The RISKS Digest

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Volume 22 Issue 18

Saturday 27 July 2002

Contents

Gridlock as 800 London traffic lights seize (Adrian Lightly)
Nasdaq glitch hits stocks starting with 'M' or 'N' (Joan Lee Brewer)
Princeton admissions office caught breaking into Yale computers (Steve Klein)
Warchalking the Networks (Chris Leeson)
Handspring hands out names and springs out numbers (Monty Solomon)
Risks from cyberterrorism (NewsScan)
American style cyber warfare: what are the risks? (Hendrik)
No more JPEGs - ISO to withdraw image standard (Monty Solomon)
Reinventing read-only disks (Jeremy Epstein)
Possible day-of-week error - Zeller (John Stockton)
Finger-printing children in schools, without parental involvement (Peter Houppermans)
Apple OSX and iDisk and Mail.app (Randal L. Schwartz)
Re: Listen to TCAS, not the controller! (Bob Morrell)
Re: E-mail content filtering ... (Anthony W. Youngman, Nick Brown, Marc Horowitz, Robert Woodhead)
Re: Uselessness of "Dirty word" filters (J.D. Abolins, Danny Lawrence)
news@sei interactive--Second quarter 2002 issue available (Hollen Barmer)
Info on RISKS (comp.risks)

Gridlock as 800 London traffic lights seize

<Adrian Lightly <adrian@pigeonhold.com>>
Thu, 25 Jul 2002 09:55:35 +0100

Central London was brought to a standstill in the rush hour today when 800
sets of traffic lights failed at the same time -- in effect locking signals
on red.

http://www.thisislondon.com/dynamic/news/top_story.html?in_review_id=649242&in_review_text_id=620267

Oops.

I liked this bit:

"The worst gridlock the capital has seen for years was caused by a computer
which crashed as engineers installed software designed to give pedestrians
longer to cross the roads."

So, in essence, that worked perfectly. Testing complete.

  [Are you longing to cross the road on red?  PGN]


Nasdaq glitch hits stocks starting with 'M' or 'N'

<"Joan Lee Brewer -- CSE" <joanbrewer@attbi.com>>
Wed, 24 Jul 2002 11:57:51 -0700

Six days before it is set to launch a new trading platform, the Nasdaq Stock
Market experienced a glitch as its systems accidentally rebroadcast the
day's data for stocks beginning with the letters 'M' and 'N'.  That resulted
in daily volumes figures appearing much higher than they actually were for
the affected stocks [with Microsoft, Nextel, and Novellus being listed among
the top 10 movers].  [PGN-ed from Reuters item, 23 Jul 2002]
http://news.moneycentral.msn.com/ticker/article.asp?Feed=RTR&Date=20020723&ID=1802531&Symbol=US:MSFT


Princeton admissions office caught breaking into Yale computers

<Steve Klein <steveklein@mac.com>>
Fri, 26 Jul 2002 15:51:26 -0400

The 26 Jul 2002 issue of the *Wall Street Journal* carried an article by
Charles Forelle detailing how the Princeton admissions office was caught
"accessing confidential Internet records to see whether its rival had
admitted or rejected students who had applied to both schools."  Princeton
suspended, with pay, associate dean and director of admissions Stephen
LeMenager, pending an investigation of the incident.

  "Princeton was able to use the publicly available Yale.edu1 Web site to
  get the confidential admissions data because it had the students'
  passwords -- the names, Social Security numbers and dates of birth they
  had provided on their Princeton applications."

After hearing rumors about Princeton accessing their site, Yale officials
reviewed access logs for the site and discovered that computers using IP
addresses belonging to Princeton had accessed the site.  Yale contacted the
students to ask if they had used computers near Princeton to check their
accounts. No one said yes.  The IP addresses were traced to the Princeton
admissions office.

"Lauren Weinstein, the founder of the Privacy Forum, an electronic-rights
group, said Princeton's actions were clearly wrong, but Yale's site should
not have relied on Social Security numbers and birth dates, which can
sometimes be retrieved from public records, to secure the data."

Excerpted and paraphrased from the Wall Street Journal article found here:
	<http://online.wsj.com/article/0,,SB1027628736531063280.djm,00.html>
(subscription required)

Steve Klein  1-248-YOUR-MAC-EXPERT (248-968-7622)


Warchalking the Networks

<"LEESON, Chris" <CHRIS.LEESON@london.sema.slb.com>>
Fri, 26 Jul 2002 09:47:00 +0100

The 26 Jul 2002 *Metro* notes the appearance of strange chalk patterns on
the streets of London.  These consist of two semicircles, a circle, or a
circumscribed W, with some numbers added.

  "Far from being the work of aliens, they have been created by something
  even more sinister - computer geeks."

The symbols are the creation of one Matt Jones (a "British Internet
expert"), and denote places where wireless connections to the Internet can
be accessed. From what I can make out from the article the two semi-circles
indicate an unsecured network, the circle indicates a closed network and the
circumscribed W indicates a secured network. The recording of this information
is called "Warchalking".

Businesses claim that this is a major risk to security. That may be so - it
is certainly not a good advertisement for the Business in question (the real
threat to security is the Business that has not taken care to secure its
wireless network).

OK, not a new risk (Wireless LANs go back at least as far as Risks 10.83),
but a more visible incarnation of an existing one.


Handspring hands out names and springs out numbers

<Monty Solomon <monty@roscom.com>>
Fri, 26 Jul 2002 16:49:27 -0400

Customers received two surprises from Handspring this week: an e-mail
announcing the delay of the Treo handheld Treo 90 and Treo 270 (because of
faulty screen parts), and customer names, e-mail addresses and phone numbers
of other Treo customers.  Handspring confirmed that its customer service
department inadvertently attached a spreadsheet with customer information to
an e-mail sent to about 250 people who placed Treo orders in recent days.
[Source: Richard Shim, CNET News.com, 26 Jul 2002, retitled and PGN-ed]
  http://news.com.com/2100-1040-946624.html


Risks from cyberterrorism

<"NewsScan" <newsscan@newsscan.com>>
Thu, 25 Jul 2002 08:56:19 -0700

Cybersecurity experts are busy lobbying Congress for protections from
liability lawsuits but some analysts say the media may be over-stating the
risks from terrorist cyber attacks. Marc Maiffret of eEye Digital Security
says, "Terrorists are only recently starting to realize the benefits of
having people within their organizations that have real hacking skills," and
University of South California professor of communications Douglas Thomas
adds: "Cyber-terrorism is a lot more difficult than many people assume."
Even so, security expert Stanley Jarocki warns that terrorists could do a
lot of damage by cracking U.S. corporate systems: "Today, some say it would
be easier for a terrorist to attack a dam by hacking into its
command-and-control computer network than it would be to obtain and deliver
the tons of explosives needed to blow it up. Even more frightening, such
destruction can be launched remotely, either from the safety of the
terrorist's living room, or their hideout cave." [AP/USA Today 24 Jul 2002;
NewsScan Daily, 25 July 2002]
  http://www.usatoday.com/tech/news/computersecurity/2002-07-24-cybersecurity-protection_x.htm


American style cyber warfare: what are the risks?

<Hendrik <hiz/vgq8@islandnet.com>>
Sat, 27 Jul 2002 17:19:11 +0900

According to CNET News.com, US Reps. Howard Berman, D-Calif., and Howard
Coble, R-N.C., are planning to introduce a bill "that would permit copyright
holders to perform nearly unchecked electronic hacking if they have a
'reasonable basis' to believe that piracy is taking place."

http://news.com.com/2104-1023-945923.html

I had already gotten a feeling of indigestion after researching the
"palladium" issue, and now words are failing me - so may I ask the experts
in this forum to share some of their insights about the proposed cyber
warfare legislation and associated risks?


No more JPEGs - ISO to withdraw image standard

<Monty Solomon <monty@roscom.com>>
Tue, 23 Jul 2002 20:13:59 -0400

The ISO standards body will take the unprecedented step of withdrawing the
JPEG image format as a formal standard if Forgent Networks, a small Texan
company, continues to demand royalties on a seventeen-year-old patent.
According to Richard Clark, JPEG committee member and JPEG.org webmaster,
Forgent's royalty grab -- coming after two decades of royalty-free use --
means that ISO is obliged to withdraw the specification.  [Source: Andrew
Orlowski, *The Register*, 23 Jul 2002]
  http://theregister.co.uk/content/4/26339.html


Reinventing read-only disks

<"Jeremy Epstein" <jepstein@webmethods.com>>
Thu, 25 Jul 2002 16:00:34 -0400

In the days when disk drives were expensive and the size of washing
machines, they usually had a "read only" physical switch.  Flip the switch,
and no matter what the software did, it couldn't write to the disk, because
the write circuitry was disabled.

Fast forward twenty years, where Scarabs Corp just introduced a disk drive
with two heads and two cables.  One cable is connected to a head (or more
likely, a set of heads) that can read the disk and the other cable to an
administrative computer that can both read and write the disk.  Even if a
hacker is successful at breaking into a system, they can't deface the web
site.

Too bad we don't have those old fashioned switches.... with the exception
that you couldn't simultaneously have one machine updating and another in
read-only mode, it's pretty much the same deal.

Of course, none of these solutions are any good for web sites that need to
update information on the fly (e.g., to put an order into a database).

Details at
  http://computerworld.com/securitytopics/security/story/0,10801,72943,00.html


Possible day-of-week error - Zeller

<John Stockton <spam@merlyn.demon.co.uk>>
Wed, 24 Jul 2002 18:37:22 +0100

Algorithms for determining the day-of-week from year-month-day - whether
or not truly Zeller's - can, for certain dates, compute a negative
number mod 7, which does not yield the desired result.  Zeller himself
dealt with this.

Tests using "current" dates in the later 1900's would not have seen this
problem.

A good test date is 2001-03-01 (1st March 2001); the algorithm can
easily be run manually.

The problem has been seen, for example, in C code in an Internet draft.

Those whose systems do suitable run-time checking may already have
discovered the problem.

John Stockton, Surrey, UK.  http://www.merlyn.demon.co.uk/programs/
Dates: miscdate.htm moredate.htm js-dates.htm pas-time.htm critdate.htm etc.
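
The failure described above, as an added example that is not part of the original posting: the textbook Gregorian form of Zeller's congruence written in C, where `%` keeps the sign of a negative left operand, beside a normalised version. The function names are illustrative, and the reference walk assumes only that 1970-01-01 was a Thursday. A negative result used to index a day-name table reads before the start of the array, which is the kind of fault run-time checking catches.

```c
#include <stdio.h>

/* Zeller's congruence, Gregorian calendar, years > 0.
 * Result numbering: 0=Sat, 1=Sun, 2=Mon, 3=Tue, 4=Wed, 5=Thu, 6=Fri. */
static int zeller_sum(int y, int m, int d)
{
    if (m < 3) { m += 12; y -= 1; }   /* Jan/Feb are months 13/14 of the previous year */
    int K = y % 100;                  /* year within the century */
    int J = y / 100;                  /* century */
    return d + 13 * (m + 1) / 5 + K + K / 4 + J / 4 - 2 * J;   /* -2J can push this below 0 */
}

/* As commonly transcribed: C99 '%' truncates toward zero, so a negative
 * sum yields a negative "day of week". */
int dow_naive(int y, int m, int d)
{
    return zeller_sum(y, m, d) % 7;
}

/* Normalised: fold a negative remainder back into 0..6. */
int dow_fixed(int y, int m, int d)
{
    int r = zeller_sum(y, m, d) % 7;
    return r < 0 ? r + 7 : r;
}

static int is_leap(int y)
{
    return (y % 4 == 0 && y % 100 != 0) || y % 400 == 0;
}

static int days_in_month(int y, int m)
{
    static const int len[] = {31, 28, 31, 30, 31, 30, 31, 31, 30, 31, 30, 31};
    return (m == 2 && is_leap(y)) ? 29 : len[m - 1];
}

/* Independent reference: walk the calendar one day at a time from
 * 1970-01-01 (Thursday = 5) and count the dates in
 * [first_year, last_year] where f disagrees. first_year must be >= 1970. */
int count_mismatches(int (*f)(int, int, int), int first_year, int last_year)
{
    int wd = 5, bad = 0;
    for (int y = 1970; y <= last_year; y++)
        for (int m = 1; m <= 12; m++)
            for (int d = 1; d <= days_in_month(y, m); d++) {
                if (y >= first_year && f(y, m, d) != wd)
                    bad++;
                wd = (wd + 1) % 7;
            }
    return bad;
}

int main(void)
{
    printf("2001-03-01: naive=%d fixed=%d\n",
           dow_naive(2001, 3, 1), dow_fixed(2001, 3, 1));
    printf("naive mismatches 1970-1999: %d\n",
           count_mismatches(dow_naive, 1970, 1999));
    printf("naive mismatches 2000-2010: %d\n",
           count_mismatches(dow_naive, 2000, 2010));
    printf("fixed mismatches 1970-2100: %d\n",
           count_mismatches(dow_fixed, 1970, 2100));
    return 0;
}
```
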


Finger-printing children in schools, without parental involvement

<Peter Houppermans <Peter.Houppermans@paconsulting.com>>
Mon, 22 Jul 2002 16:37:58 +0100

  [Note the return of an old favourite: "People who have nothing to hide -
  why would they worry?"  PH]

Row over finger-printing in schools

Source:
http://news.bbc.co.uk/hi/english/education/newsid_2144000/2144188.stm

Tens of thousands of children are being finger-printed in school -- often
without the consent of their parents, a human rights group has complained.
Prints are taken for a library lending system which the makers say makes
lending more efficient and less vulnerable to abuse.  But the pressure group
Privacy International says the practice is illegal and breaches the human
right to privacy.

[Dangerous]

One of the makers of the technology, Micro Librarian Systems (MLS), say they
have sold about 1,000 systems to schools in the UK and abroad.  Simon
Davies, of the campaign group Privacy International says the practice is
"dangerous, illegal and unnecessary".  He says the use of the technology
should be banned in schools.

"It dehumanizes our children and degrades their human rights," he said.
"Such a process has the effect of softening children up for such initiatives
as ID cards and DNA testing.  It's clearly a case of 'get them while they're
young'.  They are seen as a soft target for this technology".

[Encrypted]

The group says it has been contacted by parents who are angry that they have
not been asked to give their consent for the finger-printing.
Manufacturers MLS say it would be very difficult for a third party to access
the prints and make use of them.  The company's technology director Stephen
Phillips said: "The system does not store the actual finger-print, but a map
of it which takes in the print's key features.  The image is then
compressed and encrypted, so it would take a lot of effort to use it.

"People who have nothing to hide - why would they worry?"

Mr Phillips said the company advised schools to consult or inform parents
before they used the technology.  He said only two parents had complained
about the use of the technology to the company.

Privacy International says it expects there to be legal challenges to the
use of the technology in schools.

  [Also commented on by Gary Barnes.  PGN]


Apple OSX and iDisk and Mail.app

<Randal L. Schwartz>
24 Jul 2002 09:10:59 -0700

  (From Bugtraq, submitted to RISKS by Monty Solomon)
  (http://online.securityfocus.com/archive/1/284087)

The password for an Apple iDisk is sent via HTTPS/WebDAV.  However, if
you configure OSX with an iDisk password, the same password is copied
to the Mail.app configuration (which might not have been previously
configured).  Clicking on a "mailto" link fires up Mail.app, which
then connects to mac.com which *does not* support any method of
encrypted password transmission.

Net effect: your iDisk password is transmitted in the clear without
your awareness, albeit as a mail password.

Problems:

- mac.com SMTP doesn't support encrypted passwords
- mac.com's mail password is *always* identical to iDisk password
- OSX's "do what I mean" friendliness saves passwords without knowledge


Re: Listen to TCAS, not the controller! (RISKS-22.15)

<"Bob Morrell" <bmorrell@wfubmc.edu>>
Thu, 25 Jul 2002 09:05:20 -0400

RISKS has for many years now provided us with commentary and insight into
the problems that result from trusting computers too much. I think more
comment is due on the collision of a cargo plane and a Russian airliner,
which could have been prevented if the Russian Pilot had trusted the
computerized collision avoidance system (TCAS) rather than the human air
controller. Monty Solomon noted the event in RISKS-22.15.

There are several reported aspects of this event that deserve some thought.
Every non-pilot (and several private aircraft pilots who do not use TCAS)
that I have spoken to, without exception, say they would have trusted the
human air controller rather than the computer, this despite the fact that
the human was miles away, using a remote sensing device and managing other
problems. The TCAS, on the other hand, was right on the scene, directly
communicating with the other plane's TCAS. The Hollywood portrayal of
'infallible' machines, and perhaps daily experience with modern PCs clearly
have downgraded the public trust in automated devices.  Western pilots, it
was reported (NPR I believe), are trained to trust the TCAS over the human
controller, Russian aviators the reverse, so it appears that the pilot was
following his training, rather than deciding on the spur of the moment who
to believe. Russian trainers are no doubt rethinking this policy. It would
be interesting to learn the historical source for this difference in
training.  As with almost all major aviation disasters, multiple mistakes
led to this crash. The decision to ignore the TCAS was the last in a series,
and if the reports on the Russian training are correct, was not, technically
speaking, a mistake on the pilot's part, however horrific the results.  The
RISK of blind, unthinking MIStrust of computers, we now see, can be as great
as the risk of blind trust. An educated understanding of the computerized
systems that we use is essential. Public perception is, in my opinion, too
monolithic. TCAS is a highly tested system with a flawless record; it cannot
be compared to the computer program that calculates my power bill.

Bob Morrell, Cancer Center, http://home.triad.rr.com/bmorrell/


Re: E-mail content filtering ... (Miller, RISKS-22.16)

<"Anthony W. Youngman" <Anthony.Youngman@ECA-International.com>>
Thu, 25 Jul 2002 13:09:10 +0100

As I understand it, the main purpose of the filters is to control the
amount of unsolicited (usually commercial) bulk e-mail a.k.a. spam. I've
seen reports that UBE is a significant contributor to network infrastructure
costs, which accrue to the recipient, not the sender. The filters do seem to
be having some positive (from the recipient's point of view) impact on the
spam problem.

Something else to watch out for is legality ...

Certainly in the UK I do not know of any ISP that filters incoming mail.
There may be some, but none of the big boys (BT, Demon, Freeserve that I
know of) do. To do so without the explicit knowledge of their customers
would almost certainly lay them open to charges of censorship, of unlawfully
tapping and tampering with communications, etc etc.

Many ISPs do filter outgoing mail though. I know Pipex scan everything going
out via their servers, as does (I believe) Freeserve. Freeserve go even
further, forcing all outgoing SMTP through their mail proxies, which have
sophisticated anti-spam checks.

They can get away with scanning outgoing mail because of AUPs and customer
contracts, but scanning incoming mail would be legally very dangerous.

Cheers,
Wol


Re: E-mail content filtering ... (Miller, RISKS-22.16)

<BROWN Nick <Nick.BROWN@coe.int>>
Thu, 25 Jul 2002 18:35:24 +0200

IMHO, the problem stems (as usual!) from bad management, and to a lesser
degree, from incompetent sysadmins (hired by the same bad managers).

What typically happens is that a bunch of users (say,
not-very-computer-literate bosses - think Dilbert's pointy-haired boss)
receive spam which they deem offensive (say, females receiving invitations
to p*rn sites, or males insulted by the suggestion that they need V*agra or
other below-the-waist "enhancements"), and demand that "something must be
done".  Now in a 33.6K modem environment, spam is a waste of download time,
but on a corporate LAN when mails are brought to your desk in real time, it
really isn't much effort to click "delete", and after a few dozen, one can
recognise 99% of spam from the title... if one cares to make the effort (not
always a hallmark of the "PHB").

So, the PHB storms off to the IS department with cries of "stop this cr*p
from getting through".  Now, either the IS people are clued up - in which
case they might or might not try to dissuade the PHB, depending on whether
their previous experiences in the corporate culture lead them to believe
that this is likely to be fruitful - or, in many cases, they aren't.  Either
way, it's likely that they will implement e-mail filtering with "a product",
usually "the market leader", which in turn got to be that way by making the
biggest and most far-fetched claims, while spending the minimum on R&D to
actually get that way.  Many of us have already been down exactly the same
road with Web content filtering.

Most RISKS readers will, of course, be horrified by the idea that a spam
filter could unintentionally block even a tiny percentage of non-spam mail.
But I suspect that for the average PHB, not getting quite as many [genuine]
e-mails as s/he currently does, might not be a bad thing.  Less time spent
typing (ugh!) and working out how blind copy works, etc.  If they do get
shouted at for not answering an important mail, well, they can blame IS!


Re: E-mail content filtering ... (Bourguignon, R-22.17)

<Marc Horowitz <marc@mit.edu>>
24 Jul 2002 19:13:34 -0400

> * Just PGP signing an e-mail is enough to ensure that the e-mail content is
>   not altered without notice.

This is true.  However, if it is altered, recovering the content of
the original message may be difficult if you don't know what the
filter did.  One can argue this is a feature, as the recipient cannot
misunderstand what he cannot decode or decrypt.

> * Just PGP encrypting is enough to ensure that the e-mail content
>   cannot be filtered.

This is not true, and ignores the point of Bill Gunshannon's original
post.  It is nearly guaranteed that PGP's base64 encoding will contain
words which may cause the e-mail to be modified or dropped.  Your dirty
jokes may get through, but your lunch plans with your mother may not.
Of course, the presence of such words in the encoded ciphertext is
completely uncorrelated to the presence of such words in the
plaintext, but explaining this to your PHB is up to you.
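
The effect described above, as an added example that is not part of the original posting: a standard base64 encoder (the alphabet PGP ASCII armor uses), a naive case-insensitive substring filter, and the expected number of chance matches for one word in a given length of armored text. It assumes ciphertext can be modelled as uniformly random bytes; the nine sample bytes, the blocked word and the function names are constructed for illustration.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

static const char B64[] =
    "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";

/* Standard base64. out must hold 4*((n+2)/3)+1 bytes. Returns chars written. */
size_t b64_encode(const unsigned char *in, size_t n, char *out)
{
    size_t o = 0;
    for (size_t i = 0; i < n; i += 3) {
        unsigned long v = (unsigned long)in[i] << 16;
        if (i + 1 < n) v |= (unsigned long)in[i + 1] << 8;
        if (i + 2 < n) v |= in[i + 2];
        out[o++] = B64[(v >> 18) & 63];
        out[o++] = B64[(v >> 12) & 63];
        out[o++] = (i + 1 < n) ? B64[(v >> 6) & 63] : '=';
        out[o++] = (i + 2 < n) ? B64[v & 63] : '=';
    }
    out[o] = '\0';
    return o;
}

/* Case-insensitive substring count: how a naive word filter scans a body. */
int filter_hits(const char *text, const char *word)
{
    size_t wl = strlen(word), tl = strlen(text);
    int hits = 0;
    for (size_t i = 0; wl && i + wl <= tl; i++) {
        size_t j = 0;
        while (j < wl && tolower((unsigned char)text[i + j]) ==
                         tolower((unsigned char)word[j]))
            j++;
        if (j == wl) hits++;
    }
    return hits;
}

/* Expected chance matches of one all-letter word in nchars of uniformly
 * random base64: each position matches a given letter, in either case,
 * with probability 2/64. */
double expected_hits(size_t nchars, size_t wordlen)
{
    if (wordlen == 0 || nchars < wordlen) return 0.0;
    double p = 1.0;
    for (size_t i = 0; i < wordlen; i++) p /= 32.0;
    return (double)(nchars - wordlen + 1) * p;
}

/* Constructed sample: nine bytes standing in for ciphertext. Nothing in
 * them is text, yet the middle three encode to a word a filter may block. */
const unsigned char SAMPLE[9] = {0x00, 0x10, 0x83, 0x75, 0xA9, 0xA7,
                                 0x10, 0x51, 0x87};

int sample_blocked(const char *word)
{
    char armor[4 * ((sizeof SAMPLE + 2) / 3) + 1];
    b64_encode(SAMPLE, sizeof SAMPLE, armor);
    return filter_hits(armor, word) > 0;
}

int main(void)
{
    char armor[16];
    b64_encode(SAMPLE, sizeof SAMPLE, armor);
    printf("armored sample: %s, blocked: %d\n", armor, sample_blocked("DAMN"));
    printf("expected hits, 3-letter word in 32770 chars: %.3f\n",
           expected_hits(32770, 3));
    printf("expected hits, 4-letter word in 32770 chars: %.5f\n",
           expected_hits(32770, 4));
    return 0;
}
```
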


Re: E-mail content filtering ... (Miller, RISKS-22.16)

<Robert Woodhead <trebor@animeigo.com>>
Thu, 25 Jul 2002 19:56:56 -0400

>* Just PGP encrypting is enough to ensure that the e-mail content cannot be
>   filtered.

Unfortunately, one of the most common and useful anti-spam heuristics is
"e-mail contains none of the most common English words".  This catches a lot
of non-English spam and pure-html crud.

As the maintainer of a database of anti-spam heuristics (and previously, an
anti-virus program author), the fact is that perfect spam detection is
impossible, it's yet another variant of the halting problem.

I personally find that the most effective approach is spam-labelling; in
other words, adding headers to suspect e-mail saying "I think this is spam,
and this is why".  Then let the user's e-mail app apply filtering rules
using the additional context.

For example, I filter all e-mail marked as spam to the bottom of my inbox
(lowest priority), then use other filtering rules to whitelist e-mail from
known sources.  I get over 300 spams a day but it takes only a few seconds
to quickly scan them for false positives.

Robert Woodhead, Webslave & Mad Overlord    http://selfpromotion.com/


Re: Uselessness of "Dirty word" filters (Lawrence, RISKS-22.16)

<"J.D. Abolins" <jda-ir@njcc.com>>
Thu, 25 Jul 2002 08:16:41 +0000

Re: rejecting a horse named "Dr. Fager", I started to see other possible
rejection problems.

Proper names: Would the name of the current USA President be interpreted
as a vulgar term deserving filtering?

The possible derogatory term rejected by the DW filter Danny Lawrence
encountered is also a British reference for a cigarette.  (I guess some
proponents of DW filters would consider cigarettes and smoking worth
filtering out. But then how can one do an anti-smoking... oops,,,
anti-[filtered]... education on the Web?)

Speaking of British terms, recipes for some traditional British food
dishes would run afoul of the filters:
"[filtered]ers and Mash"
"Spotted [filtered]"
"[filtered] in Gravy"

But "Bubble and Squeak" should be safe. <g>

  [Not entirely.  PGN]


Re: Dirty word filters and Horse's names

<"Danny Lawrence" <Danny@TiassaTech.com>>
Thu, 25 Jul 2002 11:44:06 -0400

Actually horses' names are still limited to 18 letters and all names must
be submitted to the Jockey Club for approval.  There is an overview of
allowable names here: http://home.jockeyclub.com/rules/rules.html#rule6
(see, there is a "Rule 6"!). Also note the last rule "B. In addition to
the provisions of this Rule, the Registrar of The Jockey Club reserves the
right of approval on all name claiming requests." One owner, after having
several names rejected by Buddy Bishop, the registrar, decided to call his
horse "Buddy Named Me".


news@sei interactive--Second quarter 2002 issue available

<Hollen Barmer <hlb@sei.cmu.edu>>
Wed, 24 Jul 2002 11:18:15 -0400

The second quarter 2002 issue of news@sei interactive is now available.

The articles in this issue are
  "Preventing Security-Related Defects"
  "TIDE: Promoting Technology Adoption Through Technology Collaboration"
  "First International Conference on COTS-Based Software Systems a Success"
  "CERT/CC and Secret Service Collaborate on Security"

Our columns in this issue are
Watts New: "Surviving Failure"
The Architect: "Aligning Business Models, Business Architectures, and IT
  Architectures"
The COTS Spot: "Risk/Misfit Redux"
Security Matters: "Is There an Intruder in My Computer?"

news@sei interactive (http://interactive.sei.cmu.edu/) is a Web-based
publication of the Software Engineering Institute (SEI). The news@sei
interactive team is interested in your comments, questions, and
suggestions for improvement. Contact us at interactive@sei.cmu.edu.

CERT, Capability Maturity Model, and CMM are registered in the U.S. Patent
and Trademark Office.  CMM Integration, CMMI, Personal Software Process, and
Team Software Process are service marks of Carnegie Mellon University.
