The RISKS Digest
Volume 23 Issue 37

Tuesday, 18th May 2004

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Please try the URL privacy information feature enabled by clicking the flashlight icon above. This will reveal two icons after each link the body of the digest. The shield takes you to a breakdown of Terms of Service for the site - however only a small number of sites are covered at the moment. The flashlight take you to an analysis of the various trackers etc. that the linked site delivers. Please let the website maintainer know if you find this useful or not. As a RISKS reader, you will probably not be surprised by what is revealed…


Las Vegas monorail delayed due to computer glitch
Chuck Weinstock
False Positive Risks
John Lettice via R.G. Newbury
'Blue Screen of Death' on hotel TV screen
Henry Baker
New UK Driving Licence puts Identity at risk
Adam Laurie
Forrester speeds up timeline on white-collar offshoring
Researchers find WiFi flaw
Sasser creator turned in for the reward
German Toll-Collect announces another delay...
Debora Weber-Wulff
Listen to your CPU and break RSA?
Gadi Evron
Banks don't understand phishing social risks
Samuel Liddicott
Fines reimbursed, drivers reinstated; faulty speed camera
Bertrand Meyer
Re: Hybrid vehicles may be hazardous to rescuers' health
Stephen Fairfax
Re: Auto-Blacklisting is a bad idea
Kyler Laird
Formal Methods for Industrial Critical Systems CFP
Diego Latella
Info on RISKS (comp.risks)

Las Vegas monorail delayed due to computer glitch

<Chuck Weinstock <>>
Tue, 11 May 2004 09:46:17 -0400

The Las Vegas strip $650M 3.9-mile monorail project is months behind
schedule.  The opening, which had been scheduled for 20 Jan 2004, was first
postponed to March, and now to the summer.  In January, a train drive-shaft
fell off in a test.  In February, a glitch was detected in the computer
control system that keeps trains spaced safely while moving at 50mph.
Bombardier (Canada) and Granite Construction Co. (Watsonville, California)
are paying about $85,000 a day in penalties.  The control system uses
Alcatel's SelTrac S40 Automatic Train Operating System.  Source: Associated
Press, 11 May 2004

False Positive Risks (John Lettice)

<"R.G. Newbury" <>>
Tue, 11 May 1982 13:25:18 -0400

Roger Benson and Miguel Espinoza brought a lawsuit against Identix and
California and Oregon because Identix's Livescan 10-print fingerprint
scanner assigned each of them an ID that was also assigned to someone else
who had a criminal record.

Benson was imprisoned for 43 days for carrying a firearm after he was
stopped in California for a traffic violation; the ID derived from his
fingerprint scan (incorrectly) matched that of someone with a completely
different name (William Lee Kellogg) who had been convicted for three
felonies in Oregon.  Records show that Benson's and Kellogg's biometric
fingerprint records are completely different — with Benson having only nine
fingertips!  Similarly, Espinoza claimed his restaurant business was
destroyed because his ID was shared by someone with a criminally negligent
homicide conviction.

The ability of this system to generate duplicate IDs has been known since
1996, but evidently not corrected.  In fact, Oregon has a list of 97 such
cases.  As usual, there is significant blame to go around — the system
itself, and the rather unimaginative use of it by law enforcement.  (On 11
May 2004, Identix sought to have the suit dismissed in San Jose Superior

Incidentally, the Department of Homeland Security has a contract for
Identix's fingerprint system, reportedly worth $27M.  The UK Passport
Service is also using this system.

[Source: John Lettice, DHS and UK ID card biometric vendor in false ID lawsuit,
*The Register*, 11 May 2004; PGN-ed]

'Blue Screen of Death' on hotel TV screen

<Henry Baker <>>
Wed, 12 May 2004 05:59:35 -0700

I'm staying in New York City at the Mandarin Oriental Hotel,
where every room has a 'high definition' flat panel TV screen
powered by a PC running Windoze XP Media edition.  This is
massive overkill, since the 'web' feature of the setup is
no better than what you would get with a 'thin' web browser.
(The quality of the TV picture also left a lot to be desired,
indicating that the $$ spent on the PC would have been better
spent on the TV itself, but that is a different story.)

Unfortunately, the PC malfunctioned in the middle of the
night, and completely froze — not responding to the IR wand,
or even trying to power cycle the various components using the
power on/off button..  Note: on this system, the power buttons
are all software interpreted, so when the software screws up,
there's no easy way to even power cycle it.

