The Risks Digest

The RISKS Digest

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Volume 22 Issue 57

Weds 19 February 2003


Playing Russian Roulette with traffic lights
Dan Foster
Scuba diving computer recall
Tom Race
Gambling on systems accountability
Irena Szrek
University software development fiasco
Identity withheld by request
Re: Identity theft evidently based on spoofing AOL
Identity withheld
REVIEW: "Mike Meyers' Certification Passport CISSP", Shon Harris
Rob Slade
REVIEW: "CISSP Training Guide", Roberta Bragg
Rob Slade
REVIEW: "Advanced CISSP Prep Guide: Exam Q & A", Krutz/Vines
Rob Slade
REVIEW: "The CISSP Prep Guide Gold Edition", Krutz/Vines
Rob Slade
Info on RISKS (comp.risks)

Playing Russian Roulette with traffic lights

<Dan Foster <>>
Wed, 19 Feb 2003 22:22:53 +0000

I came across a post by someone I know from previous posts in a travel
USENET newsgroup -- Bill Mattocks, who mentioned an interesting cause of a
car accident he was in on 2 Feb 2003 at the College and Nall intersection in
Overland Park, Kansas.

He was driving towards an intersection that was apparently in a flashing
four-way red traffic signal so all cars came to a full stop and yielded
appropriately. He then proceeded to drive through the intersection when it
was his turn and after having verified the intersection and immediate
vicinity was clear of any potential hazards, and had the monumental bad luck
of having entered the intersection just as the lights suddenly started
working again and it had signalled green in the lane at a 90 degree angle to

End result? A BMW sped through the intersection, having seen a green, and
didn't see his car until it was too late. (Both parties seems to be ok, with
some minor injuries, fortunately.)

The RISKS? The light *didn't* fail safely. Well, it did fail safely by
reverting to a four way flashing red light which is equivalent to a four way
stop sign. However, if it was properly designed, it would not have changed
into any other mode without manual intervention by someone present at the
control box by the intersection, along with a police officer to temporarily
handle the traffic at moment the lights were put back into working order,

I realize that such an approach would have been burdensome in certain
situations such as a large scale recovery after a power outage, but it's
much less of a Russian Roulette-type of situation for drivers ("Is the light
going to suddenly indicate green or red in my direction if it decides to
start working again?") when properly handled.

The crux being that there is no safe way to deterministically recover from
such a failure without onsite manual intervention.

Perhaps something that the Department of Transportation (DOT) and engineers
at Crouse-Hinds (a major traffic light manufacturer) might take into

Scuba diving computer recall

< (Tom Race)>
17 Feb 2003 05:35:20 -0800

  [See also Risks in scuba equipment, Carl Page, RISKS-21.41]

In simple terms, a dive computer monitors the amount of nitrogen dissolved
in the diver's blood.  Typically worn like a wrist watch, it tracks the
diver's depth and calculates the absorbed nitrogen according to a
mathematical model of the human body's various tissues.

If a diver surfaces too quickly with too much nitrogen in the body it is
released as bubbles within the blood or tissues, potentially causing injury
or death through Decompression Sickness (DCS).  Divers typically rely
heavily on a computer to tell them when to surface to avoid DCS.

The manufacturer below is being sued over the mathematical model, which has
a faulty assumption, or more likely a complete oversight.  The model
embedded in this computer assumes that the diver on the surface continues to
breath whatever gas mixture they were diving with.  When the diver is using
nitrox, a gas mixture containing extra oxygen and therefore less nitrogen
than air, the computer will assume that they are releasing nitrogen at a
higher rate than reality.  Over several dives and several intervals on the
surface, the state of the mathematical model and the diver's actual nitrogen
levels may become seriously different, and in the 'wrong' (more risky)

A failure of requirements specification or code inspection?  The lawsuit
refers to a 'manufacturing defect'.

I have an interest, since I have a nitrox computer from the same
manufacturer.  Fortunately mine is more recent, and I have not used it for
gases other than air.

