The Risks Digest

The RISKS Digest

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Volume 22 Issue 89

Tuesday 2 September 2003


Chips that can self-destruct
Kenneth Ng
Diebold voting machines
John Paulson
A new approach to roller coasters
Henry Baker
Battling the threat of data extinction
Man steals tracking device, which tracks him down
Careful typography in the CAIB report
Craig DeForest
EchoStar sued for `No-Call List' breach
Monty Solomon
Bahrain's proposed smart ID cards
George Mannes
802.11: When Is 54 Not Equal to 54?
Matthew Gast via Monty Solomon
EarthLink sues to stop Alabama and Vancouver spammers
Monty Solomon
Can't catch it? A virus can still hurt you.
Richard A. O'Keefe
Hackers cut off SCO Web site
Richard Forno via Dave Farber
More theories about Sobig vandal's motivation
Re: Sobig affects Amtrak trains, Air Canada
Scott Nicol
Re: "Good" worm fixes infected computers
Neil Youngman
More on the Davis-Besse worm attack
Martyn Thomas
Re: Satellite photo of Eastern North America during blackout
Dan Pritts
Re: Nasty elevator death at Houston hospital
Paul D. Walker
Richard H Miller
Re: Pilot fixes faulty jet
Daniel Lance Herrick
Info on RISKS (comp.risks)

Chips that can self-destruct

<"Ng, Kenneth (US)" <>>
Mon, 25 Aug 2003 15:51:55 -0400

Michael Sailor and colleagues at the University of California at San Diego
have developed a self-destruct mechanism that can be activated (with a
warning) if a machine detects that it has been stolen.  The first thought I
had was "program bug".  The second was "virus".  The third was "cyber denial
of service attack".  Personally, it wouldn't be the same without the "this
chip will self destruct in 5 seconds, good luck, Jim" followed by the
standard white smoke from Mission Impossible.
    [The technique involves adding gadolinium nitrate to silicon.  PGN]

Diebold voting machines

<john paulson <>>
Tue, 2 Sep 2003 11:57:59 -0700

The head of a company vying to sell voting machines in Ohio told Republicans
in a recent fund-raising letter that he is "committed to helping Ohio
deliver its electoral votes to the President next year."

    Inspired by remotely triggered self-destructing chips, how about voting
    machines that can be remotely instructed to add and subtract votes?
    Well, you might say, why bother?  It can already be done locally!  PGN]

A new approach to roller coasters

<Henry Baker <>>
Thu, 28 Aug 2003 10:03:58 -0700

  [FYI -- Note the use of Windows OS to run this thing.  HB]
     [Could give new meaning to the Blue Screen of Death. PGN]

``Roller coasters are boring. ...  But a new two-seat ride called
RoboCoaster is different.  Its 4,400-pound, 22-foot-long mechanical arm
provides a much wider array of twists and turns than any single traditional
coaster can, its makers say.  And because those whipping motions are just
about infinitely programmable, riders can have radically different
experiences on the same RoboCoaster, and can even customize their own
thrills. ...  Made by the German robotics company Kuka Roboter, the $350,000
RoboCoaster became available last November.  Fourteen have been installed,
two of them in the United States - at American World Resort in Wisconsin
Dells, Wis., and at C.J. Barrymore's, 30 miles north of Detroit.  Ten are
housed in a vast hall at the Legoland theme park in Billund, Denmark, where
they are called Power Builders.

Riders use a Windows-based touch-screen computer to program their own
RoboCoaster experience.  There are seven levels of difficulty, and within
each level are 14 movements -- dips, falls, rocket starts, butterfly rolls
and loops - lasting 5 to 15 seconds.  According to Legoland, more than 1.4
million combinations are possible.  With six axes, the robot can throw
riders in any number of directions, turning them upside down, spinning them
side to side, or making them swoop as if they were in a jet fighter -- all
at 1.9 G's, nearly twice the normal gravitational pull.  Optical sensors
attached to a motor in each axis calculate the position of the coaster's arm
every 32 milliseconds.  [Source: Taking Roller Coaster Limits for a Ride,
Noah Shachtman, *The New York Times*, 28 Aug 2003; PGN-abridged]

Battling the threat of data extinction (NewsScan)

