The Risks Digest

The RISKS Digest

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Volume 22 Issue 44

Sunday 29 December 2002


Accidental alert spooks Vermont Yankee neighbors
Robin Wheeler
Pioneer 10 still alive, 30 years later
More UK air-traffic woes
Ursula Martin
Russian firm cleared in U.S. copyright case
DEA data thief sentenced to 27 months
Computer programmer faces U.S. fraud charge in virus attack
Monty Solomon
O Big Brother, where art thou? -- everywhere
The Total Information Awareness program is a RISK!
Edward G. Nilges
Old mechanical voting machines also break, but have audit trails
Danny Burstein
Electronic vote machines open to tampering - report
Derek Harnett
Is a cleared check really like money in the bank?
Sidney Markowitz
Baffling ATM behavior
Bill Bumgarner
Re: Crackers steal 52,000 university passwords
Harald Hanche-Olsen
Why you should read Mitnick's book: The risks of seeing the trees and not the forest
Don Norman
Surgical tool left in woman's stomach for 4 months
Keith Rhodes
Info on RISKS (comp.risks)

Accidental alert spooks Vermont Yankee neighbors

<Robin Wheeler <>>
Fri, 27 Dec 2002 10:17:31 -0500

Christmas Day was rough on people in the Northeastern U.S., with snow and
nasty weather conditions.  One very tired National Weather Service
forecaster had worked 24 hours straight, into the following day, because
relief could not make it to the Albany NY work site, with up to three feet
of snow on the ground.  He accidently clicked on an icon that triggered a
high-alert general site emergency to neighbors of the Vermont Yankee nuclear
power station, just one level below the evacuation order.  That alert went
via special tone-alert radios only to people who cannot hear the
urban-centered emergency sirens.  The alert was canceled shortly thereafter,
after the VT Emergency Management Office checked with the power plant.
There is a five-minute delay on such alerts going out to the general radio
audiences, so this particular alert never made it more widely than the
special alert system.  Reportedly, the software will be modified to make
this type of erroneous message less likely.  [Source: Susan Smallheer,
*Rutland Herald* (Vermont), 27 Dec 2002;;

Pioneer 10 still alive, 30 years later

<Peter Neumann <>>
Wed, 18 Dec 2002 20:15:39 -0800 (PST)

"A distant Pioneer whispers to Earth": Like the Energizer Bunny, Pioneer 10
is still going after 30 years -- sort of.  Silent since March 2002, now 7.5
billion miles away, or 11 hours at the speed of light, faint signals were
received but could not be locked on, and no scientific information could be
[or ?]

  [typo corrected in archive copy, alternative URL suggested as well.  PGN]

More UK air-traffic woes

<Ursula Martin <>>
Thu, 19 Dec 2002 08:39:17 GMT

The UK National Air Traffic Control Centre at Swanwick (RISKS-21.98,
22.02,03,09,12,13) is still having ``potentially catastrophic'' problems,
including erratic communications breakdowns between controllers and pilots,
unclear screen images, etc.

Russian firm cleared in U.S. copyright case

<"NewsScan" <>>
Wed, 18 Dec 2002 09:00:59 -0700

ElcomSoft Co. Ltd., based in Moscow, has been found *not guilty* of criminal
charges that it violated the 1998 U.S. Digital Millennium Copyright Act by
selling a software program designed to circumvent the digital locks used to
enforce copyright protections on Adobe Systems e-book software.  The
two-week trial was the first criminal prosecution under the controversial
DCMA, which prohibits the sale of technology that can be used to break the
code that "locks" digitally formatted movies, music and other software.  The
case hinged on whether ElcomSoft had "willfully" violated U.S. law, an
intent the defendants denied.  "They never intended to violate the law,"
said defense attorney Joseph Burton.  ElcomSoft president Alexander Katalov
pointed out that the program was legal in Russia and was not meant to be
used for electronic books that had not been legally purchased.  He said he
didn't know that the software was illegal under U.S. law.  [Reuters, 17 Dec
2002; NewsScan Daily, 18 December 2002]

