The Risks Digest

The RISKS Digest

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Volume 22 Issue 67

Friday 4 April 2003

Contents

Rice cooker reprograms pacemaker?
Mark Batten-Carew
eBay reacts to charges against its Paypal operation
NewsScan
Pennsylvania won't identify sites blocked for child porn
Ted Bridis via Monty Solomon
The Googlewashing of our language
Alpha Lau
Is your television watching you?
Phillip Swann via Monty Solomon
Website hoax on killer virus triggers Hong Kong panic
Monty Solomon
Ellison predicts major shakeout in Silicon Valley
NewsScan
Music piracy violations: $150K a song
NewsScan
Streaming video: a patent on porn
Monty Solomon
Laws make crypto and untraceable E-mail illegal?
Douglas W. Jones
The reality behind these laws
Fred Cohen
State Super-DCMAs will be suicidal
David Harmon
Draft legislation on using crypto
Anick Jesdanun via Dave Farber to PGN
Re: Draft legislation on using crypto
David P. Reed
Patriot software again a concern?
Robert I. Eachus
Friendly Fire and the Perils of Statistical Reasoning
Thomas A. Russ
Re: Friendly fire
Anthony Youngman
NCIC: "Death by Oops?"
Lauren Weinstein
POW Social Security numbers revealed
Paul Hirose
Cell phones & 911 service
Jeremy Epstein
Possibly-wrong expectations about bouncing e-mail
Mark T.B. Carroll
Info on RISKS (comp.risks)

Rice cooker reprograms pacemaker?

<"Mark Batten-Carew" <markbc@paulmartin.ca>>
Tue, 1 Apr 2003 12:56:24 -0500

This is an excerpt from a monthly newsletter that sends out interesting
news items.  I don't believe this is an April Fools' item, but then who
knows?  Mark Batten-Carew

  HEARTBREAKING
  A Japanese woman's automatic rice cooker changed the settings on her
  pacemaker. Doctors doing a routine check up were baffled to find that the
  hi tech pumping device they had implanted in the woman, 60, had been
  remotely adjusted. They contacted the manufacturer, who visited her home
  and found that a rogue rice cooker had somehow beamed signals to the
  device.  [Source: A&A Economic Digest - April 2003 Edition,
  http://www.aacb.com/edigest/, 1 April 2003]

[Quite plausible, in light of previous reported cases of electromagnetic
interference on pacemakers
--- from ACM Software Engineering Notes back issues:
* Arthritis-therapy microwaves set pacemaker to 214, killed patient (S 5 1)
* Retail-store anti-theft device reset pacemaker, man died (S 10 2, 11 1)
* Pacemaker locked up when being adjusted by doctor (S 11 1)
* Electrocauterizer disrupts pacemaker (S 20 1:20)
--- and from RISKS:
* Stores' shoplifting gates can set off pacemakers, defibrillator (RISKS-20.05)
* Heart pacemaker and implantable cardioverter defibrillator
  recalls and alerts involve 520,000 devices (S 26 6:8, RISKS-21.60)
PGN]


eBay reacts to charges against its Paypal operation

<"NewsScan" <newsscan@newsscan.com>>
Tue, 01 Apr 2003 10:43:01 -0700

Federal prosecutors in Maryland have accused PayPal, the Internet payments
company acquired by eBay, of violating the Patriot Act by facilitating
illegal gambling.  The company disclosed the accusation in its annual report
filed with the Securities and Exchange Commission; it says that prosecutors
have offered a complete settlement of all possible claims and notes that the
amount of its earnings from online gambling was less than what prosecutors
asserted.  [AP/*San Jose Mercury News*, 31 Mar 2003; NewsScan Daily, 1 Apr
2003]
  http://www.siliconvalley.com/mld/siliconvalley/5525363.htm


Pennsylvania won't identify sites blocked for child porn (Ted Bridis)