Tom Race

 - - - - - - - - - - - -

Uwatec, Scuba Pro and Johnson Outdoors Subject of Class Action Seeking
Product Recall; 5 Feb 2003

Dive industry leaders Uwatec and Scuba Pro, and their parent company,
outdoor equipment conglomerate Johnson Outdoors, Inc., have been sued in
federal court by a former authorized reseller, Robert Raimo, seeking a
mandatory recall of all Aladin Air X Nitrox dive computers manufactured
before 1 Feb 1996. The suit seeks certification as a class action on behalf
of all owners of the dive computers, and all persons who acted as retailers,
dealers, wholesalers or distributors of the dive computers.

The suit claims that 1995 model Aladin Air X Nitrox dive computers have a
manufacturing defect that prevents the computer from switching from
underwater to surface, or air mode when the user returns to the surface. As
a result, the computer continues to calculate a diver's decompression
obligations as if the diver were breathing enriched air, or nitrox,
containing as little as 50% nitrogen, while on the surface, instead of
properly calculating the diver's decompression obligations and off-gassing
while the diver is breathing air, which contains 78% nitrogen. This defect
causes the computer to underestimate residual nitrogen loads, and to
overestimate the diver's safe repetitive bottom times, thereby significantly
increasing the diver's risk of contracting decompression sickness (bends).

The suit alleges that the defect is likely to affect experienced divers
making multiple nitrox dives in a single day to maximize bottom time, such
as those conducted on increasingly popular "live-aboard" dive vacations in
exotic locations, far away from the nearest treatment centers capable of
saving the life of a diver stricken with decompression sickness.

The so-called "air-switching defect" was first described in an internal
Uwatec memo dated 30 Jan 1996, which warned one of the company's test divers
about "the faulty Aladin Nitrox".  The memo described how to manually
override the defect so the diver could safely use his computer until it was
replaced by Uwatec. After this memo was sent to Uwatec's U.S. management,
they drafted a product recall notice. However, the suit alleges the managers
were fired before they could issue the recall notice, and the defendants
have maintained a "conspiracy of silence" ever since.

Copies of the 1996 memo and recall notice are attached as exhibits to the
complaint and may be viewed on the News section of the Web site of Raimo's
attorney, David Concannon, at

Raimo was stricken with Type II decompression sickness after using a 1995
model Aladin Air X Nitrox on four nitrox dives off Bonaire in Apr 2002. He
is the former owner of two retail dive centers in New York.

According to Concannon, the suit was filed as a class action only after
Johnson, Scuba Pro and Uwatec rebuffed Raimo's requests that the companies
issue a voluntary recall. The suit was filed in Oakland, California because
four other lawsuits filed by divers alleging they were injured by the same
model computer are currently pending there and are scheduled for trial in
Nov 2003.

Contact: David Concannon, 610-293-8084

David G. Concannon, Law Offices of David G. Concannon, LLC
Strafford Building One, Suite 112, 150 Strafford Avenue
Wayne, Pennsylvania 19087
Phone: (610) 293-8084  Fax: (610) 293-8086

Gambling on systems accountability

<Irena Szrek <>>
Sun, 16 Feb 2003 19:09:46 -0500

I read with interest Peter Neumann's article on 'Gambling on Systems
Accountability' in the 'Inside Risks' section of the February 2003
*Communications of the ACM* (Volume 46, Number 2).  I can not agree more
with Peter's observations on current drawback of computer systems security
and need to focus on system integrity rather then confidentiality.  I feel
that as long as systems will not be designed with security and integrity as
part of the system, and will not provide effective and conclusive audit
capabilities, they will be exposed to insider or outsider fraud and will be
targets of (at times successful) attacks.  This is especially true in
industries where ability to gain large sums of money is at stake, as in the
off-track-betting systems Peter mentions, or in lottery and casino systems.

