The RISKS Digest

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Volume 22 Issue 59

Weds 26 February 2003

Contents

Star Wars exempt from OVERSIGHT, REPORTING, AND TESTING requirements?
PGN
"Bugsplat"--collateral damage simulator
Daniel P.B. Smith
Scientology critic fined for undeclared file
Mark Thorson
eBay: Big Brother is watching you, and documenting
Monty Solomon
Telepathy used to defend voting systems?
Rebecca Mercuri
Voting machine engineer sues, alleges machine design flaws
Susan Marie Weber
Latest spam scam
Jim Griffith
Nigerian slain over e-mail scam
John F. McMullen
Spain - Vodafone sees its network crash after maintenance
Henry Baker
An unexpected bill
Geoffrey Brent
Re: Surgeons transplant mismatched organs
K P
Re: Deadly input validation?
Ed Ravin
REVIEW: "Building Secure Wireless Networks with 802.11", Khan/Khwaja
Rob Slade
Info on RISKS (comp.risks)

Star Wars exempt from OVERSIGHT, REPORTING, AND TESTING requirements?

<"Peter G. Neumann" <neumann@csl.sri.com>>
Mon, 24 Feb 2003 14:46:49 -0800 (PST)

Noted deep in the White House's proposed FY2004 budget, the administration
is proposing to exempt the Pentagon's controversial national missile defense
system from operational testing legally required of every new weapons system
in order to deploy it by 2004.  The requirements are of course intended to
prevent the production and fielding of weapons systems that don't work [many
of which have been the subject of discussion in RISKS in the past].  Last
year, the Missile Defense Agency was already given managerial autonomy and
removed procurement procedures that were intended to ensure new weapons
programs remain on track and within budget.  [From the RISKS perspective of
having observed systems that do not work properly even with extensive
oversight and testing, this seems like a very unwise approach.]  [Source:
Missile Defense Waiver Sought; White House wants to exempt the Pentagon's
controversial weapons system from operational testing rules, a first for a
major program, by Esther Schrader, *Los Angeles Times*, 24 Feb 2003; PGN-ed]
  http://www.latimes.com/news/nationworld/nation/
  la-na-missile24feb24,1,5024689.story?coll=la%2Dhome%2Dheadlines


"Bugsplat"--collateral damage simulator

<"Daniel P.B. Smith" <dpbsmith@world.std.com>>
Sat, 22 Feb 2003 09:48:12 -0500

  [Best code name since "carnivore."  DPBS]

US military planners hope to reduce the potential for civilian casualties in
war by using a new computer program called Bugsplat.  Instead of drawing
concentric circles representing blast effects, Bugsplat generates blob-like
images ("resembling squashed insects") that supposedly more precisely model
expected damage.  The hopes are that this program will help reduce
collateral damage.  QUOTE: "Because the program hasn't been used for actual
targeting, this will be 'learn as you go.'"  [Source: 'Bugsplat' program
gives planners hope, By Bradley Graham, *The Washington Post*, 22 Feb 2003;
PGN-ed]


Scientology critic fined for undeclared file

<Mark Thorson <eee@sonic.net>>
Thu, 20 Feb 2003 19:06:41 -0800

A prominent French critic of Scientology has been fined 901 euros for
maintaining a Web site that contained the name of a Scientologist in
quotations from two published articles.  The Scientologist sued, claiming
his religious rights had been violated.

A 1978 French law intended to protect privacy requires computer files
containing names of people (even one name) to be declared with the National
Commission of Computers and Liberties (CNIL).  On 18 Feb 2003, Roger Gonnet
became the first person disciplined under this law for his Web site,
http://www.antisectes.net, which has been operating since March 1997.

The judgment against Gonnet was 450 euros for violating the law, 450 euros
for plaintiff's legal costs, and 1 euro for damages to plaintiff.
(Plaintiff had been asking for 15,000 euros.)

Gonnet says, "At least 20 million French people are guilty of the same
'crime': they have individual names in their organizers, electronic agendas,
computers, laptops, CD Roms, DVD roms, hard disks, memory cards, and even in
their cell-phone memories, WAPs, texts, and Web sites, as well as the
employers and commercial employees or sellers have lists of their employees,
clients, associates, etc."

  ["What's In A Name?"  Oui!
   "What Name is In?"  Non!!!
  PGN]


eBay: Big Brother is watching you, and documenting

<Monty Solomon <monty@roscom.com>>
Thu, 20 Feb 2003 17:34:28 -0500

"I don't know another Web site that has a privacy policy as flexible as
eBay's," says Joseph Sullivan, director of the "law enforcement and
compliance" department at eBay.com, reportedly the world's largest retailer.
Sullivan was speaking to senior representatives of numerous law-enforcement
agencies at "Cyber Crime 2003".  His lecture was closed to reporters, but,
in a recording obtained by Haaretz, Sullivan says that eBay is willing to
hand over everything it knows about its Web users when asked by
investigators.  [Source: Yuval Dror, Haaretz; PGN-ed]
  http://www.haaretz.com/hasen/pages/ShArt.jhtml?itemNo=264863


Telepathy used to defend voting systems?

<"Rebecca Mercuri" <notable@mindspring.com>>
Tue, 28 Jan 2003 13:50:51 -0500

The Canadian Broadcasting Corp. reported that balloting at the 25 Jan 2003
NDP leadership convention in Toronto was disrupted by the SQL Slammer DDoS
attack.  The system that was being used was one provided by election.com --
one of the vendors also vying for Internet voting contracts in the USA.
Apparently election.com's Earl Hurd thought it was a laughing matter when he
told the CBC: "Unless he died in the last few minutes because of the evil
thoughts in my brain, he or she is still out there."
  http://www.cbc.ca/cgi-bin/templates/print.cgi?/2003/01/25/ndp_delay030125


Voting machine engineer sues, alleges machine design flaws

<SusanMarieWeber@earthlink.com>
Sun, 23 Feb 2003 09:26:12 -0800 (PST)

Bev Harris, Black Box Voting <http://www.blackboxvoting.com>, 21 Feb 2003

Dan Spillane, a voting machine test engineer, filed a lawsuit against his
former employer, DRE touch-screen voting machine manufacturer VoteHere.
Georgia recently approved VoteHere's machines, and the military is
considering them for overseas voting.  The company does business also in
Sweden and England, and appears to be manufacturing, or planning to
manufacture, components for other voting machine companies.

Spillane alleges in his lawsuit that he reported over 250 errors in the
system, including critical errors of "severity 1" which include errors
that may prevent the machines from correctly registering the votes. He
sought meetings with company officials to express concerns about system
integrity flaws, and created logs and reports of such flaws.

His complaint indicates that VoteHere did not address the flaws, and
that the VoteHere system was certified by independent testing labs
despite known flaws. Just when the testing lab began its examination of
system integrity, VoteHere fired Spillane.

VoteHere's board of directors includes former CIA director Robert Gates.
VoteHere's Chairman is Admiral Bill Owens, who was senior military assistant
to Secretaries of Defense Frank Carlucci and Dick Cheney.  Carlucci, of
course, now heads the Carlyle Group and Cheney is Vice President.

I will retrieve a copy of the lawsuit early next week, case #
03-2-18779-85SEA, filed in King County, Washington. If possible we will post
it later in the week.

Bev Harris


Latest spam scam

<griffith@dweeb.org (Jim Griffith)>
Mon, 24 Feb 2003 21:10:21 -0500

I just received the following:

  From: dlj4tbad5@hotmail.com (Former NetGaming Programmer)
  Subject: Please help me

  Hello dear friend,

  I'm the developer who made the software for the NetGaming Casino.
  But since they still did not paid me for last six month of work I decided
  to reveal the backdoor in that casino I made for myself.
  This backdoor allow easily win the roulette.
  So: What do you need to win? Read below:
  1. Go to the following secret link::
     http://www.[deleted]/?affiliate_id=230083&campaign_id=20016
  2. Open an account  (click "Join Now").
  3. Play roulette until "13" turn out. That's it! The next turn will be "27"!

  I'll be happy if you ruin them by winning lots of money.

Either it's legitimate, in which case the Web site is totally screwed, or
(far more likely) it's the most recent devious way to attract unsuspecting
suckers.


Nigerian slain over e-mail scam

<"John F. McMullen" <observer@westnet.com>>
Sat, 22 Feb 2003 11:11:05 -0500 (EST)

Nigeria's consul in the Czech Republic, Michael Lekara Wayid, was shot and
killed by a Czech citizen at the Nigerian Embassy in Prague on 19 Feb 2003.
The suspect had been victimized by a now-classical Nigerian scam, which
resulted in the contents of his bank account vanishing.
  [Source: Michelle Delio, Wired News; PGN-ed]
    http://www.wired.com/news/culture/0,1284,57760,00.html?tw=wn_ascii

  [This type of scam still seems to sucker in enough people to make it worth
  the effort to keep the e-mail solicitations flowing.  In the past week
  alone, SpamAssassin has picked out 150 Nigerian scam spams in my mailbox,
  out of 2400 redirected spams; in the past two weeks, it has trapped over
  300 such scam spams addressed to RISKS, out of almost 1500 spams in all.
  So it is definitely a booming industry.  PGN]


Spain - Vodafone sees its network crash after maintenance

<Henry Baker <hbaker1@pipeline.com>>
Fri, 21 Feb 2003 11:10:50 -0800

FYI -- 'Causative Maintenance' ?

Vodafone Spain's network virtually collapsed for almost 7 hours on 21 Feb
2003, following what was thought to be basic maintenance work.  The company
has 8.7 million customers.  No substantial explanation has been given.


An unexpected bill

<Geoffrey Brent <g.brent@student.unsw.edu.au>>
Sun, 23 Feb 2003 19:27:05 +1100

A friend of mine who is a postgraduate student at the University of New
South Wales recently logged on to the university Web site to check the fees
due for Semester 1, 2003. He was rather surprised to be told that his debt
was slightly in excess of three million Australian dollars - by a strange
coincidence, the sum owed was exactly equal to his student number.

Perhaps a little range-checking is in order?
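One way to apply the range-checking the post suggests, as an added example (hypothetical code, not UNSW's fee system; the column layouts, the maximum plausible fee and the constructed sample row are assumptions). The positional loader reproduces the symptom described above, a statement whose amount equals the student number, and the validator refuses to render it:

```python
from dataclasses import dataclass
from decimal import Decimal

# Added example; hypothetical code, not the university's fee system.
# Assumed: no semester fee statement in AUD exceeds this figure.
MAX_PLAUSIBLE_FEE = Decimal("50000")


@dataclass(frozen=True)
class FeeStatement:
    student_no: int
    semester: str
    amount_due: Decimal


# Constructed sample: the query once returned (amount_due, semester);
# a student_no column was later added at the front.
COLUMNS = ("student_no", "amount_due", "semester")
SAMPLE_ROW = (3123456, Decimal("2490.00"), "Semester 1, 2003")


def load_by_position(student_no: int, row: tuple) -> FeeStatement:
    """Fragile loader that still assumes the old (amount_due, semester)
    order, so the student number lands in amount_due."""
    return FeeStatement(student_no, str(row[1]), Decimal(row[0]))


def load_by_name(student_no: int, row: tuple, columns: tuple) -> FeeStatement:
    """Hardened loader: map fields by column name, never by index."""
    rec = dict(zip(columns, row))
    return FeeStatement(student_no, str(rec["semester"]), Decimal(rec["amount_due"]))


def validate_statement(s: FeeStatement) -> list:
    """Sanity checks a billing record must pass before it is shown."""
    problems = []
    if s.student_no <= 0:
        problems.append("invalid student number")
    if s.amount_due < 0:
        problems.append("negative amount")
    if s.amount_due > MAX_PLAUSIBLE_FEE:
        problems.append("amount exceeds plausible maximum")
    if s.amount_due == s.student_no:
        problems.append("amount equals student number: likely column mix-up")
    return problems


def render(s: FeeStatement) -> str:
    """Refuse to display anything that fails validation."""
    problems = validate_statement(s)
    if problems:
        raise ValueError("refusing to display statement: " + "; ".join(problems))
    return f"Student {s.student_no}: {s.semester} fees due A${s.amount_due:,.2f}"


if __name__ == "__main__":
    print(render(load_by_name(3123456, SAMPLE_ROW, COLUMNS)))
    print(validate_statement(load_by_position(3123456, SAMPLE_ROW)))
```

The equality check against the identifier is cheap and catches exactly the kind of column mix-up the post describes; the upper bound catches the rest.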


Re: Surgeons transplant mismatched organs (RISKS-22.58)

<K P <mrzeb@yahoo.com>>
Mon, 24 Feb 2003 05:47:51 -0800 (PST)

Patients who need transplants are entered into the national transplant
waiting list maintained by United Network for Organ Sharing (UNOS, Richmond
VA) through a federal contract.  The list includes many items including
blood type, height and weight, how sick they are, and the hospital where
they are waiting.  Nationally, more than 80,000 people are waiting for
hearts, lungs, kidneys, livers and pancreases.

When donor organs become available, information about blood type, size and
location of the donor are entered into the computer generating a "match run"
-- a list of all patients who are a medical match for that donor. They are
listed in order of priority, determined by a complex calculation including
components of illness and how near they are to the donor.  A completed match
run can range from tens of thousands to fewer than 10.  Some organs are
placed on the first call; others take hours.

According to news reports, in Jesica's case, Duke officials say transplant
coordinators called to offer the heart to two of their patients. The heart
was the wrong size for one, and the other was not medically ready for a
transplant.  Jesica's doctor then asked about giving the heart and lungs to
Jesica.  Although she was not listed on the match run, the transplant
coordinator said OK.  Neither the coordinator nor the doctor realized that
she was not the right blood type - the reason she was not on the computer's
list of possible patients.

The UNOS systems didn't make the mistake.  Humans intervened and ultimately
caused the mistake.

It's sad that Jesica died as a result.  But we will never know who else
died because they didn't get the organs they should have in the first place.

  [Dan Graifer noted that lengthy articles appeared in *The Washington Post*.
  PGN]
    http://www.washingtonpost.com/wp-dyn/articles/A56656-2003Feb24.html
    http://www.washingtonpost.com/wp-dyn/articles/A2700-2003Feb25.html
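The match-run logic this message describes, as an added example (hypothetical code, not UNOS's software; the ABO table is the standard donor/recipient compatibility, while the size window, urgency scale, priority ordering and sample patients are assumptions). The point it adds to the prose is the check the coordinator bypassed: an offer function that refuses any recipient who is not on the match run.

```python
from dataclasses import dataclass

# Added example; hypothetical code, not UNOS's system. Size window,
# urgency scale and priority formula are assumptions for illustration.

# ABO compatibility for organ donation: O donates to all, AB receives from all.
ABO_COMPATIBLE = {
    "O":  {"O", "A", "B", "AB"},
    "A":  {"A", "AB"},
    "B":  {"B", "AB"},
    "AB": {"AB"},
}
SIZE_TOLERANCE = 0.25   # assumed: recipient within +/-25% of donor weight


@dataclass(frozen=True)
class Donor:
    donor_id: str
    blood_type: str
    weight_kg: float
    region: int


@dataclass(frozen=True)
class Candidate:
    patient_id: str
    blood_type: str
    weight_kg: float
    region: int
    urgency: int          # assumed scale: 1 (stable) .. 4 (critical)


class NotOnMatchRun(Exception):
    """Raised when an offer names a patient outside the match run."""


def is_medical_match(donor: Donor, cand: Candidate) -> bool:
    if cand.blood_type not in ABO_COMPATIBLE[donor.blood_type]:
        return False
    lo = donor.weight_kg * (1 - SIZE_TOLERANCE)
    hi = donor.weight_kg * (1 + SIZE_TOLERANCE)
    return lo <= cand.weight_kg <= hi


def priority(donor: Donor, cand: Candidate) -> tuple:
    # Sicker first; among equals, the candidate nearer the donor wins.
    return (cand.urgency, 1 if cand.region == donor.region else 0)


def match_run(donor: Donor, candidates) -> list:
    """All medical matches for this donor, highest priority first."""
    eligible = [c for c in candidates if is_medical_match(donor, c)]
    return sorted(eligible, key=lambda c: priority(donor, c), reverse=True)


def offer_organ(donor: Donor, candidates, patient_id: str) -> Candidate:
    """The check the humans skipped: an offer must name someone on the
    match run, so a blood-type mismatch cannot be waved through verbally."""
    for cand in match_run(donor, candidates):
        if cand.patient_id == patient_id:
            return cand
    raise NotOnMatchRun(f"{patient_id} is not on the match run for {donor.donor_id}")


# Constructed sample data (not real patients).
SAMPLE_DONOR = Donor("d-001", "A", 70.0, region=2)
SAMPLE_CANDIDATES = [
    Candidate("p-101", "A",  75.0, region=2, urgency=4),   # match, same region
    Candidate("p-102", "A",  68.0, region=5, urgency=4),   # match, farther away
    Candidate("p-103", "O",  72.0, region=2, urgency=4),   # wrong blood type
    Candidate("p-104", "AB", 120.0, region=2, urgency=4),  # too large
]

if __name__ == "__main__":
    print([c.patient_id for c in match_run(SAMPLE_DONOR, SAMPLE_CANDIDATES)])
    try:
        offer_organ(SAMPLE_DONOR, SAMPLE_CANDIDATES, "p-103")
    except NotOnMatchRun as e:
        print("refused:", e)
```

Whether the recipient is the right size or medically ready remains a clinical call at the hospital; what the software can and should enforce is that the offer never leaves the list it computed.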


Re: Deadly input validation? (Adams, RISKS-22.58)

<"Ed Ravin" <eravin@panix.com>>
Sun, 23 Feb 2003 12:42:37 -0500 (EST)

  [Although the original item was only marginally computer-related,
  we include this item to correct the archival record.  PGN]

Some corrections and clarifications:

* It was four teenagers in the rowboat, not two.

* The phone call from the distressed teenagers lasted about 12 seconds --
the 911 operator only heard that they were in a boat on Long Island Sound
and were taking in water before the call was cut off.

* The correct thing for the 911 operator to have done was to have assigned
the call to the police harbor unit.  The operator did not know this
information, so he or she went to the supervisor for guidance.

* All supervisors had previously received a notice clarifying what to do
with marine distress calls -- but this supervisor apparently had forgotten
about that and also didn't know what to do with the call.

* The supervisor is getting departmental charges, and could be demoted
or dismissed.  The operator received a "letter of instruction" but
was not otherwise disciplined.

* The cops claim that even if the harbor unit had been notified in time,
with the scant amount of information available it was unlikely they would
have found the boys in time.

More details at:

 http://www.nynewsday.com/news/local/wire/ny-bc-ny--missingteens0218feb18.story

And no doubt in other NYC-area daily newspapers.

Despite what the cops say, things might have been different if they had
properly logged the call - for example, the calling number for the cell
phone should have been recorded, and had the police looked for the owner of
the cell phone they might have been able to find one of the boys' parents
and gotten a better idea of what was going on.  However, given that the call
was received on a frigid January evening, there probably wasn't much else
that could be done until the next morning.


REVIEW: "Building Secure Wireless Networks with 802.11", Khan/Khwaja

<Rob Slade <rslade@sprint.ca>>
Tue, 25 Feb 2003 07:47:39 -0800

BKBSWNW8.RVW   20030208

"Building Secure Wireless Networks with 802.11", Jahanzeb Khan/Anis
Khwaja, 2003, 0-471-23715-9, U$40.00/C$62.95/UK#29.95
%A   Jahanzeb Khan
%A   Anis Khwaja
%C   5353 Dundas Street West, 4th Floor, Etobicoke, ON   M9B 6H8
%D   2003
%G   0-471-23715-9
%I   John Wiley & Sons, Inc.
%O   U$40.00/C$62.95/UK#29.95 416-236-4433 fax: 416-236-4448
%O  http://www.amazon.com/exec/obidos/ASIN/0471237159/robsladesinterne
  http://www.amazon.co.uk/exec/obidos/ASIN/0471237159/robsladesinte-21
%O   http://www.amazon.ca/exec/obidos/ASIN/0471237159/robsladesin03-20
%P   330 p.
%T   "Building Secure Wireless Networks with 802.11"

As with any hot topic, there are lots of people willing (eager!) to tell you
about the security of wireless local area networks, without first making
sure that they really know the subject.

Part one is an introduction to wireless LANs.  Chapter one is a history of
networks, an outline of topologies (concentrating on cabling, interestingly
enough), and a review of the TCP/IP (actually OSI [Open Systems
Interconnection]) protocol stack.  The last page gives too little information
for an exercise in setting up a home LAN.  Terms in regard to wireless
technology are listed in chapter two, but the material is verbose without
being informative.  The explanations given for spectrum multiplexing are
unclear, and seem to be delivered by rote without any understanding.  The
discussion does not build on that from chapter one to, for example, point
out that ad hoc wireless networks are similar to bus topologies, while
infrastructure networks are more akin to stars.  The various IEEE (Institute
of Electrical and Electronics Engineers) 802.11 standards are listed in
chapter three.  However, there is a great deal of material repeated from
prior text (the discussion of spectrum is reprised almost word for word),
and, other than some frequency and maximum bandwidth information, there is
little additional detail.  (Repetition and duplication is rife throughout
the book, as well as a good deal of space wasted with pointless figures and
graphics.  On page 125 we are told that "The 40-bit shared key is
concatenated with a 24-bit long initialization vector" and referred to
figure 6.1.  Figure 6.1 tells us "Concatenated-Key = Shared-Key + IV."  Not
very helpful.)  Chapter four is supposed to help you decide whether a
wireless LAN is right for you, but only has some vague opining, a little
content on wireless ISPs (Internet Service Providers: hardly suitable for
LAN discussions), and almost no analysis or details.

Part two purports to emphasize secure wireless LANs.  Chapter five has
random topics regarding network security.  Most of it is irrelevant to the
specific needs of wireless situations or is not discussed in terms of the
particular needs of wireless networks.  (Physically securing the components
of a wireless LAN has some importance in overall security, but may be
pointless if someone driving by can take over the network).  Securing the
IEEE 802.11 wireless LAN is not reviewed well in chapter six.  There is more
duplication of content, few details about WEP (Wired Equivalent Privacy),
and some clear evidence of misunderstanding of the base technologies.  (If
you are going to talk about 40 bit keys at the low level, higher level
security should be 104, rather than 128, bit.  And a 128 bit key is *not*
equivalent to 64 characters, in anybody's representation.)  When security
aspects are discussed, often they relate to issues that are beyond the
control of the user, such as moderation of signal strength.

Part three collects topics related to the building of secure wireless LANs.
Chapter seven is a simplistic overview of generic LAN planning.  Shopping
for the right equipment is important, but the list of product specifications
in chapter eight fails to address vital areas, such as driver availability,
default key length, and the existence of default accounts.  More space is
devoted to where you can buy equipment than how to evaluate it.  The
installation instructions, in chapter nine, pretty much ignore security
considerations.  Chapter ten supposedly deals with advanced wireless LANs,
including security, but has little new material aside from screenshots of
Microsoft Windows utilities with some relationship to VPNs (Virtual Private
Networks).

Part four covers troubleshooting and maintenance.  Chapter eleven touches on
a number of possible wireless connectivity problems.  A collection of text
repeated from prior chapters is in chapter twelve.

There is a glossary included with the book.  It is quite limited, and, in
particular, does not deal well with acronyms.  In fact, the book is full of
TLAs (Three Letter Acronyms) and other abbreviations that get used before
they are defined, and do not appear in either the glossary or the index.
This can be quite aggravating, particularly in cases where the acronyms
aren't standard.  (The authors use "PHY" to refer to the physical layer of
the OSI model, which is not commonly so represented in either communications
or security literature.)

The text of the book is excessively padded with useless verbiage and
irrelevant material.  The actual content pertinent to the security of
wireless LANs is barely enough to fill a decent magazine article.  Overall,
the book is poorly structured, limited in detail, and bloated with
meaningless or repetitious content.

copyright, Robert M. Slade, 2003   BKBSWNW8.RVW   20030208
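The key-length arithmetic the review faults the book for, as an added example (not code from the book, and not a real 802.11 driver; the WEP CRC-32 integrity value is omitted, the sample key, IV and frames are constructed). It builds the RC4 seed as IV || key, shows that "64-bit" and "128-bit" WEP carry 40- and 104-bit secrets (10 and 26 hex characters), and goes one step past the review to show why the IV matters: two frames under the same IV share a keystream.

```python
# Added example for the WEP key-length point in the review above; it is
# not code from the book or from any real 802.11 implementation. The WEP
# integrity check (CRC-32 ICV) is omitted; only the seed construction and
# the RC4 stream are modelled.
IV_BITS = 24
SECRET_BITS = (40, 104)          # marketed as "64-bit" and "128-bit" WEP


def rc4_keystream(seed: bytes, n: int) -> bytes:
    """Plain RC4 (KSA + PRGA) producing n keystream bytes from seed."""
    S = list(range(256))
    j = 0
    for i in range(256):                        # key-scheduling algorithm
        j = (j + S[i] + seed[i % len(seed)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for _ in range(n):                          # pseudo-random generation
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def wep_key_sizes(secret_bits: int) -> tuple:
    """Return (rc4_seed_bits, hex_chars_for_secret) for a WEP secret.
    40 -> (64, 10) and 104 -> (128, 26): the '128-bit' product name counts
    the 24-bit IV, and 128 bits is 32 hex characters, never 64."""
    if secret_bits not in SECRET_BITS:
        raise ValueError("WEP secrets are 40 or 104 bits")
    return secret_bits + IV_BITS, secret_bits // 4


def wep_seed(iv: bytes, key: bytes) -> bytes:
    """WEP prepends the 3-byte IV to the 5- or 13-byte secret key."""
    if len(iv) != IV_BITS // 8:
        raise ValueError("IV must be 24 bits")
    if len(key) * 8 not in SECRET_BITS:
        raise ValueError("key must be 40 or 104 bits")
    return iv + key


def wep_encrypt(key: bytes, iv: bytes, data: bytes) -> bytes:
    """XOR data with RC4(iv || key); decryption is the same operation."""
    ks = rc4_keystream(wep_seed(iv, key), len(data))
    return bytes(d ^ k for d, k in zip(data, ks))


def iv_reuse_leak(c1: bytes, c2: bytes) -> bytes:
    """Two frames under the same key and IV share a keystream, so
    c1 XOR c2 == p1 XOR p2 with no key material needed at all."""
    return bytes(a ^ b for a, b in zip(c1, c2))


if __name__ == "__main__":
    key = bytes(range(1, 14))                   # constructed 104-bit key
    iv = b"\x01\x02\x03"                        # constructed IV
    for bits in SECRET_BITS:
        print(bits, "bit secret ->", wep_key_sizes(bits))
    c1 = wep_encrypt(key, iv, b"attack at dawn!!")
    c2 = wep_encrypt(key, iv, b"hold position...")
    print(iv_reuse_leak(c1, c2).hex())
```

With only 2^24 IVs, a busy access point repeats one within hours regardless of whether the secret is 40 or 104 bits, which is why the key-length confusion the review criticizes matters less than the IV handling the book never gets to.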
