The RISKS Digest
Volume 21 Issue 35

Monday, 23rd April 2001

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Please try the URL privacy information feature enabled by clicking the flashlight icon above. This will reveal two icons after each link the body of the digest. The shield takes you to a breakdown of Terms of Service for the site - however only a small number of sites are covered at the moment. The flashlight take you to an analysis of the various trackers etc. that the linked site delivers. Please let the website maintainer know if you find this useful or not. As a RISKS reader, you will probably not be surprised by what is revealed…


Reliance on Automation "Top Risk"
Peter B. Ladkin
Kew Public Records Office data input problem
Pete Mellor
Never rely entirely on technology...
Peter Houppermans
You've Got Mail ... From The Admissions Office!
David Tarabar
Server 54, Where Are You?
Jack Burke
Hi-tech toilet swallows woman
Gareth Randell
Denial of Tax Service
Rebecca Mercuri
E-mail address ID theft
A.E. Brain
Sabotaged phone lines + stolen credit cards = safety in theft
Simon Carter
Security flaw found in Alcatel's high-speed modems
Monty Solomon
Alcatel admits more than they meant to
Mike Bristow
Web-enabled air conditioners
Alpha Lau
Risks of sorting time alphabetically
Marcos H. Woehrmann
Using Palm VII's to give traffic tickets
Ian Jordan
More on UCITA
Warren Pearce
Re: Aasta Train Crash
Magne Mandt
Merlyn Kline
Re: Risks of Hidden highway robbery ...
Will Fletcher
Viewers lament incredible shrinking Ultimate TV
Monty Solomon
Do prescription records stay private when pharmacy stores are sold?
Monty Solomon
New flashlight sees through doors as well as windows
Monty Solomon
Windows patchwork
Jay Levitt
REVIEW: "Securing Windows NT/2000 Servers for the Internet", Norberg
Rob Slade
Info on RISKS (comp.risks)

Reliance on Automation "Top Risk"

<"Peter B. Ladkin" <>>
Tue, 17 Apr 2001 11:52:59 +0200

David Learmount, reporting from the Flight Safety Foundation's European
Aviation Safety Seminar, held in March in Amsterdam, says in *Flight
International* (20-26 Mar, 2001, p17) that the European Joint Aviation
Authorities' Future Aviation Safety Team has identified "crew reliance on
cockpit automation" as the top potential safety risk in future aircraft.


Kew Public Records Office data input problem

<Pete Mellor <>>
Mon, 9 Apr 2001 11:50:40 +0100 (BST)

>From Private Eye 6-19th April 2001, p6:

  Managers at the Public Records Office in Kew have devised a clever
  money-saving idea: they are using prisoners in British jails to input on
  to computer the information from the 1901 census.  The prisoners' work has
  been checked, however, and they have been found to be rewriting history.
  All references to prison wardens in 1901 have been changed to "bastards".
  Officials are now using cheap labour in India to correct the errors.

Peter Mellor, Centre for Software Reliability, City University,
London EC1V 0HB  +44 (0)20 7477 8422  Pete Mellor <>

  [And of course no one in India still remembers the British.  PGN]

Never rely entirely on technology...

<Peter Houppermans <>>
Wed, 18 Apr 2001 15:36:29 +0100

The RISK here is that there appeared to be no inside escape override for the
door: taking protection against vandalism to new heights.

Interesting related fact: in the UK, all lift escape hatches are welded shut
(i.e., don't exist anymore in a usable fashion), I vaguely remember that
this was to prevent kids in estate buildings getting themselves in danger in
the elevator shaft (which happened frequently).  The fact that this thus
prevents any escape in case of emergency appears to have made insufficient
impact on the decision.

Peter Houppermans <>

You've Got Mail ... From The Admissions Office!

<David Tarabar <>>
Mon, 9 Apr 2001 16:08:03 -0400

For college-bound seniors, it is a ritual of spring to eagerly await the
daily mail delivery - looking for a thick or thin envelope which will notify
them of college acceptance or rejection.

