The RISKS Digest
Volume 22 Issue 08

Wednesday, 22nd May 2002

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Please try the URL privacy information feature enabled by clicking the flashlight icon above. This will reveal two icons after each link the body of the digest. The shield takes you to a breakdown of Terms of Service for the site - however only a small number of sites are covered at the moment. The flashlight take you to an analysis of the various trackers etc. that the linked site delivers. Please let the website maintainer know if you find this useful or not. As a RISKS reader, you will probably not be surprised by what is revealed…


SPAM-demon-ium overload countermeasure
AT&T's e-mail filter filters AT&T's e-mail
Air-traffic control software reliability
Peter B. Ladkin
Disk crash destroys law-enforcement mug shots in Michigan
Thomas Insel
WashDC database crash linked to a death by a falling tree
Przemek Klosowski
Fun with fingerprint readers
Bruce Schneier via Monty Solomon
"Medication errors could be eliminated ..."
Dr. David Alan Gilbert
Copy Protected CDs — risk of selling marker pens
Doug Sojourner
Re: Apple: break your new PC with a copy-protected CD ...
Bill Bumgarner
FBI does not care about standards, nor getting that information
Peter Ha*kanson
2 unsolved telephone mysteries - software faults?
Andrew Goodman-Jones
Candy machine punishes the quick-thinking
Fredric L. Rice
Compaq issues refunds for one-cent PCs
Tudor Bosman
Re: Your bash has Alzheimer's
Bob Bramwell
REVIEW: "CISSP Exam Cram", Mandy Andress
Rob Slade
Info on RISKS (comp.risks)

SPAM-demon-ium overload countermeasure

<RISKS List Owner <>>
Weds, 22 May 2002 10:12:43 PDT

I was away from the RISKS directory for almost a week, and went an overly
long 10 days between RISKS-22.06 and 22.07.  Out of over 1000 e-mail
messages in a 6-day period, there were about 20 potential contributions, and
one message from a would-be subscriber whose mailer had mistakenly sent his
"accept" response to RISKS rather than replying to majordomo.  About *98
percent* of the RISKS e-mail during that period was spam that I deleted
unseen based only on the subject message or the From: address.  (Excuse me
if I accidentally deleted one of your legitimate submissions!)  The RISKS
spam rate has enormously increased over the past year (when I mentioned it
in RISKS-21.39, one year ago, it had just reached 50% for the first time).
At 98%, it has now reached absolutely ridiculous proportions and
necessitates some draconian action.  For example, we could use some sort of
challenge-response confirmation technique and hope that your mail systems
will be able to cope with it; however, as we have read here in the past,
such schemes can create further risks.  CONSEQUENTLY, as a simpler measure,
we have just installed SpamAssassin (free software from,
and in the first few minutes it is *already* a huge success as the spam
pours into another mailbox that I hopefully will seldom look at.  Of course,
SpamAssassin may also filter out some of your legitimate mail, without
letting you know.  So, if you have sent in an absolutely marvelous
contribution or an urgent request and believe that I may never have seen it,
please send an out-of-band message to that effect.

Incidentally, the annual seasonal RISKS slowdown will begin as usual this
year in mid-June, which means just a few issues now and then over the
northern hemisphere's summer.  Let's hope there are not too many disasters
needing to be reported during that period.

Stay tuned.  PGN

AT&T's e-mail filter filters AT&T's e-mail

<"NewsScan" <>>
Wed, 22 May 2002 08:27:09 -0700

An example of foot-in-mouth filtering? AT&T Broadband offered its high-speed
Internet users an e-mail software filter to block spam, but later found out
that it had blocked its own messages to customers notifying them of a rate
increase. An AT&T executive tried to put the best face on it: "If there is a
silver lining, it appears our spam filtering system works so well that it
even deletes mass e-mails from our own company." The company will resend
customer notices of the rate increases.  [AP/*USA Today* 2002; NewsScan
Daily, 22 May 2002]

Air-traffic control software reliability

<"Peter B. Ladkin" <>>
Wed, 15 May 2002 10:03:39 +0200

An article in *Aviation Week and Space Technology*, "Why Controllers Are
Skeptics Regarding New Technology", by Bruce Nordwall, 6 May 2002, pp.50-51,
tells the following tale recounted recently at an air-traffic controllers'
conference by Philippe Domogola, supervisor at the Maastricht Upper Area
Control Center.

