The Risks Digest

The RISKS Digest

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Volume 21 Issue 36

Wednesday 25 April 2001


Computer system crash stalls D.C. Metro
UPS Shutdown
Kent Borg
Trial by CCTV
M Taylor
Risks of fabricating funny data
Bill Hopkins
Foreign Flimflam
Keith A Rhodes
Wireless Spam
Slack goes when California DMV gains access to SSA database
Elizabeth Weise
U.S. Government cyberdefense lacking
Dave Stringer-Calvert
Errors in AFFX GeneChip Database
Gregory Soo
35,000-pound hacking challenge cracked
Jay Anantharaman
Microsoft's wonderful solution for Outlook security
Dave Stringer-Calvert
Re: Amtrak 'Sharing' Information With D.E.A.
John Noble
Re: Aasta train crash
Dag-Erling Smorgrav
Re: V-22: Titanium properties
Edwin M. Culver
Bathtub Burnout
Jan Verbrueggen
Re: Hidden highway robbery within ... contracts?
Norman Gray
Risks of using filtering proxies
Marc Roessler
Power safety
Marcus L. Rowland
First Workshop on Information Security System Rating and Ranking
Jack Holleran
Info on RISKS (comp.risks)

Computer system crash stalls D.C. Metro

<"Peter G. Neumann" <>>
Wed, 25 Apr 2001 07:52:39 -0700 (PDT)

Washington D.C. Metro's $20 million central computer system crashed at 5:15
p.m. during the evening rush hour on 24 Apr 2001.  The central system
provides real-time graphics to the downtown control center.  Similar
malfunctions occurred in 1998 and 1999 (e.g., RISKS-20.60).  In the 15
months following its installation, this BDM system crashed 50 times,
according to the Metro.  Coincidentally, a six-car train that had broken
down 8 minutes earlier was stuck in the tunnel between Friendship Heights
and Bethesda, and had to be towed out.

The outage caused system-wide delays, with some passengers facing platform
delays up to 45 minutes.  Fortunately, the automated train operation system
continued working, although manual switching was required, and signals
failed at three junctions (Medical Center, Rosslyn, and L'Enfant Plaza).

UPS Shutdown

<Kent Borg <>>
12 Apr 2001 13:47:57 -0000

On the evening of 11 April 2001, a fairly large chunk of Somerville,
MA, USA lost power for two-some hours.

I was very smug about having a nice little UPS for my even littler basement
server, and that it ran for nearly two hours before giving me its "last
chance to shutdown" beeps, at which point I did a blind login and "shutdown
-h now".  Then I turned on the monitor power, which sent the UPS over the
edge to complete shutown.  I left it that way, hard power switch on the
computer still "on" and we went to dinner, me smugly thinking the server
would come up with the mains power.

Nope.  The Belkin UPS I bought has a soft power switch that doesn't
turn on again when power is reapplied.  The battery charges, but the
UPS power button must be pressed for two-seconds to get power back out
back, making this model completely unsuited for unattended operation.
I could find nothing in the instructions point out this "feature".

Lesson: Yet another case where having a UPS can be worse then nothing.
Test your systems with someone watching.

-kb, the Kent who is now in the market for a UPS with a simple hard
power switch that will stay "on".

Trial by CCTV

<M Taylor <>>
Mon, 23 Apr 2001 17:06:52 -0300 (ADT)

Source: Trial by CCTV claims innocent victim, by Kieren McCarthy
19 Apr 2001 <>

Allan Dunne was arrested, publicly accused of being a criminal, and lost his
job because he took 20 pounds out of his own account from a cash machine.
He was caught on CCTV making the transaction shortly just after a thief had
used the same cash machine. The footage was shown on Granada TV's Crimefile
show.  Allan went to the police with records from his own bank account, but
was arrested and suspended from his job.  Evidence that CCTV is not perfect?

Risks of fabricating funny data

<"Bill Hopkins" <>>
Mon, 23 Apr 2001 16:22:59 -0400

In 1998, techies at *The New York Times* made up amusing capsule
descriptions for some old movies, with themselves as stars, while testing a
new update path to the TV listing service's database.  Contrary to
expectations, the capsules were saved, and when one of the movies was
scheduled, The Times published its bogus description.

Who could have anticipated the movie would be scheduled on 1 Apr 2001?

Oh, to be a fly on the wall when that went down!


