The Risks Digest

The RISKS Digest

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Volume 22 Issue 13

Thursday 27 June 2002


Secret American spy photos broadcast unencrypted over satellite TV
Duncan Campbell via Tim Finin via Dave Farber
Software problem kills soldiers in training incident
Steve Bellovin
Safety and human factors in ATC
via Hayley Davison and Nancy Leveson
Car repair shops often can't crack diagnostic code
Monty Solomon
Qui audit ipsos auditors?
Rob Slade
Tools gauging blood pressure raise questions
Monty Solomon
Microsoft's secret plan to secure the PC
Monty Solomon
Risks to your privacy from using MSN Messenger 4.6?
Michael Weiner
Microsoft sent Nimda worm to developers
Mike Hogsett
Microsoft's Allchin: API disclosure may endanger U.S.
Brien Webb
Identity theft site
Conrad Heiney
Randomly generated 4-letter words in sendmail queue-ids
Earle Ake
New virus can infect picture files
Norwegian history database password lost and retrieved
Lillie Coney
Calculators vs. handheld computers
England halts distribution of bad money
Monty Solomon
E-mail address parsing
William Colburn
Risks subscription problem
Ethan Benatan
Re: NERC + token ring
T Panton
Re: US Navy suffers domain hijacking
Jay R. Ashworth
Re: Please ignore the anti-shoplifting device!
Scott Peterson
REVIEW: "Developing Trust", Matt Curtin
Rob Slade
Info on RISKS (comp.risks)

Secret American spy photos broadcast unencrypted over satellite TV

<Dave Farber <>>
Thu, 13 Jun 2002 22:39:31 +0900

  [from Tim Finin, Prof Computer Science & Electrical Eng, Director Inst. for
  Global Electronic Commerce, U Maryland Baltimore County, 1000 Hilltop,
  Baltimore MD 21250 410-455-3522
    Dave's IP archives at:]

Now showing on satellite TV: secret American spy photos;
  Security lapse allows viewers to see sensitive operations
Duncan Campbell, Thursday June 13, 2002, *The Guardian*

European satellite TV viewers can watch live broadcasts of peacekeeping and
anti-terrorist operations being conducted by US spyplanes over the Balkans.
Normally secret video links from the American spies-in-the-sky have a
serious security problem - a problem that makes it easier for terrorists to
tune in to live video of US intelligence activity than to get Disney
cartoons or new-release movies.  For more than six months live pictures from
manned spy aircraft and drones have been broadcast through a satellite over
Brazil.  The satellite, Telstar 11, is a commercial TV relay. The US
spyplane broadcasts are not encrypted, meaning that anyone in the region
with a normal satellite TV receiver can watch surveillance operations as
they happen.  The satellite feeds have also been connected to the Internet,
potentially allowing the missions to be watched from around the globe.,3604,736462,00.html

Software problem kills soldiers in training incident

<Steve Bellovin <>>
Thu, 13 Jun 2002 09:38:10 -0400

According to a U.S. Army report, a software problem contributed to the
deaths of two soldiers in a training accident at Fort Drum.  They were
firing artillery shells, and were relying on the output of the Advanced
Field Artillery Tactical Data System.  But if you forget to enter the
target's altitude, the system assumes a default of 0.  (A Web site I found
indicates that (part of) Ft. Drum is at 679 feet above sea level.)  The
report goes on to warn that soldiers should not depend exclusively on this
one system, and should use other computers or manual calculations.

Other factors in the incident include the state of training of some of
the personnel doing the firing.  [Source: AP]

Steve Bellovin, (me) ("Firewalls" book)

Safety and human factors in ATC (via Hayley Davison and Nancy Leveson)

<Peter Neumann <>>
Fri, 14 Jun 2002 11:03:25 -0400

Air control safety complaints soar
By Paul Marston Transport Correspondent
*Daily Telegraph* (Britain), 14 Jun 2002 [PGN-ed]

The number of formal complaints of over-work from air-traffic controllers
has more than doubled since the Swanwick national control centre opened in
January 2002.  National Air Traffic Services (NATS) said staff had filed 30
"overload" reports in the last five months, compared with 12 during the same
period in 2001.  [Computer-related problems related to Swanwick and UK ATC
are noted in RISKS-22.02,03,09,12.]  Planning staff at Swanwick have also
complained about the legibility of some flight levels and airport codes on
their terminal displays.

