The RISKS Digest
Volume 22 Issue 78

Saturday, 28th June 2003

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Please try the URL privacy information feature enabled by clicking the flashlight icon above. This will reveal two icons after each link the body of the digest. The shield takes you to a breakdown of Terms of Service for the site - however only a small number of sites are covered at the moment. The flashlight take you to an analysis of the various trackers etc. that the linked site delivers. Please let the website maintainer know if you find this useful or not. As a RISKS reader, you will probably not be surprised by what is revealed…


Cancer therapy missed tumor sites
John Colville
Fear of flying? You just might be a terrorist!
Dawn Cohen
How Hulk Crushed the Online Pirate
P.J. Huffstutter via Monty Solomon
E-Mail Swindle Uses False Report About a Swindle
Hafner-Flynn via Monty
New bill injects FBI into P2P battle
David Becker via Monty Solomon
RFID Chips Are Here
Scott Granneman via Monty Solomon
Cell-phone tracking
David Lesher
Student arrested for allegedly derailing election
John Reinke
ISP's DHCP servers infiltrated
Tom Van Vleck
Wireless gives poorer nations chance to catch up ...
Big sites hoard links
Monty Solomon
Crossing Dateline a navigational risk
John Elsbury
More erroneous arrests over erroneous ATM clocks
David Lesher
Re: Soyuz landing problem caused by software?
Peter B. Ladkin
Virgin Mobile makes the oldest mistake in the book
Jay R. Ashworth
PayPal fraud, and the importance of grammar
Geoffrey Brent
When spam filters go bad
Laura Miller via Monty Solomon
New State Laws on Privacy
Robert Ellis Smith
Monty Solomon <>
Secure Coding Principles and Practices, Graff/van Wyk
Monty Solomon
Info on RISKS (comp.risks)

Cancer therapy missed tumor sites

Mon, 23 Jun 2003 11:55:00 +1000

Ten critically ill patients with advanced lung or esophagus cancer
were given radiation therapy to the wrong spot in the past four years,
doctors from Prince of Wales Hospital admitted.  Eight of those
patients (who were all at the end stages of their illness) have died,
although none of them reportedly died as a result of the mistake.  The
rare treatment (1% of the therapy cases) delivers radiation via a
flexible catheter to the tumor site and was reportedly off by
millimeters — although centimeter adjustments may be expected to
compensate for breathing variances.  Two other patients had the same
incorrect treatment in 1993 and 1995.  (This treatment is apparently
used only for incurable cases, to relieve symptoms.)  An investigation
is under way to determine the extent of the error, which occurred when
the wrong details were entered into a computer used to control the
delivery of the therapy.  [Source: Ruth Pollard, *Sydney Morning
Herald*, 21 Jun 2003; PGN-ed, with American spelling]

John Colville, Department of Computer Systems, University of Technology, Sydney
PO Box 123, Broadway NSW Australia 2007 +61-2-9514-1854

Fear of flying? You just might be a terrorist!

<"Dawn Cohen" <>>
Mon, 23 Jun 2003 15:06:00 -0400

It was reported this morning on Public Radio International's
Marketplace program that a company called QinetiQ is trying to market
an "intelligent" airplane seat that would detect nervousness in
passengers and alert airline staff.  Essentially, it sounded like a
motion detector and profiler.

QinetiQ appears to be a spin-off for Britain's Defense Evaluation
Research Agency (sounded like the British DARPA or some kind of
government lab, from the story.)

I found it interesting that the first half of the story focused on the
terrorism potential for this technology, but the rest of the story went
on to outline how helpful it could be for personalizing your flying
experience.  From the report, it sounded like if you squirmed around a
lot or shook for some reason, you might be brought to the attention of
the crew, as a potential terrorist.   Of course, there would be health
benefits, as well:  if you sat still for too long the crew could warn
you to move around a little to avoid blood clots in your legs.  And by
the way, the intelligent seat would have some kind of card reader that
would let the passenger swipe their personal card to pick a movie to see
or to specify other flight options.

I'm not sure if this is a marketing ploy wrapped as an anti-terrorism
product or an anti-terrorism ploy wrapped as a marketing product.
Either way, it seems like it has good potential for mis-use.

I wonder how many false positives it will take to have the staff turn
the system off altogether.  I imagine it would be kind of irritating to
the crew to have to investigate squirming 2 year olds, people with ADD,
people who have various anxiety conditions, people flying to high stakes
business presentations, oh yeah, and people who look like they might be
from the Middle East, who might just be a little nervous because they've
been profiled before.