I want to mention an approach to stop insider fraud in gaming systems that
use random numbers.  Random-number generators are used in gaming to decide
outcomes of games, and are used in electronic drawing machines to pick draw
numbers.  Typically, the only security present is physical security; the
audit trail, if any, is of the generation process, which can be circumvented
by a skilled insider.  We have introduced a new notion of 'unpredictable
auditable random numbers', where audit of outcomes is an element of system
design.  With the use of digital signature, random numbers can be generated
in a way providing conclusive audit of the numbers themselves.  This
guarantees that a proper set of random numbers is used for the plays or the
draws, and is not tampered with by dishonest insiders.

Irena Szrek, Szrek2Solutions  1-401-398-0395 <>

University software development fiasco

<[Identity withheld by request]>
Wed, 19 Feb 2003

If you are interested in yet another case of a large software project gone
horribly wrong, then this is a beauty:

Back in the planning stages, we had a Director of IT who loathed UNIX.  So
he decreed that the new academic record system would run on Windows back-end
systems.  Oracle and Peoplesoft said, "You want to do what!?"

The new system was switched on in early November 2001 and the old system was
simultaneously switched off.  (NOTE, since we are in the Southern hemisphere,
November is the time of peak demand for student grade processing,
registration, etc.)

It is now over a year after the system was switched on.  The system still
does not provide several of the key features that were touted as the reasons
for its implementation.

Information that has become public in the past year includes the fact that
several U.S. universities have had significant problems with the system.
And *their* version was simpler than ours since our university combines both
a normal U.S. style university and an additional school that is a sort of
combination VocationalTech and junior college.  So, if it didn't work in the
simpler U.S. environment, how could it possibly work here?

The problems and risks that are highlighted here include:

1) Choose the best platform for the job.

2) The "big-bang" approach to implementation is always a disaster waiting to
   happen.  Frequently the disaster doesn't wait.  There were three problems
   which compounded the problem.  There had been no real stress testing of
   the new system, it was rolled-out at the time of peak demand, and the old
   system, which would otherwise have provided a backout option, was
   switched off.

3) Non-technical people driving technical decisions.

4) Overly complex and ambitious systems being implemented as a single system
   and all at once rather than being phased in.

Obviously, I'm sort-of on the inside on this, so I'd rather this didn't get
published with my name.  But, it is cautionary, at least to the extent that
so many of the above problems keep getting repeated, in one form or another,
year after year.  I've been reading comp.risks for a long time now and it
seems like some lessons are never learned.

Re: Identity theft evidently based on spoofing AOL (RISKS-22.56)

<[Identity withheld by request; same contributor as above]>
Wed, 19 Feb 2003

About a year ago, we had a student who created a page based on the Hotmail
password change page and then spammed Hotmail users with a poorly written
e-mail, in fractured English, which instructed them to click on the link and
change their Hotmail password.  We estimate that it was active for no more
than an hour.  At the time he was shut down he had more than 120 username/
password combinations.

Given the dodgy nature of the message from "Hotmail" and the fact that the
URL was clearly of the form ,,,.edu.,,, it makes me wonder about the extent
to which people seem to suspend critical judgment when they connect to the

I suppose that I shouldn't be so surprised, given the number of hoax virus
messages that seem to regularly get forwarded.

REVIEW: "Mike Meyers' Certification Passport CISSP", Shon Harris

<Rob Slade <>>
Mon, 13 Jan 2003 08:20:51 -0800

BKMMCISP.RVW   20021106

"Mike Meyers' Certification Passport CISSP", Shon Harris, 2002,
0-07-222578-5, U$29.99/C$44.95
%A   Shon Harris
%C   300 Water Street, Whitby, Ontario   L1N 9B6
%D   2002
%G   0-07-222578-5
%I   McGraw-Hill Ryerson/Osborne
%O   U$29.99/C$44.95 +1-800-565-5758 +1-905-430-5134 fax: 905-430-5020
%P   422 p.
%T   "Mike Meyers' Certification Passport CISSP"

There is a "Check-In" foreword, which seems to be about the series, and an
introduction that provides a very terse overview of the CISSP (Certified
Information Systems Security Professional) exam.