    [Cap-sules rush in where mangles cheer to sched.  PGN]

Foreign Flimflam

<"Keith A Rhodes" <RhodesK@GAO.GOV>>
Tue, 27 Feb 2001 08:40:56 -0500

International thieves are using stolen credit card numbers to buy from
U.S. vendors over the Internet.  Goods received at U.S. addresses are then
being rerouted overseas.  One thief had over 300 stolen cards and had
purchased $900,000 in merchandise.  On-line credit-card fraud is currently
estimated at $24 million per day.  Prosecution is of course complicated by
multiple jurisdictions.  [Source: Article by Laura Lorek, Interactive Week,
25 Feb 2001; PGN-ed]

Wireless Spam

<"NewsScan" <>>
Mon, 16 Apr 2001 08:00:34 -0700

The text-messaging services now included as a standard feature by many
wireless companies make it simple for senders of junk mail to target a
specific audience by geographic location and pass the costs of their
messages on to the people being spammed. Todd Bernier, a wireless technology
analyst with Morningstar, predicts: "This will become a huge problem when
text messages become more popular in the states. The industry is going to
have to do something to control itself. People just won't tolerate it."
(AP/*USA Today*, 13 Apr 2001; NewsScan Daily, 16 April 2001

Slack goes when California DMV gains access to SSA database

<eweise <>>
Tue, 24 Apr 2001 16:25:02 -0400

Apparently the California DMV gained access to the computerized database of
the Social Security Administration at the beginning of the year.  Sometime
in February or March the DMV began bouncing back all requests to renew
drivers licenses in which the name given did not exactly match the name in
the SSA computers.

I learned of this the day my license expired when I attempted to renew it
and was told that because my Social Security number was issued under the
name Beth back in the 1960s, according to the DMV I was attempting to
defraud the government "and possibly engaged in identity theft" by
attempting to get a drivers license under the name Elizabeth Weise--despite
the fact that the State of California has accorded me a drivers license
under that name for eight years now.

A call to the Social Security Administration confirmed that since the DMV
was given the ability to hook directly into the SSA's computers, they've
been flooded with Robert-Bob's, Richard-Dicks's and Alex-Alexander's who
are all being told they can't renew their licenses until they officially
change their names. For the record, the clerk at the SSA told me "We
understand that Beth and Elizabeth are the same person and it doesn't
bother us, but the DMV won't let it by any more." To fix this one must
personally go to an SSA office and have them change their official record.
	The identification they require?
	A California drivers license.

Elizabeth Weise, Technology Reporter, USA Today Life Section
2912 Diamond St. #407, San Francisco CA 94131 415/452-8741

U.S. Government cyberdefense lacking

<Dave Stringer-Calvert <>>
Thu, 05 Apr 2001 20:03:19 -0700

U.S. General Accounting Office reviews of 24 agencies (including Treasury,
the IRS, and Social Security) reveal that security gaps place ``a broad
range of critical operations and assets at risk from fraud, misuse, and
disruption.''  During the year 2000, 155 federal computer systems (some with
sensitive information) were taken over by unauthorized users who gained full
administrative privileges.  The military recorded 715 serious attacks in
that period.  [Source: Study of government computers faults security, by
Poornima Gupta, Reuters, 5 Apr 2001; PGN-ed]

Errors in AFFX GeneChip Database

<"Gregory Soo hotmail" <>>
Wed, 7 Mar 2001 20:03:15 -0500

Affymetrix Inc. has discovered errors in some of
its gene chips, involving the UniGene U74 database used to design its Murine
Gene U74 set of GeneChip arrays. The arrays are used to analyze mice tissues
and cells.  [Source" Affymetrix Discovers Errors in GeneChip Database;
GlacierRISKS of database errors propagated into nucleotide-array analysis...
7 Mar 2001 and

35,000-pound hacking challenge cracked (From Dave Farber's IP)

<Jay Anantharaman <>>
Mon, 23 Apr 2001 17:41:15 -0700

A team of computer hackers has gained 35,000 pounds for hacking into a
computer system just twenty-four hours after the competition began.

Argus Systems organised the competition -- to break into a Web server locked
down using its security product called PitBull -- to promote its products
and to coincide with the start of Infosec, the UK's premier computer
security event.

Undeniably, the stunt backfired and is an embarrassment for Argus Systems
Group, as well for as security consultant firm Integralis and hardware
vendor Fujitsu Siemens, which helped organise the stunt and have coordinated
three similar competitions in the US and Germany without suffering setbacks.