"Some years ago," a new European ATC center installed software specified as
"99.99% reliable", which apparently meant 99.99% availability in each
calendar year, or a maximum of roughly 52 minutes down-time per year.  The
software "failed" a couple of months after installation, and suffered 20
hours down-time. "The manufacturer's conclusion was: human error that will
not happen again" (come to think of it, any specific software bug can be put
down to "human error that will not happen again").

Someone had forgotten about leap years. It failed at 23:59 on February 28.

Some controllers suggested that since the software was "99.99% reliable" and
it had failed for 20 hours, it follows there were going to be no more
failures for the next 25 years.

They were right. It does follow.

Peter B. Ladkin, University of Bielefeld, Germany

Disk crash destroys law-enforcement mug shots in Michigan

<Thomas Insel <>>
Sat, 11 May 2002 12:56:07 -0700 (PDT)

On 11 May 2002, *The New York Times* (page A13 of the National Edition)
reported that the Macomb County, Michigan, sheriff's department lost over
50,000 photographs of criminals on a crashed hard drive.  Not particularly
exciting, except that they had wisely made hardcopy backups of some of the
photos.  The issue of electronic backups was never even raised.  Perhaps
many computer users no longer realize such a thing is possible?

WashDC database crash linked to a death by a falling tree

<Przemek Klosowski <>>
Sat, 18 May 2002 23:15:08 -0400

Among the world cities, the beautiful Washington DC is probably right up
there in terms of a number of parks and wooded neighborhoods; it is possible
to drive into the center of the city on roads that are visually completely
surrounded by trees.

Unfortunately, the DC city government is still struggling with many
municipal services; the city is sometimes few stray blocks short of Mary
Poppins' proper child nursery. Tree maintenance is a particular problem:
many trees have dead branches, and some are sick or dead.  In the recent
wave of violent spring storms, quite a number of trees were partly or
completely felled, causing significant property damage, some injuries, and
at least one death:

Part of the reason for this is the usual lack of funds and bureaucratic
inertia, but there's also a computer angle:

  "One major obstacle for the city is that its database of public
  trees that needed pruning or removal crashed in 2000 and couldn't
  be restored. At that time, the city had a backlog of 5,000 dead
  trees that needed to be removed. Now, it doesn't know how many it has."

Fun with fingerprint readers

<Monty Solomon <>>
Fri, 17 May 2002 17:27:36 -0400

Excerpted from Bruce Schneier's CRYPTO-GRAM, May 15, 2002

Tsutomu Matsumoto, a Japanese cryptographer, recently decided to look at
biometric fingerprint devices that attempt to identify people based on their
fingerprint. For years the companies selling these devices have claimed that
they are very secure, and that it is almost impossible to fool them into
accepting a fake finger as genuine. Matsumoto, along with his students at
the Yokohama National University, showed that they can be reliably fooled
with a little ingenuity and $10 worth of household supplies. [...]

  [They were able to spoof 80% of the machines.  PGN]

"Medication errors could be eliminated ..."

<"Dr. David Alan Gilbert" <>>
Sun, 19 May 2002 19:52:48 +0100

*The Pharmaceutical Journal* (a journal for U.K. Pharmacists) Vol 268, page
697, in an article on the sixth annual conference on electronic prescribing
and medicines administration, has a picture of a health professional using a
computer with the caption:

  'Medication errors could be eliminated by the use of electronic prescribing

The accompanying article (and another in the same issue) is more careful to
say 'reduce' errors; but it is another example of the danger of what a
computer can be expected to do.

Dr. David Alan Gilbert  gro.gilbert @

Copy Protected CDs — risk of selling marker pens

<Doug Sojourner <>>
Mon, 20 May 2002 13:13:17 -0700

> ``Copy-Proof'' CDs Cracked with 99-Cent Marker Pen, 20 May 2002,
> By Bernhard Warner, European Internet Correspondent
>   Technology buffs have cracked music publishing giant Sony Music's
>   elaborate disc copy-protection technology with a decidedly low-tech
>   method: scribbling around the rim of a disk with a felt-tip marker.

Given that marking pens can be used to overcome Sony's CD protection scheme,
will it now become illegal to sell pens?

