The RISKS Digest

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Volume 22 Issue 79

Tuesday 8 July 2003

Contents

The risks of assuming things: German payrolls
Debora Weber-Wulff
Radar operator's joke leads to fighter intercept
Ian Chard
"Soft walls" will keep hijacked planes at bay
Chris Meadows
Craig DeForest
Error in E-Mini Dow Futures creates havoc at CBOT, CME
Conrad Heiney
$180 Million for Piracy Conspiracy
Monty Solomon
Computer failure brings Hong Kong passenger to Melbourne
David Goll
Dead-pregnant-men software failure
Ed Ravin
Johnson Calls ATM Arrest Error 'Intolerable'
Keith A Rhodes
RFID Site Security Gaffe Uncovered by Consumer Group
Monty Solomon
Web site turns tables on government officials
Monty Solomon
FTC Increases Focus on Privacy
Bob Tedeschi via Monty Solomon
Web vandalism alert
NewsScan
Re: Cell-phone tracking
Thor Lancelot Simon
Microsoft Word "bytes" Tony Blair in the butt
Richard M. Smith
Dangers of MS Word, yet again
David Magda
New variant on the PayPal scam
Dawn Cohen
Re: Phantom voting in Israeli Knesset
Jonathan Kamens
Watch out for auto-dialing on cellphones
Danny Burstein
Glitches hit FTC 'do-not-call' list
Monty Solomon
Do not do not call?
Dawn Cohen
Risk of appropriating technology you don't understand
Doug Sojourner
About Do-Not-Call Lists
Mark Siegel
Re: New State Laws on Privacy
Don Colton
Info on RISKS (comp.risks)

The risks of assuming things: German payrolls

<Debora Weber-Wulff <weberwu@fhtw-berlin.de>>
Sun, 06 Jul 2003 23:08:26 +0200

The German government has a little problem. Up until now all of the
civil servants have been paid according to a pay scale that is the
same throughout Germany.  The salaries are paid out by the states, but
the federal government determines the pay level. The company SAP has
developed payroll software for the civil service that many states in
Germany use.  When a new payscale goes into effect, they just issue a
table update, and everything is fine.

Now suddenly the states are rebelling: Berlin has left the fold, and
just this week concocted a wacky payment system. Certain extras are
being cut, others kept, pay is being cut either 8, 10 or 12 percent
depending on what scale people are in, the work week is to be
decreased by 2 hours a week for most of them, etc. etc. No one really
understands it, except that Berlin is broke and is trying to save
money any way it can. The changes are to go into effect immediately -
except that there's the slight problem with the payroll system. It
assumes the same tariffs as everywhere.....

Looks like the folks down at SAP are going to have their vacations
canceled, as they try to whip up programs to institute this payment
schedule change.

Or as a colleague once said many, many years ago: No one can be *that*
crazy....  only to discover a few months later that there really was
someone with a really crazy schema for organizing stuff.

Prof. Dr. Debora Weber-Wulff, FHTW Berlin, FB 4, Internationale
Medieninformatik Treskowallee 8, 10313 Berlin  +49-30-5019-2320


Radar operator's joke leads to fighter intercept

<"Ian Chard" <ichard@cadence.com>>
Thu, 3 Jul 2003 15:27:41 +0100

Avweb Newswire
(http://www.avweb.com/newswire/9_27b/complete/185253-1.html):

"In Europe last week, French fighter jets almost shot down a civilian
helicopter that wandered over Lake Geneva, after a Swiss controller
jokingly labelled the helicopter as 'al-Qaeda' on his radar screen."

Ian Chard  RHCE  Unix systems administrator      E: ichard@cadence.com
European IT, Cadence Design Systems Ltd          T: +44 (0)1506 595019
The Alba Campus, Livingston, Scotland  EH54 7HH  M: +44 (0)7901 855073


"Soft walls" will keep hijacked planes at bay

<Robotech_Master <robotech@eyrie.org>>
Thu, 3 Jul 2003 10:17:29 -0500

Article in *NewScientist* about an interesting new technique for
keeping airliners from crashing into skyscrapers:
  http://www.newscientist.com/news/news.jsp?id=ns99993893

The proposal suggests

  modifying the avionics in aircraft so that the plane would fight any
  efforts by the pilot to fly into restricted airspace. So if a plane
  was flying with a no-fly-zone to the left, and the pilot started
  banking left to enter the zone, the avionics would counter by banking
  right. Lee's system, called "soft walls", would first gently resist
  the pilot, and then become increasingly forceful until it prevailed.

The risks of this technique I leave as an exercise to the reader.

Chris Meadows aka Robotech_Master robotech@eyrie.org
http://www.eyrie.org/~robotech


"Soft walls" = dangerous avionics?

<zowie@euterpe.boulder.swri.edu (Craig DeForest)>
Mon, 7 Jul 2003 13:03:45 -0600

Edward Lee, at U.C. Berkeley, is proposing to implement no-fly zones
around skyscrapers (and avoid a repeat of the 9/11 massacre) by using
GPS to override the controls of civilian aircraft.  Based on a
database (in the aircraft) of building locations, the on-board
avionics would force the controls of large airplanes to prevent them
from flying into large buildings (with presumably known locations).

There's an interesting article in this week's New Scientist
(http://www.newscientist.com/news/news.jsp?id=ns99993893) that talks
about Lee's system and relates it to other ideas for counter-
terrorism.  Interestingly, one advantage that Lee uses is that other
systems require radio links with the ground and therefore "can be
jammed, or hacked into" (while, presumably, GPS cannot?).

Not surprisingly, Lee says that pilots are "openly hostile" to the
idea.

It seems to me that the system falls prey to a weakness that so many
pseudo-security systems do: it's in essence a cooperative system,
rather than a pre-emptive one (by analogy to multitasking in the
computing world).  Even assuming the avionics work flawlessly, it
would be impossible to install the "soft wall" system on every
airplane in the country, let alone the world -- and it only takes one
airplane with the soft-wall avionics missing or disabled, to defeat
the purpose of the whole system.


Error in E-Mini Dow Futures creates havoc at CBOT, CME

<"Conrad Heiney" <conrad@fringehead.org>>
Thu, 3 Jul 2003 14:16:01 -0700

The Wall Street Journal today (7/3/03) reported that a mistaken order on
the Chicago Board of Trade's "e-mini Dow Jones Industrial Average
Futures" caused wild market swings today.

Apparently an order to sell 10,000 contracts instead of 100 was put in by
mistake. This caused the market, which had been on the upswing that day, to
plunge downwards in both the Chicago Board of Trade and the Chicago
Mercantile Exchange. Several traders reported assuming that some bad news
such as a terrorist attack had sparked the sell-off.

The RISK of a typo on an electronic system causing financial havoc is
once again made clear.

Conrad Heiney
conrad@fringehead.org
http://fringehead.org


$180 Million for Piracy Conspiracy

<Monty Solomon <monty@roscom.com>>
Sun, 29 Jun 2003 23:39:37 -0400

$180 million at $500 a month, Vickie Chachere, Associated Press, 28 Jun 2003

A man who schemed to steal satellite television signals now has
something much bigger than a cable bill to pay -- a whopping $180
million restitution order on which he is to make $500 monthly
payments.
http://www.orlandosentinel.com/news/orl-locpayback28062803jun28,0,5719929.story
http://yro.slashdot.org/yro/03/06/28/181227.shtml


Computer failure brings Hong Kong passenger to Melbourne

<David Goll <dgoll@national.com.au>>
Tue, 8 Jul 2003 11:46:04 +1000

From today's *Melbourne Age*:  According to reports on local radio this
morning, the lady in question was in possession of a branded boarding
pass which clearly identified her carrier as Cathay Pacific not Qantas.
One has to question our reliance on technology when even holding a
branded boarding pass, a passenger can inadvertently walk onto the wrong
flight and end up not only in a different country, but a different
hemisphere to boot!

http://www.theage.com.au/articles/2003/07/08/1057430177680.html


Dead-pregnant-men software failure

<Ed Ravin <eravin@panix.com>>
Mon, 7 Jul 2003 01:38:16 -0400

In a NY Times story about the effects of NY City budget cuts:

  http://www.nytimes.com/2003/07/07/nyregion/07BLOC.html?pagewanted=print

(link free until July 13 or so, after that they charge):

Is a discussion of yet another multi-million dollar software
development failure:

 Eight years ago, at the urging of [...] funeral directors, the
 city agreed to develop a computerized registration system [for the
 filing of death certificates].  About $3.2 million was spent to
 design one, according to an audit released on June 23 by the city
 comptroller. Then the plans were abandoned when the prototype system
 developed serious problems, like registering some men as having
 been pregnant when they died. The city now plans to spend $1.8
 million more for project design. The comptroller's audit called
 the aborted plans "a monumental waste" of taxpayer dollars.

The NYC Comptroller's press release announcing the audit is at:

 http://www.comptroller.nyc.gov/press/2001_releases/01-08-055.shtm

Where it is mentioned that the city Health Department, in charge of
the software development, violated both City and State procurement
procedures in using an existing contract with IBM for "computer
maintenance" to develop the new software system.  The full bill
for the system so far is more like $9-$10 million.  The system still
does not work, and the Health Department has issued a new RFP for
the project that does not contain any references to the old system,
so it appears they intend to throw it away.

The audit is available at:

 http://www.comptroller.nyc.gov/bureaus/audit/06-23-03_7A03-073.shtm

The Comptroller quickly reaches to the heart of the matter:

  "[...] the Department did not employ a formal systems development
  methodology or an independent software quality assurance consultant
  [as required by City rules, which] contributed to the apparent
  failure of this project."

Meanwhile, across the river in New Jersey, a similar project was
completed by leveraging an existing Sybase system from the New York
State Department of Health, taking only six months and $250,000.


Johnson Calls ATM Arrest Error 'Intolerable' (Re: RISKS-22.78)

<"Keith A Rhodes" <RhodesK@gao.gov>>
Mon, 30 Jun 2003 08:25:02 -0400

http://www.washingtonpost.com/wp-dyn/articles/A33576-2003Jun25.html

Although this article is focusing more on the local Prince George's
County police force and detective function -- which has gotten a lot
of bad press here in the DC area for quite a long time -- I think the
message that is being missed is that technology can give the exact
opposite result from that intended. Photographs from ATM cameras
linked with ATM card usage and the system clocks are supposed to
provide exact measures of events. However, if the ones using the data
do not carefully collect it and interpret it correctly, then -- as
this article states -- three apparently innocent people are arrested
and held for 22 days. Humans cannot be completely removed from
processes that have severe consequences, but the humans that are left
"in the loop" must understand that what they do has severe
consequences. They should, therefore, be very careful about what the
"system" is telling them. In this case, the detention of the three
innocent people has allowed a killer at least 22 days to get away.


RFID Site Security Gaffe Uncovered by Consumer Group

<Monty Solomon <monty@roscom.com>>
Tue, 8 Jul 2003 02:08:36 -0400

CASPIAN asks, "How can we trust these people with our personal data?"

CASPIAN (Consumers Against Supermarket Privacy Invasion and Numbering)
says anyone can download revealing documents labeled "confidential"
from the home page of the MIT Auto-ID Center Web site in two mouse
clicks.  The Auto-ID Center is the organization entrusted with
developing a global Internet infrastructure for radio frequency
identification (RFID). Their plans are to tag all the objects
manufactured on the planet with RFID chips and track them via the
Internet.  Privacy advocates are alarmed about the Center's plans
because RFID technology could enable businesses to collect an
unprecedented amount of information about consumers' possessions and
physical movements.  They point out that consumers might not even know
they're being surveilled since tiny RFID chips can be embedded in
plastic, sewn into the seams of garments, or otherwise hidden.  ...
  http://www.nocards.org/press/pressrelease07-07-03_1.shtml


Web site turns tables on government officials

<Monty Solomon <monty@roscom.com>>
Sat, 5 Jul 2003 00:28:42 -0400

Hiawatha Bray, *The Boston Globe*, 4 Jul 2003

Annoyed by the prospect of a massive new federal surveillance system,
two researchers at the Massachusetts Institute of Technology are
celebrating the Fourth of July with a new Internet service that will
let citizens create dossiers on government officials.  The system will
start by offering standard background information on politicians, but
then go one bold step further, by asking Internet users to submit
their own intelligence reports on government officials -- reports that
will be published with no effort to verify their accuracy.  ''It's
sort of a citizen's intelligence agency,'' said Chris
Csikszentmihalyi, assistant professor at the MIT Media Lab.  He and
graduate student Ryan McKinley created the Government Information
Awareness (GIA) project as a response to the US government's Total
Information Awareness program (TIA).  ...

  http://www.boston.com/dailyglobe2/185/business/
  Website_turns_tables_on_government_officials+.shtml


FTC Increases Focus on Privacy

<Monty Solomon <monty@roscom.com>>
Tue, 1 Jul 2003 00:28:13 -0400

Bob Tedeschi, *The New York Times*, 30 Jun 2003

What started more than a year ago as a California teenager's quest for
blue jeans ended this month with a warning shot from the Federal Trade
Commission, which is moving more aggressively against e-tailers seen
as too lax about protecting their customers' privacy.  Online
merchants say they can handle the commission's new scrutiny.  But some
people, including the young man who set off the FTC investigation in
this case, are not so sure. And given that the young man pointed out a
security flaw in another well-known online merchant last week, he may
be right.

In February 2002, Jeremiah Jacks, then a 19-year-old computer
programmer, was set to buy a pair of jeans on the Web site of Guess
Inc. But before entering his credit card information, he took the
unusual step of checking the site's security - not the security pledge
in Guess.com's privacy policy, but the company's actual practices.  In
the site's address bar he entered a string of characters that, on an
insecure site, would produce a page listing the credit card numbers of
the company's customers. The vulnerability, he said, is well known
within the programming community.

It worked. About 200,000 customer names and credit card numbers
appeared in Mr. Jacks's browser. In an interview last week, Mr. Jacks
recalled that he had immediately tried to inform Guess of its
vulnerability to such a break-in [an SQL injection].  Guess.com
ignored his entreaties, he said, and Mr. Jacks soon reported his
discovery to SecurityFocus, an Internet security news site owned by
the Symantec Corporation, which then notified Guess. Within hours, the
company fixed the site.

http://www.nytimes.com/2003/06/30/technology/30ECOM.html


Web vandalism alert

<"NewsScan" <newsscan@newsscan.com>>
Thu, 03 Jul 2003 09:30:59 -0700

Anonymous organizers of a Web-vandalizing contest this weekend say that the
goal will be to deface 6,000 Web sites in six hours, with winners to be
awarded prizes such as Web hosting space and Internet domain names. Pete
Allor of Internet Security Systems Inc., which runs a threat-detection
service, cautions Web operators: "The problem is now, and you shouldn't
wait until Sunday to address it." (Atlanta Journal-Constitution 3 Jul 2003)
http://www.ajc.com/business/content/business/0703/03hacker.html
NewsScan Daily, 3 Jul 2003

  [Apparently mostly small sites were hit.  PGN]


Re: Cell-phone tracking (Lesher, RISKS-22.78)

<tls@panix.com (Thor Lancelot Simon)>
28 Jun 2003 18:17:21 -0400

Knowing which location register (cell-phone networks use, essentially,
remote procedure call with callbacks between "location registers" to
authorize outbound calls, correctly route inbound calls, etc.) a phone is
currently active on, or has recently been active on, is *not* the same as
knowing where a phone is with GPS precision, nor even the same as knowing
which cell site a phone is currently speaking to.  Logs of transitions
between LRs ("roaming", even if that hardly exists from most customers'
points of view any longer) are useful and probably even necessary for
diagnosing connectivity and billing problems and for settling accounts among
providers.


Microsoft Word "bytes" Tony Blair in the butt

<"Richard M. Smith" <rms@computerbytesman.com>>
Mon, 30 Jun 2003 09:04:13 -0400

Microsoft Word documents are notorious for containing private
information in file headers which people would sometimes rather not
share.  The British government of Tony Blair just learned this lesson
the hard way.

Last week, Alastair Campbell, Blair's Director of Communications and
Strategy, was in the hot seat in British Parliament hearings
explaining what roles four of his employees played in the creation of
a plagiarized dossier on Iraq which the UK government published in
February 2003.  The names of these four employees were found hidden
inside of a Microsoft Word file of the Iraq dossier which was posted
on the 10 Downing Street Web site for use by the press.  The "dodgy
dossier" as it became known in the British press raised serious
questions about the quality of British intelligence before the second
Iraq war.

I wrote an article for my Web site about how a bit of computer forensics
analysis played a role in this controversy:

   http://www.ComputerBytesMan.com/privacy/blair.htm

Richard M. Smith  http://www.ComputerBytesMan.com


Dangers of MS Word, yet again

<David Magda <dmagda+risks@magda.ca>>
Thu, 3 Jul 2003 20:28:52 -0400

The British government learned the hard way about how Microsoft Word
documents keep a revision history:

http://www.wsws.org/articles/2003/feb2003/cnew-f10.shtml
http://www.computerbytesman.com/privacy/blair.htm
http://www.abc.net.au/pm/s779254.htm

The original analysis was supposedly this:

http://www.casi.org.uk/discuss/2003/msg00457.html

This is nothing new of course: see RISKS 20.83, 20.28, 17.76, 19.97,
18.46, 18.44, 18.41, etc.

This problem goes back to (at least) 1996 (RISKS 17.76) and yet
people are still bitten by this bug(?).

The more things change...

David Magda <dmagda at ee.ryerson.ca>, http://www.magda.ca/


New variant on the PayPal scam

<"Dawn Cohen" <COHEND@wyeth.com>>
Thu, 03 Jul 2003 09:23:02 -0400

I don't know exactly what it is about PayPal (as compared with any
other e-commerce sort of thing)...I seem to get more scam e-mails
targeting them than anything else, and all of these e-mails seem to
look very similar.  They all appear to be from PayPal, and include
HTML forms with legitimate PayPal images and have links with real
PayPal URL's.  The kicker is always that the submit button takes you
to a non-PayPal site.

The newest variant is a bit more insidious than the previous ones I've
received.  The submit button, as usual, takes you to a non-PayPal
site, but appears to immediately re-direct you to a valid PayPal page.
You have to either be looking in the page source for the non-PayPal
URL or be *very* quick to notice that you are going to a non-PayPal
URL, first.  And even the non-PayPal URL might be a little hard for a
naive user to catch, assuming they were fast enough to see it:

http://www.paypal.com0011101100011010011100011100001110001101001110001110000111000110100111000111000011100011@pizdatohosting.com/paypal/paypal.php
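
Added example, not part of the original post: a check a mail filter or analyst could run on an HTML message of the kind described above, resolving where each form really submits and flagging a brand name placed in the userinfo part of a URL (everything before the "@"). The sample message, its PayPal link and image paths, and all function names are constructed for illustration; only POSTED_URL is taken from the post.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# URL exactly as quoted in the post above.
POSTED_URL = "http://www.paypal.com0011101100011010011100011100001110001101001110001110000111000110100111000111000011100011@pizdatohosting.com/paypal/paypal.php"


def belongs_to(host, domain):
    """True only if host is the domain itself or a subdomain of it."""
    return host == domain or host.endswith("." + domain)


def check_url(url, trusted_domain):
    """Return (host actually contacted, findings) for one URL."""
    parts = urlsplit(url)
    host = parts.hostname or ""  # text after the last '@', lower-cased
    findings = []
    if not belongs_to(host, trusted_domain):
        findings.append("host-not-trusted")
    if "@" in parts.netloc:
        findings.append("userinfo-present")
        userinfo = parts.netloc.rpartition("@")[0].lower()
        if trusted_domain in userinfo:
            findings.append("brand-in-userinfo")
    return host, findings


class TargetCollector(HTMLParser):
    """Separate what the reader sees (links, images) from where data is sent."""

    def __init__(self):
        super().__init__()
        self.submit_targets = []
        self.display_targets = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "form" and attrs.get("action"):
            self.submit_targets.append(attrs["action"])
        elif tag == "a" and attrs.get("href"):
            self.display_targets.append(attrs["href"])
        elif tag == "img" and attrs.get("src"):
            self.display_targets.append(attrs["src"])


def audit_email(html, trusted_domain):
    """Flag messages whose visible URLs are genuine but whose form is not."""
    collector = TargetCollector()
    collector.feed(html)
    display_ok = all(
        not check_url(u, trusted_domain)[1] for u in collector.display_targets
    )
    bad_hosts = [
        host
        for host, findings in (check_url(u, trusted_domain)
                               for u in collector.submit_targets)
        if "host-not-trusted" in findings
    ]
    return {"display_all_trusted": display_ok,
            "untrusted_submit_hosts": bad_hosts}


# Constructed sample message: genuine-looking link and image, deceptive form.
SAMPLE_EMAIL = (
    '<img src="https://www.paypal.com/images/logo.gif">'
    '<a href="https://www.paypal.com/cgi-bin/webscr">Log in</a>'
    '<form method="post" action="' + POSTED_URL + '">'
    '<input name="email"><input type="password" name="pw">'
    '<input type="submit" value="Continue"></form>'
)

if __name__ == "__main__":
    print(check_url(POSTED_URL, "paypal.com"))
    print(audit_email(SAMPLE_EMAIL, "paypal.com"))
```

The check is static: it reports the submit host without fetching anything, so the redirect back to a valid page described above does not hide it.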


Re: Phantom voting in Israeli Knesset (Ravin, RISKS 22.76)

<Jonathan Kamens <jik@kamens.brookline.ma.us>>
Tue, 1 Jul 2003 16:13:09 -0400

It is worth noting that the computerized voting system used by the
Israeli Knesset has, as far as I know, no security whatsoever.  It
consists solely of a station of buttons at each Member of Knesset's
(MK's) seat for him/her to use to register his/her vote.  No
authentication is required for casting a vote.  All an MK has to do to
cast someone else's vote is to lean over and push the desired button
at the other MK's station.

In contrast, the electronic voting stations in the US House of
Representatives require a "Vote-ID" card to be inserted before a
Congressman can vote.  Furthermore, there are many fewer stations than
seats (Congressmen line up to vote at the stations), so I suspect that
the stations all have cameras trained on them throughout each vote,
such that if there is suspicion of wrong-doing after a vote, it is
straightforward to replay the video to find out who voted twice.

The US Senate has no electronic voting equipment -- counted votes are
conducted by roll-call or paper ballot.

This is surely far from the first time that MK's have voted for each
other.  In fact, I find myself wondering not how this could be allowed
to happen, but rather why a fuss is being made about this particular
instance of it.  If the Knesset really wanted to prevent it, they
could do so, so it seems to me that they haven't seen it as a problem.
Perhaps the culture within Israel's government is changing, such that
what was previously acceptable behavior is becoming unacceptable.


Watch out for auto-dialing on cellphones

<danny burstein <dannyb@panix.com>>
Tue, 1 Jul 2003 04:20:35 -0400 (EDT)

RISKS has previously pointed out the awkwardness that can result from
inadvertently tapping an auto-dial button on a cellphone. We now have a
burglar who will now have quite a bit of spare time to study RISKS.

Per the *NY Post* article, excerpts attached:

"It seems Boylan accidentally hit the redial button on his cell phone
during a burglary - providing the break-in victim with a voice-mail
recording of the crime in progress, said Detective Lt. Steve Skrynecki.

"Before the 3:20 a.m. burglary on Sunday, Boylan had called the victim's
girlfriend on her cell and spoke to the victim, the detective said.

"Somehow, Boylan "inadvertently hit the redial on his cell phone" while he
and his buddy ransacked the house and chatted as they grabbed a video-game
player, game cartridges, a remote-controlled car and an antique bayonet,
Skrynecki said.

"They had no idea their crime-scene commentary was being recorded on the
girlfriend's voice mail, Skrynecki said.

  http://nypost.com/news/regionalnews/2178.htm


Glitches hit FTC 'do-not-call' list

<Monty Solomon <monty@roscom.com>>
Tue, 1 Jul 2003 00:47:31 -0400

Nearly one-fourth of the consumers who tried to sign up for the
Federal Trade Commission's Do Not Call database haven't completed the
process, the agency said Monday. The agency blames in part a series of
technological glitches, including aggressive spam filtering by e-mail
providers that accidentally deleted some confirmation e-mails sent by
the FTC. But many consumers just haven't replied to the FTC e-mail,
which is the final step in the sign-up process, said FTC attorney
Eileen Harrington.  [Source: Bob Sullivan, Three million consumers
didn't finish sign-up process, MSNBC, 30 Jun 2003]
  http://www.msnbc.com/news/933138.asp


Do not do not call?

<"Dawn Cohen" <COHEND@wyeth.com>>
Tue, 01 Jul 2003 13:27:04 -0400

I found my way to the Web site for the national Do Not Call registry,
through the CDT Web site.

With great cheerfulness, I registered my two phone numbers.  I followed
the instructions:  I entered my phone numbers and one of my e-mail
addresses.  I received the automatic e-mails generated by the registry
Web site, and followed their instructions, which were simply to click on
a link in the e-mail and print out the confirmation on the linked Web
page.

"How simple!" thought I to myself.  "What a blessing!  With no effort at
all, I am relieved of countless nuisance calls that interrupt my
otherwise hectic dinner!"

"But wait a bit!  How does it know that the e-mail address I entered
corresponds to someone who legitimately has the rights to put my number
on the Do Not Call registry?  Oh well...I guess it doesn't
matter...suppose I go out of my way to take someone else off the
list...are they going to cry because they don't get a lot of
telemarketing calls?  I guess not.  No problem!"

"Oh, but wait...I think I saw a 'delete registration' button..."

Yup.  It works the same way.  Type in a phone number and your favorite
e-mail address, and you can make sure that that number is not on the do
not call registry!


Risk of appropriating technology you don't understand

<Doug Sojourner <dsojourner@matrixsemi.com>>
Mon, 30 Jun 2003 14:51:12 -0700

Like many other people, I registered at www.donotcall.gov the other
day. It seems like they are using a "validation" technique that is
often used for e-mail lists: contact the e-mail given to see if it
really belongs to the person trying to subscribe.

Alas, this does no good when you contact an e-mail to validate a phone
number.


About Do-Not-Call Lists

<Mark Siegel <web@eee.org>>
Sun, 29 Jun 2003 11:40:09 -0700

Assume for a moment, that do not call/do not spam lists are found to be
invalid/unenforceable/unconstitutional. 'They', now, have all the valid
e-mail addresses and phone numbers anyone could want.


Re: New State Laws on Privacy (RESmith, 22.78)

<Don Colton <don@colton.byuh.edu>>
Sat, 28 Jun 2003 19:07:44 -1000

What are the RISKs of a do-not-call (or do-not-e-mail) list?  How does
this process work?  Does a telemarketer purchase a copy of the
do-not-call list, or does the telemarketer submit his own copy and get
back a list of rejections?  Since conducting surveys is apparently
still allowed under the new law, will telemarketers use the
do-not-call list but employ a pseudo-survey marketing tactic?  Or will
the free market dictate that calling the unwilling is not a
money-making proposition?  Or is the list seeded with honey pots to
facilitate catching violators?  I find myself afraid to sign up.