<"NewsScan" <>>
Fri, 29 Aug 2003 09:35:18 -0700

Because most digital files are dependent on the operating systems in which
they're stored and the software applications used to create and access them,
would-be archivists are faced with the task of retaining and maintaining the
digital hardware necessary to read digital files as well as the files
themselves. "With each passing day, the reservoir of digital documents
grows," says Eastman Kodak manager Andrew Lawrence. "Often, there is no
associated hard-copy output to archive via conventional means. Over time,
the problem is that media decays and hardware and software platforms evolve,
placing the electronically stored information at risk." Lawrence suggests
the best approach to digital preservation is a dual track. For short-term
needs, users can maintain structured electronic archives in their native
formats. But for longer-term purposes, Lawrence suggests creating a
referenced archive of permanent document images in analog format, such as
microfilm, that could provide a technology-proof repository. Glenn Widener,
director of Internet technology at Swiftview, has a different solution. He
recommends using the Printer Control Language (PCL) format, invented by
Hewlett-Packard for its LaserJet family of printers, as an easy way to
preserve documents. "Many PCL viewers can view 15 to 20 years back. There
will always be commercial tools readily available to read it." Meanwhile,
Dan Schonfeld, director of products for Artesia, says his company's digital
asset management software enables users to archive viewers, readers and
players along with files. "Because we can store any type of media, we can
actually store applications as well as the media files themselves."
[TechNewsWorld 28 Aug 2003; NewsScan Daily, 29 Aug 2003

Man steals tracking device, which tracks him down

<"Peter G. Neumann" <>>
Mon, 1 Sep 2003 08:56:43 -0700 (PDT)

A man stole a $2500 GPS-based computerized home-detention tracking device
that had been temporarily left outside the home of the woman who was
supposed to be wearing it.  By the time she reported the loss, prison
officials had already rounded up the thief.  [Source: AP item 1 Sep 2003;

   [ADDED NOTE: The stolen device was apparently the transponder box.
   I presume the anklet was not removable.  PGN]

Careful typography in the CAIB report

< (Craig DeForest)>
Wed, 27 Aug 2003 15:19:13 -0600

I'm sure that many are reading and will contribute about the recent Columbia
Accident Investigation report:
A rare amusing moment occurs on p. 191, where noted communication expert
Edward Tufte analyses the horrific viewgraph layout used within NASA.

One of Tufte's points is that even a simple unit measurement ("cubic
inches") is laid out three different ways in a single viewgraph, making it
difficult to recognize that the three units are directly comparable (in this
case an analytical model that was designed for foam chunks up to 3 cubic
inches was used for a foam chunk that was over 300 times larger).  But a
diligent copy editor has regularized the three layouts in the corresponding
figure caption, obscuring Tufte's argument.

Tufte analysed the Challenger explosion in his fabulous book, "Visual
Explanations".  He convincingly argued that poor communication (caused in
part by bad charting of the relevant risk factors) played a significant role
in the loss of Challenger.  The same arguments seem to hold about Columbia.

EchoStar Sued for `No-Call List' breach

<Monty Solomon <>>
Thu, 28 Aug 2003 08:54:27 -0400

The state of Missouri sued EchoStar Communications Corp. on 27 Aug 2003,
accusing the satellite television giant of violating the state's
telemarketing "no-call" list, wrongly calling residents who had home
telephone numbers registered with the state's no-call list, pitching its
satellite equipment and television services.  [Source: Jim Suhr, AP Online,
27 Aug 2003; PGN-ed]

Bahrain's proposed smart ID cards

<George Mannes <>>
Thu, 28 Aug 2003 11:36:12 -0400

Bahrain Takes Swipe Into The Future With New Smart ID Cards, 26 Aug 2003, AP,

  Bahraini officials envision a photo ID card with a 64-kilobyte microchip
  holding the card holder's name, address, national identification number,
  digital fingerprints and driver's license, passport, medical, financial
  and educational data.  Users will be able to pay bills, withdraw cash,
  transfer money check their bank balances and conduct Internet transactions
  with a swipe of the card, and use the same card to votes in municipal and
  parliamentary elections.  "We truly believe that this is going to improve
  and change things dramatically," Sheik Ahmed bin Ateyatella Al Khalifa,
  undersecretary of the Central Informatic Organization, told reporters

Improve and change things dramatically for whom? The article -- which says
Bahrainis already used bar-coded ID cards for elections last October --
doesn't say. I'm guessing I'm not the only RISKS reader who'd be a tad
concerned about the RISKS of having all my personal, medical, financial,
educational -- and perhaps political-leanings -- data all in one convenient,
centrally informatic, location.

802.11: When Is 54 Not Equal to 54?