<Monty Solomon <monty@roscom.com>>
Thu, 3 Apr 2003 22:09:01 -0500

Mike Fisher, Pennsylvania's attorney general, is citing laws against
distributing child pornography in refusing to identify any of hundreds of
Web sites his office has forced Internet providers to block under a unique
state law that the Center for Democracy and Technology asserts is blocking
Web surfers from accessing legitimate sites, but cannot prove without access
to the list of blocked sites.  Fisher's office said disclosing the list of
blocked Web sites would itself be disseminating such pornography, which is
illegal.  [Source: Ted Bridis, AP Online, 3 Apr 2003; PGN-ed]
  http://finance.lycos.com/home/news/story.asp?story=33704697


The Googlewashing of our language

<Alpha Lau <avlxyz@yahoo.com>>
Thu, 3 Apr 2003 22:06:12 -0800 (PST)

Taken from Slashdot [1]:

"The Register[2] talks about how a term ("Second Superpower") coined by the
anti-war culture suddenly got radically neutered and altered by a weblog[2]
that a lot of people link to. Searching for the term on Google now brings up
his blog and other people talking about his blog for the first several
entries. Can Google's power to give information to the people be misused and
perverted? This only took 42 days." First the widespread usage of "googling"
to mean web searching, and now this.

The Register article [2] has the details and how powerful google can be.

[3] is the weblog that managed to saturate Google's PageRank.

I had a quick peek on AltaVista and voila, numerous other usages of the term
"Second Superpower" [4].


The Risk? Blindy trusting Google and it's proprietary PageRank algorithm.

Worse yet, as Google gains users trust, it is very easy to trust Google alone.

[1] http://slashdot.org/article.pl?sid=03/04/03/2327239&mode=nested&tid=95
[2] http://www.theregister.co.uk/content/6/30087.html
[3] http://cyber.law.harvard.edu/people/jmoore/secondsuperpower.html
[4] http://www.altavista.com/web/results
    ?q=Second+Superpower&kgs=0&kls=1&avkw=xytx


Is your television watching you? (Phillip Swann)

<Monty Solomon <monty@roscom.com>>
Tue, 1 Apr 2003 14:35:48 -0500

  Could the federal government find out what you're watching on TV?  Even if
  you're not the subject of a criminal investigation?  If you're a satellite
  TV or TiVo owner, the answer is yes, according to legal experts and
  industry officials.

  Under the USA Patriot Act, passed a month after the 9/11 terrorist attack,
  the feds can force a noncable TV operator to disclose every show you have
  watched. The government just has to say that the request is related to a
  terrorism investigation, said Jay Stanley, a technology expert for the
  American Civil Liberties Union.

  Under Section 215 of the Act, you don't even have to be the target of the
  investigation. Plus, your TV provider is prohibited from informing you
  that the feds have requested your personal information.  ...

  Source: Phillip Swann, TVWeek.com
  http://www.tvweek.com/technology/030303isyourtv.html


Website hoax on killer virus triggers Hong Kong panic

<Monty Solomon <monty@roscom.com>>
Tue, 1 Apr 2003 09:42:02 -0500

[Source: Tan Ee Lyn, Reuters, 1 Apr 2003; PGN-ed]

A teenager's Web Site hoax about the killer virus sweeping Hong Kong sparked
panic food buying and hit financial markets on Tuesday, and the government
said it was placing more than 200 people into isolation camps.

Indonesia, the world's fourth most populous nation, reported its
first three suspected cases. One official said one of the patients
had died but this could not be confirmed.

Severe Acute Respiratory Syndrome (SARS) has now affected almost
1,900 people in at least 12 countries, and 63 are known to have
died.

In Hong Kong, where 685 people have been infected and 16 have died
from the virus, the Web Site hoax forced authorities to deny it
would isolate the entire territory.  ...

http://news.lycos.com/news/story.asp?section=Breaking&storyId=691262


Ellison predicts major shakeout in Silicon Valley

<"NewsScan" <newsscan@newsscan.com>>
Wed, 02 Apr 2003 07:49:12 -0700

Oracle founder and CEO Larry Ellison says the high-tech industry is poised
for another sweeping consolidation that will eliminate many of his rivals.
"We think there's at least 1,000 Silicon Valley companies that need to go
bankrupt," says Ellison, who predicted Oracle would be one of the
survivors, along with Microsoft and IBM. He noted that nearly all software
profits are generated by five companies (including Oracle), out of hundreds
in the sector. Ellison says companies in Silicon Valley haven't come to
grips with the realities of a maturing industry and have resisted the
changes necessary to improve efficiency: "The whole model doesn't make
sense. There's a bizarre belief that we'll be young forever."  [*Wall Street
Journal*, 1 Apr 2003; NewsScan Daily, 2 April 2003]
  http://online.wsj.com/article/0,,SB104923666370767900.djm,00.html
  (subscription required)


