The RISKS Digest
Volume 22 Issue 90

Monday, 8th September 2003

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator



Men steal computers in high-security facility in Australia
David Landgren
Craig S. Bell
Handicapped's gas pedal on left side of car leads to 3 injuries
Kurt Thams
Blackout of mobile phone service in greater Frankfurt
Juergen Fenn
Nuclear powerplants may not have firewalls!!
Marty Leisner
Computer failures led to NE US blackout
Jeremy Epstein
Trade group tells DHS don't use MS
Curtailing online education in the name of homeland security
Jaeger/Burnett via Monty Solomon
Secrecy and the Patriot Act
Amy Goldstein
Identity Theft Victimizes Millions, Costs Billions
Jennifer 8. Lee via Monty Solomon
Victims of identity theft and account theft
California gets new privacy law
ICANN takes hits from lawmakers
The benefits and risks of robot surgery
Juergen Fenn
Eric W. Pfeiffer via Monty Solomon
Covert virus channels?
Rob Slade
The dangers of remote start on a car with manual transmission
Jason Lunz
Testing by Chimp? I think it too risky
Bob Heuman
Info on RISKS (comp.risks)

Men steal computers in high-security facility in Australia

<David Landgren <>>
Sat, 06 Sep 2003 12:41:42 +0200

Two men gained access to a high-security computer facility at Sydney International Airport, passing themselves off as contractors. They disconnected and walked off with two computers on a trolley. The Australian Federal Police and ASIO (Australian Security Intelligence Organisation) would like to know as a consequence to what extent their operations have been compromised.

Where once again it is shown that security is only as good as its weakest link:

Men steal computers in high-security facility in Australia

“Craig S. Bell” <>
Sat, 06 Sep 2003 19:00:57 GMT

This appears to have been an inside job. The stolen hardware may contain sensitive security / anti-terror information. I wonder whether they ran any sort of monitoring software that noticed whether the application was running. Even if they were monitoring, would anyone have been able to show up or alert the guards in two hours?

Considering the level of security at a corporate datacenter that I frequent, I can easily foresee how such a thing can happen — if you look like you know where you're going, you are rarely challenged by the superannuated private security guards, who often seem less aware of their surroundings than the janitorial staff.

Handicapped's gas pedal on left side of car leads to 3 injuries

<Kurt Thams <>>
Tue, 2 Sep 2003 15:48:28 -0700 (PDT)

Two elderly women and a young man were hospitalized Monday after an 85-year-old Stockton man driving on the Santa Cruz Municipal Wharf apparently mistook a car's gas pedal for the brake and struck four people. […] The car did not belong to (the driver) and had a gas pedal for handicapped drivers that extends to the left side of the car.


The article does not say whether there is any warning posted on the car that the vehicle's controls are not like other cars. Even so, one wonders if any driver accustomed to standard controls could avoid reflexively hitting the gas when he meant to hit the brake.

Blackout of mobile phone service in greater Frankfurt

<Juergen Fenn <juergen.fenn@GMX.DE>>
Sun, 07 Sep 2003 00:22:29 +0200

Mobile phone services of Deutsche Telekom's subsidiary company T-Mobile in the greater Frankfurt area were interrupted from 10am on 9 September 2003 until late evening when phones could be used again. A spokesman for T-Mobile said in a statement to “heise online” that the failure was probably due to a power blackout, or to a problem with the software the company is using. The blackout initially was said to end after two hours (report in German): Other telephone companies were not affected.

Nuclear powerplants may not have firewalls!!

“Marty Leisner” <>
Mon, 08 Sep 2003 10:25:12 -0400

[Source: The New York Times, 7 Sep 2003]

[…] But an incident in January at the Davis-Besse Nuclear Power Station, run by the FirstEnergy Corporation outside Toledo, Ohio, showed that this was not always the case. The nuclear plant has not been generating power since early 2002, but a computer system there that was not supposed to be linked to the Internet was invaded by a worm known as Slammer, causing the system to shut down for five hours. The event was not made public until Kevin Poulsen reported it on Aug. 20 on SecurityFocus.com, an information-security news site.

Richard Wilkins, a FirstEnergy spokesman, said the company realized after the worm struck that it did not have a firewall isolating its corporate computers from the computers controlling the reactors, but that it now had such a safety precaution in place.

SIX months after the Davis-Besse problem, the North American Electric Reliability Council, the industry group overseeing the electrical grid, announced that there were “documented cases in which bulk electric system control was impaired” by the same worm. It recommended that utility companies separate the computers running their power grids from their corporate networks.

I'm amazed by so many things…including they use commercial, virus-plagued operating systems to run their infrastructure.
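The NERC recommendation quoted above (separate the computers running the grid from the corporate network) amounts, in practice, to a default-deny policy at the boundary between two network zones. What follows is an added example, not code from the article, FirstEnergy or NERC: a toy zone-based policy evaluator in Python. The address ranges, zone names and the single permitted flow are constructed for illustration; the one fact taken from outside the article is that the Slammer worm propagated over UDP port 1434 (the SQL Server Resolution Service).

```python
"""Toy zone-based firewall policy illustrating corporate/control network
separation.  Added example, not code from the article or from FirstEnergy.
Zones, address ranges and the allowed flow are constructed; the only external
fact used is that Slammer spread over UDP port 1434."""

from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed zones: a corporate LAN and a reactor control network.
ZONES = {
    "corporate": ip_network("10.1.0.0/16"),
    "control": ip_network("10.200.0.0/24"),
}

# Explicit allow list across the boundary; anything not listed is dropped.
# Constructed: a single read-only historian export from control to corporate.
ALLOWED_FLOWS = {
    ("control", "corporate", "tcp", 5010),  # hypothetical historian feed
}


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str
    dport: int


def zone_of(addr: str) -> str:
    """Map an address to its zone; anything outside the defined zones is untrusted."""
    ip = ip_address(addr)
    for name, net in ZONES.items():
        if ip in net:
            return name
    return "untrusted"


def evaluate(pkt: Packet, segmented: bool = True) -> str:
    """Return 'allow' or 'deny'.

    segmented=False models the pre-incident state described in the article:
    no firewall between the two networks, so every packet passes."""
    if not segmented:
        return "allow"
    src_zone, dst_zone = zone_of(pkt.src), zone_of(pkt.dst)
    if src_zone == dst_zone:
        return "allow"  # intra-zone traffic is not this boundary's concern
    if (src_zone, dst_zone, pkt.proto, pkt.dport) in ALLOWED_FLOWS:
        return "allow"
    return "deny"  # default deny across every zone boundary


# Constructed sample traffic, including a Slammer-style probe.
SAMPLE = [
    Packet("10.1.5.23", "10.200.0.7", "udp", 1434),  # Slammer, corporate -> control
    Packet("10.200.0.7", "10.1.5.23", "tcp", 5010),  # permitted historian feed
    Packet("10.1.5.23", "10.1.9.1", "udp", 1434),    # Slammer inside corporate
    Packet("192.0.2.10", "10.200.0.7", "tcp", 445),  # outside -> control
]


def decisions(packets=SAMPLE, segmented: bool = True):
    """Evaluate each packet and return (src, dst, proto, dport, decision) rows."""
    return [(p.src, p.dst, p.proto, p.dport, evaluate(p, segmented)) for p in packets]


if __name__ == "__main__":
    print("without a boundary firewall:")
    for row in decisions(segmented=False):
        print(" ", row)
    print("with zone separation:")
    for row in decisions():
        print(" ", row)
```

Running the block prints the same four packets under both policies: with `segmented=False` the worm probe reaches the control zone, with the boundary in place only the one explicitly permitted flow crosses. The point is the default: a boundary that must enumerate what is allowed stops a worm it has never heard of, whereas a flat network relies on every host being patched.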

Computer failures led to NE US blackout

<Jeremy Epstein <>>
Thu, 4 Sep 2003 10:03:11 -0400

According to the WashPost, transcripts of telephone conversations released by the House Energy and Commerce Committee show that computer failures in monitoring the transmission lines left the operators blind. That meant they couldn't tell what was happening or control the systems, leading to the power surge that caused the blackout.

Readers of RISKS shouldn't be the least bit surprised…

Trade group tells DHS don't use MS

“Peter G. Neumann” <>
Tue, 2 Sep 2003 15:36:49 -0700 (PDT)

The Computer & Communications Industry Association (CCIA) has urged the Department of Homeland Security to reconsider its decision to use Microsoft software on its desktop and server systems, citing “major security failures” created by the raft of vulnerabilities in MS's products.

Curtailing online education in the name of homeland security

<Monty Solomon <>>
Wed, 3 Sep 2003 01:23:36 -0400

Curtailing online education in the name of homeland security: The USA PATRIOT Act, SEVIS, and international students in the United States by Paul T. Jaeger and Gary Burnett

ABSTRACT: Online courses have become an important part of the academic offerings of many institutions of higher education in the United States. However, the homeland security laws and regulations enacted since September 2001, including the USA PATRIOT Act, have created serious limitations on the ability of international students studying in the United States to participate in online educational opportunities. Placing online education within the context of the mutually beneficial relationships between international students and the United States, this article examines the assumptions and the impacts of these regulations on the students and the institutions of higher education. This article explores the enrollment limitations in online courses for international students in terms of information policy and concepts of presence and identity in online environments, offering an examination of the implications of this issue for education and information in the United States.

CONTENTS:
Introduction: The United States of America, immigrants, and visitors
International students in the United States
The USA PATRIOT Act and international students
Restrictions on the online education of international students
Identity and presence in online environments
Conclusion: The policy picture for education and information

Secrecy and the Patriot Act (Amy Goldstein)

“Peter G. Neumann” <>
Mon, 08 Sep 2003 09:59:02 -0400

[Source: Fierce Fight Over Secrecy, Scope of Law; Amid Rights Debate, Law Cloaks Data on Its Impact By Amy Goldstein, The Washington Post, 8 Sep 2003; Page A01; PGN-excerpted from a long and informative article]

In Seattle, the public library printed 3,000 bookmarks to alert patrons that the FBI could, in the name of national security, seek permission from a secret federal court to inspect their reading and computer records — and prohibit librarians from revealing that a search had taken place.

In suburban Boston, a state legislator was stunned to discover last spring that her bank had blocked a $300 wire transfer because she is married to a naturalized U.S. citizen named Nasir Khan.

And in Hillsboro, Ore., Police Chief Ron Louie has ordered his officers to refuse to assist any federal terrorism investigations that his department believes violate state law or constitutional rights. […]

By its very terms, the Patriot Act hides information about how its most contentious aspects are used, allowing investigations to be authorized and conducted under greater secrecy. As a result, critics ranging from the liberal American Civil Liberties Union to the conservative Eagle Forum complain that the law is violating people's rights but acknowledge that they cannot cite specific instances of abuse. […]

This summer, two major lawsuits were filed challenging the Patriot Act's central provisions. The Republican-led House startled the administration in July by voting to halt funding for a part of the law that allows more delays in notifying people about searches of their records or belongings. And the GOP chairmen of the two congressional committees that oversee the Justice Department have warned Ashcroft that they will resist any effort, for now, to strengthen the law.

Identity Theft Victimizes Millions, Costs Billions

<Monty Solomon <>>
Thu, 4 Sep 2003 23:01:39 -0400

Source: Article by Jennifer 8. Lee, 4 Sep 2003

About 3.3 million American consumers discovered within the last year that their personal information had been used to open fraudulent bank, credit card or utility accounts, or to commit other crimes, according to the Federal Trade Commission's first national survey on identity theft. The commission, in a report issued today, said these cases had collectively cost businesses $32.9 billion and consumers $3.8 billion.

In addition, 6.6 million people fell victim to account theft in the last year. Unlike identity theft, in which the criminal uses personal information to open and use accounts that are in the victim's name, account theft entails using stolen credit or A.T.M. cards, or financial records, to steal from the victim's existing accounts.

Such account-theft cases, the survey found, caused $14 billion in business losses and $1.1 billion in consumer losses. The vast majority of these cases, almost 80 percent, involved credit card fraud.

Though account theft and identity theft are often lumped together in popular perception, data from the survey showed that the consequences of identity theft were more severe. In identity theft, which accounted for nearly 10 million of the 27 million cases of both types in the last five years, the financial losses were greater, and it took victims longer to resolve the cases. […]

Victims of identity theft and account theft

“NewsScan” <>
Thu, 04 Sep 2003 09:17:35 -0700

[…] Half of all victims knew the method by which the thieves had obtained the personal information. About 25% of the victims said the information had been stolen through either the mail or the loss of a wallet, and 13% said it had been stolen in the course of a purchase or another transaction. [The New York Times, 4 Sep 2003; NewsScan Daily, 4 Sep 2003]

California gets new privacy law

“NewsScan” <>
Thu, 28 Aug 2003 08:30:19 -0700

California has just passed privacy legislation aimed at preventing banks, insurance companies and other institutions from sharing their personal information, and Gov. Gray Davis said: “Most Californians are stunned to learn that financial corporations trade their names for money. That is wrong, and when I sign this bill, that practice will stop.” The law will require permission from a customer before financial institutions share any information on that customer with an unaffiliated company or an affiliated firm in a different line of business. [AP/USA Today, 28 Aug 2003; NewsScan Daily, 28 Aug 2003]

ICANN takes hits from lawmakers

“NewsScan” <>
Fri, 05 Sep 2003 08:30:32 -0700

Rep. Howard Berman (D-Calif.) is critical of ICANN (the Internet Corporation for Assigned Names and Numbers) for not doing enough to stop scammers and child pornographers from registering under false names with stolen credit cards: “I'm disappointed with the failure of the marketplace and regulators to deal with this problem. A legislative solution seems necessary.” And Rep. Lamar Smith (R-Texas) agrees: “There's not a real seriousness of intent either by ICANN or the Department of Commerce to have an accurate whois database.” Commerce Department General Counsel Theodore Kassinger says that ICANN is busy working on solving the problem. [Reuters/USA Today, 4 Sep 2003; NewsScan Daily, 5 September 2003]

The benefits and risks of robot surgery

<Juergen Fenn <juergen.fenn@GMX.DE>>
Sun, 07 Sep 2003 00:11:40 +0200

The benefits and risks of robot surgery have been discussed in press reports in Germany recently. A medical robot constructed to make operations for inserting artificial hip and knee joint implants more precise has been criticised for allegedly causing severe harm to at least a small number of patients, German news magazine DER SPIEGEL reported recently (in German):,1518,262585,00.html,1518,262637,00.html

The reports are claiming “about two dozen cases” would be considered by medical experts as some former patients are seeking compensation for rather severe damages to their muscles and nerves after undergoing operations. Ten lawsuits are pending at a Frankfurt court. According to DER SPIEGEL a Los Angeles law firm is said to represent some American patients who underwent surgery at a clinic at Frankfurt, Germany, specialising in this kind of operations suing the American manufacturer of the system in mass action at a Californian court.

The report admits, however, that some 6000 operations have been done in all. Most operations are said to have been successful.

In a press release the body responsible for the clinic has said the system is also used in Korean and Japanese clinics routinely. Using “Robodoc” meant putting considerably less strain on patients than traditional methods. It is said to be working rather reliably. The risks of post-surgical complications would be much smaller than without the system, which has already been used for 10 years (in German):

A presentation of the robot's capabilities can be found at


<Monty Solomon <>>
Mon, 25 Aug 2003 11:00:59 -0400

By Eric W. Pfeiffer, Sep 2003, Technology Review

Soon, hardware and software that track your location will be providing directions, offering shopping discounts, and aiding rescue workers, services that promise a windfall for ailing telecom carriers.

Amanda sits idly at the bar of the trendiest restaurant in town, twirling a swizzle stick and sipping a cocktail. But cool as she looks, she's feeling anxious: her date is nearly 15 minutes late. She considers calling him but doesn't want to seem nervous or overeager. Still, she pulls out her cell phone, only instead of calling, she opens a special menu, enters his number, and sees that he is at the corner of Prospect and Broadway, not more than three minutes away. When he walks in, Amanda brushes off his apology, saying she wasn't at all worried.

Sound fanciful, or outright implausible? Lock on to location-based computing, the hottest thing in wireless, which offers new services to customers and new revenue streams to carriers, and could save lives in the process. The idea is to make cell phones, personal digital assistants, and even fashion accessories capable of tracking their owners' every movement, whether they're outdoors, working on the 60th floor, or shopping in a basement arcade. Already, Japanese telecommunications company KDDI offers over 100 different location-based services using technology developed by wireless-equipment maker Qualcomm, from bracelets to let parents track their kids in the park, to cell phones that point the way to cheap noodle shops in Tokyo's skyscraping Shinjyuku district. In Korea, two million citizens use their cell phones to locate nearby friends and, for example, find the most convenient coffee shops for impromptu meetings. In Europe, cell-phone networks can locate users and give them personalized directions to Big Ben, or the Eiffel Tower. […]

Covert virus channels?

<Rob Slade <>>
Wed, 3 Sep 2003 15:56:59 -0800

I am under attack. Or, at least, it feels like it.

Craig, in Atlanta, has a broadband connection, from He also has Sobig. And he's been sending me between 60 and 100 infected messages per hour for the past couple of days. (He seems to turn his machine off at night. Thank goodness.)

That's about all I can find out about Craig, given his email headers:

Received: from CRAIG ( [64.30.ZZZ.ZZ] (may be forged)) by (8.11.7+Sun/8.11.7) with ESMTP id h83LZkX08894 for <>; Wed, 3 Sep 2003 14:35:47 -0700 (PDT)

After all, Sobig isn't one of those viruses, like Sircam and Klez, that steals info from your machine and broadcasts it all over the net.

Or is it?

Given the number of messages I've received from him over the past two days, I've got a pretty complete list of the email addresses on his machine.

Not knowing the rag, I don't know whether I'm supposed to be impressed that he is in contact with He seems to be into self-promotion— and And maybe trying to set up his own business ( He does seem to be trying to better himself, maybe get an education ( and He might be aware that something is wrong with his machine: he seems to be rather eclectic in terms of where he goes for help (,,,

All of this may be due to an impending marriage: is he searching for an engagement ring ( And, if so, does his fiancee know about,,,, and

Then again, maybe he's a terrorist:

(For those both ethical and unobservant, I have tried to mung anything that seemed to identify any person.) or
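Rob's observation rests on the Received header: whatever the worm forges in the From line, the connecting host's IP address and sendmail's “(may be forged)” annotation (added when the name obtained by reverse DNS does not resolve back to the connecting address) are written by the receiving mail server. The following added example, not part of Rob's post, parses sendmail-style Received headers and flags a source that exceeds a per-hour message threshold, in the spirit of the 60 to 100 messages an hour he describes. The sample headers are constructed, with documentation-range addresses (192.0.2.0/24) standing in for the munged real ones; host and mailbox names are placeholders.

```python
"""Parse sendmail-style Received headers and flag hosts flooding a mailbox.
Added example, not part of the original post.  Sample headers are constructed
with documentation-range IPs; names are placeholders."""

import re
from collections import Counter
from email.utils import parsedate_to_datetime

RECEIVED_RE = re.compile(
    r"from\s+(?P<helo>\S+)\s+"              # name the client announced in HELO/EHLO
    r"\((?P<rdns>[^\s\[\]]*)\s*"            # reverse-DNS name, possibly empty
    r"\[(?P<ip>[^\]]+)\]"                   # connecting IP address
    r"\s*(?P<forged>\(may be forged\))?\)"  # sendmail: rdns name did not resolve back to ip
    r".*?;\s*(?P<date>.+)$",                # timestamp follows the last ';'
    re.DOTALL,
)


def parse_received(header: str):
    """Return helo, rdns, ip, forged flag and an aware datetime, or None if unparsable."""
    m = RECEIVED_RE.search(header)
    if not m:
        return None
    return {
        "helo": m["helo"],
        "rdns": m["rdns"],
        "ip": m["ip"],
        "forged": m["forged"] is not None,
        "when": parsedate_to_datetime(m["date"].strip()),
    }


def flooding_sources(headers, per_hour_threshold=30):
    """Count messages per (ip, hour bucket); return {ip: worst hourly count}
    for every source at or above the threshold."""
    counts = Counter()
    for h in headers:
        rec = parse_received(h)
        if rec is None:
            continue
        hour = rec["when"].replace(minute=0, second=0, microsecond=0)
        counts[(rec["ip"], hour)] += 1
    worst = {}
    for (ip, hour), n in counts.items():
        if n >= per_hour_threshold:
            worst[ip] = max(worst.get(ip, 0), n)
    return worst


def forged_sources(headers):
    """IPs whose reverse-DNS name sendmail marked '(may be forged)'."""
    return sorted({r["ip"] for r in map(parse_received, headers) if r and r["forged"]})


def _constructed_header(ip, rdns, helo, minute, forged, msg_id):
    """Build a constructed header in the sendmail format seen in the post."""
    note = " (may be forged)" if forged else ""
    return (f"Received: from {helo} ({rdns} [{ip}]{note}) "
            f"by mail.example.org (8.11.7+Sun/8.11.7) with ESMTP id {msg_id} "
            f"for <user@example.org>; Wed, 3 Sep 2003 14:{minute:02d}:47 -0700 (PDT)")


# Constructed: one infected host sends a message a minute for an hour,
# plus a single message from a legitimate relay whose rDNS checks out.
SAMPLE_HEADERS = (
    [_constructed_header("192.0.2.10", "adsl-10.isp.example", "CRAIG", m, True, f"h83{m:05d}")
     for m in range(60)]
    + [_constructed_header("192.0.2.50", "mx1.example.com", "mx1.example.com", 5, False, "h83A0001")]
)

if __name__ == "__main__":
    print("flooding:", flooding_sources(SAMPLE_HEADERS))
    print("forged rDNS:", forged_sources(SAMPLE_HEADERS))
```

The threshold is deliberately per source IP rather than per claimed sender, since a worm of this kind forges a different From address on nearly every message; the constant that survives across all of them is the connecting address recorded by the receiving server.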

The dangers of remote start on a car with manual transmission

<Jason Lunz <>>
Wed, 3 Sep 2003 14:23:13 -0400
[This story appeared on a local chat mailing list. It's forwarded to RISKS and rewritten for brevity with permission. Jason]

An online acquaintance of mine has a manual-transmission car with remote start option. On Saturday, a stuck antenna switch on the console needed to be cleaned. The car was parked, out of gear, with the hand brake on. To operate the switch, the hand brake had to be released, so the car was put in gear to stop it from rolling. The antenna switch was cleaned and returned to working order.

On Sunday when the car was next needed, its state was momentarily forgotten. The remote start button was pressed several times. Nothing happened. The car alarm was disarmed, and trunk opened for loading. The remote start button was tried again, this time with disastrous results. The car started, then proceeded driverless over a curb, over some rosebushes, over a sapling, and over an embankment wall.

The risk is obvious. Why would it be possible for a remote start feature to engage with the car in gear? My automatic-transmission car won't shift out of park unless a safety interlock is disengaged, and the safety won't operate unless I put my foot on the brake. It's not clear why something as potentially dangerous as a remote start system wouldn't take similar precautions.

Testing by Chimp? I think it too risky

Tue, 02 Sep 2003 21:57:17 -0400

How do I describe the risks of using programs tested by Chimps paid 45 cents per hour (Banana Dollars?)… This is definitely outsourcing, but who is it who is out of their mind?

Found at

Chimps go ape for Visual Basic 6.0

Funny enough, this is no joke [*]. A company in Des Moines, Iowa is teaching computer programming skills to chimpanzees and has plans to resell their services in outsourcing contracts. Primate Programming Inc. recently conducted research that claims computer programming is a task that most higher primates can perform. And, according to the company, the primate programming language of choice is Microsoft Corp.'s Visual Basic 6.0. Primate Programming is offering software maintenance and report writing services — all conducted by chimpanzees — for approximately US$0.69 per hour. The company also offers software testing for US$0.45 per hour — a lower price since the chimps require less skill to conduct tests. Visit for more information.