<Monty Solomon <>>
Mon, 1 Sep 2003 04:11:22 -0400

When Is 54 Not Equal to 54? A Look at 802.11a, b, and g Throughput
by Matthew Gast, author of *802.11 Wireless Networks: The Definitive Guide*
08 Aug 2003 (updated: 14 Aug 2003)

Now that the 802.11g standard has been finalized, comparisons with the other
standards in the 802.11 family are inevitable. One conclusion that is
frequently drawn is that 802.11g offers similar speeds to 802.11a. After
all, both products are advertised as having a data rate of 54 Mbps.

This article develops a simple model for the maximum TCP throughput of
802.11 networks so that a comparison can move beyond a simple comparison of
nominal bit rates. According to the model, 802.11g is significantly faster
than 802.11b. In a network consisting only of 802.11g clients, it is even
slightly faster than 802.11a. However, "protection" mechanisms added to
802.11g to ensure backwards compatibility with legacy 802.11b clients can
cut the throughput by 50 percent or more.  ...

EarthLink sues to stop Alabama and Vancouver spammers

<Monty Solomon <>>
Thu, 28 Aug 2003 08:51:12 -0400

Internet provider EarthLink Inc. said it sued operators in Alabama and
British Columbia for flooding its network with some 250 million unwanted
commercial messages, in an attempt to break their e-mail "spam" rings --
which reportedly hide behind a veil of bogus Web sites and e-mail accounts
bought with stolen credit-card numbers.  EarthLink estimates costs around $5
million in employee time and wasted bandwidth.  [Source: Andy Sullivan,
Reuters, 27 Aug 2003; PGN-ed]

Can't catch it? A virus can still hurt you.

<"Dr Richard A. O'Keefe" <>>
Wed, 27 Aug 2003 15:41:08 +1200

I thought I was safe.  My mail machine is an Alpha running OSF/1.  I use
mailx, which not only doesn't do anything in particular with attachments, it
wouldn't know an attachment if one bit it in the backside.  I suppose it's
theoretically possible to write a virus or worm for the Alpha, but there's
not that much thrill in persecuting orphans; the bad guys much prefer going
after idiot boxes.  So I thought no virus could possibly pose a threat to
*my* mail.


My mail comes through the University's Information Technology Services.
Quoting their recent "ITS Incident Report: E-Mail Services #2",

  E-Mail from off-campus destinations were lost by the University e-mail
  system from approximately 5:00 am until 4:45 pm on August 23.  People will
  have received an e-mail from the sender that contained no subject line or

In fact I received a couple of hundred such messages.  How could that be?
Continuing the quote:

  Since Wednesday August 20 [to Monday August 25] the University has
  received over 120,000 copies of the Sobig-F virus. ...  The University
  e-mail hubs scan all e-mail messages for viruses.  Any e-mail that
  contains a virus is quarantined and no further delivery attempts are made.
  The quarantined e-mail messages are occasionally analysed in order to
  trace the origins of viruses, with old e-mail messages purged as required.

So far so good.  They try hard to stop viruses getting through, and they
monitor the bad stuff so they can do a better job.  BUT

  With the advent of Sobig-F, the number of e-mail messages quarantined grew
  dramatically.  The file system on the mailhubs only permits 32,000 files
  per directory.  On Thursday last week one of the mailhubs hit this limit.
  At this time it was thought that the large number of quarantined e-mail
  messages was due to historical data not being purged.  However, another
  32,000 virus infected e-mail messages were intercepted by each of the
  mailhubs over the next 36 hours which caused similar failures to the one
  on Thursday.

  As a result of these failures, incoming e-mail messages could not be
  written to disk for virus and spam scanning.  When the system went to send
  on the e-mail to its destination, only the sender data was retained.

OOPS.  In hindsight, it was a bad idea to store quarantined messages and
good ones on the same file system, and it might not have been such a good
idea to store each quarantined message as a separate file.  However, I'm
pretty sure I wouldn't have thought of that without the benefit of

  The e-mail messages that have had their content lost are not recoverable.
  The only way for you to know the contents of those e-mail messages is to
  ask for the sender to resend the message(s).  You are urged to take care
  to only request a resend from known senders.  In the event that a request
  for a resent message is made to a spammer, you are likely to receive
  greater volumes of spam in the future.

The really sad thing here is that the guys in ITS *do* have a clue or two,
and were trying to do their job.

  ITS has now stopped reaining block e-mail messages containing viruses.

