The RISKS Digest
Volume 22 Issue 33

Friday, 1st November 2002

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Please try the URL privacy information feature enabled by clicking the flashlight icon above. This will reveal two icons after each link the body of the digest. The shield takes you to a breakdown of Terms of Service for the site - however only a small number of sites are covered at the moment. The flashlight take you to an analysis of the various trackers etc. that the linked site delivers. Please let the website maintainer know if you find this useful or not. As a RISKS reader, you will probably not be surprised by what is revealed…


Home isn't where the security is
Autotote programmer hacks winning Pick Six bets
Lillie Coney
iVotronic voting machines lose 294 early votes
Tom Adams
Voting machines postpone the end of Brazil's daylight saving time
Nik Clayton
Software failure informs eavesdropped phone users
Markus Kuhn
Decimal glitch spurs hotel overbill
Fuzzy Gorilla
Possible role of simulator scenario in AA crash
Cathy Horiuchi
Re: Slide rules in the cockpit
Eric Remy
FDA permits use of ID chips in humans
Roger Clarke
REVIEW: "Managing Information Security Risks", Alberts/Dorofee
Rob Slade
REVIEW: "EW 101: A First Course in Electronic Warfare", David Adamy
Rob Slade
REVIEW: "Disaster and Recovery Planning", Joseph F. Gustin
Rob Slade
CFP, Security and Control of IT in Society: SCITS III
Rob Slade
Info on RISKS (comp.risks)

Home isn't where the security is

<"NewsScan" <>>
Tue, 29 Oct 2002 08:44:26 -0700

Columnist Robert Lemos says the Bush administration's plan to ask home
computer users to secure their systems as part of its "National Strategy to
Secure Cyberspace" is a misguided effort.  Citing the prevalence of users
who still call tech support wondering why their computer won't turn on
(because they've neglected to plug it in), Lemos says: "The experts are
guilty of wrongheaded thinking in relying upon home users to shore up the
nation's security.  Frankly, that's somebody else's job.  Home users are
responsible for protecting their own important data.  But it's a dangerous
illusion to believe they will take better precautions after authorities ask
them to upgrade their cyberdefenses." Lemos says the government instead
should be focusing on persuading the ISPs "to protect cyberspace from home
users.  There are simple technologies for doing this.  Source egress
filtering — a technique for preventing users from sending data with a false
source address, useful in denial-of-service attacks — should be the norm.
Companies filter e-mail messages for any viruses and disallow several types
of executable attachments; ISPs should do the same." Security expert Dorothy
Denning says the only question left is, who will pay? "Once you start
formalizing where we are going to put liability, the questions start coming
up about who's going to pay for it.  And, almost anywhere you put it, the
costs are going to end up coming back to the users." [CNet 29 Oct
2002; NewsScan Daily, 29 October 2002]

    [This seem like old news to long-time RISKS readers, but the
    fundamentally inadequate approach of relying only on users to do
    something rather palliative totally ignores the rampant vulnerabilities
    in the computer-communication systems provided by mass-market software
    developers, ISPs, and others.  It seems to reflect an abysmal lack of
    understanding of or perhaps willful obliviousness to the pervasiveness
    of problems associated with security and other trustworthiness issues
    (reliability, survivability, etc.) by folks who should know better...
    The marketplace does not solve these problems.  PGN]

Autotote programmer hacks winning Pick Six bets

<Lillie Coney <>>
Fri, 01 Nov 2002 09:44:00 -0500

Autotote (a subsidiary of Scientific Games Corp in New York state) develops
the software for most of the nation's off-track betting systems.  One of its
programmers apparently "software-engineered" the system to yield a $3
million Pick Six payoff from the Catskill NY OTB site, to be collected by a
man in Baltimore who had placed his bets by phone before the first race.
The bets were somewhat unusual: picks for the first four races, and
wild-card multiple bets spanning all possibilities for the remaining two
races.  Because of a design decision to minimize loading of the Autotote
system, local OTB data on the first four sets of bets is not posted to the
host network until just after the first four results were known.
Apparently, a little internal engineering resulted in the first four bets
being altered to name the winners of the first four legs, including 26-to-1
and 13-to-1 long shots, along with all possible combinations for the fifth
and sixth races.  The Baltimore man was the only person with the winning
Pick-6 combination, and also had consolation combinations for picking 5 out
of 6.  We presume some sort of collusion.  However, a spokesman for SGC said
that their anomaly detection system caught this event before any payoffs
occurred, after which 72 other consolation winners were then allocated
proportionally larger sums.  He added that he and his technical people had
"considered it absolutely impossible" to hack into the system.  One wag
later posted a note on the SGC Internet Web site asking if he could still
post a bet on those races.  Incidentally, the programmer has been fired, and
the case is under investigation.  [Source: Computer programmer fired in Pick
Six investigation, Greg Sandoval and John Scheinman, *The Washington Post*,
1 Nov 2002, D01; PGN-ed]