I was forced to pull a _very_ heavy dresser away from the wall
so I could get access to the power plug and power cycle the
system in this way.  It's only a matter of time before hotels
will disable this option as well, by hard wiring the power to
the system.

The risks of disabling the power buttons are clear — what if the system
were melting down and starting a fire?

New UK Driving Licence puts Identity at risk

<Adam Laurie <>>
Wed, 05 May 2004 08:29:39 +0100

To obtain the new UK photocard driving licence, you are required to
provide proof of your identity (see item 6 here):

My wife recently applied for one, and submitted her passport as proof of
identity. In due course, the licence arrived, but not the passport. When she
contacted the DVLA, she was told that they were always sent separately, and
the passport should have come first.

Given the following story, showing that the post office is losing 14.4M
letters a year, and the fact that the DVLA take no special precautions such
as registered post, we assumed the worst:

Fortunately, the passport eventually arrived, but a system that sends
crucial documents through a service that is losing such vast quantities of
its charges is clearly putting valuable documents, and thereby identities,
at grave risk, which seems to me to be criminally irresponsible of those in
charge of the DVLA.

Adam Laurie, A.L. Digital Ltd., The Stores, 2 Bath Road, London W4 1LT UK
+44 (20) 8742 0755

Forrester speeds up timeline on white-collar offshoring

<"NewsScan" <>>
Mon, 17 May 2004 10:10:36 -0700

Forrester Research says the export of [U.S.] white-collar jobs is happening
faster than it had first predicted back in 2002, but that its long-term
outlook for offshore outsourcing hasn't changed much since that report,
which estimated that a cumulative 3.3 million white-collar jobs would be
shifted to other countries by 2015.  Forrester's revised numbers project a
total of 830,000 jobs offshored by 2005, up from its earlier estimate of
just under 600,000.  Ironically, Forrester analyst John McCarthy says the
media's focus on the issue has encouraged more companies to experiment with
offshore outsourcing.  "While the press visibility has spurred offshoring's
emergence as a political third rail, it has also fostered an increase in
overall offshore alternatives," says Forrester's revised report.  [*Wall
Street Journal*, 17 May 2004; NewsScan Daily, 17 May 2004],,SB108474869663912901,00.html (sub req'd)

Researchers find WiFi flaw

<"NewsScan" <>>
Fri, 14 May 2004 08:23:38 -0700

Researchers at Queensland University of Technology in Australia have
discovered an easily-exploited vulnerability that can be used to take down
most 802.11 wireless networks. The flaw operates at lower network layers
than most previously-discovered security flaws in 802.11 networking, and
affects any network operating at the 2.4GHz frequency — which is the sole
frequency used by the most popular wireless protocol, 802.11b.  [*The
Australian*, 13 May 2004; NewsScan Daily, 14 May 2004, rec'd from John Lamp,
Deakin U.],7204,9549723%5E15306%5E%5Enbv%5E,00.html

Sasser creator turned in for the reward

<"NewsScan" <>>
Mon, 10 May 2004 08:45:38 -0700

The German teenager who created the computer worm Sasser was identified by
acquaintances seeking a $250,000 reward from Microsoft. The young man was
arrested in the village of Waffensen, near Bremen, and appeared shaken by
the extent of the damage his program had caused around the world. He faces
charges of computer sabotage, which under German law could mean his
imprisonment for five years. If the teenager is convicted, Microsoft will
make good on its pledge for the full $250,000 reward.  {*The Washington
Post*, 9 May 2004; NewsScan Daily, 10 May 2004]

German Toll-Collect announces another delay... (Re: RISKS-23.21)

<Debora Weber-Wulff <>>
Tue, 11 May 2004 12:47:13 +0200

... but in newspeak it is, of course, not announced as such.  The
public-private partnership Toll Collect, which was to have helped the German
Government rake in tolls starting last year, has kept posting delays. This
led to the Transport Secretary throwing them out in February 2004 but
reinstating them the beginning of March because they promised to start
testing in the summer and would have the first stage fully functional by Jan
1, 2005.