DEA data thief sentenced to 27 months

<Peter Neumann <>>
Wed, 18 Dec 2002 09:19:01 -0500

Emilio Calatayud, who worked for the U.S. Drug Enforcement Administration
(DEA) for 14 years, has now been sentenced to 27 months in prison and a
$5,000 fine for selling information on claimants in more than 1000 workers'
compensation cases to Triple Check Investigative Services.  He used his
authorized access to the FBI's National Crime Information Center (NCIC), the
California Law Enforcement Telecommunications System (CLETS), and the DEA
Narcotics and Dangerous Drug Information System (NADDIS).  He was paid at
least $22,500 from 1993 to 1999 for these extracurricular services.  On the
first day of his trial in February 2002, he fled to Mexico, but was later
caught.  [Source: Kevin Poulsen, SecurityFocus Online, 18 Dec 2002;;; PGN-ed; Courtesy of
Richard M. Smith]

Computer programmer faces U.S. fraud charge in virus attack

<Monty Solomon <>>
Wed, 18 Dec 2002 22:34:20 -0500

A formerUBS PaineWebber computer expert was indicted on federal charges of
trying to manipulate the stock price of the brokerage's parent company last
spring by disseminating a computer virus among over 1,000 systems used by PW
brokers.  He had reportedly been hoping to gain from the resulting stock
price drop.  [Source: article by Robert Hanley, *The New York Times*, 18 Dec
2002; PGN-ed]

O Big Brother, where art thou? -- everywhere

<"NewsScan" <>>
Mon, 23 Dec 2002 09:31:58 -0700

In order to monitor the U.S. civilian population in its effort to detect
terrorists, the government's Total Information Awareness program will rely
almost completely on data collection systems that are already in place --
e-mail, online shopping and travel booking, ATM systems, cell phone
networks, electronic toll-collection systems and credit card payment
terminals. Technologists say that what the government plans to do in data
sifting and pattern matching in order to flag aberrant behavior is not very
different from programs already in use by private companies. For instance,
credit card companies use such systems to spot unusual spending activities
that might signal a stolen card. The early version of Total Information
Awareness uses a commercial software collaboration program called Groove,
which was developed in 2000 by Ray Ozzie, inventor of Lotus Notes. Groove
enables analysts at various government agencies to share intelligence data
instantly, and links programs that are designed to detect suspicious
patterns of behavior. However, some computer scientists question whether
such a system can really work. "This wouldn't have been possible without the
modern Internet, and even now it's a daunting task," says cryptology expert
Dorothy Denning, a professor in the Department of Defense Analysis at the
Naval Postgraduate School. Part of the challenge, she says, is knowing what
to look for. "Do we really know enough about the precursors to terrorist
activity? I don't think we're there yet."  [*The New York Times*, 23 Dec
2002; NewsScan Daily, 23 December 2002]

The Total Information Awareness program is a RISK!

< (Edward G. Nilges)>
26 Dec 2002 15:34:36 -0800

In *The New York Times* for 23 Dec 2002, John Markoff and John Schwartz find
that "Many tools of Big Brother are up and running."

In this article, they describe how the Total Information Awareness or TIA
program hopes to use the eXtended Markup "Language" (XML) as a form of Krazy
Glue to create the mathematical union of existing and wildly disparate data

Quite apart from genuine concerns about privacy, the real problem may be

This is because the "end user's" vision of a data base, as opposed to a
large program, is relatively optimistic.  Intelligent end users know in some
way the Turing pessimism: that there is no automated procedure, and often no
practical procedure, for determining whether a large software artifact
"halts" or more generally arrives at a desirable state.

But what they may not know is that modern data bases including Oracle and
SQL Server include meta-data that in effect transforms the
non-Turing-complete (and therefore controllable) data base into a very large
Turing machine.

This meta-data traditionally consisted of format declarations, which do not
in themselves present the Turing problem, but also consists of "stored

These are modally small but sometimes large programs written in a
Turing-complete programming language that have the ability to form part of
the semantics of the data base.

For example, a yes/no flag (indicating "probable terrorist involvement") may
be accessed via an automated trigger that returns not its raw value, but its
value, ANDed with another flag that overrides the raw flag. The latter flag
may indicate an explanatory condition such as association with organizations
already known to be neutral (such as the Red Crescent), which association
lowers the probability of the original condition.

And, although traditional meta-data (such as the use of Long or 32-bit
representation for an integer value) does not make a data base Turing
incomplete it may (or may not) represent a statement about the data.