  [In this forum, we have been long been noting many of the risks in
  gambling systems as well as in electronic voting systems.  Even in a
  system that has seemingly been carefully designed for security and
  integrity, a little bit of insider action can result in very nasty
  results.  PGN]

Machines lose 294 early votes

Thu, 31 Oct 2002 11:19:28 -0500

iVotronic voting machines lost 294 votes at early voting site in Wake
County, NC due to a "glitch in the software".

Officials apparently have the names of the voters but have lost their
virtual ballots.  They are trying to contact the
voters so that they can revote.  Given the times and locations in the
article, I may be one of those voters!

Voting machines postpone the end of Brazil's daylight saving time

<Nik Clayton <>>
Sat, 26 Oct 2002 10:56:48 +0100

A recent revision to the timezone files used by (among other operating
systems) FreeBSD highlights an unforeseen risk of electronic voting.

This year the Brazilian elections were sufficiently close that a second
round of voting is required.  This will take place on October 27th, which
would normally be after the DST transition.

The Brazilian Constitution requires elections to start at 8am and finish at
5pm.  However, Brazil's vote counting systems are computerised, and the
electoral machines can not have their internal clock changed.  Rather than
change the constitution, or do the necessary timezone adjustments to the
output of the electoral machines, Brazil's government decided to postpone
the DST transition.

The diff (at
southamerica.diff?r1=1.19&r2=1.20) has more details in the comments.

Software failure informs eavesdropped phone users

<Markus Kuhn <>>
Thu, 31 Oct 2002 14:28:52 +0000

The *Sueddeutsche Zeitung* in Munich reports:

Thanks to a rather absurd accident, dozens of suspected extremists and
criminals obtained proof that their phones were being tapped by German
security services.  A few days ago, they received from their phone company
O2 an invoice that listed and billed connections to a mailbox unknown to
them.  For instance, a man in Berlin was asked to pay phone charges of 15.35
euros for 53 connections made during 3-30 September 2002 to always the same
mailbox.  At the listed number, a voice informs the caller about a lack of
authorization.  The accident was discovered when the customer complained with
his phone company.

Security sources confirmed Monday that around 50 persons, all of whose phone
numbers start with +49 179, had been invoiced for eavesdropping costs.
Initially, the authorities suspected a much larger number of persons,
because the number of phone taps is high.  According to latest informations
from the telecommunication services providers, almost 20000 lines are being
recorded at present in Germany.  The number of lines under surveillance has
increased particularly significantly since 11 September 2001.

Security services contacted O2 in Munich immediately after the accident was
noticed and stopped the delivery of printed but not yet mailed invoices.
Security service sources claimed that the problem was triggered by a
software update.

[Summarizing translation by M. Kuhn]

Source: Annette Ramelsberger: "Beweis auf dem Silbertablett - Durch
Panne tauchten Abhörkosten auf Telefonrechnung auf", Sueddeutsche
Zeitung, Munich, Germany, 2002-10-31.

Markus Kuhn, Computer Lab, Univ of Cambridge, GB | __oo_O..O_oo__

  [This article also noted by Martyn Thomas.  In addition
  Florian Liekweg, IPD Universität Karlsruhe, reported on an article in
  in *Frankfurter Rundschau*, with original German at
  02 was formerly known as Viag Interkom.  PGN]

Decimal glitch spurs hotel overbill

<"Fuzzy Gorilla" <>>
Fri, 01 Nov 2002 17:33:06 -0500

[I have to wonder what happened to basic software testing?]