Re: Apple: break your new PC with a copy-protected CD ... (R 22 07)

<Bill Bumgarner <>>
Sun, 19 May 2002 10:43:54 -0400

Is it a car company's fault if you put sugar water in the gas tank and it
destroys the engine?

Is it a printer manufacturer's fault if you put toilet paper through your
printer and completely destroy the print heads?

No — is the consumer's fault in those cases.

In the case of the copy protected CDs, things aren't so clear.  It still
isn't the computer manufacturers fault-- at the time of design and
manufacture, they cannot predict changes in technology and they certainly
can't predict and account for changes in technology that are designed to
break their products!

The problem with the copy protected audio CDs is that the CD manufacturer
has purposefully designed a CD to be incompatible with computer hardware.
They have purposefully violated a standard that hardware manufacturers have
been manufacturing to for nearly two decades (since 1983/1984).

Let's rephrase the question slightly:

  Should it be legal for antitheft devices to destroy property?  In
  particular, should it be legal to destroy property in contexts where it is
  not 100% guaranteed that a theft was actually in progress?

That is exactly what the audio CD manufacturers (to be fair, the folks
mastering the CDs) are doing.  They are purposefully creating a piece of
media that, when inserted into a computer, can cause data loss [a number of
PCs outright crash when faced with these CDs] or even changes to the
hardware that require relatively nasty fixes (as is the case with the Macs
-- it doesn't hurt it, just leaves it such that there is no way to get the
damned disk out).

Sure — it may be the fault of the consumer for actually sticking the CD into
their computer.

But it would seem that the folks that created the format in direct violation
of published standards should share some of the blame and resulting

FBI does not care about standards, nor getting that information

<peter h <>>
Sun, 19 May 2002 11:22:58 +0200

A few days ago I noticed that one of my children got spam in his mailbox.
Browsing through it,it looked very nasty, advertizing child-pornography. As
this is a crime both in my country and in Maryland, USA, I decided to report

Finding was easy. Finding an e-mail address was difficult. In
fact, I failed finding an e-mail address. What was available was one of
those Webforms that never really is appropriate for the task in hand.  As
the Webform was the only alternative, I tried to register my complaints,
hoping that someone would contact me via e-mail so all details could be

Within hours there was an attempt, I say attempt because my mailserver is
configured to reject connections from abusive and rfc-ignorant sites. A
common technique that spammers hide behind is sending e-mail from a domain
that does not exist. Those mails can never be replied to, nor complained

Guess what? the connection attempt was from <>

I see two problems with FBI'S attitude.  The serious one is that they will
miss some tips and e-mails with data (not everyone has an explorer browser
available).  The other problem is that their IT-responsibility seems to be
totally clueless.

What's most important?  To get those tips - or to make sure that everyone
uses Microsoft Explorer whenever they contact FBI.  I have my opinion, but
unfortunately I cannot vote in the US.

I also sent a copy of the same mail to the Swedish police, where I could
find e-mail addresses, but they seem to have ignored the report.

2 unsolved telephone mysteries - software faults?

<"Andrew Goodman-Jones" <>>
Thu, 23 May 2002 00:48:22 +1000

It's 5am.  My mum gets woken by one ring on her home phone.  It stops before
she can answer it.

Being her curious and paranoid self (wonder where she gets that from?), she
gets up anyway and checks the Caller ID unit.  The number is her own mobile.
Her mobile is in her bedroom on the table.  It has a flip down panel that
covers the keypad (which prevents accidental dialing by bumping the
buttons).  She checks the recent outgoing calls list (after asking me how to
view it).  Her home number is in the list.

How did her mobile phone make a call by itself at 5am?

It is believed that no-one else intervened in this situation (i.e.,
cat-burglars, children etc)

Anyone have any ideas? (BTW, it's a Samsung GSM phone if that helps.  I have
the same model and this has never happened to me, that I know of.)

This is the second on my list of Weird Stuff.  First on the list is:

Back in 1996 when I went to NYC, a call was made from my phone in my office
in Sydney a few days after I had left.  Ok, not too weird - it was probably
the other guy I was sharing the office with.  Here's the weird bit: A call
at a very similar time was made on my HOME phone to the same number (which I
don't recognise at all).  No-one from the office had any association at all
with my home.  Different bills, different suburbs, different exchanges etc.
I have no idea at all what happened here.