The book consists of ten chapters, one for each of the CBK (Common Body of
Knowledge) domains.  "Security Management Practices" demonstrates that the
book is perhaps a bit too thin: illustrations and other materials from
Harris' "All-in-One" guide (cf. BKCISPA1.RVW) appear, but most of the
tutorial material is vague and generic.  (When covering "controls," a vital
concept in this domain, the text provides an "exam tip" that controls should
be visible enough to deter misdeeds, but not visible enough to be avoided,
but completely neglects the second axis of the control matrix, which covers
deterrence, detection, and so forth.)  The review questions at the end of
the chapter are better than some, but still quite simplistic.  As well as
being limited, the content is suspect in places: a "cognitive password" is
very insecure, and why would a retina scanner blow air into your eye?  The
"Computers 101" part of "Security Architecture and Models" is all right,
although very brief and with significant gaps, but the formal models are
simplified to a problematic extent (and the explanation of lattice models is
flatly wrong).  The "Physical Security" chapter is probably adequate for
study purposes.  Even after all of the above, I was surprised at how poor
the material in "Telecommunications and Networking Security" was.  The
TCP/IP content is definitely insufficient, and specific errors are made in a
number of areas (such as the ability of PPTP [Point-to-Point Tunneling
Protocol] to encrypt data).  "Cryptography" is limited to little more than
the terms involved, and it is odd how much space is wasted on editorial
comment.  (The text could also use a bit more organization: a number of
topics appear, in isolation, at a fair distance away from related items.)
"Disaster Recovery and Business Continuity" is terse, but possibly
sufficient for study purposes.  The material in "Law, Investigation, and
Ethics" is problematic: it appears to be somewhat dated and has some
important gaps, such as corporate liability, interviewing, and the process
of incident response.  A great deal of the content in "Application
Development" seems to have been parroted without any understanding: the
iterative class of systems development models are not collected, the spiral
model description is incorrectly described, the point of Java as a hybrid of
compilation and interpretation seems to have been completely lost, and the
malware text is rife with errors.  "Operations Security" doesn't have as
many mistakes, but it seems to be pretty much of an unorganized grab bag of

Yes, I can see the need (or desire) for a short and quick reference to the
CISSP CBK.  However, if you are going to take on that task, you have to make
every single word (and figure) count.  This book doesn't.  Since McGraw-Hill
also published "CISSP All-in-One Certification Exam Guide" they should
probably have heeded the old dictum that "if it ain't broke, don't fix it."
As it is, this work is well back in the CISSP pack, along with "Secured
Computing" (cf. BKSCDCMP.RVW) and "CISSP for Dummies" (cf. BKCISPDM.RVW).

copyright Robert M. Slade, 2002   BKMMCISP.RVW   20021106

REVIEW: "CISSP Training Guide", Roberta Bragg

<Rob Slade <>>
Tue, 11 Feb 2003 08:10:53 -0800

BKCISPTG.RVW   20030127

"CISSP Training Guide", Roberta Bragg, 2003, 0-7897-2801-X,
%A   Roberta Bragg
%C   201 W. 103rd Street, Indianapolis, IN   46290
%D   2003
%G   0-7897-2801-X
%I   Macmillan Computer Publishing (MCP)
%O   U$69.99/C$108.99/UK#50.99 800-858-7674
%P   727 p. + CD-ROM
%T   "CISSP Training Guide"

The introduction and frontmatter appear to be much more concerned with the
structure of the book (and this particular series of books) than the CISSP
(Certified Information Systems Security Professional) exam.  The initial
list of topics covered by the domains has notable gaps and some oddities in