If you stayed at a Holiday Inn, Holiday Inn Express, or Crowne Plaza hotel
and checked out between 24 Oct and 26 Oct 2002, you are likely to have been
one of 26,000 people who were charged 100 times what they owed, such as
$6,500 to $21,000 per night.  A credit-processing error resulted in the
decimal points being dropped.  Most of the charges were later reversed,
although many people discovered that their credit limits had been exhausted.
Overcharged guests will get two free nights at any of those hotels.
[Source: Article by Russ Bynum, Associated Press, 01 Nov 2002; PGN-ed]

Possible role of simulator scenario in AA crash

<Cathy Horiuchi <>>
Thu, 31 Oct 2002 14:02:28 -0800

*Wall Street Journal*, 31 Oct 2002, p. D10,
American Revised Training Methods in Wake of Crash

The role of simulators in predisposing pilots to particular strategies
is part of the NTSB investigation into last year's crash of AA flight
587.  From the article...

  "Mr. Young said that until earlier this year, American flight instructors
  routinely set the stage for practicing upset recoveries in simulators by
  telling pilots to pretend they had just entered the wake of a preceding
  jumbo jet.  Then the simulator was instructed to depict a sharp roll or
  steep nose-up maneuver, which typically required a fair amount of rudder
  input to correct."

This resembles issues surrounding decoding any constructed "word problem"
into a "math problem".  Scenario setters decided on the physical forces --
and it seems from this report, the solution — then programmed it into the
simulator; the equivalent of a fully articulated mathematical problem.  Then
they gave the pilots a scenario and set them loose to discover the
biological/mathematical simulated solution in the cockpit.  Conclusions
drawn from Mr. Young's testimony differ, and the NTSB investigation are
incomplete.  Yet this seems to suggest the increasing difficulty of
adequately simulating our complex machinery for correct operations under
real-world conditions.

Re: Slide rules in the cockpit (White, RISKS-22.32)

<"Eric Remy" <>>
Wed, 30 Oct 2002 14:55:24 -0500

George White comments that "Years ago, pilots carried circular slide rules
to perform fuel and distance calculations."

Let me one of the many who comment that they still do, at least those of us
in general aviation. I was certainly trained to use an E6B when I got my
pilot's license about a year ago, and I've never used anything else.  The
E6B can do time/speed/distance/fuel burn, crosswind corrections, temperature
and statute<->nautical mile conversions and a few others I forget at the
moment.  It's more or less unchanged since WWII: cheap, durable, very fast
(I can often beat people using an "electronic E6B", and my instructor made
me look slow.) and it has no batteries to die at the wrong moment.  See for a photo
of a typical one.

Eric D. Remy, Instructional Technology Coordinator
Randolph-Macon Woman's College  (434) 947-8618 x7

FDA permits use of ID chips in humans

<Roger Clarke <>>
Thu, 24 Oct 2002 08:44:21 +1000

This is a re-posting from the Politech list, with comments.  The news report
first, comments by Declan McCullagh second, comments by me third.

Date: Wed, 23 Oct 2002 10:10:45 -0400
From: Bob <>
Subject: ID Chip's Controversial Approval, 23 Oct 2002,1283,55952,00.html

A surprise decision by the Food and Drug Administration permits the use of
implantable ID chips in humans, despite an FDA investigator's recent public
reservations about the devices.

The FDA sent chip manufacturer Applied Digital Solutions a letter stating
that the agency would not regulate the VeriChip if it was used for
"security, financial and personal identification or safety applications,"
ADS said Tuesday.

But the FDA has not determined whether the controversial chip can be used
for medical purposes, including linking to medical databases, the company

Declan McCullagh's Comments:

[There are two obvious questions: Should federal bureaucrats forcibly
prevent a company from selling implantable chips of this sort? And would it
be desirable for society to adopt these chips? I think the answer to the
first is "no," and the answer to the second is also "no." I would not stop
by government force or intervention people from using such implants, but it
is reasonable to be concerned about what might happen with widescale
adoption and speak out against it.  Previous Politech message: --Declan]

Roger's Comments:

In the early 1990s, I wrote about what I call 'imposed identifiers':
I also mused about prosthetisation of humans in:

For some years, I used the-chip-in-your-neck as a shock tactic in a lot of
presentations.  After the initial reaction of disbelief, audiences were
forced to accept the line of argument that the institutionalised would be
the first - prisoners, prisoners on day-release, senile dementia patients.

Over a few short years, people have become inured to the shock-tactic.  in
response to press reports of the FDA announcement, there will be murmurs of
'oh, isn't it awful', and then parents will resume pumping chips into
children (for what reason I've yet to work out), and Professor Warwick will
become even more of a celebrity, with every failure reported in Wired
Magazine, and hence the rest of the media, as another step forward.

I've not read the psychology literature about the Nazi assault on
minorities; but the human race clearly has a genetic predisposition to
rationalise the most dehumanising actions being taken in respect not only of
other people, but even of one's self.

