundtracks, which are included from time to time right on Dolby Digital
  release prints, download automatically into the CP500 the first time such
  a print is played in the cinema. [..]

In a German discussion forum dedicated to the projection of cinema movies
( on 9 Nov 2000, the following was
posted by Stefan Mueller:

(translated from German)

  The trailer of "Billy Elliott" has got some nasty bug: If the trailer is
  being cut right behind start mark three, the CP500 will do a software
  reset with data upload as the trailer runs through the machine. Either
  Dolby Digital crashes completely or the Cat 673 is set to factory default,
  which means setting the digital soundhead delay to 500 perforations,
  i.e. the digital sound lags 5.5 seconds behind the picture. [..]

Nice, isn't it?

Concerning David Honig's report: I own a streamer which seems to have been
built in 1995 (same company? maybe same streamer?), and according to the
manual it has this "feature", too. Though no power-cycling is necessary, the
firmware upgrade will happen right after inserting the "Firmware Upgrade
Tape" into the drive. I guess this barrier (the need to power-cycle the
device) was removed for better user friendliness.. (or it is some different
kind of streamer and it never had this barrier, which is just as bad).  I
won't go into the evil details of what to do to a streamer's firmware in
order to maximize the devastating effect as i am sure you all can make up
some nice ideas yourself.

It seems this "auto-firmware-upgrade" feature is making its way in more
and more products. I just can't wait for cars to be firmware upgraded by
refueling them at the gas station. *irony*

IBM and Intel push copy protection into ordinary disk drives

<John Gilmore <>>
Thu, 21 Dec 2000 13:16:03 -0800

  [From; Source:
  Stealth plan puts copy protection into every hard drive]

*The Register* has broken a story of the latest tragedy of copyright mania
in the computer industry.  Intel and IBM have invented and are pushing a
change to the standard spec for PC hard drives that would make each one
enforce "copy protection" on the data stored on the hard drive.  You
wouldn't be able to copy data from your own hard drive to another drive, or
back it up, without permission from some third party.  Every drive would
have a unique ID and unique keys, and would encrypt the data it stores --
not to protect YOU, the drive's owner, but to protect unnamed third parties

The same guy who leads the DVD Copy Control Association is heading the
organization that licenses this new technology — John Hoy.  He's a
front-man for the movie and record companies, and a leading figure in the
California DVD lawsuit.  These people are lunatics, who would destroy the
future of free expression and technological development, so they could sit
in easy chairs at the top of the smoking ruins and light their cigars off

The folks at Intel and IBM who are letting themselves be led by the nose are
even crazier.  They've piled fortunes on fortunes by building machines that
are better and better at copying and communicating WHATEVER collections of
raw bits their customers desire to copy.  Now for some completely
unfathomable reason, they're actively destroying that working business
model.  Instead they're building in circuitry that gives third parties
enforceable veto power over which bits their customers can send where.
(This disk drive stuff is just the tip of the iceberg; they're doing the
same thing with LCD monitors, flash memory, digital cable interfaces,
BIOSes, and the OS.  Next week we'll probably hear of some new industry-wide
copy protection spec, perhaps for network interface cards or DRAMs.)  I
don't know whether the movie moguls are holding compromising photos of Intel
and IBM executives over their heads, or whether they have simply lost their
minds.  The only way they can succeed in imposing this on the buyers in the
computer market is if those buyers have no honest vendors to turn to.  Or if
those buyers honestly don't know what they are being sold.

So spread the word.  No copy protection should exist ANYWHERE in generic
computer hardware!  It's up to the BUYER to determine what to use their
product for.  It's not up to the vendors of generic hardware, and certainly
not up to a record company that's shadily influencing those vendors in
back-room meetings.  Demand a policy declaration from your vendor that they
will build only open hardware, not covertly controlled hardware.  Use your
purchasing dollars to enforce that policy.

Our business should go to the honest vendors, who'll sell you a drive and an
OS and a motherboard and a CPU and a monitor that YOU, the buyer, can
determine what is a valid use of.  Don't send your money to Intel or IBM or
Sony.  Give your money to the vendors who'll sell you a product that YOU


CERT's ActiveX security report

<"Richard M. Smith" <>>
Fri, 22 Dec 2000 13:25:20 -0500

This past summer, CERT sponsored a two-day workshop on security issues with
ActiveX controls.  The final report was just released today and is available
as a PDF file at the CERT Web site:

There is a lot of good information in the report about how individuals and
organizations can reduce security risks in Internet Explorer when using
ActiveX controls.

In addition, there is a section aimed at software developers on how to
create safer controls.

A good bit of the technical information in the report has not been made
public before.


Privacy/quality risks in Quicken Online Billing

<"Clay Jackson" <>>
Fri, 22 Dec 2000 16:34:34 -0800

I'm a pretty trusting fellow, and a very early adopter of new technology,
but the disclaimer in Quicken 2001's Online Billing agreement gave even me


I'm currently a 'wage slave', but have done my share of consulting - I sure
wish I could get this blatant a disclaimer in MY contracts.  To add possible
injury to the insult, the NEXT page (when I clicked 'Accept' on this) asked
me for my SSN, birthdate, place of birth and mother's maiden name, with NO
indication as to where and how this information might be used, or even if
the transmission would be 'secure' or encrypted in any way.  Needless to
say, I cancelled out of THAT agreement.