Part one is entitled "Exam Preparation," and is divided into the ten
standard domains of the CBK (Common Body of Knowledge).  Chapter one, on
access control, shows problems right away.  The first paragraph tries to
distinguish between access control and authentication, but doesn't really
outline the relationship between the two concepts, let alone dealing with
the broader and more usual interrelated ideas of identification,
authentication, authorization, and accountability.  When discussing access
models, the lattice content touches on advanced outcomes of the model, but
not the basic principles.  The biometric material is simply inadequate.
There are sample questions at the end of the chapter, and this first set, at
least, do appear to be crafted in order to avoid the usual "reading check"
level of simplicity, but the wording is extremely poor and many answers are
either flatly wrong or highly misleading.  Similar problems are evident with
telecommunications and networking, in chapter two, which has excessive space
given to topics like cabling characteristics, poor explanation of the
relationship between tunnelling and virtual private networks, an overview of
intrusion detection that contradicts the material in chapter one, and some
completely idiosyncratic terminology.  The answers to sample question are
more correct, but only because the questions themselves are overly
simplistic.  The rudimentary factors of security management are discussed in
chapter three, but in a confused fashion, not assisted by the fact that
topics are repeated and sections from other domains are introduced for no
apparent reason.  The central material is very brief, despite the sixty
pages devoted to the topic, and entire sections, such as the various
evaluation criteria, are missing.  Applications development, in chapter
four, does possibly provide enough information to deal with the CISSP exam
on this subject, but lists lots of problems without many solutions, and has
a great deal of extraneous material such as lists of different types of
memory (fast page mode [FPM] versus extended data out [EDO] dynamic random
access memory, for example).  I thought the introduction to cryptography, in
chapter five, wasn't all that bad (absent details such as the key in a one
time pad having to be no shorter than the message being sent).  That is,
until I realized that it was the entire chapter, and details about any form
of encryption, digital signatures, and the requirements for certification
and a public key infrastructure were completely missing.  Chapter six does
cover the elemental points of security architecture, but in a disorganized
manner, and has no material at all dealing with computer architecture.
Operations security is discussed in terms of details like specific logs in
Windows 2000 and updating antiviral scanners, and chapter seven misses more
general concepts and operating principles.  Business continuity and disaster
recovery planning, in chapter eight, does provide most necessary information
about the process, except for the recovery phase.  Law, in chapter nine,
concentrates too heavily on US legislation, and the investigative process
fails to address incident response, interviewing, and relations with outside
agencies.  Chapter ten again covers physical security with specific details
rather than underlying concepts.

Part two is a review.  About half of the "Fast Facts" are useful and the
rest aren't: it would be hard for an exam candidate to know which is which.
The study and exam prep tips are generic, and probably not much help.  The
practice exam questions are, like most of the sample questions in the book,
far too simplistic and particular to properly prepare candidates for the
actual CISSP exam.

Despite the size of this volume, it does not contain as much information as,
say, Harris' "CISSP All-in-One Certification Exam Guide" (cf. BKCISPA1.RVW),
nor is it organized as well as the Krutz and Vines work (cf. BKCISPPG.RVW).
It is closer to the Endorf (cf.  BKSCDCMP.RVW), Miller/Gregory
(cf. BKCISPDM.RVW), or the second Harris (cf. BKMMCISP.RVW) works, and
therefore its utility as preparation for the CISSP exam is questionable.

copyright, Robert M. Slade, 2003   BKCISPTG.RVW   20030127    or

REVIEW: "Advanced CISSP Prep Guide: Exam Q & A", Krutz/Vines

<Rob Slade <>>
Wed, 5 Feb 2003 08:28:24 -0800

BKADCIPG.RVW   20030110

"Advanced CISSP Prep Guide: Exam Q & A", Ronald L. Krutz/Russell Dean
Vines, 2003, 0-471-23663-2, U$50.00/C$77.50/UK#37.50
%A   Ronald L. Krutz
%A   Russell Dean Vines
%C   5353 Dundas Street West, 4th Floor, Etobicoke, ON   M9B 6H8
%D   2003
%G   0-471-23663-2
%I   John Wiley & Sons, Inc.
%O   U$50.00/C$77.50/UK#37.50 416-236-4433 fax: 416-236-4448
%P   331 p. + CD-ROM
%T   "Advanced CISSP Prep Guide: Exam Q & A"

Like "The Total CISSP Exam Prep Book" (cf. BKTCIEPB.RVW) before it, this
volume contains no tutorial material, only questions, and then questions and
answers.  The format is quite similar to the Peltier work, with the book
divided into the standard ten domains.  A major difference is the inclusion
of a CD-ROM with a testing engine.  Every CISSP candidate wants sample exams
and sample questions, so the query remains, are the questions any good?