Oh dear.  Retaining messages was a *good* thing.  The sheer volume of bad
stuff has stopped them doing it.  Death of the net?  Oh yes, it's entirely
forgivable that they didn't spend a lot of time thinking about the problem
on Thursday, because tech support people around the campus have been as busy
as one-armed paperhangers trying to clean up after Blaster and Sobig-F.
Yes, they *do* stop those things entering through the network.  Yes, they
*do* provide up-to-date anti-virus software.  However, people _will_ run
Windows on their laptops, take them home, and bring the infection back...

Instead of just deleting all virus messages, I think it would be better to
retain a random sample of (say) 30,000 of them.

So I've learned something:  I can lose a couple of hundred messages because
of a virus my machine didn't catch and cannot catch, because of what the
virus did to a mail hub that didn't and couldn't catch it either.

I've also learned that if I receive e-mail without content or subject
line, I probably shouldn't delete it all, like I did.  Sigh.

  [The quoted text was quite sloppy.  Vastly too many "(sic.)"s have been
  removed, and various garbles fixed to make this message more readable.
  My apologies if I missed a few!  PGN]

Hackers cut off SCO Web site (via Dave Farber)

<Richard Forno <>
Mon, 25 Aug 2003 17:42:09 -0400

As an IT security professional but also someone who thinks the SCO-World
case is loonier than Franken-Fox, I'm not sure whether to smirk with
satisfaction or offer to help find the perpetrator....

Hackers cut off SCO Web site
By Martin LaMonica, CNET, 25 Aug 2003

This weekend, a denial-of-service attack took down the Web site of The SCO
Group, which is caught in an increasingly acrimonious row with the
open-source community over the company's legal campaign against Linux.
SCO's Web site was largely out of commission until Monday morning, a
representative of the Lindon, Utah-based Unix and Linux seller said Monday.
Performance measurement statistics from Netcraft indicated that the site had
been down since Friday night.

In a distributed denial-of-service (DDoS) attack, numerous computers
simultaneously send so much data across a network that the targeted system
slows to a crawl while trying to keep up with the traffic it's receiving.
The SCO representative could not say where this weekend's strike originated.
However, unofficial open-source spokesman Eric Raymond suggested in a
posting Sunday to open-source news Web site NewsForge that the attack was
launched by someone angry at comments from SCO executives criticizing the
open-source community's role in the legal battles over Linux.  [...]

Source: Dave Farber's IP distribution

More theories about Sobig vandal's motivation

<"NewsScan" <>>
Tue, 26 Aug 2003 08:28:20 -0700

Is money the real motivation for the spread of the Sobig virus? Sobig is
transmitted as an e-mail attachment and is the sixth variant of the
malicious code by an unknown attacker. Mikko H. Hypponen, director of
antivirus research at F-Secure corporation in Finland says: "I think the
motivation is clear: it's money. Behind Sobig we have a group of hackers
who have a budget and money." Computer security expert Russ Cooper suggests
that the vandal is acting out comic book fantasies: "You can liken this guy
to Lex Luthor and we're all Supermen. Luckily, we've been able to get the
kryptonite from around our necks each time so far." One popular theory is
that Sobig is the work of an e-mail spammer who is aggressively trying to
build a clandestine infrastructure for blitzing the Internet with junk
e-mail. Antivirus software researcher Joe Hartman of TrendMicro says, "If
machines remain infected they could be used in any kind of attack. The
question we ask ourselves is, What is he trying to achieve? We don't think
it's planned for a specific threat, rather its more likely a money-making
spam scheme." And Bruce Hughes of Trusecure points out: "There is some
evidence that he's been tied in with spammers." Sobig spreads further only
when a computer user selects the attached program that then secretly mails
itself to e-mail addresses stored in the user's computer. The Computer
Emergency Response Team at Carnegie Mellon University says, "Our current
advice is: Don't open an attachment unless you are expecting one."  [*The
New York Times*, 26 Aug 2003; NewsScan Daily, 26 August 2003]

Re: Sobig affects Amtrak trains, Air Canada (Leisner, RISKS-22.88)

<Scott Nicol <>>
Wed, 27 Aug 2003 22:17:34 -0400

According to a technically sparse press release by CSX
it wasn't the signalling computers that were affected, but rather the
communication lines that the signals are sent on.  One would have to
assume this means that the communication lines that are used for
signalling are also used for other purposes, including sending e-mail.

