The RISKS Digest
Volume 22 Issue 72

Saturday, 10th May 2003

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator



Software bug sent Soyuz off course
Tom Van Vleck
Microsoft admits Passport was vulnerable
Monty Solomon
E-mail hoax at University of Maryland
Paul Kafasis
Pair held in plot to steal thousands of identities
Monty Solomon
"Jeff Jackboot" — more spelling-checker follies?
Daniel P. B. Smith
Misquoting Google
Monty Solomon
T-Mobile Hotspot uses SSN for passphrase
Conrad Heiney
Making it harder for prying eyes
Monty Solomon
Re: Friendly Fire
Matt Jaffe
Re: Patriots and Friendly Fire
Peter B. Ladkin
Re: OpenBSD release protects against buffer-overflow attacks
Jeremy Ardley
Re: Pilots fail exams
Don Lindsay
Vince Mulhollon
Toby Gottfried
Info on RISKS (comp.risks)

Software bug sent Soyuz off course

<Tom Van Vleck <>>
Mon, 5 May 2003 19:42:58 -0400

A mysterious software fault in the new guidance computer of the Soyuz TMA-1
spacecraft was the cause of the high-anxiety off-course landing over the
weekend, NASA sources tell  ONCE IDENTIFIED, the error should be
easy to fix in the computer of the Soyuz TMA-2, which is now attached to the
International Space Station to provide the new two-man crew with a way to
return to Earth..."  [Source: James Oberg, NBC News Space Analyst, 5 May

  [I like that "should."  THVV]
    [Also noted by James Paul and Nancy Leveson.  PGN]

  [The autopilot suddenly reported it had ``forgotten where it was and which
  way it was headed'' — whereupon it switched to backup.  The result was a
  twice-as-rapid deceleration and premature landing.  PGN]

Microsoft admits Passport was vulnerable

<Monty Solomon <>>
Fri, 9 May 2003 01:42:20 -0400

Muhammed Faisal Rauf Danka, a computer researcher in Pakistan, discovered
how to breach Microsoft Corp.'s security procedures for its popular Internet
Passport service, designed to protect customers visiting some retail Web
sites, sending e-mails and in some cases making credit-card purchases.

Microsoft acknowledged the flaw affected all its 200 million Passport
accounts but said it fixed the problem early Thursday, after details were
published on the Internet.  Product Manager Adam Sohn said the company was
unaware of hackers actually hijacking anyone's Passport account, but several
experts said they successfully tested the procedure overnight.

In theory, Microsoft could face a staggering fine by U.S. regulators of up
to $2.2 trillion.  Under a settlement with the Federal Trade Commission last
year over lapsed Passport security, Microsoft pledged to take reasonable
safeguards to protect personal consumer information during the next two
decades or risk fines up to $11,000 per violation.

The FTC said it was investigating this latest lapse.  The agency's assistant
director for financial practices, Jessica Rich, said Thursday that each
vulnerable account could constitute a separate violation, raising the
maximum fine that could be assessed against Microsoft to $2.2 trillion.  ...
[Source: Ted Bridis, Associated Press, 8 May 2003]

E-mail hoax at University of Maryland

<"Paul Kafasis" <>>
Sun, 4 May 2003 13:28:07 -0400

It appears that a gaping security hole at the University of Maryland led
to an unexpected "canceling" of classes for Friday, April 11th. One or
more students sent an e-mail to an address on campus which sent out to
3500 students and had no protection on it. From speaking to students at
the school, it appears that they were signed up for an e-mail list without
their knowledge, a list which accepted submissions from anywhere.
Thursday night (4/10), they began receiving confusing e-mails from each
other, trying to unsubscribe from the list. Before the OIT department
shut it down, a virus and a hoax e-mail canceling classes for the
following day due to "budget cuts" had been sent out.

The culprits even went so far as to spoof the format of other letters sent
out campus wide, as well as the headers and reply-to address. As their OIT
spokeswoman said:

"E-mail is one of the most easily forged or compromised mediums," she
said. "Always verify anything that looks suspicious or strange."