But for the 94% of applicants to Tufts University, who provided an address,
notification of acceptance AND rejection came via an e-mail this year. Tufts
follows up with a physical mailing - and thus will reject people twice!
[Boston Globe. 06-APR-2001. "For some, bad news traveling faster"]

Tufts started email notifications several years ago to students in foreign
countries. Two years ago it started e-mail notifications to applicants on
the West Coast. (Tufts is in Medford, MA) This year it is almost everyone.

The story notes that several colleges have password-protected web sites
where an applicant can look up their admissions status.


1) This seems impersonal for those who are accepted. It would be interesting
to find out if this type of notification changed the percentage who choose
to enroll at Tufts.

And it is adding to insult to injury to reject an applicant twice.  Tufts
must get some very interesting e-mail replies.

2) Not all high school seniors have private email accounts, they are often
shared with family members or friends. Thus the wrong person might get the

3) Could these e-mails be mistaken for spam? I must get a half dozen offers
of University Diplomas each week.

4) Hacking! I shudder to think what could happen if there was a dedicated
hacking attack that sent out forged admission e-mails.

Server 54, Where Are You?

<Jack Burke <>>
Sat, 14 Apr 2001 08:45:43 -0400

My mind boggles.

  The University of North Carolina has finally found a network server that,
  although missing for four years, hasn't missed a packet in all that
  time. Try as they might, university administrators couldn't find the
  server.  Working with Novell Inc., IT workers tracked it down by
  meticulously following cable until they literally ran into a wall. The
  server had been mistakenly sealed behind drywall by maintenance workers.
  Source: TechWeb News, 04/09/01:

This sounds like a novel way — pun intended — to physically secure a
server.  I suppose if you absolutely can't do without a floppy drive, etc.,
per the Orange book, this might be an acceptable alternative to help meet C2

  [Except that electronically, it is C-Through rather than C-2.
     [Also noted by Mike Hogsett.  PGN]

Hi-tech toilet swallows woman

<Gareth Randell>
Tue, 17 Apr 2001 16:45:30 +0100

  [Source: Article by Lester Haines, 17 Apr 2001, via Brian Randell]

A 51-year-old woman was subjected to a harrowing two-hour ordeal [on 16 Apr
2001] when she was imprisoned in a hi-tech public convenience.  Maureen
Shotton, from Whitley Bay, was captured by the maverick cyberloo during a
shopping trip to Newcastle-upon-Tyne. The toilet, which boasts
state-of-the-art electronic auto-flush and door sensors, steadfastly refused
to release Maureen, and further resisted attempts by passers-by to force the
door.  Maureen was finally liberated when the fire brigade ripped the roof
off the cantankerous crapper.  Maureen's terrifying experience confirms that
it is a short step from belligerent bogs to Terminator-style cyborgs hunting
down and exterminating mankind.

Denial of Tax Service

<Rebecca Mercuri <>>
Wed, 18 Apr 2001 14:54:12 -0400 (EDT)

KYW News Radio in Philadelphia reported on 17 Apr 2001 that there had been a
problem when tax procrastinators attempted to file their Pennsylvania State
returns just before the midnight Monday deadline.  Apparently in the last
few hours, users received an error message from the filing Web site, and
they were unable to complete their transaction.  Because of this, the state
decided to give ALL late filers an extension through 18 Apr.  Officials were
quoted as saying that "a glitch on the Web server" was the cause of the
problem (whatever that means).  This brings to mind the possibility of
denial-of-service attacks on the infrastructure being a way to avoid
paying taxes (short term, anyway).

Rebecca Mercuri

  [Life, death, and taxes are not the only sure things.  But perhaps
  *electronic* files could provide a new way to get out of jail.  PGN]

E-mail address ID theft

Mon, 9 Apr 101 11:05:41 GMT

RISK: The simplest ID theft is that of an e-mail address.