  From Dave Farber's IP.  For Dave's archives, see  PGN]

Microsoft's wonderful solution for Outlook security

<Dave Stringer-Calvert <>>
Fri, 06 Apr 2001 11:01:51 -0700

Microsoft is apparently defending against e-mail viruses (such as Melissa
and I Love You) by restricting the types of file attachments that can be
opened or downloaded by the newest version of its Outlook 2002, which will
reject over 30 types of attachments -- including program execution files,
batch files, Windows help files, Java and Visual Basic scripting files,
photo CD images, screensavers and HTML application files.  [Source:
Microsoft's virus antidote: Ban attachments, Is Microsoft making the cure
worse than the sickness?  by Joe Wilcox, CNET; PGN-ed
  microsoft_s_virus_antidote_ban_attachments_1.html (URL split)]

    [We are getting close to the old days of IBM mainframes (which also had
    weak -- if nonexistent -- operating system protection), where, in the
    absence of RACF or similar security applique, the best advice was not to
    allow any users, compilers, and especially system programmers on the
    system -- just canned pre-vetted turnkey application programs.  PGN]

Re: Amtrak 'Sharing' Information With D.E.A. (From Dave Farber's IP)

<John Noble <>>
Sun, 15 Apr 2001 18:57:38 -0400

 > Something to think about next time you decide to ride the rails: Amtrak
 > has acknowledged that one of its ticketing offices has been "sharing
 > information" about passengers with the Drug Enforcement Administration,
 > and then taking a 10 percent cut of any assets seized from drug couriers.

It gets better ...

"We provide a limited amount of information about our passengers to the
D.E.A. and other agencies as a part of their law enforcement activities,"
said Debbie Hare, an Amtrak spokeswoman. "I can't tell you how long it has
been going on, but this program exists all across the country."

So it's not "one of its ticketing offices," but "all across the country."

"A computer link from Amtrak's ticketing terminal in Albuquerque to the
local D.E.A. office allows agents to peruse passengers' names and
itineraries and to see whether they paid in cash or credit. The information
determines which passengers will be questioned or have their luggage
searched by drug-sniffing dogs."

Names, itineraries, cash/credit. This is profiling. They don't give you a
pass when you use a credit card, because then you could beat the
surveillance by using a credit card. They can't investigate everybody who
pays cash because they don't have the manpower. All they get is a vague
indication of wealth and possible preference for anonymity. So they go to
names and itineraries -- national origin, race, gender, religion,
urban/rural. Now we're cookin'. Maybe they toss in the ticket agent's flag
based on his "gut feeling." I wonder if he gets a bonus when he's right.

John Noble

  [From Dave Farber's IP.  For Dave's archives, see
  Incidentally, apparently Amtrak has just backed off.  25 Apr 2001.  PGN]

Re: Aasta train crash (Kline, RISKS-21.35)

<Dag-Erling Smorgrav <>>
24 Apr 2001 22:42:43 +0200

Merlyn Kline is assuming that the handsets in question are digital GSM
handsets.  As far as I know, they're not - they use an older analog system
called NMT, which has better audio quality and longer range than GSM, and
better coverage in out-of-the-way parts of Norway.  As to battery life, this
is hardly a problem on a train, which has plenty of power to spare; and even
the most power-hungry GSM handsets have sufficient battery capacity to last
a six- or seven-hour shift (the handsets apparently follow the crew).

In any case, this point is moot -- better communications probably wouldn't
have made much of a difference in this particular accident; there simply
wasn't enough time.

BTW, a few days before my previous article went out on RISKS, the Norwegian
Railway Authority (in charge of tracks, station and other infrastructure)
was fined NOK 10M (approx. USD 1.1M) for non-adherence to safety
regulations.  More than a year after the accident, very little has been done
to raise the standard of the line where it occurred.  The railway authority
are whining that the impact of the fine on their budget will delay security
work; then again, they've never shown any willingness to to assume
responsibility for their own actions in the past, so why start now?

Dag-Erling Smřrgrav -

Re: V-22: Titanium properties (Ladkin, RISKS-21.33)

<"Edwin M. Culver" <>>
Sun, 08 Apr 2001 23:07:17 -0400

Peter B. Ladkin wrote "...titanium, whilst light and strong, is also quite

Before becoming a full time programmer in the early 90's, I was a structural
test engineer at a helicopter maker (the one not involved in the Osprey ;-) ).