Of course, if the students are correct that this was an open list sending
mail to 3500 people, they were just asking for trouble.

It looks like the culprits were making a Catch-22 reference to Colonel
Cathcart, but no one at the school got it. I found that to be the
funniest part of the article.

Pair held in plot to steal thousands of identities

<Monty Solomon <>>
Mon, 5 May 2003 01:07:26 -0400

Federal authorities have arrested an Irvington, New Jersey, man and woman
who allegedly schemed to steal the identities of as many as 3,700 clients at
one of the nation's largest mortgage companies.  FBI agents found credit
reports, fake licenses, and recently purchased high-tech equipment.  Each
bore the names of customers at Weichert Financial Services, the Morris
Plains-based company that operates as a partner to Weichert Realtors.  One
of the suspects has worked as an administrative assistant for the company
since May 2001.  A federal complaint released yesterday said she and her
roommate used a high-speed Internet connection from their home to access
more than 500 credit reports of Weichert clients between 11 Jan and 7 Feb
2003.  [Source: Article by John P. Martin, Feds charge Irvington couple used
the Internet to illegally access credit reports from mortgage firm, *Newark
Star-Ledger*, 2 May 2003; PGN-ed]

"Jeff Jackboot" — more spelling-checker follies?

<"Daniel P. B. Smith" <>>
Sat, 03 May 2003 20:10:18 -0400

Googling for news, I ran across an opinion piece in an Australian
publication by someone styling himself "Jeff Jackboot."  This didn't sound
like a real surname, and I assumed it to be some kind of curious nom de

The dictionary meanings of "jackboot" are "a stout military boot that
extends above the knee," "a person who uses bullying tactics, especially to
force compliance," and "the spirit sustaining and motivating a militaristic,
highly aggressive, or totalitarian regime or system," and I wondered why
this columnist would want readers to make such associations.

On reading further, the piece seemed oddly familiar... and Jeff Jackboot was
identified as "a columnist with *The Boston Globe*."

I suddenly realized that this was, in fact, *Globe* columnist Jeff Jacoby.

The Age has not answered my e-mail inquiry about the error. I suspect this
was probably a spelling-checker error, although my copy of Microsoft Word
does not make this correction.
(or just do a Google search for "Jeff Jackboot")

Misquoting Google

<Monty Solomon <>>
Sun, 4 May 2003 11:45:08 -0400

Posted, May. 1, 2003
Updated, May. 2, 2003

Misquoting Google

By Jonathan Dube
MSNBC Sr Producer Publisher

Google has become such a part of our culture that writers often quote how
frequently a name or phrase appears in a Google search as an indicator of
popularity. Unfortunately, more often than not, the numbers published are
completely wrong.

Here are a few examples of Google hit counts being cited in publications
within the past month. Before you read on, do a search for each of these
yourself and see if you can figure out if they're in the ballpark or way

  A Google search for the phrase "Iraq war" returns 3.2 million hits.
  — *The Raleigh News & Observer*

  "The best defense is a good offense." That favorite saying of heavyweight
  champion Jack Dempsey gets a half-million hits on Google... — *The New
  York Times*

  The phrase "geopolitical climate" is a favorite among market
  commentators. A Google search found 1,410 mentions of it. It makes me feel
  important to use it.  — *The Motley Fool*

  A search on the Google search engine under "boycott American products"
  found 117,000 page hits. — UPI

  Most people, when doing searches, fail to put their terms in quotes.
  Searching for Iraq War will give you more than 3 million pages, because
  Google is searching for any pages that have the words Iraq and War in
  them, in any order.  Searching for "Iraq War" will give you about 635,000,
  because Google is only looking for the exact phrase.

Pulitzer-prize winner Bill Dedman, who runs and alerted
me to The New York Times' goof listed above, points out another problem with
not using quotes: Google ignores common words in most searches.