How Hulk Crushed the Online Pirate

<Monty Solomon <>>
Thu, 26 Jun 2003 23:57:05 -0400

On 25 Jun 2003, Kerry Gonzalez, a 24-year-old New Jersey insurance
underwriter, pleaded guilty in a Manhattan federal court to criminal
charges of posting a bootlegged early non-final copy of the new movie
"The Hulk" on the Internet.  He could face a maximum sentence of three
years in prison and a fine of $250,000 when he is sentenced Sept. 26
in U.S. District Court for the Southern District of New York.
[Source: P.J. Huffstutter, *Los Angeles Times*, 26 Jun 2003],1,1391001.story

E-Mail Swindle Uses False Report About a Swindle

<Monty Solomon <>>
Sat, 21 Jun 2003 22:12:36 -0400

By KATIE HAFNER and LAURIE J. FLYNN, *The New York Times*, 21 Jun 2003

SAN FRANCISCO, June 20 - It was a clever, if not entirely flawless
ruse. Many of its potential victims saw through it immediately.
Others were less skeptical and were caught in its snare.

On Wednesday, starting in the early afternoon, people around the
country began receiving an e-mail message with "Fraud Alert" in the
subject line. In the guise of concern about a purchase from Best Buy
and possible credit card misuse, the message urged recipients to go
to a "special" Web site and correct the problem by
entering their credit card and Social Security numbers.

E-mail posing as a fraud notice to carry out a fraud - indeed preying
on a consumer's fear of being defrauded - is an illegal form of spam,
the much-loathed tide of random, unsolicited messages that pours into
computer inboxes every day. ...

New bill injects FBI into P2P battle

<Monty Solomon <>>
Sat, 21 Jun 2003 23:45:18 -0400

David Becker, CNET, 20 Jun 2003

A bill introduced in Congress on Thursday would put federal agents in
the business of investigating and prosecuting copyright violations,
including online swapping of copyrighted works.  HR-2517, the Piracy
Deterrence and Education Act of 2003, instructs the FBI to develop a
program to deter online traffic of copyrighted material. The bureau
would also develop a warning, with the FBI seal, that copyright
holders could issue to suspected violators. And the bureau would
encourage sharing of information on suspected copyright violations
among law enforcement, copyright owners and ISPs (Internet service

The bill bears the names of two legislators who have been prominent
on intellectual property and copyright issues--Reps. Lamar Smith,
R-Texas, and Howard Berman, D-Calif. Berman gained attention last
year with a bill that would have allowed copyright holders to hack
into peer-to-peer networks believed to be distributing protected

The new bill also calls for the Department of Justice to hire agents
trained to deal with computer hacking and intellectual-property
issues, and it requires the Attorney General, in conjunction with the
departments of Education and Commerce, to develop programs to educate
the public on copyright issues.

A lawyer with the Electronic Frontier Foundation said the bill
includes a number of troubling aspects, particularly the blurring of
distinctions between official prosecution of criminal acts and civil
enforcement of copyright provisions. ...

RFID Chips Are Here

<"monty solomon" <>>
Fri, 27 Jun 2003 17:49:36 -0400

RFID chips are being embedded in everything from jeans to paper money, and
your privacy is at stake.  [Scott Granneman, Security Focus, 26 Jun 2003]

Cell-phone tracking

<David Lesher <>>
Sun, 22 Jun 2003 12:05:26 -0400 (EDT)

IRS Headquarters employee LaToya Taylor vanished after meeting
her ex-BF for lunch. Police searching in Southern MD, an hour+
away from DC recovered a body that may be hers. Why look there?


  The search in Southern Maryland came after police reviewed
  the records of Taylor's cell phone. They determined that at least
  one call was made to her cell phone last weekend while it was in the
  Newburg area; the call was unanswered.

This speaks to a level of log retention by cell carriers that has not
been admitted to before. The FCC is requiring [RISKS-22.69] "enhanced
911" but in reality such location-tracking can function whenever the
phone is powered-up. One wonders how long before divorce attorneys
start subpoenaing same, and employers demand access as a condition of

Student arrested for allegedly derailing election

<"John Reinke" <>>
Tue, 24 Jun 2003 12:14:39 -0400

Student arrested for allegedly hacking university computers to derail

Shawn Nematbakhsh, a 21-year-old student at the University of
California at Riverside, was arrested for allegedly hacking into a
university computer system during student elections and casting 800
votes for his own fabricated candidate (American Ninja).  (He told
police he was tring to point out that the UCR network was vulnerable.)
The election will be redone next month.  [Source: Associated Press, 21
Jun 2003; PGN-ed]