Any kind of external justification will do — technological determinism,
cost savings, prompt recognition of cadavers, instructions by the scientist
conducting the experiment, or the desires of a belligerent government
(Germany of the 30s and 40s, Argentina of the Generals, the Cambodia of Pol
Pot, the U.S. of the here and now).

Roger Clarke   +61 2 6288 1472
Xamax Consultancy Pty Ltd, 78 Sidaway St, Chapman ACT 2611 AUSTRALIA
Visiting Professor, Uni of Hong Kong; Visiting Fellow, Australian National U.

REVIEW: "Managing Information Security Risks", Alberts/Dorofee

<Rob Slade <>>
Thu, 24 Oct 2002 08:00:40 -0800

BKMISROA.RVW   20020826

"Managing Information Security Risks", Christopher Alberts/Audrey Dorofee,
2003, 0-321-11886-3, U$54.99/C$85.99
%A   Christopher Alberts
%A   Audrey Dorofee
%C   P.O. Box 520, 26 Prince Andrew Place, Don Mills, Ontario M3C 2T8
%D   2003
%G   0-321-11886-3
%I   Addison-Wesley Publishing Co.
%O   U$54.99/C$85.99 416-447-5101 fax: 416-443-0948
%P   471 p.
%T   "Managing Information Security Risks: The OCTAVE Approach"

Part one is an introduction to risks and risk evaluation.  Chapter one is a
generic, and not particularly clearly written, outline of a basic risk
analysis process.  The OCTAVE (Operationally Critical Threat, Asset, and
Vulnerability Evaluation) process is described in chapter two, along with
various principles, factors (called attributes), and three phases of outputs
(or deliverables) of the process.

Part two presents more details of the method.  Chapter three runs through
the outcomes and attributes again, but in a confusing fashion.  "Preparing
for OCTAVE," in chapter four, is a fairly generic outline of preparation for
any kind of planning.  Chapter five begins a list of the individual
processes of OCTAVE, but essentially says that the company should identify
assets, threats and vulnerabilities.  The creation of threat profiles, in
chapter six, is the first part of the process that actually presents details
and tools that might help in risk analysis.  Chapter seven suggests that you
identify key components of an asset, but, again, does not offer a specific
process for doing so.  Evaluating selected components, in chapter eight,
seems to be merely subdividing asset threat analysis.  Risk analysis is
vaguely and briefly covered in chapter nine.  Chapters ten and eleven
contain pedestrian advice about developing a protection strategy.

Part three talks about variations to OCTAVE.  Chapter twelve discusses the
tailoring of OCTAVE, but since OCTAVE itself is rather vague, it is
difficult to understand the options for alteration.  Chapter thirteen
asserts that OCTAVE is suitable for a variety of situations: since the
process is so generic this is probably true.  Chapter fourteen recommends
reviewing or redoing an OCTAVE assessment from time to time--just like any
risk analysis.

Appendix B lists a variety of worksheets for risk analysis which could be
quite useful.

This book is written in such a nebulous manner that it is difficult to
day whether OCTAVE is an obscure method, or whether it is simply
poorly explained.

copyright Robert M. Slade, 2002   BKMISROA.RVW   20020826    or

REVIEW: "EW 101: A First Course in Electronic Warfare", David Adamy

<Rob Slade <>>
Wed, 30 Oct 2002 07:15:11 -0800

BKEW101.RVW   20020902

"EW 101: A First Course in Electronic Warfare", David Adamy, 2001,
1-58053-169-5, U$89.00
%A   David Adamy
%C   685 Canton St., Norwood, MA   02062
%D   2001
%G   1-58053-169-5
%I   Artech House/Horizon
%O   U$89.00 800-225-9977 fax: 617-769-6334
%P   308 p.
%T   "EW 101: A First Course in Electronic Warfare"

The book is based on the "EW 101" columns in the "Journal of
Electronic Defense."  It is, in fact, the first sixty such columns,
structured into chapters and linked with additional material.