I use e-mail quite a lot for business purposes, and also make regular
contributions to a lot of newsgroups.  I've been on the net for a decade, so
am on a zillion and one "40 million e-mail addresses for just $5" lists -
thank god for filters.

But on Sunday some insufferable person or organisation forged my e-mail
address as the sender of some X-rated Spam. This has caused me lost
business, a little personal embarrassment, and a mailbox rapidly filling up
with bounces from nonexistent addresses. I'm expecting DOS counter-attacks
from clueless newbies.

There's not a lot that can be done to stop someone from doing this.

But the risk is that I might not be able to do anything about it in the way
of compensation. NeoTrace has given me plenty of clues to the perpetrators,
but only by tracing the site that was advertised in the email. Proving it is
another matter, and they may have no assets anyway.

A.E.Brain <>

Sabotaged phone lines + stolen credit cards = safety in theft

<Simon Carter <>>
Sun, 15 Apr 2001 16:41:32 +0000

Sabotaged phone lines and stolen credit cards allowed thieves to safely
rob a Sydney shopping centre.

"The thieves first sabotaged the telecommunication network in late
February. They entered the pits via street-level manholes and severed
all the lines leading to shopping centre businesses. With all on-line
transaction systems down, shopkeepers processed transactions manually
and the thieves used stolen credit cards to buy goods and withdraw cash.
Bills are still coming in from the spree."

Full story at

Simon Carter

Security flaw found in Alcatel's high-speed modems

<Monty Solomon <>>
Wed, 11 Apr 2001 17:06:38 -0400

Security flaw found in Alcatel's high-speed modems, By Tim Nott

It's a security flaw. No, it's a spy. No, it doesn't exist at all.  Tsutomu
Shimomura, better known for his contribution to, and book about, the arrest
of hacker Kevin Mitnick claims to have found a "trapdoor" in Alcatel ADSL
modems. On Monday evening, Liberation reported, Shimomura and San Diego
Supercomputer Centre colleague Thomas Perrine reported their findings to the
Computer Emergency Response Team. The point, continued Liberation, is
simple. Anyone can penetrate a computer system linked to the Internet by
Alcatel 1000 ADSL and Speed Touch Home modems.,1151,16251,00.html

Alcatel admits more than they meant to

<Mike Bristow <>>
Tue, 17 Apr 2001 16:47:45 +0100

Recently, Alcatel <URL:> has come under fire
for security problems with some of it's products (see [broken URL]
for details)

As a result, Alcatel has released a statement, as a Microsoft Word document,
which they placed on their Web site.

According to <URL:>, it had all the
document history present (I cannot confirm this, as they appear to have
corrected the mistake), in which we see such gems as:

> (When and where will the firewall software be available? CERT has
> said that they don't believe that installing a firewall is the
> answer.  What are you doing to provide a legitimate fix?)

The RISKS?  Well, apart from looking like idiots, and revealing early drafts
of statements that are "off message", and potentially drawing attention to
errors of omission that you are conveniently brushing under the carpet...

Mike Bristow, seebitwopie

Web-enabled air conditioners

<=?iso-8859-1?q?Alpha=20Lau?= <>>
Mon, 9 Apr 2001 10:38:34 -0700 (PDT)

Not bad! :)  Imagine the malicious freezer viruses!

IBM and Carrier, an air-conditioning manufacturer, said they plan to offer
Web-enabled air conditioners in Europe this summer that can be controlled
wirelessly. Financial terms of the collaboration were not disclosed.  Owners
of the newfangled air conditioners will be able to set temperatures or
switch the units on or off wirelessly using a website called,1367,42918,00.html

  From their press release ( Unit
  performance and maintenance information over time can be gathered and
  recorded.  ...  In the opposite direction it is envisaged that Carrier
  dealers or engineers will be given 'service access' to check the system
  without the need for a PC connection.