Experts laughed, but the government reinstated the consortium, and they got
to work.  AP reports (quoting the *Berliner Zeitung* from 10 May 2004) that
testing will not commence until October or November. [Well, I guess that's
Indian Summer... dww] The company is currently looking for errors in the
individual systems, the head of Toll Collect, Christop Bellmer, announced.
"The recent tests of the on board units are promising. The error rate was
just under3%, about 2% of that are software and 1% are hardware problems. "
[Translation dww].  [typo corrected in archive copy.  PGN]

THREE PERCENT error rate? For a security system of this size? But reading a
snippet from the proposal makes it clear where the error rate is coming from
[my translation]: (in German)

  TollChecker measures the vehicles three-dimensionally and determines a
  geometric vehicle model. With this, the number of axles are determined and
  trailers are recognized. From this data, the system determines the class
  of vehicle, in order to determine the appropriate fee. In addition,
  pictures of the vehicles and the license plates are taken with an infrared
  flash lighting that is invisible to the driver.  With this, the license
  plate can be automatically determined.

  The information from the control system is then compared by way of the
  communication interfaces [satellite!] with the data from the on-board unit
  and the data that was registered with the central computer system. Should
  it appear that some sort of falsification has occurred, the data will be
  stored as evidence.

All this computational effort to determine how many axles the vehicle has?
No wonder they are having problems! It seems to me that it would be a lot
easier to have the trucks buy stickers and police the use of the stickers!
For this they have built ugly toll station information collectors over all
the autobahns, have installed terminals that don't work in rest stops, and
are using satellite technology.

It seems that the assumption is that people are hell-bent on deceiving the
system, so they are trying to solve the social problem with technology, and
that is not working. Germany is suffering from this wild scheme because the
money was planned for repairing roads for the World Cup in 2006. Oh well,
anyone for a train? Just a few minor signalling and switching problems

[Added note from Debora: Here's a later followup on the Toll Collect:]

There are reports (for example
that 3 high school students have developed a toll collection system as part
of the "Jugend forscht" (Young Scientist Award given every year in Germany).
They spent only 1300 Euros on their system which uses WLAN technology and
broadcasts information on the number of axles to access points mounted over
the autobahns.  The data are then sent to a central computer, and when the
truck leaves the highway via an exit ramp, a bill is automatically sent to
the owner. This is similar to the toll system used, for example, on the
bridge between Denmark and Sweden.

The students won first prize in the Geosciences division. They were invited
to speak with TollCollect (the consortium that has not actually produced a
toll system yet but is burning money by the hayloads), but TollCollect said
that they would not use the technology because so much has already been
invested in the method that they are using.

I would give TollCollect first prize in the "Never-admitting-we-were-wrong"

Prof. Dr. Debora Weber-Wulff, FHTW Berlin, FB4, Treskowallee 8, 10313 Berlin
GERMANY  +49-30-5019-2320

Listen to your CPU and break RSA?

<Gadi Evron <>
Sat, 08 May 2004 18:46:09 +0200

A story hit slashdot today about a research done by Adi Shamir and Eran
Tromer on how you can perhaps break RSA keys by listening to a CPU.

The idea by itself i snot new. If you are interested you can look up
information on DPA and SPA as well.

I won't talk about how and what, you can find more information on the
following URL's, and they are pretty easy to read an understand.

/. article at:

Original article at:

As much as this technology is a risk and therefore a potential threat,
unless you are of the really paranoid (which would mean this interests you
considerably) there are far easier ways of attacking a computer.

This attack came to show how to attack the key, which is why it interests
these folks, I suppose, but it would be much easier to use TEMPEST if you
get access to actually install some tool to hear && (record || transmit) the
audio. Then again, if you get that close you could always install a Trojan
horse (which doesn't have to be software).

I would suggest TEMPEST would also be more reliable, but some testing is in
order and the POC is impressive in its simplicity and efficiency. I would
think a lot of research would be required for every CPU you intend to
attack, but I am apparently wrong (?).

Cost vs. benefit? I can't really see it. But it works!

This is pretty cool though! I have to admit that!
(adding another mark on my paranoia list).

+972-50-428610 (Cell) Backup:

  [See also an article by Dmitri Asonov and Rakesh Agrawal, Keyboard
  Acoustic Emanations, 2004 IEEE Symposium on Security and Privacy,
  pages 3--11.  PGN]

Banks don't understand phishing social risks

<"Samuel Liddicott" <>>
Mon, 17 May 2004 10:48:38 +0100

[This post has been edited slightly since being sent to the Co-operative
Bank (UK). No response had been received from the bank after 4 weeks]

Normally there are subtle differences between the way a bank operates and
the way phishing scams operate; typically any client initiated contact with
the bank is safe (typos aside).

Phishing scams generally work by initiating a fake contact from the bank
that directs users to transactions that scam the user.

The Coop bank is engaging in marketing practices indistinguishable from
those practiced by phishers, encouraging customers to believe that callers
claiming to be from the bank are indeed from the bank, making it easy for
phishers to impersonate the bank for the purposes of obtaining customers
security information.