Electronic warfare (EW), as chapter one tells us, is intended to
reserve the electromagnetic spectrum for friendly use, while denying
it to the enemy.  We may be using the spectrum for communications,
such as radio, although the primary concern seems to be with remote
sensing, such as radar.  EW is not concerned with such activities as
interception of enemy communications, or the design of directed energy
weapons.  Chapter two covers basic mathematics necessary for working
with EW, such as logarithms (for working with decibel, or dB,
representations) or spherical trigonometry.  There is a very clear
discussion of antenna characteristics, uses and design considerations
in chapter three.  Chapter four does the same thing for receivers,
with an added examination of the concept of sensitivity.  Processing
of received signals is dealt with in chapter five, with a special
concentration on display for and to the user (generally a pilot or
signals officer).  Chapter six looks at the multidimensional and
multitechnology problem of the search for "threats" (as radio emitters
are known in electronic warfare circles).  "Low probability of
intercept" (LPI) signals are the topic of chapter seven, which
emphasizes the considerations in regard to spread spectrum technology.
Various techniques for locating emitters are covered in chapter eight.
Chapter nine deals with the many different types of jamming, and the
power calculations necessary to concepts such as "burn through" range.
Different types, missions, and purposes of decoys are discussed in
chapter ten.  Chapter eleven examines a wide variety of considerations
involved in simulations.

As the title notes, for those interested in an introduction to the
topic, this book is an informative and interesting tutorial, readable,
and with a minimum of mathematics necessary to the topic.

copyright Robert M. Slade, 2002   BKEW101.RVW   20020902    or

REVIEW: "Disaster and Recovery Planning", Joseph F. Gustin

<Rob Slade <>>
Fri, 25 Oct 2002 07:46:27 -0800

BKDRPGFM.RVW   20020825

"Disaster and Recovery Planning", Joseph F. Gustin, 2002,
%A   Joseph F. Gustin
%C   One Lake St., Upper Saddle River, NJ   07458
%D   2002
%G   0-13-009289-4
%I   Prentice Hall
%O   U$ +1-201-236-7139 fax: +1-201-236-7131
%P   304 p.
%T   "Disaster and Recovery Planning: A guide for Facility Managers"

Despite the title, and a number of the topics covered, this book seems
to have more to do with business continuity than disaster planning.
Chapter one does talk about disaster types (and lists not-so-recent
disasters), and has a rough outline of basic parts of the planning
process.  Some US regulations that may influence plans are discussed
in chapter two.  Immediate emergency response is reviewed in chapter
three.  Chapter four talks about types of disasters again (and, again,
the examples are fairly old).  Fire protection and response, in
chapter five, is very uneven in the level of detail, and concentrates
heavily on technicalities in regard to exits.  Bomb threat response,
in chapter six, emphasizes searching techniques.  Evacuations are
covered in chapter seven.  Chapter eight encompasses earthquakes, with
the major emphasis being on structural design to prevent damage.
Computer and data protection, in chapter nine, is poor and brief.
Chapter ten is a simplistic look at power requirements.  There is a
set of generic loss prevention strategies in chapter eleven.  Crisis
planning, in chapter twelve, is primarily concerned with handling the
media.  Chapter thirteen, putting the plan together, is pedestrian,
but reasonably comprehensive.

The final chapter, on managing the recovery, is very thorough.

For those new to business continuity planning, this book does provide
some basic outlines and tips.  But for those who have worked with
disaster or continuity planning to any extent, there is nothing new

copyright Robert M. Slade, 2002   BKDRPGFM.RVW   20020825    or

CFP, Security and Control of IT in Society: SCITS III

<Rob Slade <>>
Thu, 24 Oct 2002 10:37:23 -0800

Security and Control of IT in Society (SCITS) III
Special Track on SEC'2003
18th IFIP International Information Security Conference
Athens Chamber of Commerce and Industry
26-28 May 2003, Athens, Greece

  [Contact for instructions.  Papers must be received by
  November 12, 2002.  PGN]

Papers offering novel research contributions in any aspect of IT Misuse
and the Law are solicited for submission to this Special Track of the 18th
IFIP International Information Security Conference. Papers may present
theory, applications or practical experiences (e.g. case studies) on
topics including, but not limited to:

- High-tech crime prevention, detection, and investigation
- International Cooperation in fighting high-tech crime
- Computer Forensics
- IT law for preventing Misuse
- Social and Legal Risks through interception and tracking technologies -
  Data retention vs. privacy in communication and archived systems - Crypto
  / Anonymity debate - Protecting users/usees by Privacy-Enhancing
- Perception of security in society
- Behavioral issues of information security
- Security awareness
- Users' security responsibilities
- Critical Information Infrastructure Protection and Social Implications -
  Adequacy and Inadequacy of the Law - Multilateral Security - Social, legal
  and ethical aspects of IT security

Please report problems with the web pages to the maintainer