Good thing it was a made up candidate. Otherwise they might not even
have known! Computer security is an "art" just like brain surgery.
But, "anybody" can do it.  I just read this and chuckle.  Can
government do any thing "right".  And, some want to run real elections
this way?  John

F. John Reinke, 3 Tyne Court, Kendall Park, NJ 08824

ISP's DHCP servers infiltrated

<Tom Van Vleck <>>
Fri, 20 Jun 2003 15:33:15 -0400

"... It turns out, Charter Communications' DHCP servers were
infiltrated and were providing as the
'Connection-specific DNS suffix', causing all non-hardened Windows
(whatever that means in a Windows context) machines to get lookups
from a hijacked subdomain DNS server which simply responded to every
query with a set of 3 addresses (,,

On these IPs were some phantom services. There were proxying Web
servers (presumably collecting cookies and username/password combos),
as well as an ssh server where the perpetrators were most likely
hoping people would simply say 'yes' to the key differences and enter
in their username/password..."

Hmm, my cable ISP was down this morning.  Maybe coincidence.

Wireless gives poorer nations chance to catch up ...

<"NewsScan" <>>
Fri, 27 Jun 2003 08:36:17 -0700

In a speech prepared for a UN conference on the social implications of
wireless communications technologies, UN Secretary-General Kofi Annan
declared that wireless Internet access has "a key role to play everywhere,
but especially in developing countries and countries with economies in
transition... It is precisely in places where no infrastructure exists that
Wi-Fi can be particularly effective, helping countries to leapfrog
generations of telecommunications technology and infrastructure and empower
their people." (Reuters, 26 Jun 2003)

... But needs to be watched for security breaches

Using a laptop with a wireless card outside the main office of a Palo Alto,
California school district, a reporter was able to gain access to such data
as grades, home phone numbers and addresses, emergency medical information,
student photos, and psychological evaluations.  Unlike the majority of the
district's information, the documents available on this wireless network
were not password-protected.  Superintendent Mary Frances Callan says: "I
don't see this as such a huge news story." The real story, says Callan, is
the great progress represented by the network itself, which was made
possible by new software purchases, employee training sessions, and
technology-use policies. (*Palo Alto Weekly*, 25 Jun 2003)

NewsScan Daily, 27 Jun 2003

Big sites hoard links

<Monty Solomon <>>
Mon, 23 Jun 2003 01:52:25 -0400

*Technology Research News*, 23 Jun 2003

The Internet is scale-free, meaning it is made up of a few nodes, or
servers, that have many links, and many nodes with only a few links.
It is also a small-world network — you can get to any node via only a
few links among adjoining nodes.

University of London researchers have uncovered another clue about the
Internet's structure-the rich-club phenomenon. Large, well-connected
nodes have more links to each other than to smaller nodes, and smaller
nodes have more links to the larger nodes than to each other.  ...

Crossing Dateline a navigational risk

<John Elsbury <>>
Mon, 23 Jun 2003 12:26:42 +1200

> Late last week a twin-engined aircraft on a delivery flight from Samoa to
> New Zealand - a course a few degrees west of south - missed NZ due to a
> navigational error and had to be rescued after they set off their ELB.
> They had ended up a long way to the east of New Zealand and, fortunately,
> had enough fuel to get to an airport once they had been located by  a
> samaritan flight.
> The reported cause was "When they crossed the Date Line, they should have
> reconfigured the navigation computer for Western Hemisphere coordinates
> but did not do so".   It seems, then, that on crossing the date line (a
> fair distance north of NZ)  they started heading as many degrees east of
> south as they had hitherto been flying west of south - at least, it looks
> that way on the map.
> They were in bad weather, so I can understand not noticing a fairly sudden
> change in the relative locations of the moon and stars - but that, surely,
> ought to have shown up on the magnetic compass?
> Regards
> John Elsbury

More erroneous arrests over erroneous ATM clocks (RISKS-22.76)

<David Lesher <>>
Sun, 22 Jun 2003 11:29:52 -0400 (EDT)


By Ruben Castaneda, *The Washington Post*, 22 Jun 2003; Page A01

For nearly a year after Denise Mansfield was strangled in her Prince
George's County home last June, police focused their investigation on
three female suspects whose identities were a mystery. A surveillance
camera videotaped them getting cash from an automated teller machine
where Mansfield's missing debit card was used after her slaying. The
time of the withdrawal from the dead woman's account, recorded by a
bank computer, corresponded to the times stamped on the ATM video of
the suspects.  ...  A SunTrust Bank spokesman declined to comment on
the time discrepancy. But Fredrik Nilsson, director of business
development for Axis Cameras, which provides video surveillance
systems to business and government agencies, said most bank cameras
are not synchronized with ATM transactions. The times are set
separately and can be off by a few minutes, or even an hour if someone
forgets to reset them for daylight saving time, Nilsson said.

