The RISKS Digest
Volume 22 Issue 70

Sunday, 20th April 2003

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator



Turtle triggers search and rescue effort
Jim Griffith
Rules let marketers see patient data
Monty Solomon
Airline boarding pass algorithm flaw
Mark Kantrowitz
CNN glitch reveals premature obits
NASCAR fan faces prison time for flooding Fox with angry e-mails
Monty Solomon
Careless use of Web templates
Colin Andrew Percival
Misusing emergency capabilities
Kevin C Stevens
Cyberstalking on the rise
Online harassment: bogus e-mail incites retribution
Monty Solomon
Qmail-ldap discloses Bcc recipients
John Pettitt
Sony to recall 20,000 more Vaio PCs due to glitch
Monty Solomon
Y2K bug alive and working for Macdonalds
Richard A. O'Keefe
Re: POW Social Security numbers revealed
Markus Kuhn
Re: Millennium trains taken off the tracks
Ben Low
Re: "Quick Deposit" systems
Brian Campbell
Re: Friendly Fire
Mark Brader
Correction on fratricide item
Peter B. Ladkin
Re: Traffic lights don't work in the snow
Ed Ravin
Web site wants me to change my proxy? I don't think so...
Sean Sosik-Hamor
Workshop on Wireless Security WiSe 2003 CFP
Adrian Perrig
Info on RISKS (comp.risks)

Turtle triggers search and rescue effort

< (Jim Griffith)>
Fri, 18 Apr 2003 12:51:15 -0400

The U.S. Coast Guard launched a massive search and rescue effort earlier
this week after picking up an emergency distress beacon signal.  They
finally pinpointed the cause - a turtle had become tangled in a rope tied to
a discarded beacon.  The original owner was located, and he said he'd lost
it some time ago.

Rules let marketers see patient data

<Monty Solomon <>>
Sun, 20 Apr 2003 01:25:21 -0400

In an emergency, the hospital can't tell anyone except family that you're a
patient.  But it's free to use intimate medical details to forward marketing
pitches to you from drug companies, insurers, and other "business
associates".  U.S. Representative Edward J. Markey, Massachusetts Democrat,
has filed a bill that would require patient consent.  ...  [Source: Diane
E. Lewis, subtitled Campaign afoot to give patients right to block release
of files, *The Boston Globe*, 19 Apr 2003; PGN-ed]

Airline boarding pass algorithm flaw

<"Kantrowitz, Mark" <>>
Mon, 7 Apr 2003 19:51:11 -0400

On a recent USAir flight, two people were both assigned to the seat in front
of me.  It turns out that they both had the exact same name.  One was female
and the other male, but their full names were spelled identically.

Both were issued boarding passes for the same seat.

This suggests that the algorithm the airline uses to issue boarding passes
is based on the flight number and passenger name, and not based on a unique
identifier such as ticket number or passenger id number.

Besides being a potential security risk, I would not be surprised if it
costs the airline some lost revenue.

  [Perhaps.  But it also might be thought of as saving a little in
  programming complexity and maintenance?  On the other hand, you would
  think there was a flag for "boarding pass already issued".  PGN]

Mark Kantrowitz PO Box 81620, Pittsburgh, PA 15217  1-412-422-6190

CNN glitch reveals premature obits

<"NewsScan" <>>
Fri, 18 Apr 2003 09:53:43 -0700

A glitch on the Web site accidentally made available draft
obituaries written in advance for Dick Cheney, Ronald Reagan, Fidel Castro,
Pope John Paul II and Nelson Mandela. "The design mockups were on a
development site intended for internal review only," says a CNN
spokeswoman. "The development site was temporarily publicly available
because of human error." The pages were yanked about 20 minutes after being
exposed.  [CNet 17 Apr 2003; NewsScan Daily, 18 Apr 2003]

  [As I recall, a similar situation happened previously, to *The New York
  Times*, but I cannot find the entry in RISKS.  PGN]

NASCAR fan faces prison time for flooding Fox with angry e-mails

<Monty Solomon <>>
Thu, 17 Apr 2003 14:21:51 -0400

A NASCAR fan faces up to a year in prison for flooding Fox Entertainment
Group in Los Angeles with more than a half-million e-mails because he was
angry the network aired a Boston Red Sox game instead of an auto race in
early April and May 2001.  Michael Melo of Billerica agreed to plead guilty
to a federal misdemeanor charge of damage to a protected computer system.
(Fearing a cyberattack, Fox shut down part of its Web site, and claims it
cost them $36,000.)  [Source: Mark Pratt, Associated Press, 16 Apr 2003.]

Careless use of Web templates

<Colin Andrew Percival <>>
Mon, 7 Apr 2003 08:26:47 -0700 (PDT)

Most people who use Google routinely will have noticed that many of the
"sponsored links" seem to be built from templates; this works reasonably
well in most cases, but sometimes fails badly.

While conducting a terrorism-related search, I was confronted with the
following advert:

  Terrorism - Huge Range, Low Prices, Great Service - CLICK HERE!  Free Super Saver Delivery on orders over #39 (see

While in this case the only risk was one of unintended humour, it is clear
that unforeseen consequences can ensue from allowing too wide a range of
terms to be inserted into such a template.  Imagine, for example, the
possible reactions if "Terrorism" were replaced by "Child Pornography".

Misusing emergency capabilities

<Kevin C Stevens <kcs6@cse.Buffalo.EDU>>
Sat, 5 Apr 2003 13:20:22 -0500 (EST)

The small liberal-arts college where my wife teaches has a campus-wide
alert system. One component of that system is the ability to make an
announcement over a PA system. It is used very rarely and has dubious sound
quality. In fact, previous to this week the only two times anyone can
remember it being used were for a severe ice storm when the university was
about to be closed; and 9/11.

Yesterday, a moderately severe ice storm struck the region (we are in
Western New York). There was also a recruiting event for potential new
students that evening for which the publicity flyers had the wrong venue.
As a consequence, high-school seniors and their parents were going from
building to building looking for the event.

You guessed it, they used the campus emergency PA system to make an
announcement that "All those looking for the recruiting event should
gather in <name of building omitted> for directions."

The dorms emptied, both because the message was poorly understood and
because if it came over the campus PA, it must be critical. So a few hundred
college students left their dorms and wandered out on a cold night, some in
pajamas, only to find out there was no need to be out.

The RISK is obvious, if it was meant for emergencies, only use it for an

Kevin Stevens, Department of Computer Science, University of Buffalo, SUNY

Cyberstalking on the rise

<"NewsScan" <>>
Fri, 18 Apr 2003 09:53:43 -0700

Cyberstalking — stalking people over the Net — is increasing across the
U.S., according to a new study by Wired Safety. And while women remain the
most likely targets, they're getting into the act as perpetrators, too. In
addition, growing numbers of children are cyberstalking children. "We didn't
find much good news," said Wired Safety executive director Parry
Aftab. "Identity theft is increasing. And because more people are cyber
dating they become victims of cyberstalking when things don't work out."
Aftab expressed concern over a recent court ruling that compelled Verizon to
turn over the name of an ISP subscriber under the subpoena power of the
Digital Millennium Copyright Act. "This is an outrageous and dangerous
ruling. It was supposedly about music piracy, but the result of the case is
that anyone can obtain personal information about any Internet user by
simply filling out a one-page form and submitting it to a court clerk.
There is absolutely nothing you can do to protect yourself, even if you are
a police officer doing undercover work against s*xual predators. The future
safety and privacy of all Americans engaged in online communications now
rests with Verizon winning this case on appeal." [Asterisk inserted so that
NewsScan Daily doesn't get caught in the software filters meant to ward off
pornography.]  [Internet News 18 Apr 2003; NewsScan Daily, 18 Apr 2003]

Online harassment: bogus e-mail incites retribution

<Monty Solomon <>>
Sun, 20 Apr 2003 00:50:28 -0400

Arab-American activist Nawar Shora checked his e-mail one day and found
scores of angry messages asking why he hated Americans and Jews.  The
messages were responding to e-mail messages with his spoofed From: address.
However, he had never sent the hate mail; the From: address had been forged
[which is easy to do].  [Source: New online harassment involves provocative
messages sent under guise of activists, Anick Jesdanun, Associated Press, 18
Apr 2003; PGN-ed]

Qmail-ldap discloses Bcc recipients

<John Pettitt <>>
Fri, 11 Apr 2003 08:56:29 -0700

The technique of Bcc'ing all the recipients is often used to send e-mail
messages where the nature of the subject matter is controversial with the
intent of not disclosing who is interested in the message.

However qmail discloses some of the recipients by listing the first of
the bcc'd recipients in a Received by header.

What seems to happen is that the MTA adds a header like this:

  Received: from (HELO some.domain) ([])
    by some-other.domain (qmail-ldap-1.03) with SMTP
    for <first.envelope.recipinet@another.domain>;

This happens even when there are no To: or Cc: recipients listed.

A trivial search of my mail archive finds many cases where a "for" clause in
a received header was neither my address nor the address of any of the
publicly listed recipients.

So far I've only found this behavior in qmail-ldap and it's not clear if the
problem exists beyond the first hop in the delivery chain or in other MTAs.
(My tests on postfix suggest it's not a problem.)
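
The archive search described in the item above, as an added example that is not part of the original posting or of qmail-ldap: it flags any Received "for" clause whose address is neither a visible To:/Cc: recipient nor one of the reader's own addresses. The function names, the `own_addresses` parameter, and the two sample messages are assumptions constructed for illustration.

```python
import email
import re
from email.utils import getaddresses

# "for <addr>" clause in the trace part of a Received header.
FOR_CLAUSE = re.compile(r"\bfor\s+<?([^\s<>;]+@[^\s<>;]+)>?", re.IGNORECASE)

# Constructed sample: a Bcc-only message whose first-hop MTA recorded the
# first envelope recipient (alice), as delivered to a different recipient (bob).
LEAKY_SAMPLE = (
    "Received: from relay.sender.example ([192.0.2.10])\n"
    "    by mx.reader.example with ESMTP\n"
    "    for <bob@reader.example>; Fri, 11 Apr 2003 08:56:31 -0700\n"
    "Received: from client.sender.example (HELO client.sender.example) ([192.0.2.20])\n"
    "    by relay.sender.example (qmail-ldap-1.03) with SMTP\n"
    "    for <alice@third.example>; 11 Apr 2003 15:56:29 -0000\n"
    "From: organiser@sender.example\n"
    "To: undisclosed-recipients:;\n"
    "Subject: meeting\n"
    "\n"
    "Body text.\n"
)

# Constructed sample: every "for" address is also a visible recipient.
CLEAN_SAMPLE = (
    "Received: from relay.sender.example ([192.0.2.10])\n"
    "    by mx.reader.example with ESMTP\n"
    "    for <bob@reader.example>; Fri, 11 Apr 2003 09:10:02 -0700\n"
    "Received: from client.sender.example ([192.0.2.20])\n"
    "    by relay.sender.example with SMTP\n"
    "    for <carol@third.example>; 11 Apr 2003 16:10:00 -0000\n"
    "From: organiser@sender.example\n"
    "To: bob@reader.example\n"
    "Cc: Carol <carol@third.example>\n"
    "Subject: agenda\n"
    "\n"
    "Body text.\n"
)


def visible_recipients(msg):
    """Addresses any recipient can already see in To: and Cc:."""
    fields = msg.get_all("To", []) + msg.get_all("Cc", [])
    return {addr.lower() for _, addr in getaddresses(fields) if addr}


def leaked_envelope_recipients(raw_message, own_addresses=()):
    """Return (hop_index, address) for each Received 'for' clause that names
    someone who is neither a visible recipient nor the reader.
    Hop 0 is the most recent Received header."""
    msg = email.message_from_string(raw_message)
    known = visible_recipients(msg) | {a.lower() for a in own_addresses}
    leaks = []
    for hop, received in enumerate(msg.get_all("Received", [])):
        unfolded = " ".join(received.split())   # undo header folding
        trace = unfolded.split(";", 1)[0]       # drop the timestamp part
        match = FOR_CLAUSE.search(trace)
        if match and match.group(1).lower() not in known:
            leaks.append((hop, match.group(1).lower()))
    return leaks


if __name__ == "__main__":
    me = ["bob@reader.example"]
    for name, raw in (("leaky", LEAKY_SAMPLE), ("clean", CLEAN_SAMPLE)):
        print(name, leaked_envelope_recipients(raw, me))
```

Run over each message of a mailbox (for instance via the standard `mailbox` module), a non-empty result marks mail whose trace headers name a recipient the sender did not list.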

Sony to recall 20,000 more Vaio PCs due to glitch

<Monty Solomon <>>
Sat, 19 Apr 2003 14:27:52 -0400

Consumer electronics giant Sony Corporation said on 18 Apr 2003 that it
would recall 20,000 Vaio desktop personal computers sold in Japan between
Sep 2002 and Jan 2003, to replace defective power supply parts.  This is in
addition to 20,000 Vaio PCs recalled in the United States and Canada in Dec
2003 due to a similar problem, a Sony spokesman said.  [Source: Reuters, 18
Apr 2003; PGN-ed]

Y2K bug alive and working for Macdonalds

<"Dr Richard A. O'Keefe" <>>
Wed, 16 Apr 2003 14:43:47 +1200

Last week my elder daughter had her 7th birthday.  The party was held at a
local Macdonalds.  (NOT my choice.)  One of the things they provided was a
cake.  On the box, there was a use-by date.  It was a day in July 1903.

Makes me wonder how many Y2K bugs are still lurking in dark corners.

  [This one really takes the cake!  PGN]

Re: POW Social Security numbers revealed (Cowan, RISK-22.69)

<Markus Kuhn <>>
Wed, 16 Apr 2003 18:08:55 +0100

> SSN's are hopelessly easy to obtain

Well, there is a good opportunity to turn a bug into a feature:

The U.S. social security administration could simply make their entire
database of social security numbers and associated names and dates of
birth openly available to the general public for download, and of course
publicise this step prominently. As a result, the SSN would instantly
lose any usefulness whatsoever as an authenticator and become even more
harmless and fear-free than telephone numbers or ZIP+4 codes. Problem
solved. [I can literally hear a few thousand US RISKS readers breathing
in sharply at this idea as they feel cold shivers running down their
back, so deeply is the cultural fear of anyone else knowing a few digits
associated with you engraved in a nation's collective psyche ... ;-]

Such a step would of course require [listed in order of increasing

(a) some warning time for organizations who currently use the SSN as part of
    an authentication procedure to give them time to adjust their practices,

(b) the introduction of a proper authentication mechanism as an alternative,

(c) a population that can mentally make that step and overcome deeply
    embedded phobias about the entire idea of other people being able to
    look up *YOUR* number, no matter how little (ab)usefulness knowledge of
    that number has in practice

> It is tempting to propose something prescriptive, specifying how
> organizations should authenticate people. ...

Many countries have done that long ago. They run reasonably carefully
administered population registers and residents are entitled to get a
tamper-resistant copy of their entry of that register, to show it to
other people whenever establishing identity is desired in a transaction.
These tamper-resistant copies are usually called "ID cards", or, where
the form factor is a somewhat larger booklet with sufficient space for
travel visas, they are called "passports". In those few (typically
anglophone) countries where the term "ID card" causes shivers running
down the back of too many scared people for cultural reasons, the same
thing is now called "entitlement card" or "driver's licence".

Passports and ID cards are widely considered the only accepted serious form
of authentication in continental Europe. At first sight, they seem to be
only useful for card-holder present transactions, e.g., where you physically
walk into a bank, school, administration, etc. However, that does not mean
that they are useless for using online services from home.  It is not too
difficult to build remotely usable proper authentication mechanisms on top
of ID cards. For example, on top of a well-run ID card infrastructure, it
becomes immediately feasible for the national postal service to offer
authenticated personal delivery. For a small additional fee, a package or
letter sent to you will only be handed over to you if you show up personally
in the nearest post office and authenticate yourself with your ID card,
which contains all the information that allows the postal office clerk to
verify that your biometrics belong to the person named as the recipient of
the letter. Once you have authenticated postal delivery, companies can
easily send all sorts of authentication tools to you, such as lists of
transaction numbers, floppy disks or chips with certified crypto keys, etc.

Banks and delivery services might find it an attractive business opportunity
to offer similar authenticated delivery services. By using two independent
routes to deliver electronic authenticators to you (two shares of a secret
key arrive via postal authenticated delivery and via pickup from your local
bank branch), abuse of the system by malicious employees in the delivery
chain can be made unattractive enough for potential fraudsters to look
elsewhere for work.

Governments setting up the underlying ID infrastructure remains a
prerequisite for all these more convenient and safer forms of authentication
to become available.

Markus Kuhn, University of Cambridge, GB

Re: Millennium trains taken off the tracks (Frankston, RISKS-22.69)

<Ben Low <>>
Sat, 19 Apr 2003 01:38:59 +1000

The interference caused by the Millennium trains may simply be trashing the
signal completely, possibly across a wide range of frequencies. In which
case, as noted, the fail-safe for all listening devices would surely be "go
to red".

Indeed, if it were an analogue system, you'd expect the quote to be "turning
lights red, green or orange for all following and leading trains" :-)

(BTW, I suspect the original quote meant "interfering *on* the frequency of
the ... signalling system", rather than *with* the frequency. :-)

Re: "Quick Deposit" systems

< (Brian Campbell)>
Sat, 19 Apr 2003 15:31:09 +0100

In Risks 22.69, Gervase Markham described an ATM-like deposit machine booting
Windows NT and allowing a little control with the provided keypad and
buttons before displaying a "not in use" message.  He summarised [various
risks,] but I don't think these really capture the nature of the problem.
Essentially, the interface presented to the end-user is wider than intended,
exposing implementation details and associated risks.

When engineering systems a key method of improving reliability and security
is to reduce complexity.  Providing the software with a normal keyboard
interface for the keypad makes a lot of sense for reduced complexity.
Similarly, keeping some of the debugging tools around is often helpful for
diagnosing faults.

As such, it would be better if the system restricted the built-in keys and
display to the actual application, and have internal connections for
attaching a second keyboard and display which act as normal for use when
debugging.  However, this does require that the operating system support
using multiple keyboards and displays separately.

Re: Friendly Fire (Goodall, RISKS-22.69)

< (Mark Brader)>
Wed, 16 Apr 2003 00:11:17 -0400 (EDT)

I'm reminded of the way that many people writing about the Titanic disaster
tend to assert that about 1,520 *passengers* were killed.  Actually it was
820 passengers and 700 crew, out of 1320 and 900 respectively, all this
in round numbers.  Note that the crew death rate was significantly higher.

Correction on fratricide item (Ladkin, RISKS-22.68)

<"Peter B. Ladkin" <>>
Mon, 14 Apr 2003 13:49:02 +0200

In my fratricide note in RISKS-22.68, I gave figures from FM 100-14 via
Chris Johnson that the fratricide figure for Desert Storm/Shield was 1%
according to FM 100-14. Well, FM 100-14 in fact says 5% for Desert
Storm/Shield fratricide (I found an on-line copy). All the other figures in
the table in my note are correctly transcribed from FM 100-14.

  [Annotated correction is being made in the official archives.  PGN]

In my new note, I give on-line source for FM 100-14, and also quote a UK
National Audit Office report that says that US research has shown that
historically the figure lies around 10-15%, not the 1-5% that FM 100-14

Peter B. Ladkin, Professor of Computer Networks and Distributed Systems,
Faculty of Technology, University of Bielefeld, 33594 Bielefeld, Germany

Re: Traffic lights don't work in the snow (RISKS-22.65)

<Ed Ravin <>>
Tue, 1 Apr 2003 00:25:45 -0500 (EST)

For those of us who ride bicycles, we've been dealing with this problem ever
since the technology was introduced.  Sometimes laying your bicycle on the
ground over the sensor is enough to trigger it.  Other options are to look
for a button meant for use by pedestrians, to wait for a motor vehicle to
show up and trigger the sensor, and finally, the most popular option in my
observation, merge with traffic as best one can regardless of the state of
the traffic signal.

I'm told most of these devices can be tuned to sense bicycles, but traffic
engineers in the U.S. are notorious for taking the "windshield view" - that
is, they see everything on the road from the perspective of a driver in a
motor vehicle.  It's a classic case of building a system for 99% of the
users and making life miserable for the other 1%.

> You have no choice but to attempt to join a potentially busy road by going
> through a red light or ride on the pavement to a safe spot to rejoin
> traffic.

To clarify for our American readers, I believe what Ryan calls "riding on
the pavement" would be "driving on the sidewalk" in Americanese, or
"operating a motor vehicle on the pedestrian right-of-way" in bureaucratese.

Web site wants me to change my proxy? I don't think so...

<Sean Sosik-Hamor <>>
Mon, 31 Mar 2003 11:13:24 -0500

It appears that OnlineNIC, a discount bulk domain registrar that caters to
domain squatters, has been attacked and their Web servers are unavailable.
We had to deal with them about a year ago to transfer a domain name away
from a squatter in Korea and found their customer support extremely lacking.
On top of that, even after successfully transferring the domain name away
from them, they seem to think that we're still a customer so we keep
receiving promotional and maintenance e-mail from them.

I received the following maintenance e-mail from them this morning informing
me that their servers are under attack.  It is unclear whether the attack is
simply a denial of service attack or if their Web servers were actually
compromised.  Regardless, the request that OnlineNIC has made in the
following e-mail is absolutely outrageous.  After informing me that their Web
servers are under attack (I didn't trust them before and I sure don't trust
them now that I know they may have been compromised), they want me to change
my proxies to one of theirs.

To quote many RISKS posters that came before me, the RISKS here are obvious.

If this request is legitimate due to a denial of service attack then I would
assume that they are filtering out all traffic to their Web servers and only
allowing traffic to their Web server from their proxies.  In theory, I'm
sure this idea made sense to someone somewhere in the OnlineNIC chain of
command.  Regardless, setting my proxy to one of theirs would send all my
Web traffic through it...not just traffic to OnlineNIC.  I really don't
think I trust OnlineNIC with logs and caching of every Web site I visit.

Since I'm a paranoid freak, I'm assuming that OnlineNIC's Web servers were
completely compromised (my theory, no way to confirm), their customer base
was leaked, the attacker sent this e-mail to all customers and the below
proxies are hostile and designed specifically to log all Web traffic for
OnlineNIC's customers.  I only come to this conclusion because the headers
of this e-mail are very sparse and seem forged (Received from: YOURNAME
localhost.localdomain), there are typos in the e-mail and the e-mail asks me
for my username/password.

Oh well...even if the request was legitimate, how many naive users who
actually switch their proxies are going to remember to switch them back
after OnlineNIC comes back online?  If the proxies are no longer required,
how long will OnlineNIC keep those proxies online for the "convenience" of
their customers?  And, are these proxies wide open for anyone to use for
semi-anonymous surfing?  If the request is legitimate, OnlineNIC is opening
themselves up to abuse by making these proxies available.


Begin forwarded message:

> From: ""<>
> Date: Mon Mar 31, 2003  5:42:49  AM US/Eastern
> To:
> Subject: About the problem of Onlinenic
> Dear Customer,
> We are sorry to inform you that our WEB server has been attacked by
> somebody. Our technicicans are taking great effort in getting it
> solved now. Please rest assured that the problem will be solved soon.
> To visit Onlinenic, would you please try it at
>, if it still fails, please try to use the
> proxy server: in the following way:
> Go to 'Tools' in IE, choose 'Internet' , it will lead you to an
> interface, then choose 'Connect', click 'LAN setup', then you may set
> up the proxy with the port 80.
> If this proxy server doesn't work, you may try the following ones:
> Plus, Some of the e-mail sent to may have lost.
> If you haven't got any reply from us, please write to
> Please rest assured that we will never ingore
> any e-mail reaching us.
> If you have domains which are supposed to be registered urgently,
> please kindly offer us your id, password and the detailed whois
> information of your domains, we will try to help you register them
> here.
> Please rest assured that you may feel free to change your account
> password after the domains have been registered successfully here for
> you.
> Your kind understanding and cooperation will be highly appreciated.
> Should you have further questions, please feel free to contact us.
> Sincerely,
> OnlineNIC Customer Care
> E-mail:

Workshop on Wireless Security WiSe 2003 CFP

<Adrian Perrig <>>
Tue, 15 Apr 2003 20:16:09 -0400 (EDT)

Call for Papers
Workshop on Wireless Security (WiSe) in conjunction with ACM MobiCom 2003
Sponsored by SIGMOBILE
19 Sep 2003, San Diego, CA

[PGN-excerpted for RISKS.  See full call for papers:]

The workshop on Wireless Security will be held in conjunction with ACM
MobiCom 2003.  The objective of this workshop is to bring together
researchers from research communities in wireless networking, security,
applied cryptography, and dependability; with the goal of fostering
interaction.  With the proliferation of wireless networks, issues related to
secure and dependable operation of such networks are gaining importance.
Topics of interest include, but are not limited to:

 * Key management in wireless/mobile environments
 * Trust establishment
 * Intrusion detection, detection of malicious behaviour
 * Revocation of malicious parties
 * Secure PHY/MAC/routing protocols
 * Secure location determination
 * Denial of service
 * User privacy
 * Anonymity, prevention of traffic analysis
 * Dependable wireless networking
 * Monitoring and surveillance

Instructions for electronic submission of papers will be posted at
Paper submissions due: May 27, 2003

Workshop Co-Chairs:
* Douglas Maughan, DARPA
* Adrian Perrig, Carnegie Mellon University