In the extreme case, someone with the correct hardware could check the
aircond logs to see the typical times the aircond is off, i.e., when no one
is home!


Risks of sorting time alphabetically

Tue, 10 Apr 2001 14:56:38 -0400 (EDT)

I found a sorting error on Northwest Airlines web site (
that I had not seen before, but am surprised is not more common.

If you ask for a list of flights between two cities it returns the
results sorted by departure time of the outbound flight.  For
example, from San Francisco (SFO) to Minneapolis (MSP) (return
flight and other non-relevant data discarded):

  Departs   Arrives   Flight Number
   6:25am   12:04pm   NW928
   7:50am    1:28pm   NW344
  10:15am    3:47pm   NW350
  11:30am    5:16pm   NW588
  12:40am    6:09am   NW360
   3:25pm    9:01pm   NW354
   5:00pm   10:31pm   NW358

The risk?  Assuming that because 11:30am is later than 10:15 am it
follows that 12:40am is later than 11:30am.

Another good reason to drop AM/PM in favor of a 24 hour clock
(particularly if you call midnight 0.00 and not 24.00).

Marcos H. Woehrmann  |  |

Using Palm VII's to give traffic tickets

<"Ian Jordan" <>>
Fri, 6 Apr 2001 14:05:26 -0700

The Seattle news played a story on a local police force that is now using
Palm VII's to give traffic tickets. Apparently, officers can look up
information on vehicles and people via the wireless interface from this
Palm. The obvious risk comes from the publicly based network that the Palm
relies on, namely the CDPD network.

Just imagine someone getting a ticket, and wanting to cover it up. If they
broke into the system, they could start issuing tickets to every car on the
road. How would anyone know what tickets were valid? Simpler security risks
also are involved, such as just monitoring the communications and seeing
what people are accused of, or even looking for addresses that are
transmitted- if someone is getting pulled over, they're probably not home.

As a side note, I wonder how you get your court summons, since this
procedure removes paper tickets. It would also appear to eliminate the
officer's signature, making for a dubious case, since there is no official
document indicating the charge against you.

The full story is linked at:

More on UCITA

<"Pearce, Warren, CTR" <>>
Wed, 18 Apr 2001 11:50:49 -0600

Ed Foster's Gripeline column in the current issue of *InfoWorld*
( raises another interesting security related issue. The
column starts with:
  Microsoft recently prevented an independent lab from publishing benchmark
  results, using a term in the SQL Server license that says the user "may
  not disclose the results of any benchmark test without Microsoft's prior
  written approval" to threaten the lab with legal action.

It's not my intent to focus on Microsoft as this is an element of UCITA. In
prior columns, Ed included a similar comment from Network Associates.
Consider a security related "benchmark test" that reveals a vulnerability.
The vendor's permission will be required to "disclose the results" of the
test. What does this do to the entire CERT process?

Re: Aasta Train Crash

<"Mandt, Magne" <>>
Tue, 3 Apr 2001 08:10:56 +0200

There is one very important point that has been forgotten in the latest
postings about the fatal Aasta train crash: The railways deliberately
introduced a single point of failure system some months prior to the
accident.  The old operating procedure was that both the train driver and
the ticket taker (conductor) had to verify that the signal was green before
the train left the station.  Under the new procedure, introduced some months
before the crash, only the driver had to check the signal. The line where
the crash occurred does not have an automatic train stop system that stops
trains that are headed towards each other on the same track, so the drivers
observation of the signal is the final barrier against a crash.

Magne Mandt

Re: Aasta train crash (Smorgrav, RISKS-21.32)

<"Merlyn Kline" <>>
Tue, 3 Apr 2001 11:14:11 +0100

Am I missing something here or is all this beside the point? Using mobile
'phones as a safety-critical means of communication entails so many risks I
hardly know where to start: The network coverage is patchy at best and
hardly at its best when used in a train; the handset batteries have short
lives and are liable to fail; the handsets are easily lost or damaged;
handsets are typically unsuitable for noisy environments; communication is
dependent on a network outside the control of the train company; even if you
get network coverage, cell capacity is limited; the list just goes on and
on. Some of these risks can be addressed but some simply cannot. Surely this
can't be right?