  [Ah, yes!  We have noted this problem here before.  PGN]

T-Mobile Hotspot uses SSN for passphrase

<"Conrad Heiney" <>>
Thu, 8 May 2003 16:20:34 -0700

I just signed up for T-Mobile Wireless' "Hot Spot" service, which provides
wireless Internet access via Starbucks Coffee, Borders Books, and many other
semi-public places in the U.S. As a current T-Mobile telephone subscriber I
was given a good deal. I was also given a user name and a passphrase,
neither one of which can be changed. The user name is my telephone number
and the pass phrase is the last four digits of my social security number.

The obvious RISK of using the phone number and SSN in this manner is
pretty awful (identity theft, etc.) but what's also quite funny is that
those are the two things you need to identify yourself to T-Mobile for
any other purpose, too. Try again, guys.

Conrad Heiney

Making it harder for prying eyes

<Monty Solomon <>>
Mon, 05 May 2003 20:52:33 -0700

A bill in the California state legislature would protect the anonymity of
Internet users by requiring Internet service providers to send customers
copies of subpoenas seeking to learn their identities.  If passed,
California's Internet Communications Protection Act would become the second
state law requiring that consumers be alerted when an ISP is issued a
subpoena to find out an anonymous Internet user's true identity. Virginia
passed a similar statute last year.

The debate over anonymous online speech has heated to a boil in recent
years, with companies and individuals increasingly seeking to have ISPs and
Web publishers subpoenaed to learn the names of online critics and people
suspected of copyright violations. Yahoo alone expects to receive 600 civil
subpoenas this year — a 50 percent jump from 2002.

Such requests seek a variety of personal information about Internet users,
including full names, Social Security numbers, home addresses and pseudonyms
they've used online.

The California legislation would require ISPs to send copies of civil
subpoenas to their customers by registered mail within 14 days of receiving
them. If the customer decides to fight the request, he or she would have 30
days to serve both the ISP and the issuing party with written copies of the

ISPs that fail to comply with the act could be sued by their customers.

Source: Article by Julia Scheeres, New California law regarding anonymous
customer information, 5 May 2003;,1283,58720,00.html

Re: Friendly Fire (Vorbrueggen, Risks-22.71)

<Matt Jaffe <>>
Wed, 07 May 2003 06:54:25 -0700

Perhaps I can shed some additional light on the points Mr. Vorbrueggen
makes.  This subject was touched on quite a while ago in RISKS-08.74, but I
think more emphasis was placed there on the problems with the modes and
codes than on this discussion of altitude.  Although related, the issues are
different enough to perhaps warrant some additional discussion here.

The first point to clarify here is that at the time of the Vincennes shoot
down, Aegis almost certainly did not display vertical rate or vertical
acceleration data to its operators.  (The original HMI design as of the
EDM-3C PDR in the mid 1970's did not provide that data; of that I am
certain.)  It displayed computed altitude only (not rate).  We debated that
issue (adding a vertical rate [but not acceleration] indicator to some of
the operational displays) quite heatedly during the design phase for the
original Aegis human-machine interface.  It was no casual oversight that it
was omitted.  The reason for the omission was essentially as Mr. Vorbrüggen
notes: "These values, derived as they [would have to have been] from noisy
measurements, [would have been] notoriously unreliable."

Since the "rawer" (not by any means raw) initial altitude estimates were
intrinsically noisy, a timely display of vertical rate would thus be
intrinsically unstable ("It's climbing; no, it's descending; no, now it's
climbing again; no, now it's descending ... .") and a more stable estimate
requiring extensive filtering/damping would be too sluggish of response to
be tactically useful.  ("Oh, Captain, you'll undoubtedly be pleased to know
that the missile that hit us 30 seconds ago was dropped from an aircraft
that we now know was descending, not level, when it launched.")