{and ANOTHER group of victims...but low-tech}

The arrests of the three Arizona residents were not the only ones to
result from the wrong ATM pictures. Last winter, police charged a pair
of sisters from the District with murdering Mansfield after a third
sister misidentified them in the surveillance images, which were
published in The Post and shown on local TV newscasts. The two were
jailed for several weeks, until DNA tests exonerated one of them and
the other proved that she had been away on a business trip when the
killing occurred.

 - - - - -

This was not the District (RISKS-22.76), rather adjacent Prince
Georges County, but the behaviour of the authorities seems virtually
identical.  [PG is ...noted.. for officer shootings of suspects and
unwitnessed confessions, later found untenable. There were allegedly
going to be locked cameras installed in the interrogation rooms but I
see no mention of same.]

In both cases, there was available evidence that the accused had a
legitimate reason to be at the ATM. Yet the bank/police did not even
LOOK at adjacent transactions in the ATM log? (That would have ID'ed
the AZ women immediately.) This after the publicity over the DC

The RISK here is not just faulty timestamps, but faulty analysis of
them, and lack of critical thinking by supposedly-expert
investigators, and the prosecutors on the case.

When dangled a "high-tech" bone, Officer McGruff grabbed the bone and
ran, without worrying about other details. Given the growing number of
cameras recording our every move, the concept that mere presence near
the time of a crime is sufficient to establish guilt unless proven
innocent, is downright scary.

Re: Soyuz landing problem caused by software? (Bellovin, Risks 22.74)

<"Peter B. Ladkin" <>>
Wed, 25 Jun 2003 10:35:56 +0200

In RISKS-22.74, Steve Bellovin summarised an article by James Oberg on
the Soyuz TMA-1 ballistic reentry on 4 May, 2003. The Oberg article
also raised questions of human error.

According to the article "Soyuz probe reveals human errors" by Tim
Furniss in Flight International, 17-23 June, 2003, p39, the ballistic
reentry was caused by a failure in the Busp-M guidance system that
controls the normal reentry. Busp-M reads data from gyroscopes and
accelerometers and outputs commands to the attitude control
system. The yaw control channel "produced undefined readings
indicating a malfunction", which resulted in Busp being taken off-line
by supervisory control, which switched to ballistic reentry.  Busp had
performed 49 "flawless" reentries since 1979. The article does not say
what caused the "undefined readings".

The human errors were unrelated. The crew switched on the Kurs
rendezvous-docking system by mistake during reentry; failed to inform
search aircraft that they were performing a ballistic reentry; and
made mistakes in landing procedures.

An earlier *Flight International* article, 3-9 June 2003, p26,
reported the change to ballistic reentry as having been caused by a
"faulty gyroscope switch".

Peter B. Ladkin, University of Bielefeld, Germany

Virgin Mobile makes the oldest mistake in the book

<"Jay R. Ashworth" <>>
Thu, 19 Jun 2003 20:12:37 -0400

My sister got a new cellphone the other day.  From Virgin Mobile,
though they're reselling SprintPCS's airtime.

The e-mail that she got read like this:

  - ----- Forwarded message follows -------
Date sent: Thu, 19 Jun 2003 04:19:29 -0700 (PDT)
Subject:   Virgin Mobile - Your Cell Number and phone programming instructions


Ready for this?

Your Virgin Mobile Phone Number: (727) 123-4567
Your Virgin Mobile Phone's Network ID: 007271234567

(Give your friends your phone number, but keep the super secret Network ID
to yourself, you might need it to program your phone… this message may

[ lots of administrivia elided ]

Welcome to Virgin Mobile - It doesn't get any easier than this!


Virgin Mobile USA

If you need to contact us, please call Central Intelligence on (888)
322-1122 or *VM from your Virgin Mobile cell phone, alternatively visit us

 - ------ End of forwarded message -------

So, did everyone notice the format and contents of that "super secret
Network ID"?  I've modified it, of course, for this message, but yes,
they're the same.  Central *Intelligence*?  Guess it's just as much of
an oxymoron here...

Does anyone know Richard Branson's cell phone number?