Car repair shops often can't crack diagnostic code

<Monty Solomon <>>
Tue, 25 Jun 2002 01:32:16 -0400

At least a couple of times a week, mechanic Ernie Pride tells customers at
his independent repair shop he can't fix their cars because he doesn't know
what's wrong with them. Go to the dealer, he advises.  He has the experience
and knowledge to service vehicles but lacks the closely guarded information
needed to diagnose problems with today's high-tech cars.  Automakers refuse
to make much of it available to independent shops that compete with
higher-priced dealerships. The practice is raising hackles in Congress and a
vigorous defense by the industry.  ...  [AP, June 24, 2002]

Qui audit ipsos auditors?

<Rob Slade <>>
Wed, 19 Jun 2002 14:25:37 -0800

The Enron/Anderson debacle is fading as news, but it has some reverberations
for those of us in the info tech fields.

Anderson is not alone in engaging in questionable audit practices.  Others
of the "Big 5" are under scrutiny, in at least two cases involving,
ironically, high tech companies.  For the past decade or more, there have
been pressures to reduce regulatory oversight, and we are now seeing the

So, what is the relation to IT?  Well, these are the same firms who hold the
major contracts for auditing information security and assurance.

(In relation to the subject line: yes, "ISACA," I know.)    or

Tools gauging blood pressure raise questions

<Monty Solomon <>>
Fri, 21 Jun 2002 23:00:04 -0400

Gina Kolata, *The New York Times*, 16 Jun 2002

Across the nation, hospitals and doctors' offices are returning blood
pressure cuffs to their manufacturers to comply with a federal
environmental initiative to cut down on the use of mercury, a toxic
metal that can pollute the air and water when disposed of improperly.
But leading medical experts, joined by the American Heart Association
and the National Heart, Lung and Blood Institute, say the mercury
gauges are being replaced by newer devices that may be unreliable,
and they warn that inaccuracies may be leading to false diagnoses and
inappropriate treatments.  [...]

Microsoft's secret plan to secure the PC

<Monty Solomon <>>
Tue, 25 Jun 2002 01:40:54 -0400

You've heard of Trustworthy Computing, and the massive corporate remodeling
going on at Microsoft where every developer, product manager, and executive
assistant has been asked to rethink everything they do in the context of
security. Well, that's just the tip of the iceberg.  Secretly, the company
has been working on a plan to rearchitect the PC from the ground up, to
address the security, privacy, and intellectual property theft issues that
dog the industry today. Inexplicably, the company pulled an Apple and chose
to detail its plans solely to Newsweek, so we only have that one report to
work from. But if Newsweek's take on the plan is correct, and consumers and
businesses buy into the new devices that would result, the PC landscape will
soon change forever.  [...]

Risks to your privacy from using MSN Messenger 4.6?

<"Michael Weiner" <>>
Tue, 18 Jun 2002 17:44:11 +0200

Since I installed MS Messenger 4.6 (4.6.0082) on my machine, my firewall is
going wild: In addition to numerous Microsoft sites, Messenger is contacting
the following sites each time I log in:,, and No
way to know what information MS Messenger is transmitting to these sites, I
did not find any meaningful information on it on the Microsoft website...

Microsoft sent Nimda worm to developers

<Mike Hogsett <>>
Fri, 14 Jun 2002 17:26:34 -0700

Microsoft accidentally sent the virulent Nimda worm to South Korean
developers when it distributed Korean-language versions of Visual Studio
.Net that carried the virus, the company acknowledged Friday.

Microsoft's Allchin: API disclosure may endanger U.S.

<Active Quality Software <>>
Fri, 14 Jun 2002 12:09:43 -0700

>From a 2002/05/13 article by Caron Carlson in,3658,s%253D701%2526a%253D26875,00.asp

  "A senior Microsoft Corp. executive [Jim Allchin] told a federal court
  last week that sharing information with competitors could damage national
  security and even threaten the U.S. war effort in Afghanistan. He later
  acknowledged that some Microsoft code was so flawed it could not be safely

and later, directly quoting Allchin...

  "Computers, including many running Windows operating systems, are used
  throughout the United States Department of Defense and by the armed forces
  of the United States in Afghanistan and elsewhere."