Music piracy violations: $150K a song

<"NewsScan" <newsscan@newsscan.com>>
Fri, 04 Apr 2003 09:07:26 -0700

The Recording Industry Association of America (RIAA) has filed lawsuits
against four students it says it misappropriated academic computing
resources to "illegally distribute millions of copyrighted works over the
Internet." Two of the accused students are enrolled at Rensselaer
Polytechnic Institute, one student is enrolled at Princeton, and the fourth
is at Michigan Technological University. If they are convicted, they could
be fined as much as $150,000 for each song they illegally traded. Digital
media analyst Phil Leigh says of the RIAA's action: "This is just another
step in the direction of demonstrating to the public that there will be
penalties for what they consider to be copyright violations. I think they're
attempting to take a carrot-and-stick approach here. They're whacking a few
people with a stick now. And the carrot is the more liberal rules relating
to label-backed subscription online services."  [*San Jose Mercury News*,
4 Apr 2003; NewsScan Daily, 4 Apr 2003]
  http://www.siliconvalley.com/mld/siliconvalley/5558442.htm


Streaming video: a patent on porn

<Monty Solomon <monty@roscom.com>>
Wed, 2 Apr 2003 10:07:00 -0500

Acacia Research says it owns five U.S. and 17 international patents covering
the transmission and receipt of digital audio and digital video content,
otherwise known as streaming media.  But before attempting to enforce its
patents with big outfits such as Yahoo! and The Walt Disney Co., Acacia
instead chose to go after the smallish adult Internet sites that peddle
videos of women (and men) doffing their clothes--and much more.  They sent
letters to 700 racy Web sites with offers to arrange royalty deals,
typically consisting of 1% to 2% of gross revenue.  Do the deal or we'll see
you in court, warned Acacia.  Eight firms agreed to Acacia's terms.  But 40
didn't, and Acacia promptly slapped them with lawsuits.  Rather than
buckling, though, several of the porno sites joined together and stood their
ground.  Now Acacia is in the fight of its life and may even face a
shareholder revolt as a result.  ...  [Source: Seth Lubove, Forbes.com,
2 Apr 2003; PGN-ed]
  http://www.forbes.com/2003/04/02/cz_sl_0402porn.html


Laws make crypto and untraceable E-mail illegal? (Re: RISKS-22.66)

<"Douglas W. Jones" <jones@cs.uiowa.edu>>
Mon, 31 Mar 2003 13:45:24 -0600

  [See items by Ed Felten (USe a Firewall, Go to Jail), Steve Bellovin
  and William Allen Simpson in RISKS-22.66).  PGN]

[Some of this legislation] could have bizarre consequences for E-voting
advocates, as well as for the entire Internet community.

I quote from Section 750.540c of the Michigan Penal Code,
Full text online at:

http://www.michiganlegislature.org/mileg.asp?page=getObject&objName=mcl-750-540c-amended

This goes into effect today (March 31, 2003):

  (1) A person shall not assemble, develop, manufacture, possess, deliver,
  offer to deliver, or advertise an unlawful telecommunications access
  device or assemble, develop, manufacture, possess, deliver, offer to
  deliver, or advertise a telecommunications device intending to use those
  devices or to allow the devices to be used to do any of the following or
  knowing or having reason to know that the devices are intended to be used
  to do any of the following:

  (b) Conceal the existence or place of origin or destination of any
  telecommunications service.

  (c) To receive, disrupt, decrypt, transmit, retransmit, acquire,
  intercept, or facilitate the receipt, disruption, decryption,
  transmission, retransmission, acquisition, or interception of any
  telecommunications service without the express authority or actual consent
  of the telecommunications service provider.

In effect, item 1b makes it illegal to create any anonymous communication
service, and all of the interesting protocols for ballot deposit appear to
rely on anonymization schemes of one kind or another.