Jay R. Ashworth, Baylink, The Suncoast Freenet, Tampa Bay, Florida  +1 727 647 1274

PayPal fraud, and the importance of grammar

<Geoffrey Brent <>>
Wed, 25 Jun 2003 13:28:49 +1000

In the last four days I've received four e-mail messages purporting to
be from PayPal:

  "Your (sic) As part of our continuing commitment to protect your account
  and to reduce the instance (sic) of fraud on our Web site, we are
  undertaking a period (sic) review of our member accounts. You are
  requested to visit our site by following the link given below."

The link is the clickable text

but hovering over it and looking at the URL this produces shows that the
actual link is

Something that could very easily be mistaken for a legitimate PayPal
site, no doubt set up to steal account details.

I think a very similar fraud has been reported on RISKS before, but the
text illustrates an interesting point - even when the *technical* side
of a scam is well-concealed, frauds often give themselves away by other
signs - in this case, a poor grasp of the language. The flip-side to
this is that legitimate businesses do well to maintain high standards of
presentation, because it makes it easier to distinguish them from most

When spam filters go bad

<Monty Solomon <>>
Sun, 22 Jun 2003 01:49:33 -0400

Trying to block junk mail, my cable modem company installed a system
that prevented me from getting my REAL mail — and when I complained,
insisted it was all for the good of the System.

- - - - - - - - - - - -
By Laura Miller, 19 Jun 2003

"The equivalent of treating dandruff by decapitation": That's what
Frank Zappa, testifying before a Senate committee in 1985, called the
censorship plans of the Parents Music Resource Center. In the annals
of overreaction, draconian measures tend to spring from mind-muddling
passions — in the case of the PMRC, parental desire to protect the
young from nastiness. But when it comes to passion, even our darkest,
most primal instincts can hardly compare to the raw fury that people
have come to feel toward spam. So e-mail users, beware: It's time to
watch your head. I can testify from personal experience that the cure
has finally become worse than the disease.

In June, the company that provides my cable modem service, Road
Runner, installed a superaggressive new set of spam blockers on its
e-mail servers. Late in the first day of the blockers' activation, I
suddenly noticed that I hadn't gotten any e-mail at all in nearly
three hours. No e-mail from Salon colleagues or from friends and, most
puzzling of all, no e-mail from the editor at the New York Times with
whom I'd been corresponding all morning about a freelance piece I was
writing for her. I gave her a call.  ...

New State Laws on Privacy

<"Robert Ellis Smith" <>>
Thu, 19 Jun 2003 10:52:36 -0400

Privacy Journal has published the latest supplement to its "Compilation of
State and Federal Privacy Laws," showing a huge increase in state anti-spam
laws and do-not-call telemarketing laws. A total of 34 states have passed
new laws limiting bulk electronic-mail advertising, according to Privacy
Journal's new listing, which includes a description and legal citation for
each law. Most states require that "spam" be labeled as advertising and
provide a means to get off an e-mail ad list. Other laws are more stringent,
making some "spam" a crime or requiring an advertiser to consult a
do-not-e-mail list maintained by the state.

The Compilation of State and Federal Privacy Laws 2003 Supplement lists
shows 26 state laws requiring telemarketers to consult a state-maintained
do-not-call list. Some state lists will be merged with a new federal
database beginning in late summer this year.

The book and 2003 supplement are available for $31 plus $4 handling from
Privacy Journal, PO Box 28577, Providence RI 02908, 401/274-7861, fax
401/274-4747,, The 2003
supplement alone costs $21 plus $4.

For three years, only the three states with the most intense Internet
activity - California, Virginia, and Washington - had anti-spam laws, but
now nearly three-quarters of the states have enacted some limits.

Secure Coding

<Monty Solomon <>>
Fri, 27 Jun 2003 20:33:26 -0400

Secure Coding: Principles & Practices

By Mark G. Graff, Kenneth R. van Wyk
June 2003
0-596-00242-4, Order Number: 2424
224 pages, $29.95 US, $46.95 CA, £20.95 UK

Despite their myriad manifestations and different targets, nearly all
attacks on computer systems have one fundamental cause: the code used
to run far too many systems today is not secure. Flaws in its design,
implementation, testing, and operations allow attackers all-too-easy
access. Secure Coding: Principles & Practices looks at the problem of
bad code in a new way. Packed with advice based on the authors'
decades of experience in the computer security field, this concise and
highly readable book explains why so much code today is filled with
vulnerabilities, and tells readers what they must do to avoid writing
code that can be exploited by attackers.

Please report problems with the web pages to the maintainer