The selection of 32 bits may represent a decision that the value in question
ranges between -2**31 and -2**31-1, or it may represent ONLY the absence, at
the time the data base was created, of a 64 bit architecture.

The problem is that eXtended Markup Language CAN represent all these
subtleties in principle but WILL NOT in practice owing to time pressures.
Already in the literature one finds a split.  Managerial articles on XML
promise complete control, while in the same journal, programmers and system
administrators are assured that XML is permissive and will allow the
representation of values as ASCII strings...without type constraints.

XML is no Pascal but is instead in the tradition of C, which allows the
developer to make forensic decisions on his own without oversight.  The
manager believes that everything is under control, while in the server room
it is decided, modally in an undocumented way, that a citizen who posts long
articles on the Internet is a potential troublemaker.

The problem is that the artifact resulting will be an uncontrollable,
because Turing complete, PROGRAM that will form its own documentation.

As a form of de facto electronic law, it will result in even more
Constitutional mischief than we've seen enough of already in the war against

Old mechanical voting machines also break, but have audit trails

<danny burstein <>>
Sat, 7 Dec 2002 18:15:11 -0500 (EST)

We've got a curious case in White Plains, NY (about 20 miles north of NYC)
in which one of the older mechanical voting machines broke down - leading to
a great deal of messiness as to who won the election. The allegation is that
the lever for one candidate jammed, so people couldn't readily vote for
him. The good thing here is that there was feedback to the voters that they
weren't getting through and that these concerns were, indeed, taken
seriously. (We all know far too well the problems with more "modern"

For various legal reasons the losing candidate doesn't have direct standing,
but has to defer to the Attorney General. Mr. Spitzer's office investigated,
and has now filed the court paperwork.

to quote from the AG's press release:

"In March, Delgado requested that the Attorney General consider bringing a
*quo warranto* action. Following long-standing office policy, the Attorney
General's Office convened a panel of three seasoned assistant attorneys
general to investigate the White Plains Common Council election.  During its
six-month investigation, the panel interviewed Delgado and Hockley, as well
as officials from the Westchester Board of Elections and poll workers.

"Information uncovered in the investigation showed that the voting machine
in the 18th Election District had, in fact, jammed only on the line with
Delgado's name, preventing votes for him from being recorded. In the
investigation, the panel received 103 sworn affidavits from White Plains
voters who said they voted for Delgado on the voting machine in the 18th
Election District. The investigation also determined that those voters had
signed in and voted at the 18th Election District. Those 103 votes would
have been more than needed to overcome the 47-vote differential between the
candidates.  [...]

So while it's taking much longer than I'm sure anyone would like, the
process is clearcut and making its way through.

further details at:

Electronic vote machines open to tampering - report

<Derek Harnett <>>
Mon, 9 Dec 2002 13:34:44 -0000

In the last couple of elections/referenda here we've had a few pilot schemes
here for electronic voting.  The plan is to introduce electronic voting
countrywide in the next couple of years.  The system is one that does not
have an paper audit trail etc.  Despite commissioning an report on the
integrity/security of the systems used, the government department
responsible seems set on ignoring the results of the report and will
continue to roll out the process.

>From the 'Irish Independent' 9 Dec 2002:

Electronic vote machines open to tampering - report

A PRIVATE report for the Department of the Environment has cast doubt on the
security of the ballot in new electronic voting machines.

The "powervote" machines, deployed in seven constituencies at the last
general election and due to be used countrywide for the local and European
elections in 2004, are vulnerable to tampering, the report claimed.

Consultants Zerflow told the department that it would be easy to paste a
dummy ballot paper over the face of the machine, rearranging the list of
candidates, in a bid to attract votes away from someone perceived as likely
to be the most popular candidate.

The examination team also successfully obtained a key to operate one of the
machines and copied it at a local shopping centre - raising the scenario of
tamperers armed with many keys reactivating the machines after close of
voting to engage in the electronic equivalent of ballot-stuffing.

The Department of the Environment has rejected many of the concerns,
pointing out that the machines' integrity is protected by a scrutineer who
remains by each machine during voting.

Fine Gael spokesman Bernard Allen said last night that the Minister for the
Environment, Martin Cullen, must now publish the full facts relating to the
Zerflow report.