Item 1c is really hard to make out.  It appears to be intended as an
anti-wiretapping rule, but the plain wording appears to require the express
authority or actual consent of every ISP for any use of that ISP's
facilities; does this mean that if I was in Michigan, I'd have to ask
permission before I hit the send key to E-mail this message?  I checked
their definition of telecommunications service provider and it is broad.
The owner of the wire, the owner of the switching systems, they're all
involved and each must give permission.

According to slashdot, a goodly number of states are now considering this
kind of law.  See:
  http://yro.slashdot.org/article.pl?sid=03/03/28/1541230&tid=103
It's pretty obvious that they haven't thought these bills through.


The reality behind these laws (Re: Firewall, Jail, RISKS-22.66)

<Fred Cohen <fc@all.net>>
Tue, 1 Apr 2003 05:29:07 -0800 (PST)

As I read the Texas bill, it starts out by saying:
  http://www.capitol.state.tx.us/data/docmodel/78r/billtext/pdf/HB02121I.PDF

  "A person commits an offense if, with the intent to defraud a communications
  service..."

The Michigan bill starts out saying:
  http://www.michiganlegislature.org/printDocument.asp
    ?objName=mcl-750-219a-amended&version=txt
  http://www.michiganlegislature.org/printDocument.asp
    ?objName=mcl-750-540c-amended&version=txt

  "(1) A person shall not knowingly obtain or attempt to obtain
       telecommunications service with intent to avoid, attempt to avoid, or
       cause another person to avoid or attempt to avoid any lawful charge
       for that telecommunications service by using any of the following:"

> The Bill analysis basically quotes the MPAA website!
> http://michiganlegislature.org/documents/2001-2002/
>   billanalysis/house/htm/2001-HLA-6079-b.htm

This analysis agrees with mine.  That these bills increase penalties only
for already illegal actions and possibly criminalize what would currently be
some civil matters.  If you are paying for one class of service (e.g., home
use of the Internet for one computer) and using it for another class of
services (e.g., selling access to your neighborhood by putting up a NAT
firewall), you are already violating the law and you will also be violating
these laws.

I know that this was the April 1 issue, but the rumors on these bills are
spreading faster than most computer viruses, and they have been spreading
for several days with increasing intensity and are being taken seriously.
Nothing in these bills in any way prevents firewalling, encryption, etc.
UNLESS it is being used to defraud.

Fred Cohen - http://all.net/ - fc@all.net - fc@unhca.com - tel/fax 925-454-0171
Fred Cohen & Associates	- University of New Haven - Security Posture

  [defraud ... in the eyes of the accuser!  PGN]


State Super-DCMAs will be suicidal (Re: RISKS-22.66)

<David Harmon <dmh@tiac.net>>
Tue, 01 Apr 2003 11:23:41 -0500

I suspect at least the Michigan state legislature may reconsider -- after
their tech industries pick up and *leave*.  The first to go will be the ones
actually working on the criminalized tools etc.  These will be followed by
those whose lawyers were paying attention.  The third wave will be triggered
as both government and private actors start (ab)using the new laws for
arbitrary "takedowns" of their enemies.  Of course, quickly repealing or
nullifying the laws *may* stop the exodus, but I expect the state will still
be regretting this bonehead move for some time, as will any other states who
follow suit.

I do, however, doubt Massachusetts will actually *pass* any such law,
given the assured and powerful opposition of MIT and their *many*
friends.  I would hope that whoever introduced it gets stomped at their
next election, but that may be too much to ask.  On the other hand, some
of the other states in question may not have techies with enough pull to
make their voice heard.

Of course, a fair number of the companies and persons involved will
decide to leave the country altogether, leaving us with fewer national
resources for defense *or* productivity.  Steve Kirsch was right:

 > The terrorists have won. They have successfully convinced America to
 > attack itself.

(from: http://www.skirsch.com/politics/iraq/Lessons911.htm )

	Dave H.

PS:  The basic pattern I'm seeing here is that private self-defense "in
cyberspace" is being methodically outlawed.  Has anyone *else* noticed
that "we" are slowly dismantling the various obstacles to a _Handmaid's_
_Tale_ style techno-coup?