With regard to Mr. Vorbrüggen's comment about error bars: In those
prehistoric days, neither the main PPI nor the auxiliary data readout CRT
had graphics, color coding, or font variation capabilities. (I think we were
on the old AN/UYA-4/OJ-194 series at the beginning).  Had we decided (as,
after extensive debate, we did not) to provide a vertical rate display, we
surely then would have considered generalizing from the old Naval Tactical
Data System 2-dimensional track quality indicator (that I believe we
retained in 2-D form) to provide a quality indicator for vertical domain
data; but there would have been little utility in so doing: At the ranges
where the difficult tactical decisions got made, the altitude data (and
hence even more so any derived vertical rate estimate) would always have
been of the same unvaryingly poor quality.  Using scarce tactical display
real estate to display such essentially constant information ("low quality
vertical rate") would not seem good HMI design.

Overall, after many years, I think the conclusions that I stated in
RISKS-08.74 still stand (the interested reader is referred to the RISKS
archives): Although the expression is overused these days, the fog of war is
very real and there will always be intrinsic limitations on our ability to
design systems (including their organizational and procedural aspects) to
aid in penetrating it.  To put such systems into play in ambiguous
environments is to risk catastrophe. But *that* of course, is a political
decision, not a technical, organizational, or operational one.

Re: Patriots and Friendly Fire

<"Peter B. Ladkin" <>>
Tue, 06 May 2003 13:03:56 +0200

Friendly Fire incidents during armed hostilities have been discussed
in Risks-22.65 (Paul, PGN), -22.66 (Tyson), -22.67 (Eachus, Russ,
Youngman), -22.68 (Ladkin, van Meter, Guaspari), -22.69 (Ladkin, Goodall),
much of it concerning the statistics and the interpretation thereof.

There were in total three friendly fire incidents in the 2003 Iraq War
that we know about in which Patriot surface-to-air (SAM) missile systems
are implicated. A UK Royal Air Force Tornado GR4 was shot down by a Patriot
on 23 March [1]. On 24 March, a Patriot radar "locked on" to a USAF F-16CJ.
The F-16 destroyed the Patriot battery with an anti-radiation (HARM)
missile [1]. In a third incident, in which a US Navy F/A-18C was shot down
by a SAM, US Central Command confirmed that a Patriot is suspected [2].

The US Department of Defence's technology chief says that there is a
requirement to look at new technology to help prevent friendly fire
incidents [3].

Concerning the varying statistics on friendly fire and their
interpretation, Col. (ret.) Scott Snook, in his book referenced in
my Risks-22.68 note, remarks that 24% (35 out of 148) of all U.S. combat
fatalities in the first Gulf War were caused by friendly fire ([4], p11).
The 24% figure was repeated by William Safire in his Language column in
the International Herald Tribune of 5 May, 2003 [5]. This precision
contrasts with the undefined 5% figure of the US Army FM 100-14 which I
mentioned in my Risks-22.69 note.

Safire mentions that "In Gulf War II, the rate of [friendly fire] battle
deaths dropped to 8 per cent ...." [5]

There are a number of different phrases used for combat damage caused by
one's own side. Safire found a first use of "friendly fire" in an NYT
article on April 3, 1944. He mentions that the term "fratricide", seemingly
preferred by the military nowadays, "emerged in the press in the '80s." He
notes that there has not yet been a sororicide [5]. It has been called
"amicicide" (semantically a more appropriate phrase) by C.R. Shrader in the
title of a 1982 book [6]. Flight International has used the phrase "blue on
blue" [2,3]. In war games, Safire explains, "friendly" forces are known as
"blues", and "enemy" forces as "reds".


[1] Accidents Take Their Toll, Flight International, 1-7 April 2003, p6.

[2] Flight International, Patriot under fire for second error, 8-14 April
2003, p10.

[3] Flight International, Science could prevent friendly fire, 15-21 April
2003, p8.

[4] Scott A. Snook, Friendly Fire: The Accidental Shootdown of U.S. Black
Hawks over Northern Iraq, Princeton University Press, 2000. Details at

[5] William Safire, Of severe/acute: Is the acronym SARS redundant?
International Herald Tribune, 05 May 2003, available from

[6] C. R. Shrader, Amicicide: The Problem of Friendly Fire in Modern War,
Fort Leavenworth, Kansas: U.S. Army Command and General Staff College
Press, 1982.