What happens when somebody inside CSX sends an e-mail to "all", on the
subject of, say, next years health plan choices, with a 20MB powerpoint
presentation attached?  Do the signals get blocked for a few minutes until
the e-mail is dispatched everywhere?

Re: "Good" worm fixes infected computers (Schindler, RISKS-22.87)

<Neil Youngman <>>
Wed, 27 Aug 2003 18:51:16 +0100

> Even though the new worm is "good," it can cause plenty of
> trouble for computer users ...  

I remember discussing the topic of "good viruses" and why there was no such
thing -- way back in 1989; see

Now I know of one company whose network was taken off line for at least 24
hours by this "good virus". A truly destructive "good virus" may have taken
a long time to arrive but I'm sorry to see that it finally got here.

More on the Davis-Besse worm attack (RISKS-22.88)

<"Martyn Thomas" <>>
Sun, 31 Aug 2003 15:00:15 +0100

"When the Davis-Besse nuclear power plant in Ohio was hit by the Slammer
worm [in Jan 2003], the reactor happened to be off-line.  But the worm
disabled a safety monitoring system for nearly five hours.  'We are still
working through the information to find out what happened', says a spokesman
for Akron-based FirstEnergy, which owns the plant."  [Source: *New
Scientist*, 30 Aug 2003, page 5]

Re: Satellite photo of Eastern North America during blackout (R-22.88)

<Dan Pritts <>>
Wed, 27 Aug 2003 17:15:06 -0400

Given the population density, I would be shocked if there were not more cars
and generators per square mile in metro NYC than anywhere else on the
continent.  Detroit and Cleveland are certainly much less densely populated
than metro NYC (I don't know about Toronto but it can't be any MORE dense).

I would also expect that the saturation of generators is likely very low in
all of these areas compared to the saturation of cars.  Most families have
multiple cars - few families have generators.  Obviously not all the cars
were on, but traffic snarls in NYC might also suggest that the commuters all
were still trying to get home 7 hours later.

Re: Nasty elevator death at Houston hospital (RISKS-22.87)

<"Paul D. Walker" <>>
Sat, 23 Aug 2003 22:30:19 +0800

> RISKS reported the earlier cases in Ottawa [...]

Actually, there were three deaths that summer from elevators.  I lived in
Ottawa during that summer and since then I have become extra cautious about
crossing elevator doors.

Re: Nasty elevator death at Houston hospital

< (Richard H Miller)>
Fri, 22 Aug 2003 10:08:51 -0500 (CDT)

> ... We also previously reported the Houston elevator that failed
> in the floods caused by Tropical Storm Allison and by default went down to
> the BOTTOM, drowning its occupant (RISKS-21.47).

Actually this is becoming a bit of an urban legend. The elevator did not
take the woman down to the basement. What happened was the several people
walked down to the lower levels of the garage to attempt to move their cars
higher.  [I believe it was the woman and a security guard].  In the basement
level, a wall separating the garage from the bayou was penetrated and the
water came rushing into the garage.  The woman was picked up by the water
and happened to be flung into the open elevator.  Some of the details may be
fuzzy but it was not a case of an elevator opening into a flood

Richard H. Miller, MCSE, Information Security Manager, Information Technology
Security and Compliance, Information Technology - Baylor College of Medicine

Re: Pilot fixes faulty jet (Ladkin, RISKS-22.88)

<daniel lance herrick <>>
Tue, 2 Sep 2003 13:42:16 -0400 (EDT)

Peter Ladkin's followup in RISKS-22.88 had the URL of a BBC story on the
incident. That story had a whole lot of (generally uninformed) comments
added at the end. There was one highly informative contribution:

 I was one of the passengers on this flight (with my wife and 2 young
 children) and have been amazed by the inaccuracy of the reporting on this
 event. The vote was not to see if we should "risk it" but merely whether
 passengers wanted to go the lengths of boarding the plane again (3rd time)
 to try and fly home. The only "risk" was that the plane would only be able
 to taxi to the end of the runway and because of the fault not start the
 initialisation sequence. We would then have had to go straight back to the
 terminal and wait at least another 4 hours for the engineers to be flown
 from the UK.

 All the news I have read today is about a "patched" plane "personally
 repaired" by the pilot and then us voting whether we thought it was safe to
 fly, which is just not the case but obviously makes for a better
 headline. It is funny that the bit of oil on the pilots shirt has now
 become him being "caked" and "covered" in oil!  Nigel, England

What a letdown!

Please report problems with the web pages to the maintainer