Draft legislation on using crypto

<"Peter G. Neumann" <neumann@csl.sri.com>>
Mon, 31 Mar 2003 16:11:25 -0500

Cheating on income taxes or neglecting to pay sales taxes on online
purchases could get you five extra years in prison if the government
succeeds in restricting data-scrambling technology, and discourage human
rights workers to protect sensitive data.  Draft legislation circulating in
the Justice Department would extend prison sentences for using encryption in
the commission of a crime, something encryption advocates fear would achieve
little in catching terrorists and hurt only legitimate uses of cryptography.
The new proposal is part of the proposed Patriot II legislation.  [Source:
Anick Jesdanun, *The Washington Post*, 31 Mar 2003; PGN-ed via Dave Farber]

  [The full item is available on Dave's IP Archives:
    http://www.interesting-people.org/archives/interesting-people/
  PGN]


Re: Draft legislation on using crypto (RISKS-22.67)

<"David P. Reed" <dpreed@reed.com>>
Mon, 31 Mar 2003 21:21:10 -0500

If they declare that encryptions are arms, perhaps we should point out the
Second Amendment (favorite of the National Rifle Association) guarantees the
right to keep and bear arms.  [via Dave Farber's IP]


Patriot software again a concern?

<"Robert I. Eachus" <rieachus@attbi.com>>
Mon, 31 Mar 2003 19:53:22 -0500

The two Patriot "failures" in have different -- and understandable --
modalities.  Whether these incidents were indicative of a problem with the
system has to be determined.  The first thing you have to understand is that
once a missile has been fired, if an aircraft flies between the target and
the Patriot radar on the ground, the missile can acquire the closer aircraft.
The Patriot operator can tell the radar not to track the closer aircraft
when that plane is showing friendly IFF.  If this happens, the missile
should reacquire the original target.  Off course, if the missile is close to
the aircraft, the wrong target may be attacked anyway.

This seems to be what happened in the incident where the British aircraft
was shot down.  It is not clear whether there really was an enemy
missile -- or if the incoming was really a mortar shell.

The decision to put IFF recognition in the Patriot ground systems but not in
the missiles is both a practical design decision and a military one.  If the
enemy starts broadcasting "your" IFF code do you want the Patriot system to
be able to override IFF recognition?

In the second incident, the operators were again under attack and apparently
"unassed" the control trailer.  My guess is that the radar was in TWS (track
while scan) mode, and the F-15 countermeasures read it as a lock-on -- which
of course it was.  If the Patriot battery had been manned they could have
either told the radar not to lock on to the F-15, or turned off the radar so
that the HARM would have lost lock.

In both cases, note that the situation was a typical one for "friendly fire"
incidents -- multi-mode attacks that haven't been considered by the rules of
engagement.


Friendly Fire and the Perils of Statistical Reasoning

<tar@ISI.EDU (Thomas A. Russ)>
31 Mar 2003 15:02:39 -0800

Actually, having it be higher in the first Gulf War is not really that
astounding, given the general circumstances.  In that war, the overwhelming
majority of all casualties were inflicted by the Coalition Forces.  Given
that tremendous disparity, even a very small error rate applied to the
casualty causation numbers would end up being a very large part of the
overall casualties.

While good figures for the Iraqis are hard to come by, CNN's web site lists
the following.  Coalition 213 combat fatalities (plus another 145 nonbattle
deaths).  Iraqi military fatalities estimated at 100,000.  If the latter is
true, then having just a 0.1% error rate would explain about 100 friendly
casualties or about half of all of them...

(CNN did not break down US casualties by cause, although British losses were
listed as 24, 9 by U.S. fire).

Thomas A. Russ,  USC/Information Sciences Institute          tar@isi.edu


Re: Friendly fire (RISKS-22.65)

<Anthony Youngman <Anthony.Youngman@ECA-International.com>>
Mon, 31 Mar 2003 10:27:41 +0100

In the first Gulf War, our (the British) "friendly fire" casualties were
about FIFTY percent of total casualties.  Nearly all of them were caused by
a single American "hunter air patrol" which, while OUT of its patrol area,
and OUT of radio touch (accidental or deliberate?) with its controllers,
mis-identified two Warrior APCs as Iraqi and destroyed them.