Merlyn Kline

Re: Risks of Hidden highway robbery ... (RISKS-21.32)

<"Will Fletcher" <>>
Thu, 19 Apr 2001 20:37:15 -0500

In RISKS-21.32 it was noted that Microsoft was being particularly
heavy-handed with the end-user agreement and the rights to intellectual
property transmitted over their.NET or Hailstorm passport service.  Wanting
to see the fine print for myself I downloaded the agreement at  Yes, it does say that
Microsoft reserves the right to take advantage of any intellectual
property. However, it would appear that the intent of the agreement is allow
Microsoft the rights to any intellectual property submitted to them
concerning the service, not intellectual property transmitted over the
service. Towards the end of the section in question the following appears:

  This section also is inapplicable to any documents, information, or other
  data that you upload,transmit or otherwise submit to or through any
  Passport-Enabled Properties. Please refer to the terms and conditions for
  such Passport-Enabled Properties to determine the rights of the web site
  or service provider to such documents, information and/or data.

The first sentence would seem to limit the rights of Microsoft with respect
to misappropriating intellectual property transmitted via these
services. But, then again the second sentence might lead one to be
suspicious about how such rights are determined.

Perhaps the real risk is not being able to read all of the fine print, since
it is not clear where one would go to find these additional "terms and
conditions for such Passport-Enabled Properties".

Will Fletcher <>

Viewers lament incredible shrinking Ultimate TV

<Monty Solomon <>>
Wed, 18 Apr 2001 01:40:16 -0400

UltimateTV shrinks from the spotlight

A software bug is inadvertently shrinking hard-drive storage space on
set-top boxes for UltimateTV, the new interactive TV service from Microsoft.
The bug reduces how many hours of programming people can record onto the
hard drive of UltimateTV set-top boxes. Customers began reporting the
problem on Web forums earlier this month.,4586,5081102,00.html

Do prescription records stay private when pharmacy stores are sold?

<Monty Solomon <>>
Wed, 11 Apr 2001 17:02:53 -0400

Do prescription records stay private when pharmacy stores are sold?

The issue caught the attention of the Clinton administration

By Milo Geyelin

April 11 - A novel lawsuit over the privacy of prescription records at a
former neighborhood drug store could complicate the way pharmacy chains buy
up their competitors. The suit challenges the common but little-known
practice of "file buying," in which chains purchase customer prescription
files from pharmacies they acquire and add them to their own.

New flashlight sees through doors as well as windows

<Monty Solomon <>>
Wed, 18 Apr 2001 01:30:46 -0400

Police officers serving a warrant or searching for a suspect hiding
inside a building could soon have a new tool for protecting
themselves and finding the "bad guy."

A prototype device called the RADAR Flashlight, developed at the
Georgia Tech Research Institute (GTRI), can detect a human's presence
through doors and walls up to 8 inches thick.

The device uses a narrow 16-degree radar beam and specialized signal
processor to discern respiration and/or movement up to three meters
behind a wall. The device can penetrate even heavy clothing to detect
respiration and movements of as little as a few millimeters.

Windows patchwork

<"Jay Levitt" <>>
Tue, 10 Apr 2001 22:09:50 -0400

A recent *Wired* news article
<,1282,42771,00.html> detailed
problems that Microsoft had with an Internet Explorer security patch: In
some cases the patch would wrongly display "This update does not need to be
installed on this system."  Although I hadn't seen such a message, I
double-checked that the patch was properly installed - and it wasn't. After
digging further, I was surprised at the reason why.