Microsoft proposes to withhold details of the MSMQ protocol (TCP port 1801
and UDP port 3527), the Windows File Protection API, as well as APIs for
anti-piracy protection and digital rights management under the security

I recall that the Windows NT family of operating systems was designed to
meet DOD's C2 security criteria, including the Orange Book (standalone,
which they passed), as well as Red Book (networking) and Blue Book
(subsystems) criteria which they started working on at least 4 years ago; I
don't know if they've yet passed, but I suspect not if it's so flawed that
they don't want to disclose the protocol or API!  See  url=/library/en-

So, one risk of flawed software might be that you have to publicly invoke
national security (read patriotism) as a last refuge from legal process.

--Brien Webb

Identity theft site

<"Conrad Heiney" <>>
Wed, 26 Jun 2002 15:32:48 -0700

According to CNN's website today
a nongovernmental organization called CardCops is providing a service in
which consumers can check to see if their credit cards have been abused in
some way.

The check is done by visiting the website and entering your credit card

The RISKS here are bad enough to be humorous. Although CardCops themselves
appear to be a legitimate organization (at least at time of press) , and do
not themselves ask for the expiration date required to complete a
transaction, there's no protection against copycat websites whose intent is
entirely evil, or telephone scams based on the CardCops publicity.  The
quality of the data is another obvious minefield.

  [And as of today, their site is also down due to high volume.]

Conrad Heiney

Randomly generated 4-letter words in sendmail queue-ids

<Earle Ake <>>
Mon, 17 Jun 2002 16:59:38 -0400 (EDT)

I was checking the sendmail queue today when I noticed a message with a
certain 4-letter word as part of the queue id that ends in "uck".  I checked
the sendmail logs further and there was another 4 letter word as part of
another queue id that also ends in "uck" and another that ends in "ock" with
a certain letter before it.  I wonder how many people pay attention to queue
IDs and would raise an eyebrow on those.  I also wonder if any of the
filtering software out there might filter out legit mail messages just
because certain random 4 letter words were contained in the queue-id that
are inserted into the mail headers as they pass through each system.

New virus can infect picture files

<"NewsScan" <>>
Fri, 14 Jun 2002 08:32:37 -0700

McAfee Security is reporting that a new virus called "Perrun" is the first
ever to infect picture files, which, along with other data files, have long
been considered safe from such threats. Researchers at McAfee received the
virus from its creator and say it's what's called a proof-of-concept virus
and does not cause any damage. Up until now, viruses infected and were
spread through program files; data files might be deleted or damaged, but
Perrun is the first to infect them by inserting portions of the virus code
into the picture file. When a .JPG picture is viewed, the virus installs a
file on the victim's hard drive that can infect other pictures. Because the
original picture looks fine, the victim won't know that anything's amiss.
[AP, 13 Jun 2002; NewsScan Daily, 14 June 2002]

Norwegian history database password lost and retrieved

<Lillie Coney <>>
Tue, 11 Jun 2002 11:37:02 -0400

After the password for accessing a Norwegian history museum's database
catalog for 11,000 books and manuscripts had been lost when the database's
steward died, the museum established a competition to recover it.  Joachim
Eriksson, a Swedish game company programmer, won the race to discover the
password (ladepujd, the reverse of the name of the researcher who had
created the database).  How he arrived at it was not disclosed.  [Source:
Long-lost password discovered: Norwegian history database cracked with help
from the Web, By Robert Lemos, MSNBC, 11 Jun 2002; PGN-ed]

Lillie Coney, Public Policy Coordinator, U.S. Association for Computing
Machinery Suite 510 2120 L Street, NW Washington, D.C. 20037 1-202-478-6124

Calculators vs. handheld computers

<"NewsScan" <>>
Wed, 12 Jun 2002 08:01:42 -0700

As handheld computers become increasingly competitive with Texas Instrument
(TI) calculators for mathematical graphing, TI has been busy adding features
such as address books, organizers, and a large variety of spreadsheet
programs. The main advantage of handhelds, of course, is that they are
general-purpose devices.  Nelson Heller, who publishes the Heller Report
newsletter on education technology, says that both calculators and handheld
computers are getting better but adds: "The question I see is whether a
specialized appliance like the graphing calculator will in the long run lose
out to a more generalized appliance like a PDA."  Calculators, however, still
have two advantages: lower cost (about half of a PDA's cost) and
acceptability in testing situations, in that students are permitted to use
calculators but not handheld computers when taking the Scholastic Aptitude
Test.  The reason? Fear that some students might use the infrared messaging
capability of handhelds to cheat on the test. (AP/*San Jose Mercury-News*,
12 Jun 2002; NewsScan Daily, 12 June 2002)