I reckon that both events were software faults.  The first in the mobile
phone's firmware, the second at the billing dept. of the phone company.

Andrew Goodman-Jones <>

Candy machine punishes the quick-thinking

<"Fredric L. Rice" <frice@SkepticTank.ORG>>
Thu, 09 May 2002 13:12:03

While picking up my company snail mail, I observed a guy shove a dollar bill
into a candy vending machine, slowly look over the selections, and then
punch in a choice.  He was rewarded with not only candy but also change for
his buck.  Good deal; everybody walked away happy.

There were some mints in the machine that I wanted so I walked up, shove my
dollar into the machine, and punched D2 only to be rewarded with an "ERROR:
Cost $.70" message and no sign of my dollar.  After a minute or two of
pounding, kicking, and yelling at the machine (I'm a programmer) I tried
again (I'm also a sucker) only this time I shoved in the dollar and waited
for the display to show "Credit: $1.00."  When I made my selection — D2
again — this time I got my mints and my change.

It turns out that there's a period of time between when you shove in your
buck and get the "Credit: $1.00" message that if you make a selection the
machine will eat the dollar and then swear up and down you never gave it

Funny, though, that people who know exactly what they want in life before
they pay their money are the ones who get rooked the most while the people
who shove in their buck and then examine the variety of available choices
life has to offer are the ones who get rooked less.

The risks?  I suspect that the software that went in to the machine was
tested by the programmer and not tested in the field before being released
-- though the only way to find out would be to ask.  Not doing real-world
testing is a common risk but this fault was dumb and should have been easy
to catch before the software was released.

  [Just wait until the thing starts accepting debit and credit cards.  More
  good ways to make the software fail!  }:-} ]
     [So, we need atomic transactions from a candy machine!  PGN]

Compaq issues refunds for one-cent PCs

<Tudor Bosman <tudorb@Stanford.EDU>>
Sat, 11 May 2002 12:16:49 -0700

The RISK is obvious.  From

Despite its initial denials, Compaq Australia now admits that it did in fact
process the payments of customers who bought Presario laptops for just one
cent as a result of an online pricing hiccup.  [...]  Compaq is still
adamant, however, that it is not obligated to honor the accidental one-cent
pricing, despite mounting industry criticism and ongoing threats of a
customer-initiated class action law suit.  [...]  "As this was a genuine
error, Compaq canceled all orders from the system. In instances where 1
cent was debited from customers accounts it will be refunded."

Re: Your bash has Alzheimer's (Maziuk, RISKS-22.07)

<Bob Bramwell <>>
Sun, 19 May 2002 03:28:08 +0000 (GMT)

Interestingly enough, not merely is my bash mentally deficient, but so is
ksh, sh, csh, and tcsh. This is on a SunBlade 100 running Solaris 8.  Now,
what does this say about Korn, Bourne, Joy, and Grevstad I wonder?  Methinks
it is a little unfair to single out Larry Wall for such criticism, but I
appreciate the "heads up"!

Bob Bramwell, ProntoLogical, 60 Baker Cr. NW, Calgary, AB  T2L 1R4, Canada
+1 403/861-8827

REVIEW: "CISSP Exam Cram", Mandy Andress

<Rob Slade <>>
Mon, 13 May 2002 11:56:34 -0800

BKCISPEC.RVW   20020321

"CISSP (Exam Cram)", Mandy Andress, 2001, 1-58880-029-6,
%A   Mandy Andress
%C   14455 N. Hayden Road, Suite 220, Scottsdale, AZ  85260
%D   2001
%G   1-58880-029-6
%I   Coriolis
%O   U$34.99/C$53.99/UK#24.49 800-410-0192 fax: 602-483-0193
%P   265 p.
%T   "CISSP (Exam Cram)"

It is interesting, and somewhat disturbing, to note that while there are a
number of effusive quotes on and inside the cover extolling the virtues of
the Exam Cram series, none specifically mention this book.

Bound into the inside front cover is a cram sheet, with 50 points on
it that are obviously supposed to be vitally important to the exam.
Leaving aside both the simplistic nature of the information presented,
and the difficulty of answering a 250 question exam with a mere 50
points, we only have to get to the third point on the sheet before we
run into rather significant errors.  (Role-based access control is not
an alternative to discretionary or mandatory controls, but can
implement either.)  This does not bode well.