The CD-ROM contains "the Boson-powered test engine," but the questions are
not quite as simplistic as those on the Boson exams.  They tend to be
longer, and, at first glance, look a lot more like real CISSP exam
questions.  However, upon closer examination, two problems become obvious.
One is that a number of the questions are still very simple, despite the
additional verbiage.  They concentrate on pure recitation of facts, without
the analysis and critical thinking that the actual exam requires.  The
second issue is that a large number of questions rely on very specific, and
often esoteric facts.  Again, this is counter to the genuine test, where
concepts and principles are emphasized.

Occasionally these two difficulties combine in a single question, such as
"Which choice below is NOT one of NIST's 33 IT security principles?"  If you
haven't fully memorized NIST's 33 security principles, don't worry.  Even if
you have no idea where to find NIST's 33 security principles you can still
get the answer.  One of your options is "Totally eliminate any level of
risk."  Even the rawest security neophyte can tell you that, since this is
impossible, it obviously has to be the right answer.

This book may give you a somewhat better idea of the types of questions you
may encounter, and the range of topics you may need to know.  As preparation
for the exam, however, it will both scare you unnecessarily (although if it
drives you to take the ISC2 course, that might not be a bad thing), and fail
to prepare you fully.

copyright Robert M. Slade, CISSP, 2003   BKADCIPG.RVW   20030110    or

REVIEW: "The CISSP Prep Guide Gold Edition", Krutz/Vines

<Rob Slade <>>
Wed, 12 Feb 2003 08:04:50 -0800

BKCIPGGE.RVW   20030130

"The CISSP Prep Guide Gold Edition", Ronald L. Krutz/Russell Dean
Vines, 2003, 0=471-26802-X, U$80.00/C$124.50/UK#59.50
%A   Ronald L. Krutz
%A   Russell Dean Vines
%C   5353 Dundas Street West, 4th Floor, Etobicoke, ON   M9B 6H8
%D   2003
%G   0=471-26802-X
%I   John Wiley & Sons, Inc.
%O   U$80.00/C$124.50/UK#59.50 416-236-4433 fax: 416-236-4448
%P   944 p. + CD-ROM
%T   "The CISSP Prep Guide Gold Edition"

I happened to notice, in the preparation of this review, that a certain
online bookstore has a special in relation to this title.  You can buy it,
along with the "Advanced CISSP Prep Guide: Exam Q & A" for a price slightly
less than that of the two volumes together.  Pity those who take the
bookstore up on their offer: this volume is nothing more than "The CISSP
Prep Guide" (cf. BKCISPPG.RVW) and "Advanced CISSP Prep Guide: Exam Q & A"
(cf. BKADCIPG.RVW) bound together.

The authors have done some updating: there are, for example, a few
additional pages of material on wireless security.  The authors have
improved their coverage of the Common Criteria--by reprinting the
explanation that is provided on the National Institute of Standards and
Technology (NIST) Web site.

Overall, however, the same comments appropriate to Krutz and Vines' original
books still apply, so what I said was, for those studying for the CISSP
exam, this book does provide a guide to the topics to be covered.  If you
are confident that you know more than the book at every point, you should be
in good shape to sit the exam: if not, you will have to get help somewhere
else.  If you are studying for another security course, or are a security
professional, this work will not have much to offer you.  This volume may
give you a somewhat better idea of the types of questions you may encounter,
for the CISSP exam.  As preparation for the exam, however, it will both
scare you unnecessarily and fail to prepare you fully.

copyright, Robert M. Slade, 2003   BKCIPGGE.RVW   20030130    or

More-Than-Abridged info on RISKS (comp.risks)

19 Feb 2003

  [See for the archives of back issues, almost all of
  which include info on RISKS.  (This issue is an exception.)  PGN]

Please report problems with the web pages to the maintainer