Clay Jackson <>

Credit report lists ex-spouse's address

<Beth Roberts <>>
Sun, 24 Dec 2000 12:22:18 -0500 (EST)

Having recently decided to clear up any erroneous black marks on my credit
rating, I ordered reports from both Trans Union and Equifax. Both informed
me that they could not send my credit report because they could not verify
my current address (where I have resided for over a year).

To my surprise, I did receive a copy of my credit report, from a company
called CSC Credit Services. The report gives no clues as to whether this
company is affiliated with Trans Union, Equifax, or neither.

At the top, I see why they had such trouble believing that I live where I
do - all three of the addresses they have listed for me (one current, two
previous) are completely unfamiliar to me. Since they also have my name
listed incorrectly as my married name, I can only assume that they had
surmised I was still living with my ex-husband, and that any address
applying to his last name also applied to me.

We have been willfully ignoring each other since the divorce, but it could
be dangerous if I were a stalking or vindictive type. This would be an easy
way for me to find out where he is, regardless of any measures he might have
taken to safeguard his privacy. Alternatively, if I were seeking child
support from him, it might come in handy for me. We had no children, so this
doesn't apply.

I am not sure whether the same type of mistake is possible in the reverse
direction - that is, listing an ex-wife's post-divorce addresses in an
ex-husband's credit report. This privacy problem may only occur when there
is confusion as to the ex-wife's last name, so it may only potentially
reveal the ex-husband.

For me, it's just yet another piece of data I have to get them to correct,
in addition to the three (out of ten) incorrect credit history entries that
still show a balance due, even though I paid them off.

Beth Roberts <>

Wanna know my salary ?

<John C Haselsberger <>>
Fri, 22 Dec 2000 10:34:33 -0500

I work for a large corporation that has recently outsourced "employment
verification" (for use in credit applications and such) to a Web-based
service, .  This system works as follows: You
log into the system with a company code, a Social Security number, and a
PIN. You then can generate single-use keys to distribute to those who need
your credit or employment verification; then they log onto the same web site
with that key and have access to your salary and I believe duration of

To make the system easy-to-use, you can look up a company code given a
company name so that this tiny security barrier is useless.

The default PIN is the last 4 digits of your Social Security number.  Strike
two for Security.

My company has the unfortunate habit of using Social Security numbers, even
though each employee has a unique employee number, for identification.  Over
the years, I have been exposed to many other employees' Social Security
numbers, and I can only assume the reverse is true. Strike three.

While we are given the opportunity to change our PIN, the timing of this
situation while many people are off on vacation, coupled with human nature,
barely lessens this RISK. I called their customer support number, and there
is no way to "opt out" of their system.

Whereas they DO use SSL to protect the web transactions, the real risks lie

John Haselsberger <>

Re: Spam as a denial of service attack? (Bellovin, RISKS-21.15)

<Steve Wildstrom <>>
Fri, 22 Dec 2000 10:09:18 -0500

Interestingly, Verizon has failed to come up, at least in public, with any
evidence that this was in fact an attack. Given the company's dubious
service record, a lot of folks suspect this may be a pretty lame attempt to
blame a popular bogeyman for an inability to handle traffic.  Sometimes, I
feel that I personally get millions of spam messages a day, but our system
generally handles it. An attack would almost certainly have involved a large
number of messages from a small number of sources and at least the mail
relays that the messages were sent through would have ben identifiable, if
not the ultimate source.

Steve Wildstrom, Technology & You Editor, *Business Week*, 1200 G St. NW #1100
Washington DC  20005  1-202-383-2203

Armageddon scenario near-miss

<Scott Rainey <>>
Sun, 24 Dec 2000 11:21:46 +0000

It seems our favorite planet - Earth - barely missed yet another pyrotechnic
run-in with a city-killer sized asteroid.  It was early Xmas Eve 2000.

Nobody saw it till it had already gone past.  Range: 800,000 km.  That's
barely double the distance of earth to the moon.  When you figure that we've
got some serious gravity constantly inviting passing space rocks to to pay us
a visit, I'd say that it's awful dang close.  Although the collision
probabilities for us and all known space rocks are officially listed as <
1e-9, I really don't trust that math.

The risk is in insufficient funding for early warning systems and sub-zero
funding for deploying solutions.

If we are REALLY lucky a smallish rock like this one will touch down in a
sparsely populated corn field, crating an instant tourist mecca and a kick in
the pants for policy wonks.... not to mention a big ratings week for CNN. has the first story of which I am aware @,4057,1550084%255E1702,00.html

For fresh info on what we claim to know about the sky falling, click to the
JPL news page:

  [Somewhat off your normal news beat, but I'd bet it is something
  with high interest for your audience.  SR]

    [Certainly has risks to computers and related
    systems, as well as to people.  TNX.  PGN]

Please report problems with the web pages to the maintainer