He said he would be asking the Chairman of the Oireachtas Environment
Committee to convene a meeting to examine the situation in detail. The
report's authors and the minister would be invited to discuss the matter.

"There should be no further consideration given to extending electronic
voting until such time as the system can be guaranteed to be secure," he

The report identified several "high level" risks to the integrity of the
vote, and suggested that results obtained under the current system could be
open to legal challenge.

Powervote said its machines have been operating in Germany and the
Netherlands for over a decade without problems.

Is a cleared check really like money in the bank?

<"Sidney Markowitz" <>>
Thu, 19 Dec 2002 00:41:15 +1300

Wired has an article on a new Nigerian scam,1284,56829,00.html

The con can be abstracted into these steps:

1. Con artist sends you a cashier's check as payment for something.

2. Some reason you find plausible is given for you to send back a portion of
the money once you are sure that the check has cleared

3. You deposit the check, wait until the bank says it has cleared, and send
some part of the money to the con artist

4. Bank informs you some days or weeks later that the check was a
counterfeit and you owe them the full amount they paid you

There seems to be a really big RISK here, aside from the Nigerian scam: It
is common for check transactions to be held until the check clears, to
ensure that the check is good. Now we see that the time it takes for a check
to clear is determined by US law that sets a limit on how long a bank can
delay paying for a deposited check. But that limit does not make it any
faster for the bank to really determine if the check is good. The unintended
consequence of the law is that a cleared check may not be a cleared check,
with the depositor being the one who is liable if something goes wrong.

Baffling ATM behavior

<Bill Bumgarner <>>
Wed, 11 Dec 2002 15:03:27 -0500

Yesterday, I stopped by an ATM to pick up a bit of cash and experienced a
truly stupid bit of interaction with the ATM.

I inserted and retrieved my card, typed my PIN, typed the amount of money I
wanted, agreed to pay the vig, and hit enter to receive my cash.


No warning, no beeping, no error message, no cash.  No feedback whatsoever.

Then I noticed that the machine had the previous customer's receipt sticking
out of the printer slot.  Assuming it wouldn't help, I removed the receipt.

Lo and behold, the machine coughed up my cash, coughed up a receipt (that I
didn't ask for), and the transaction was concluded.

The risks should be obvious:

 - Machine enters a 'locked' state after concluding the transaction
   internally, but before cash is delivered to user

 - Zero feedback of what is holding up transaction completion

 - Spitting out a receipt when the user explicitly asks NOT to receive a

I would assume that the system completes the transaction with the user's
account immediately prior to dispensing cash.  As such, the cash to be
dispensed is "in the queue" and no longer in the account?

The potential scam is much more nefarious.  It would be trivially easy to
use a razor to cut off the receipt in the printer slot after a transaction
is completed.  Once done, the thief merely has to wait for someone who tries
to obtain cash, but isn't aware that the machine will lock up in the fashion
described above.  The user will eventually walk away-- maybe pressing
cancel, more likely not (I didn't test that the 'cancel' would really
'cancel' the transaction).  Given that the ATM is on the side of the bank
that owns the ATM, it is quite likely the user will step into the bank for

As soon as the user steps away, the thief merely has to extract the old
receipt to cause the machine to spit cash.

It would be hard to even prove that the thief was actually a thief and not
someone who just lucked into completing the transaction.

I'm certainly going to check twice that the printer slot is clear before
using any ATM, but I can think of a number of situations where a blockage
wouldn't be visible.

  [Correction inserted in archive copy. PGN]

Re: Crackers steal 52,000 university passwords (RISKS-22.39)

<Harald Hanche-Olsen <>>
Sun, 01 Dec 2002 01:00:19 +0100

Regarding the break-in where crackers stole the password file from the
University of Oslo [RISKS 22.39], the mere fact that they managed this isn't
half as interesting as the reason they could pull it off.

Apparently, the crackers got in via a computer used for testing a new
administrative system for the telephone exchange. As it turns out, this
system is based on the MS SQL server, a fact unknown to the people
installing the software. Now they had installed the latest security patches
for the whole system, except for the SQL server - since they were not aware
that it was running. And that provided the crackers' opportunity.