First, some engineer speak: "brittle" refers to materials which don't
exhibit permanent deformation, or set.  Glass is an example of a material
which is usually brittle.

Titanium-based alloys are light and strong...and not brittle.  Or at least
not more brittle than the comparable steel or aluminum based aerospace
alloys.  Most titanium based alloys have better fatigue properties than most
steels or aluminum alloys.  Titanium has some shortcomings: it can be quite
difficult to work (it's flammable), and threads in titanium gall (kind of
stick to themselves), but the aerospace industry is quite used to dealing
with these.

I'll peruse the GAO articles when I get a chance, but don't really expect
any surprises.

While tiltrotor technology is not very new (the original tilt rotor aircraft
was built in the 1950's), the V-22 is the first attempt at a production
aircraft.  It has many problems of both fixed wing aircraft and helicopters
and a few that would be unique.

E. M. Culver

Bathtub Burnout (Re: Nordal, RISKS-21.33; Mercuri,-21.34)

<"Dr. Jan C. =?iso-8859-1?Q?Vorbr=FCggen?=" <>>
Thu, 12 Apr 2001 13:51:49 +0200

I actually find both conclusions misleading. The original one was:

> The risk of putting non-reliable legacy equipment in the same room
> as your $30,000 servers with hundreds of concurrent users is obvious.

The risk of using systems - hardware and software - that result in
unexpected outages leading to the irretrievable loss of data really
is the issue here. If the server "went away", why did the users loose
their work? It's not that the server's disk actually burnt! - and
designed systems survive even that (cf. Credit Lyonnais), at a cost, of
course. So what _really_ happened? I can still envisage a scenario where
shutting down the server incidentally lead to data loss, but from the
description provided, I would say the reaction to smoke in the room was
quite proper.

Jan Vorbrüggen - MediaSec Technologies, Berliner Platz 6-8, D-45127 Essen
GERMANY Research & Development  +49 201 437 5252

Re: Hidden highway robbery within ... contracts? (RISKS-21.32)

<Norman Gray <>>
Tue, 17 Apr 2001 13:13:07 +0100 (BST)

I was rather alarmed to notice that the Yahoo! terms of service[1] (which I
would _never_ have looked at without the prompt of this RISKS posting) have
an apparently similar licence.  However, it refers only to `publicly
accessible areas of the Service', which they explicitly say excludes `Yahoo
services intended for private communication such as Yahoo! Mail' and several
other things.

Though I presume that the point of these `licences' is merely to allow
Yahoo to continue to deliver archived postings in future, the licence
does go much further than that.  The Microsoft version, however, goes
further even than the Yahoo one, and doesn't even obviously fail to
cover a mail message I might send _to_ a hotmail user.

The RISK, I'm sure, is that you could unwittingly hazard your or your
institution's IPR, and be forced to spend time with the local lawyers.

[1] (section 8)

Norman Gray              
Physics and Astronomy, University of Glasgow, UK

Risks of using filtering proxies

<Marc Roessler <>>
Wed, 4 Apr 2001 17:45:49 +0200

In RISKS-18.65 James Cameron wrote about the RISKS of using proxy-servers,
as they 'may change your view of the Internet'.

Some days ago I experienced something similar: filtering proxies changing
the view of the Internet.

One week ago I published a paper "Search Engines and Privacy"
It is a plain text ASCII file with some HTML tags included as
examples. Some days later a friend of mine complained that something
was wrong with the paper, he told me I had mentioned redirects where
the quoted examples did not show any redirects at all.
An HTML example which should have read
	<a href="/r?r=">
was served to him as a link pointing to

After some testing it became obvious that this was due to his filtering
proxy, WebWasher Version 3.0 for Windows. One of the features of this proxy
is changing redirected links (which e.g.  AltaVista uses) to direct
links. In this case this made the quote invalid, of course.

This is expected behavior for a HTML file, but this is a plaintext file.  It
was found that the link rewriting goes along with WebWasher changing the
content type from "text/plain" to "text/html". This causes an additional
effect: the browser interprets the HTML tags contained within the textfile
instead of displaying them.

So far it seems that the content type is changed if the first line of the
served document is shorter than three characters (my paper started with two
empty lines). In this case the first line gets dropped.

Both tested Windows versions (2.21 and 3.0) show this problem.

The code maintainers were notified.
Credits go to Jens Krabbenhoeft <>.