The introduction explains the CISSP (Certified Information Systems Security
Professional) designation.  The text makes frequent references to the
(ISC)^2 web site, but, since the recent site redesign, all these URLs are
incorrect.  There is also a short self- assessment section, intended to help
you determine whether or not you are prepared for the exam, but the vague
and generic metrics suggested are unlikely to help determine your readiness.

Chapter one's discussion of the exam, and techniques for writing the exam,
does contain some useful recommendations (if you don't know, answer anyway),
but other advice is problematic, and may be detrimental.  Access control, in
chapter two, is the first of the ten domains of the Common Body of Knowledge
(CBK) of the CISSP.  The material is presented as a list of key terms and
phrases, and the presentation might be helpful to the exam candidate were it
not for the extremely limited nature of the deliberation and frequent
errors.  For some reason a significant amount of space is given to topics
(like SYN floods) that do not belong in this domain.  There is a brief list
of questions at the end of the chapter, with answers and discussion
presented immediately afterward.  Unfortunately, these questions are so
simplistic that they cannot be said to represent, in any way, the exam
itself, and the wording is so careless that it is often impossible to say
whether the answers given are, in fact, right or wrong.

Chapter three provides an almost random assortment of topics related to
telecommunications and networking.  (There is a modicum of structure in that
subjects are grouped together, but there is no logical flow: IPsec is
discussed before the base IP concepts are covered.)  There are many problems
with the material: it is difficult to say whether the definition of a
"circuit gateway" firewall means anything, let alone is right or wrong, and
we are told that SSL (Secure Sockets Layer) is only used for host-to-host
communications and resides in the session layer.  (The book contradicts
itself: chapter six does note that SSL is used between client browser and
web server.)  Again, many irrelevant topics are included while important
areas are missed.  (PPP (Point-to-Point Protocol) is listed, PPTP
(Point-to-Point Tunnelling Protocol) is not.)  Security management practices
are not covered in chapter four: the vital areas of policies and risk
analysis are given brief mention at the end of a meandering and incomplete
list of management concerns.  Another haphazard catalog of terms takes the
place of the applications development domain in chapter five.  (The
definition of a virus is that of a trojan and the definition for a worm
seems to fit payload.)  That the author is unfamiliar with basic concepts of
cryptography is obvious when, in chapter six, "strong encryption" is defined
as the use of a 128-bit key.  (In the discussion of triple DES (Data
Encryption Standard), the "meet-in-the-middle" attack is obviously confused
with "man-in-the-middle.")  Chapter seven's review of security architectures
contains another arbitrary list of computer architecture topics.  There is
some material that is security related, but in the discussion of the Bell-La
Padula model, about the only reliable information is that it involves
security levels.  Operations security is fairly straightforward, so chapter
eight doesn't make any glaring errors.  (The content is, however, very
terse.)  Much the same holds true for business continuity and disaster
recovery in chapter nine.  Aside from an over-emphasis on US legislation,
chapter ten does not do a really bad job with law, investigation, and
ethics.  Chapter eleven collates some checklists related to physical
security, but has numerous gaps in the discussion of the overall topic.

About the best that can be said for this book is that most of the items in
the common body of knowledge get a mention at some point.  Beyond that, the
material is too scattered and unreliable to be used either to study for the
CISSP exam (unless you want to play "spot the error"), or even as a quick
guide for those charged with security.

copyright Robert M. Slade, 2002   BKCISPEC.RVW   20020321    or

  [Perhaps Coriolis can Force you to pass the exam?  Quite a spin!  PGN]

11th USENIX Security Symposium (excerpted for RISKS)

<Alex Walker <>>
Mon, 20 May 2002 10:43:19 -0700

11th USENIX Security Symposium
August 5-9, 2002, San Francisco, California

Register online by July 10, 2002, and SAVE up to $400!

KEYNOTE SPEAKER, Whitfield Diffie, Distinguished Engineer, Sun
  Microsystems speaking about "Information Security in the 21st Century"
Simon D. Byers, ATT Labs - Research
Professor Edward W. Felten, Princeton University.
Paul Kocher, Cryptography Research, Inc.

Please report problems with the web pages to the maintainer