Scammers would also need account number and sort code information that could
be had from disposed receipts, personal cheques, stolen/found wallets etc,
or obtained from the same phone call used to obtain the answers to security

A few times in this past year I have received a telephone call from the bank
(I suppose). The caller would identify themselves as being from the Coop
bank, and that before they could proceed, would I have any objection to
answering some security questions? I always refused to do so, not being able
to tell that they were really from the bank and not some fraudster currently
online to my bank and needing some help to answer my personal security

Recently, within the last few weeks, our of curiosity I took the call a
little further.

I told the caller that I would not answer the questions, for how could I
tell she really was from the Coop bank.

She assured me she was a genuine caller from the bank, and seemed to think
this assurance held some weight.

I suggested that for all I knew she was a fraudster who was on the line to
my bank that very moment and asking me the same security questions the bank
was asking her.

She finally understood my concerns enough and offered to let me call the
bank number given on the bank website and then ask for her extension, which
I did. When I then spoke to her, she said the call was just to make sure
that I knew, that since the Coop bank and Coop insurance had merged, they
could offer me combined products!  For some reason "making sure I knew"
needed me to answer personal security questions.

What is more concerning is not how sure the bank wanted to be that they were
talking to me, but that they put their customers into the habit of believing
that callers claiming to be from the bank are indeed from the bank.

And after all, what's the difference TO THE CUSTOMER between an e-mail
purporting to be from the bank (typical phishing scam) and a phone call
claiming to be from the bank?

I'll tell you the answer: On the bank website the customer is warned not to
believe e-mails from the bank. There are no such warnings about telephone
calls (yet).

Fortunately, while this sort of behaviour makes the banks customers more
susceptible to believing man-in-the-middle phishers, it doesn't affect me.

It is admirable that the bank authenticates its customers, but before it
does so the customers need to authenticate the caller as being the bank; I
don't know how many customers are competent enough to do this, and while
this is the case I think the bank should be careful what sort of
expectations they instill into their customers.

Fines reimbursed, drivers reinstated; faulty speed camera (R-23.35)

<"Bertrand Meyer" <>>
Sun, 16 May 2004 17:22:03 +0200

New developments on the Victoria (Australia) defective speed cameras
affair (see my note in RISKS 23:35):

  Almost 165,000 motorists caught by fixed speed cameras will have their
  fines waived or be paid compensation, costing the State Government $26
  million. This includes waiving $6.1 million in fines.  Hundreds of drivers
  who lost their licenses for speeding may be back on the road.  The State
  Premier Steve Bracks said that every one of the 90,000 speeding fines ever
  issued because of Western Ring Road fixed cameras would be repaid.

(Sums in Australian dollars. Summarized from the Melbourne Age, 15 May 2004,

"Wear and tear, poor installation and electromagnetic interference were
blamed for faulty readings on ring road cameras". The State Government is
blaming the supplier, now in "administration", which says it's being
scapegoated and was not in charge of camera maintenance.

The opposition criticizes the State Government for not releasing the full
report and is threatening to go to court to get it published

-- Bertrand Meyer
ETH Zurich — Eiffel Software

Re: Hybrid vehicles may be hazardous to rescuers' health (R-23.35)

<Stephen Fairfax <>>
Sat, 08 May 2004 16:10:21 -0400

My wife owns a Toyota Prius, and as an engineer interested in power
electronics and reliability I purchased and studied all the available shop
manuals and other technical documentation available for the vehicle.

The hybrid voltage battery is located in the trunk.  The Prius DC cables are
colored bright orange for visibility and easy identification. Unlike power
cables in 12 VDC systems, where the car chassis serves as the return
circuit, two cables carry the + and - DC to the power electronics.  This
means that a person would have to accidently touch both terminals to be
shocked.  In the unlikely but conceivable instance where damaged cable
insulation connects one cable to the metallic chassis, a ground fault
detection circuit would open the main DC relays (there are two, normally
open) and de-energize the cables. Any collision that activates the front
airbags will also cause the main DC relays to open and de-energize the
cables and power electronics.