The RISKS: While filtering proxies generally are of great benefit to privacy
concerned users they may (caused by bugs) do more than you expect them to
do. In this case: content rewriting regardless of host or content type and
changing the content type of seemingly harmless textfiles to HTML (which
makes browsers interpret them).

Besides, this is a nice example for obscure bugs not showing up during
regular testing. "We never experienced any bugs" does not mean that there
are none.

Power safety

<"Marcus L. Rowland" <>>
Mon, 23 Apr 2001 21:42:52 +0100

I work in a suite of school science labs, most of which were built with
special "safe" mains electricity power supplies. This basically consists
of a transformer unit which (a) cuts the power if a safety button is
pressed, (b) splits the normal British 220-230v down to 110-115v either
side of true neutral, and (c) trips if there is earth leakage of more
than 5 milliamps, well below the minimum believed dangerous. Each
transformer unit is a bulky box, costs about 500 UK pounds, and has to
be sited in a special locked cupboard in a corridor for safety reasons.

The snag here is that _all_ of the sockets in these labs are on these
units, which has had several undesirable results:

About half of our older portable power packs and several other
appliances proved to have pilot lights working on the (supposed) low
voltage from neutral to earth. Mostly they tripped the breakers as soon
as they were plugged in - in one case the earth connection was faulty,
so the casing was suddenly live at about 100 volts. Mostly this was
obvious from day one, so it was a short-lived problem. Which cost about
500 pounds to put right...

At least twice electricians working in the labs have wasted unnecessary
hours on the assumption that if the "neutral" line is really 110v there
is something wrong with the system.

Every couple of weeks one or another of the breakers trips (usually
because someone has plugged something in with a dirty plug - grease on
the plug body can conduct enough power to trip the breakers). No
immediate problem if no other equipment is in use; unfortunately all of
the labs now have computers, network hubs, printers etc., there are also
two incubators and a freezer which are supposed to be on all the time.
The last time this happened was in the Easter holiday, in the lab with
the freezer; it contained frozen zoological specimens, and the result
after several days was unpleasant, to say the least.

Whenever the power goes back on after one of these interruptions all of
the computers reboot or come on if they were off. The extraction
pressure safety alarms in the fume cupboards also trip, and have to be
turned off manually. On several occasions equipment that was on when the
power tripped has been left plugged in and switched on, and forgotten
since it looked like it was off; in one case this meant that an electric
heating mantle was left under a flask of oil, with nobody monitoring its
temperature, for several hours after power was restored.

The cupboards containing the transformer units have ventilation slots.
Whenever I have to reset one I usually find that someone has dropped
some waste paper through the slots, a fire risk.

A couple of years ago we rebuilt two labs and were able to replace two
of these units with normal earth leakage and circuit breakers; there has
since been no trouble, nobody has been electrocuted, and we have never
had any loss of power in those labs. I'm now trying to get the rest

Every electrician I've talked to has told me that the degree of "safety"
offered by these units is way beyond anything that would normally be
considered necessary. The risks should be reasonably obvious; over-
specified and over-sensitive safety equipment can sometimes cause
hazards of its own.

Marcus L. Rowland

First Workshop on Information Security System Rating and Ranking

<Jack Holleran <>>
Tue, 27 Mar 2001 11:43:32 -0500

Call for Participation
(commonly but improperly known as "Security Metrics")

Williamsburg, Virginia,  21-23 May 2001
Sponsored by:
  Applied Computer Security Associates (ACSA) and The MITRE Corporation

After more than 20 years of effort in "security metrics," the evolution of
product evaluation criteria identification, Information Assurance (IA)
quantification, and risk assessment/analysis methodology development, has
led to the widespread need for a single number or digraph rating of the
"security goodness" of a component or system.

Computer science has steadily frustrated this need--it has neither provided
generally accepted, reliable measures for rating IT security nor has it
applied any measures for security assurance.  The goals of this workshop
are to recap the current thinking on "IA metrics" activities and to
formulate a path for future work on IA rating/ranking systems.  Topics will
include identifying workable successes or capturing lessons learned from
our failures, clarifying what is measurable, and the addressing the impact
of related technology insertion.  The expected workshop result is the
determination of "good" indicators of the IA posture of a system.  The
workshop will serve as a forum for group discussion, with topics determined
by the participants.

Submission of a 4-to-5-page position paper is required for workshop
attendance.  Deadline for submission of papers EXTENDED TO 4 MAY 2001.

For further information, please see:

Please report problems with the web pages to the maintainer