  [And exam proctors will be able to determine that the so-called
  "calculator" is not surreptitiously a general-purpose device?  PGN]

England halts distribution of bad money

<"monty solomon" <>>
Tue, 28 May 2002 13:01:11 -0400

The Bank of England asked banks Monday to stop issuing its new
anti-counterfeit 5-pound notes after discovering that serial numbers on the
currency could be rubbed off.  [AP, 27 May 2002]

E-mail address parsing

<"Schlake (William Colburn)" <"@ @">>
Fri, 21 Jun 2002 14:23:45 -0600

About the same time PGN posted to the list about RISKS SPAM, I got a call
from someone who was going through corporate-education on e-mail addresses.
She had been given a test, and she had to identify which e-mail addresses
were valid.  She was told that half of them were invalid.  The purpose of
the test was to train employees to be able to properly harvest the e-mail
addresses of their elderly customers.  As far as I can tell, all of them
were valid.

The very next day, I made myself a new e-mail address, "@ @"  I
like this address, it has been a lot of fun so far.  No
customer-relations software seems able to accept that this is a valid
e-mail address.  People seem pretty trusting, and are willing to try and
(and are surprised when it works).

The risk is that the customer-relations programmers are living in a
world of [a-z0-9_] for mailbox names, while the standard has long
allowed for virtually any character (including NULL).  More and more
services are unavailable if you "don't have an e-mail address", and
usually even the web form to submit a bug won't process because it wants
your e-mail address, so they never even know.  Even if I wasn't taunting
them with "@ @", I'd be giving out my address with a "+" and then the
name of their company to help me sort out where my SPAM is really coming
from. Few pieces of software will allow even the harmless  little "+"
character in an address.

Risks subscription

<Ethan Benatan <>>
Thu, 13 Jun 2002 16:32:40 -0700

  [In attempting to confirm a subscription request, Ethan's mail system
  responded to RISKS and not to majordomo.  This seems to happen from other
  e-mail systems as well.  PGN]

Eudora's recent MacOS X version is broken and ignores reply-to headers;
older versions didn't used to do that.

Re: NERC + token ring (Ladkin, RISKS-22.12)

Tue, 11 Jun 2002 17:06:14 +0000 (GMT)

In RISKS-22.12, Peter Ladkin mentions NERC's use of a token ring as if this
were obviously a bad thing.  If I remember correctly, a token ring has
better behaviour at high load (as compared to ethernet), because it
implements a round-robin allocation and thus does not waste capacity in

Indeed a precursor (the Cambridge ring) had the endearing characteristic
that high loads made the PLL clock drift fast, upping the capacity by a few
percent.  The risk is in assuming the dominant technology is best for all
situations.  URL: - Internet recon.

Re: US Navy suffers domain hijacking (Brent, RISKS-22.10)

<"Jay R. Ashworth" <>>
Tue, 11 Jun 2002 12:46:25 -0400

Thank you, Geoffrey, for you've given me a hook on which to hang one of my
*favorite* rants.

"" (the proper spelling, for the DNS is case-insensitive by
design) is *not* a "trusted domain", in any remote sense of the word.  Nor
is "" (an alias for, which apparently is too
complicated for people) or "".

I have a *real* dislike for municipal and government web teams who have *so*
little faith in their audience's mentalities that they feel they have to
spurn the TLDs in which they *would* be protected -- and could be trusted
(the ".gov" and ".us" domains which have -- or perhaps in the latter case
"had" -- restrictions on registration) -- for ".com", just because "that's
the only thing people understand".  <sigh>

At least it turned around and bit Largo Florida in the ass about a year ago
when their mail server melted down under the load of 60K+ *bounce* and
complaint messages when someone used "" as a forged return address
on some spam.

I've seriously thought about registering "" and putting up a
website that looks very much like, but is parody (when you
look closely enough), and which explains exactly why I think they are doing
wrong... but while that wouldn't even *be* civil disobedience, much less
copyright infringement (based on the Skyywalker Music case), the fact that no
less a legal luminary than Lawrence Lessig thinks that civil disobedience is
no longer a useful approach
scares me to death.