Microsoft maintains a "Windows Update" site, which automatically scans your
Windows installation (locally), compares it with a list of known patches,
and lists any missing updates.  Further, they have a "Critical Update
Notification" tool that runs in the background and automatically alerts the
user when any "critical" patches are added to Windows Update.  I run the
notification tool, and I check Windows Update often, so I expected my system
to be quite current.

Documentation for the notification tool says: "Download this component and
never miss a Critical Update again. Whenever a new Critical Fix is released,
you will be notified... Critical Update Notification is the best way to keep
your computer up-to-date and protected from potential security issues
affecting Microsoft Windows."

As it turns out, although Microsoft puts many of its IE security patches on
Windows Update, four critical patches this year were not included there, and
thus are not detected by the notification tool.  Users must go to a separate
IE Security site to download these patches - a site that is not promoted or
even mentioned by the Windows Update site or other customer service pages.
I first learned of it from the *Wired* article.


- Maintaining two separate patch repositories
- Promoting a site as the way to "never miss" security patches, but failing
  to add all security patches there
- Trusting Microsoft to help keep my computer up-to-date

Jay Levitt <>

REVIEW: "Securing Windows NT/2000 Servers for the Internet", Norberg

<"Rob Slade, doting grandpa of Ryan and Trevor" <>>
Mon, 16 Apr 2001 08:48:21 -0800

BKSWN2SI.RVW   20010320

"Securing Windows NT/2000 Servers for the Internet", Stefan Norberg,
2001, 1-56592-768-0, U$29.95/C$43.95
%A   Stefan Norberg
%C   103 Morris Street, Suite A, Sebastopol, CA   95472
%D   2001
%G   1-56592-768-0
%I   O'Reilly & Associates, Inc.
%O   U$29.95/C$43.95 800-998-9938 fax: 707-829-0104
%P   199 p.
%T   "Securing Windows NT/2000 Servers for the Internet"

This book is based on the paper "Building a Windows NT bastion host in
practice," which is available on the author's Web site.  The title of the
essay is much more accurate than the title of the text.  The work is
concerned strictly with bastion hosts, and does not address, in more than a
nominal way, considerations of applications that are necessarily part of any
Internet server.

Chapter one takes a brief, scattered, and not very clear look at a number of
issues related to Windows and/or security.  This disregard for background
information extends into chapter two.  Having presented an extensive list of
services to turn off, Norberg tells us that "[you now] understand the
purpose of all active software components on the host."  The irony of this
bald assertion stems from the fact that there has been little discussion of
why these services are to be turned off, and what you lose along the way.
(Further, for those new to Windows NT or 2000, there is no indication of how
to accomplish the task of reduction.)  Once we get into more advanced tuning
there is slightly more information, but not much.  The material on the
differences in Win2K, contained in chapter three, does present a bit more
detail on how to accomplish the restrictions.

Chapter four describes a number of software tools that will encrypt sessions
to be used for remote administration, but does not deal with system
management itself.  The standard advice you always read about backups ("make
one") is repeated in chapter five.  Chapter six reviews auditing and
logging, with, for some unknown reason, four times as much space devoted to
network time synchronization as to intrusion detection.  "Maintaining Your
Perimeter Network" is the title of chapter seven, but it seems to be a
return to the same kind of catch-all discussion that started the book.

In the Preface, Norberg does state that the book is not intended as a primer
for security, or even for Windows security.  The text is written as a kind
of a checklist for those thoroughly familiar with NT or 2K.  There is, of
course, nothing wrong with such an approach, and those in the target
audience will appreciate the brevity of this concise guide.  The approach
does, however, severely limit the utility of the work.  Chapter two (and
three, if you are using Win2K) is the heart of the book, and the rest seems
to be an attempt to expand the text to more than pamphlet length.

copyright Robert M. Slade, 2001   BKSWN2SI.RVW   20010320    or

Please report problems with the web pages to the maintainer