It caused considerable bad press over here, and the impression left was that
the pilots were fed up with not finding targets, wanted to attack
something/anything, and had pretty much disobeyed orders in order to find
something to shoot at. Shame it was a bunch of soldiers on the same side ...


NCIC: "Death by Oops?"

<Lauren Weinstein <lauren@vortex.com>>
Wed, 02 Apr 2003 20:34:30 -0800 (PST)

The latest "Fact Squad Radio" short audio segment may be of interest.  It
concerns the issue of data accuracy in the FBI's NCIC system.  It's called:

  "The FBI NCIC: Death by Oops?"
and is available via:
  http://www.factsquad.org/radio

+1 (818) 225-2800 lauren@pfir.org
PFIR: People For Internet Responsibility - http://www.pfir.org


POW Social Security numbers revealed

<Paul Hirose <x3xpp-c52ye-0401@earthlink.net>>
Thu, 03 Apr 2003 00:02:47 GMT

The current war in Iraq has highlighted a risky practice the Pentagon has
been following for many years: using the Social Security number as a
military member's "service number". Americans taken POW have been seen and
heard on television identifying themselves as required by the Geneva
Convention. Naturally this included reciting their SSNs.

In every case I've seen (all on American TV), the interview was edited so
only the first few digits were revealed. I'm not sure who did this; I hope
it occurred at the source (presumably Iraqi state television).

The use of SSNs as service numbers was an issue even before the war.  In one
incident, some senior officers suffered identity theft when their SSNs were
published in the Congressional Record:

http://www.washingtonpost.com/ac2/wp-dyn/A35194-2000Apr7?language=printer

Foreign readers should understand the SSN is practically an American's
national identity number, heavily used by the government, employers, banks,
even schools. Broadcasting a POW's name and SSN worldwide creates a severe
risk of identity theft and invasion of privacy.

Perhaps when the change to SSNs occurred (in the Vietnam era, according to
the newspaper article) the danger seemed minimal. But times have
changed. The Pentagon should revert to service numbers which have no meaning
or usefulness outside the military.

Paul Hirose <x3xpp-c52ye-0401@earthlink.net>


Cell phones & 911 service

<Jeremy Epstein <jeremy.epstein@webmethods.com>>
Wed, 2 Apr 2003 10:54:10 -0500

*The Washington Post* reports on a number of cases where calling 911 from a
cell phone was routed to the wrong jurisdiction, so "response to a
life-threatening -- and ultimately fatal -- emergency was delayed because a
cell phone call to 911 didn't work the way it was supposed to".

The examples given were a caller in Chillum MD routed to 911 in Washington
DC (an immediately adjacent jurisdiction) and the recent case [RISKS-22.58]
where teenagers in Long Island Sound drown because 911 wasn't able to
determine where the call was coming from.  They note that in the Chillum
case, the problem occurred because "a wireless signal can get picked up by
the wrong cell phone tower".

In this case, though, the technology isn't at fault, despite what *The Post*
says.  Radio waves don't respect human boundaries; the cell phone goes to
the nearest/strongest signal (not sure exactly how this works).  If I stand
on one side of a street, I can be in a different jurisdiction from the other
side of the street.  There's no way for the cell tower to know which side of
the street I'm on, and route the call to the correct 911 location.  The RISK
is that 911 dispatchers aren't trained to recognize calls from adjacent
jurisdictions and route them appropriately.

http://www.washingtonpost.com/wp-dyn/articles/A54802-2003Mar30.html


Possibly-wrong expectations about bouncing e-mail

<"Mark T.B. Carroll" <Mark.Carroll@Aetion.com>>
Fri, 4 Apr 2003 07:50:16 -0500 (EST)

I have domain names with short names where all e-mail to anyone at that
domain comes past me. One thing I find is that people from organisations
that have a similar domain name to one of mine send their inter-office
stuff to me as they mistype their own organisation's domain name in the
intended recipients' addresses. I wonder if they would be more careful
with internal documents if they realised it is actually not all that
improbable that e-mail to Some.Odd.Name@wrong-short.domain that doesn't
look like spam will be read by at least somebody instead of being bounced
automatically.

Please report problems with the web pages to the maintainer

Top