Peter B. Ladkin, University of Bielefeld, Germany

Re: OpenBSD release protects against buffer-overflow attacks (R 22-71)

<"Jeremy Ardley" <>>
Sun, 4 May 2003 14:30:51 +0800

It is commendable that the OpenBSD group [*] is protecting against
buffer overflow attacks.

What is not so apparent is why technology that was developed and operating
over 30 years ago is just being re-invented in software.

The Burroughs 6700 implemented a hardware solution to the problem by
assigning 3 bits of every 51 bit memory location to the type of data

Memory that was tagged as data could not be executed. The result was that no
stack overflow attack was possible.

Today's Intel based fix appears to be a hack to work around a deficient
architecture.  The question that arises is why the architecture of today
ignores the solid groundwork of previous years?

  [Because mass-market operating systems don't use the protection that is
  available in today's hardware.  Note that Multics had a similar execute
  bit solution in 1965 that prevented execution of data.  Executable
  attachments are clearly an abomination.  PGN]

    [* Misattribution now corrected in ARCHIVE COPY.  PGN]

Re: Pilots fail exams (RISKS-22.71)

<Don Lindsay <>>
Sun, 4 May 2003 00:37:11 +0000 (GMT)

> The pilots couldn't pass the psychological and physical tests to be
> allowed to carry a firearm --- but flying huge planes full of people is
> OK.  Oh, this makes so much sense! The risks should be obvious.

Indeed, it does make sense. It would be risky to assume that one skill set
implies another.

The two domains (commercial piloting and inflight weapons use) do have some
things in common. Both require the ability to learn procedure, and both
require efficient action under stress. But they differ significantly.
Piloting involves relatively few interpersonal skills, whereas the use of
weapons requires judgments of motive and threat, discrimination of
perpetrators from hostages, and the like. Also, piloting can be done safely
by a bigot, but you don't give police powers to someone who feels that
everyone in a particular ethnic group is better off dead. Some people are so
nervous about weapons that their hand shakes, and they can't hit the broad
side of a barn door. And so on.

I'm pleased that domain-specific testing was applied.

  [Also commented on by Bill Hopkins.  PGN]

Re: Pilots fail exams (RISKS-22.71)

<"Vince Mulhollon" <>>
Mon, 5 May 2003 09:03:48 -0500

The belief that carrying a gun and flying an airplane are the same is a
false analogy.  That makes irrelevant the implication that failures of the
gun program are bad pilots.

I can think of several examples which would disqualify a pilot carrying a
gun, but not flying a plane.

As for failing the background check, an income tax cheater could be a felon,
and felons can't carry.  But, an income tax cheat could be an excellent,
safe pilot.

As for failing psychological tests, what about a conscientious objector?  If
a pilot learns during training, that they cannot take a human life, there is
no point in giving them a weapon.  A pilot who is unwilling to kill is
probably an otherwise safe pilot.

As for physical test failures, the impact load of a pistol is more intense
than any other physical task required to fly an airplane.  If someone has
experienced stress fractures in their arm or wrist in the past, it would be
dumb to give them a .45, as after they shoot the hijacker, they'd likely
break their arm again, and then be unable to fly the plane.  Or, as a
chronic issue, good marksmanship requires regular training, and someone with
tendonitis or carpal tunnel should probably not aggravate those problems by
regular firearms practice, although the low impact task of flying may be
perfectly safe.

Finally as for marksmanship training, the ability to get a bullseye has no
relation to piloting ability.

Re: Pilots fail exams (RISKS-22.71)

<"Toby Gottfried" <>>
Mon, 5 May 2003 08:27:57 -0700

 "Officials said the four rejections showed that the government was serious
 about providing guns only to pilots who were psychologically and physically
 fit to carry firearms in flight and defend their planes against attackers."

Can we presume, then, that these four would not be allowed to fly as
co-pilots with another pilot who had passed the tests and was armed?