Jay R. Ashworth, Baylink, Member of the Technical Staff, The Suncoast Freenet
Tampa Bay, Florida  +1 727 647 1274

Re: Please ignore the anti-shoplifting device! (Hendricks, R-22.12)

<Scott Peterson <>>
Thu, 06 Jun 2002 19:21:10 -0700

> I also realized that the alarm would likely sound as I exited at the other
> end of the store.

Which also points out a whole series of other problems.  I worked with
corporate security for a large supermarket chain in So. Calif. several
years ago.

I don't think the law has significantly changed, but at the time, you, as
an individual, could not stop someone for a misdemeanor (like shoplifting)
unless you saw them take the item and followed them until they exited.  If
you did, it was quite possible for you to be charged with unlawful
detention getting both yourself and the company in big trouble. Having an
alarm go off as you walk through it was not a good enough reason to stop
someone.  Only a sworn peace officer could stop someone in those

For this reason and the safety of the employees, they were required to know
the store policy and follow it.  If they suspected someone of shoplifting
they were to call someone in management and let them deal with it. Under no
circumstances were they to take any action on their own.

Bottom line: Those alarm units are often more a psychological barrier than a
legal one.

REVIEW: "Developing Trust", Matt Curtin>

<Rob Slade <>>
Mon, 17 Jun 2002 08:00:56 -0800

BKDEVTRS.RVW   20020514

"Developing Trust", Matt Curtin, 2002, 1-893115-72-0, U$39.95
%A   Matt Curtin
%C   175 Fifth Ave., New York, NY   10010
%D   2002
%G   1-893115-72-0
%I   Springer-Verlag/Apress
%O   U$39.95 212-460-1500 800-777-4643
%P   282 p.
%T   "Developing Trust: Online Privacy and Security"

The title, foreword, preface, and introduction aren't terribly clear
about the purpose of the book.  Ultimately, the key word seems to be
not trust, but privacy: the work appears to be directed at providing
tips for developers, of all stripes, to help maintain the
confidentiality of information.

Part one is a generic introduction to security and privacy.  Chapter
one, entitled "Why Privacy," seems, ironically, to move us even
further away from the topic of privacy.  The emphasis of the chapter
is on intrusions, although the reconnaissance phase does get the most
space.  (The subtitle, "Why This Book," does not appear to be
addressed.)  The discussion of privacy theory, in chapter two, flips
back and forth between the technical issues of identity authentication
and access control, and the social concepts of privacy, failing to
make hard relations between the two ideas.  A partial list of basic
conceptual security terms are reasonably well defined in chapter
three.  Chapter four does start to get into privacy issues, specifying
a number of notions important to protecting confidentiality in an
online (generally Web based) environment.  A number (but not an
exhaustive list) of threats to privacy are discussed in chapter five.

Part two looks at the problem.  Chapter six provides a concise list of
the basic principles of development of secure applications.
(Interestingly, Curtin uses the principle of least common mechanism as
an argument for the adoption of modular code, where others might say
that it was a reason to avoid modularity.)  Background concepts for
the Internet and Web, the basic development environment assumed for
the book, are given in chapter seven.  Some specific examples of
privacy problems on the Web are presented in chapter eight.

Part three outlines the cure.  Chapter nine reviews some basic
security protections, such as firewalls and constrained systems.  Opt
out systems are criticized in chapter ten.  "Earning Trust," in
chapter eleven, points out that providing privacy for customers is not
just a cost and a nuisance, but good business.  A structure for
analyzing and designing secure Web systems is proposed in chapter

Strangely, while the book is disjointed and difficult to pin down as
to the central theme, ultimately it could be quite valuable.  In the
end, the title is appropriate, albeit in a punning fashion: the
content is directed at developing trustworthy applications.  The
literature in the field of developing secure applications is not
extensive, and much of it is either ethereally academic or completely
language specific.  This book attempts to be practical, and, while
hardly ever touching on implementation, the precepts suggested are a
sound foundation.  Security professionals would find the general
background limited, but developers will neither be snowed under by
esoteric discussions nor left with too many vulnerabilities uncovered.
The specifics in the book deal with the Web, but the tenets of secure
design are applicable to all systems.

copyright Robert M. Slade, 2002   BKDEVTRS.RVW   20020514    or

Please report problems with the web pages to the maintainer