Why you should read Mitnick's book: The risks of seeing the trees

<"Don Norman" <>>
Wed, 18 Dec 2002 02:46:21 -0600
  and not the forest

In an apparent coincidence, in RISKS 22.43, in the article that followed
my recommendation that RISK readers read the new book by Mitnick &
Simon, Rod Slade did his standard "this book has no merit" review of the

Slade is wrong: you should read this book.

Slade criticizes each individual tree, and thereby misses the forest.
His critique of the individual trees is correct. Are the stories
repetitive? Yes. (you know, each tree looks just like the other, and
after awhile, it gets boring.)  Is the book self-serving?  Yes. Is
Mitnick reformed or still a scoundrel (guess). Is the advice he gives
rather pedestrian or even worthless? Yes.  Are there any new, profound
insights, well, no, not if you keep your head down and only focus on the

But individual trees add up to a forest, and there is value in studying

I'm a student of human psychology.  That's what I do for a living.
Technology and people. Among other things, I read books by ex-criminals:
Thieves, bank robbers, con-artists.  I learn a lot. This is not the
first such book I have read. And it won't be the last.

I learned a lot from Mitnick. I was impressed by his approaches. They
are not as simple and easy to do as a quick reading would make them
appear. After the fact, everything always looks obvious. But I, for
example, would find it difficult to even think of the schemes, let alone
carry them out successfully. As with all great confidence operators, he
knows a lot about practical, human psychology.  He knows how to set up
the mark. How to make multiple phone calls or visits, each to a
different person, each asking for help, and each time picking up one
little piece of information that, by itself, does not seem important.
How to win confidence.  And then, put the little bits together, and you
sound like a legitimate employee, supplier, or customer in an
unfortunate situation, where just a little help would be useful.  It's
classic con-artist, and he does it very well.

I believe that many readers of RISKS would learn a lot -- and be very
bothered by what was learned; it would be very easy to fall for some of
those ruses.  (As Mitnick points out, even good con artists will
sometimes fall for other people's cons.)  This is a really good antidote
to all those technical approaches to security.

Slade also can't decide how to treat Mitnick: as a weak technologist
(hey, most of his cons don't involve technology, so what's the big deal)
or as too good a technologist (to do one fraud, you need to reprogram a
DMS-100 switch). That last fraud, by the way, is quite interesting: Go
out and buy a used switch -- or just get access to someone else's -- and
you can make the telephone caller ID say anything you want it to. So
don't trust caller ID to show that the caller is someone you know, or
from your own company.  Is this news to professionals? No. Is it good to
know?  Yes. Would a serious person trying to steal company secrets, or
money, use the trick? Gee, I would -- wouldn't you?  Of course they
would. Can I program the switch?  No, but I could learn, or more easily,
just hire someone to do it for me.

Slade complains that this is not a technology book, "this is a book
about how to fool people." Well, yeah, duh, that's the point. Put up all
the technology you want, it isn't that secure because I'll break in from
inside, or fool people into giving me the information I seek.

So, if you are a security professional, you can ignore the book. Maybe.
You already know all this stuff. You could probably write a better book
yourself. If you aren't such an expert, read the book. Its an easy read.
Big print. Lots of stories. No big words or deep thoughts. Very
repetitive. But I found it revealing -- and frightening.

On one thing Slade and I agree: "Chapter four tells you to distrust
everyone--which would probably be more damaging to society than social
engineering." Yup, this was precisely the point of my posting in RISKS
22.43.  It is already becoming more damaging.

Read Mitnick & Simon. Don't take their recommendations seriously -- they
are lightweight, sometimes wrong or irrelevant, and probably there for
legal reasons -- to impress the court that this is a prevention book,
not a "how-to" book.

It's a great how-to book, and if you read it, you will become better at
prevention. Maybe.

Don Norman, Computer Science, Northwestern University
Nielsen Norman Group

Surgical tool left in woman's stomach for 4 months

<Keith Rhodes <>>
Tue, 17 Dec 2002 08:31:52 -0800 (PST)

An airport metal detector was triggered by a Canadian woman, although no
metal was evident.  Noting that she had been suffering from persistent
stomach pains ever since abdominal surgery, she went for an x-ray the next
day.  A four-inch surgical retractor was discovered in her abdomen.
[, PGN-ed]

which says it was a 33-centimeter retractor.
NOTE ADDED in archive copy.  PGN]

Please report problems with the web pages to the maintainer