Prius service technicians are taught about an easily accessible bright
orange plastic plug inside the trunk that can be pulled to physically
disconnect the battery and remove all power from the high voltage
electronics and cables.  First responders are trained not to touch anything
colored bright orange in the Prius.  There is also a control relay under the
hood that can be removed to open the main DC relays and de-energize the
cables.  I found instructions for removing that relay in about 15 seconds of
google searching using the search ("toyota prius" hazmat) at  As I am not a first responder I cannot comment on how
many read

Using the search ( "toyota prius" "high voltage" ) I found
the Toyota Emergency Response Guide (ERG), a 26-page PDF document explaining
the operation of the vehicle, roadside assistance, and emergency response
procedures.  During a fire, the car is treated as any other car fire.  As
the ERG notes, firefighters can not be expected to notice that the car is a
hybrid until after the fire has been knocked down.  The battery electrolyte
is potentially hazardous as it is a caustic alkali.  The electrolyte is
confined in a gel and will not normally leak even if the hybrid battery case
is cracked.

The DC cables do NOT run through the doors.  Many automobile wires, brake
hydraulic, and fuel lines run in or near the frames surrounding the doors,
as these are typically heavily reinforced and so offer good protection from
both normal wear and accidents.

While the dangers posed by hybrid batteries are real, in context they are
not very large, and Toyota seems to have done a commendable job of
anticipating and mitigating the hazards.  The new RISK arises from the fact
that this is new technology for automobiles and there is a transition period
where not all first responders have received appropriate training.  During
that transition period, uninformed speculation and misinformation could
result in unwarranted delays extracting an injured person or in controlling
a fire.

The greatest hazard in a damaged and motionless vehicle is almost always the
tank of gasoline.  Can you imagine the safety, environmental, and other
regulatory hullabaloo that would arise if we were trying to introduce
gasoline into vehicles for the first time today?

Re: Auto-Blacklisting is a bad idea (RISKS-23.36)

<Kyler Laird <>>
Mon, 10 May 2004 14:08:08 GMT

> ... challenge-response system warned that it was going to automatically
> blacklist my e-mail address if I didn't respond.

Anyone know when auto-blacklisting would be beneficial?  I'm not getting it.

If the message truly is spam, the sending address is probably bogus.  (I use
TMDA and I think I have the data to back up that assertion.)  Either the
address belongs to an innocent user (in which case auto-blacklisting has
negative value, as demonstrated above) or the address points into a bit
bucket somewhere (in which case blacklisting of any sort has little or no

On the rare occasion that a spammer sends a message with a legitimate sender
address, the challenge will be sent to the spammer.  It would be easy enough
for that spammer to respond to the challenge (even, as we've already seen,
if it requires some thought such as the image-based challenges) and the auto-
blacklisting is not engaged.

So now we're down to the tiny chance of a spammer sending a message with a
legitimate sender address from which he does not respond.  Now the auto-
blacklist engages and kills further messages from that address.  So?  The
effect seen by the intended recipient is the same as if auto-blacklisting
had not been used; either way, no messages are passed.

It's a stretch, but I'm willing to say that there is *some* benefit to not
sending challenges to the same (unresponsive) address repeatedly.  That
benefit is so tiny that it disappears in the noise compared to the problems
caused as a result.  Also, there is no benefit to the intended recipient
unless bandwidth has a very high cost.

Anything I'm missing?

  [PGN asked Drew Dean if he wanted to answer that question, and
  his response was evidently NO, Kyler has it right, although Drew
  added this counterquestion as to what might be added:

    That people often assume that things are linear and symmetric even
    when they aren't?
    Granted, much of the real world is linear and symmetric, so it's hard
    to fight against a large number of years of "life experience."  DD]

       [typo corrected in archive copy.  PGN]

Formal Methods for Industrial Critical Systems CFP

<Diego Latella <>>
Mon, 10 May 2004 11:56:15 +0200

The 9th ERCIM "Formal Methods for Industrial Critical Systems" Workshop will
be held in Linz, Austria (EU) on 20-21 September 2004

The aim of the FMICS <> workshops is to
provide a forum for researchers who are interested in the development and
application of formal methods in industry. In particular, these workshops
are intended to bring together scientists who are active in the area of
formal methods and interested in exchanging their experiences in the
industrial usage of these methods. These workshops also strive to promote
research and development for the improvement of formal methods and tools for
industrial applications.

Submissions are due by 21 June 2004.  Further information at

Dott. Diego Latella, Consiglio Nazionale delle Ricerche
Ist. di Scienze e Tecnologia dell'Informazione - ISTI
Via G. Moruzzi, 1 - I56124 Pisa, ITALY
phone: +39 0503152982 or +39 348 8283101
  fax: +39 0503138091 or +39 0503138092

Please report problems with the web pages to the maintainer