The RISKS Digest
Volume 23 Issue 68

Wednesday, 26th January 2005

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator



Risk Analysis and the War on Terrorism
Curt Sampson on James Fallows
FBI axes Carnivore, eats investment
E-waste is piling up
Drug histories exposed
A-List Jury
Howard M Israel
A-Train in New York City disabled
Ken Knowlton
F/A-22 crash
Peter B. Ladkin
Figure this out: system configuration
Lindsay Marshall
HTTPS .ne. secure
Jeremy Epstein
No e-mail return address
Louise Pryor
PayPal contradicting its own security advice
Tim Huckvale
Re: eBay open invitation to phishing scammers
Drew Dean
REVIEW: "Outsourcing Information Security", C. Warren Axelrod
Rob Slade
REVIEW: "Degunking Your Email, Spam, and Viruses", Jeff Duntemann
Rob Slade
Info on RISKS (comp.risks)

Risk Analysis and the War on Terrorism

<Curt Sampson <>>
Wed, 19 Jan 2005 13:38:10 +0900 (JST)

In the January/February 2005 issue of _The Atlantic Monthly_ there is
an article by James Fallows entitled "Success Without Victory," discussing
risk management as it applies to the war on terror.

One key point is that there are people out there who, in the tradition
of RISKS readers themselves, take a sensible and scientific approach to
the war on terror, seeing it as an exercise in risk management rather
than something that can be "won," causing all of the risks to go away:

  There will always be a threat that someone will blow up an airplane or a
  building or a container ship.... But while we have to live in danger, we
  don't have to live in fear. Attacks are designed to frighten us even more
  than to kill us. So let's refuse to magnify the damage they do. We'll talk
  about the risk only when that leads to specific ways we can make ourselves
  safer. Otherwise we'll just stop talking about it, as we do about the many
  other risks and tragedies inevitable in life.

  We cannot waste any more time on make-believe....measures that seem
  impressive but do not make us safer, such as national threat-level
  warnings and pro forma ID checks. The most damaging form of make-believe
  is the failure to distinguish between destructive but not annihilating
  kinds of attack we can never eliminate but can withstand and the two or
  three ways terrorist groups could actually put our national survival in
  jeopardy. We should talk less about terrorism in general and more about
  the few real dangers.

  Screening lines at airports are perhaps the most familiar reminder of
  post-9/11 security. They also exemplify what's wrong with the current
  approach. Many of the routines and demands are silly, eroding rather than
  building confidence in the security regime of which they are part.

  [Daniel] Prieto argues that the roughly $4 billion now going strictly
  toward airline passengers could make Americans safer if it were applied
  more broadly in transportation — reinforcing bridges, establishing escape
  routes from tunnels, installing call boxes, mounting environmental
  sensors, screening more cargo. All these efforts combined now get less
  than $300 million a year, which will drop to $50 million next year.

Where the article gets really interesting, however, is in pointing out
the political barriers to doing the rational thing from a risk-analysis
point of view. For example, spending less on airline security in order
to spend more on land and water transportation:

  Rationally, this is an easy tradeoff: less routine screening of passengers
  who don't call out for special attention (watch lists, travel and spending
  patterns, and other warning mechanisms can be improved), in exchange for
  more and faster work to reduce the vulnerabilities of bridges, tunnels,
  and ports. In wartime a commander would easily make such a decision to
  protect his troops.  But politically this decision is almost
  impossible. Such a tradeoff would make it likelier that some airplane,
  somewhere, would be blown up. If that happened, whoever had recommended
  the change would be excoriated — even if more people had been spared
  equally gruesome fates in subways or near ports.

And even examples of where this is already happening:

  [Terror and counter-insurgency experts] understand that this struggle will
  be with us for a very long time, that success will mean reducing rather
  than absolutely eliminating the threat of attacks, and that because there
  is no enemy government or army to surrender, there can be no clear-cut
  moment of victory. "Ironically, when President Bush said this in the
  campaign, he was immediately jumped upon," Jenkins said. "It was a moment
  of truth for which he was promptly punished. Senator Kerry had a similar
  moment, when he said that the objective was to reduce terrorism to no more
  than a nuisance. Conceptually that was quite accurate, even if it was not
  the most felicitous choice of words. And he was punished too.  In a
  campaign with a great deal of nonsense about the threat of terrorism,
  these two moments of truth were mightily punished, and the candidates had
  to back away and revert to the more superficial and less supportable

The article goes on with some general and specific recommendations for
improving the security of America against terror attacks.

The approach will be nothing new to RISKS readers, though the details may
be. But I find it very hopeful that articles like this are appearing in
general interest magazines rather than just specialized forums like this.

The article is available on-line to _The Atlantic Monthly_ subscribers at

If you are not a subscriber but know one, he can e-mail you a link that will
make the full article available to you for three days.

Curt Sampson  <>   +81 90 7737 2974

FBI axes Carnivore, eats investment

<"NewsScan" <>>
Wed, 19 Jan 2005 09:08:42 -0700

The FBI has abandoned its custom-built Internet surveillance technology,
dubbed Carnivore, and is now using commercial software to eavesdrop on
computer network traffic during investigations of suspected criminals,
terrorists and spies. In addition, it's asking Internet service providers to
conduct wiretaps on targeted customers, when necessary.  Carnivore
initially was developed because commercial tools available in 2000 were
inadequate, but FBI spokesman Paul Bresson says the Bureau moved a while ago
to using popular commercial wiretap software because it's less expensive and
has improved in its ability to copy e-mails to and from a specific Internet
account without affecting other subscribers. "We see the value in the
commercially available software; we're using it more now and we're asking
the Internet service providers that have the capabilities to collect data in
compliance with court orders," says Bresson. The FBI didn't disclose how
much it had spent on Carnivore, but outside experts estimate expenditures at
somewhere between $6 million and $15 million.  [AP, 18 Jan 2005; NewsScan
Daily, 19 Jan 2005]

E-waste is piling up

<"NewsScan" <>>
Fri, 21 Jan 2005 10:14:49 -0700

Consumers' penchant for constant upgrades — new cell phones, a sleeker
laptop — is causing havoc in the environment, and with technology products
now accounting for as much as 40% of the lead in U.S. landfills, e-waste has
become one of the fastest-growing sectors of the U.S. solid waste
stream. The International Association of Electronics Recyclers estimates
that Americans dispose of 2 million tons of electronic products a year --
including 50 million computers and 130 million cell phones — and China,
which has served for years as the final resting place for Americans'
unwanted TVs and computers, is becoming overwhelmed by the volume. Some
high-tech companies are taking matters into their own hands — Hewlett
Packard and Dell job out their e-waste handling to environmentally sensitive
recyclers such as RetroBox — but such efforts are still quite limited and
unable to cope with a problem that's reaching crisis proportions. Meanwhile,
the U.S. is the only developed country not to have ratified the 1992 Basel
Convention, the international treaty that controls the export of hazardous
waste. "There's a real electronics-waste crisis," says Basel Action Network
coordinator Jim Puckett. "The U.S. just looks the other way as we use these
cheap and dirty dumping grounds."  [*The Washington Post*, 21 Jan 2005;
NewsScan Daily, 21 Jan 2005]

Drug histories exposed

<"Peter G. Neumann" <>>
Wed, 26 Jan 2005 17:35:17 PST

An investigation by *The Harvard Crimson* was reported in that newspaper on
21 Jan 2005, noting that a Harvard University website, iCommons Poll Tool,
for months had contained confidential information on the drug purchase
history of students and employees that was easily accessible to outsiders.
After *The Crimson* demonstrated this to university officials, the website
was immediately shut down.  Authentication information required for access
was based on a Harvard ID and birthdate that were easily available on the
Web.  In addition, the Family Educational Rights Privacy Act (FERPA)
requires that students may request a special security status for total
privacy, and that status was not properly enforced.  The university's drug
insurer, PharmaCare, also had the same problems — which still existed at
the time of the article in *The Crimson*.  This is seemingly a violation of
the HIPAA legislation, which prohibits unauthorized disclosure of
individuals' medical records.

  [I suppose if medicinal uses of marijuana were covered by insurance,
  someone might have found the situation HIPAA-pot-amus-ing.  PGN]

A-List Jury

<Howard M Israel <>>
Mon, 17 Jan 2005 16:35:46 -0500

A computer glitch at the state Office of Jury Commissioner alphabetized
names of potential jurors, rather than shuffling them, before summonses were
sent out. That created a jury pool of people whose last names mostly begin
with the letter "A".

Howard Israel, Avaya Global Services, Avaya, Inc.  1-732-852-3353

  [Suffolk Superior Court, Massachusetts.  That must be as random as
  anything else they do.  None of the lawyers objected!  PGN]

A-Train in New York City disabled

<Ken Knowlton <>>
Tue, 25 Jan 2005 09:48:54 EST

On 25 Jan 2005, a homeless man trying to keep warm (says the early report)
started a fire that wiped out a control room, disabling New York City's 'A'
subway line indefinitely, and seriously curtailed service on several other
lines; it may take months, possibly years, to repair the damage. The subway
controls destroyed are those that automatically prevent closely-spaced
trains from colliding.

F/A-22 crash

<"Peter B. Ladkin" <>>
Wed, 19 Jan 2005 08:34:41 +0100

On 20 Dec 2004, an F/A-22 crashed on takeoff from Nellis Air Force Base,
Nevada (*Aviation Week*, 3 Jan 2005, pp21-22).  According to *Aviation Week*
(10 Jan 2005, p19), based on preliminary data, "Pentagon leaders believe"
that the cause was a problem in the digital flight control system (DFCS).

The short article quotes an unnamed official that, after an apparently
normal takeoff roll, once airborne the pilot had "no control over pitch, yaw
or roll." Those are the names for the movements about the three axes which
constitute the aircraft's movement in the air. The pilot apparently received
no warning of a failure.

According to the 3 Jan article, in September an F/A-22 was stressed to
10-11g when flying through the wake of an F-16 while carrying external fuel
tanks. The operational limit on the aircraft is 9g. The incident was put
down to a feature in the DFCS software producing a violent pitch
reaction. The pitch gain was calibrated for low-altitude operations, but the
aircraft was manoeuvring at high altitude.  The SW was modified. The
incident aircraft was grounded, and it is uncertain whether it will fly

The F/A-22 is the U.S.'s new stealthy air superiority fighter.  The program
is notorious for its tardy and expensive SW development, and thereby ran
into funding difficulties with the U.S. Congress, indeed I believe it was
threatened with cancellation.

The crash of a prototype YF-22A aircraft at very low altitude (just off the
runway) was reported by Leveson (citing an article in *The Washington Post*
by Gellman) in RISKS-13.46 in 1992, and followed in RISKS-13.47 and 13.50 by
some speculative commentary.

Peter B. Ladkin, University of Bielefeld, Germany

Figure this out: system configuration

<"Lindsay Marshall" <>>
Mon, 24 Jan 2005 21:37:03 -0000

A neighbour of mine just bought a new Epson printer and was trying to
install it on their laptop. They had a problem: they rebooted their system
and it said "Not a system disk". They gave me a call and I wandered up to
have a look. I hit a few keys and suddenly it booted again. Odd, I thought
(not having noticed a crucial event!). I got in as Administrator and
installed the software for them and we connected up the printer and
rebooted. "Not a system disk". I thought for a bit and looked in the BIOS
and lo and behold, the first boot item was a USB disc, and the printer does
indeed have a USB disc feature so that you can access camera memory cards
via the printer. Unplug the printer and the system boots fine; plug it in and
no dice. (What I hadn't noticed above was that my neighbour had unplugged
the printer from the USB as I was hitting keys.)

How could anyone expect everyday users with no experience of systems
internals to deal with a situation like that? Why should a printer look like
a disc anyway (at least by default), and why have the default BIOS setting
to boot from USB first? A disaster waiting to happen and it happened.

HTTPS .ne. secure

<Jeremy Epstein <>>
Fri, 21 Jan 2005 7:25:35 -0500

I recently filed a change of address for some Qwest stock I own.  Qwest uses
The Bank of New York ( to manage stock accounts, so I went
to their web page, and filled out the form using name, address, SSN, and
account number.  Checked for the padlock indicating HTTPS, and convinced
there was *some* degree of due diligence, submitted the form.  The
confirmation screen starred out all but the last four digits of the SSN
(i.e., ***-**-9999), which seemed reasonable.

Last night I got back an e-mail that they couldn't process my change request
(the reason is unimportant), and included in the text of the message my
name, e-mail address, account number, and SSN.  No stars this time to shield
sensitive information.  Seems like a pretty useful e-mail to intercept!

What kind of security policies allow including this sort of information?
The security & privacy policies don't say anything about safeguarding
customer information.

If anyone has a privacy/security contact at Bank of New York, I'd certainly
be interested in talking to them!

(This is certainly not a new type of problem; see RISKS 21.83 for another
example I wrote about 3 years ago.)
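As an added illustration, not from the post or from the bank's own systems: a small gate that applies the confirmation screen's ***-**-9999 masking to outbound notification text before it reaches the mail transport, and reports anything left in the clear. The sample message, the regular expressions and the helper names are constructed for this example.

```python
import re

# Constructed sample: the kind of plain-text notification the post describes,
# with a full SSN and account number in the body (all values are made up).
SAMPLE_EMAIL = """Dear Customer,
We could not process your change of address request.
Name: J. Example
Account number: 12345678
SSN: 123-45-6789
Please contact us for assistance.
"""

# Social Security numbers written with dashes; account numbers that follow a label.
SSN_RE = re.compile(r"\b(\d{3})-(\d{2})-(\d{4})\b")
ACCOUNT_RE = re.compile(r"(?i)(account(?: number| no\.?| #)?:?\s*)(\d{6,})")


def mask_ssn(text: str) -> str:
    """Replace every SSN with the ***-**-9999 form the confirmation screen used."""
    return SSN_RE.sub(lambda m: f"***-**-{m.group(3)}", text)


def mask_account(text: str) -> str:
    """Keep only the last four digits of a labelled account number."""
    return ACCOUNT_RE.sub(
        lambda m: m.group(1) + "*" * (len(m.group(2)) - 4) + m.group(2)[-4:], text
    )


def redact_outbound(text: str) -> str:
    """Apply the same masking to e-mail that the web confirmation screen applies."""
    return mask_account(mask_ssn(text))


def find_unmasked(text: str) -> list:
    """Return identifiers that would leave in the clear; call this as a gate
    on the final message body before handing it to the mail transport."""
    found = [m.group(0) for m in SSN_RE.finditer(text)]
    found += [m.group(2) for m in ACCOUNT_RE.finditer(text)]
    return found


if __name__ == "__main__":
    print("unmasked before:", find_unmasked(SAMPLE_EMAIL))
    body = redact_outbound(SAMPLE_EMAIL)
    print(body)
    print("unmasked after:", find_unmasked(body))
```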

No e-mail return address

<Louise Pryor <>>
Tue, 18 Jan 2005 15:04:48 +0000

Many automated e-mails have no usable e-mail return addresses. For example,
Verizon include the following rubric at the bottom of their messages: "This
message was sent from a notification-only e-mail address that cannot accept
incoming e-mail messages. Please do not reply."

I know this because I have now received five messages from Verizon intended
for somebody who shares my last name and probably has a similar e-mail
address. I now know this person's mailing address and telephone number, and
that they have ordered Verizon's DSL service. I know that the DSL service is
now available.

I've been receiving these e-mail messages for about a month now (there was a
delay in getting the DSL service operational, apparently, for which Verizon
have apologised). I have tried e-mailing, but to no
effect. I could, I suppose, telephone or write to the intended recipient,
but I don't see why I should make a transatlantic phone call to someone I
don't know. For obvious reasons, I don't have an e-mail address for this

The risks here are obvious. Verizon presumably have a disgruntled customer,
frustrated with not having heard from them. I have personal information
about somebody else that I am not entitled to have (at least they didn't
send the account username and password through by e-mail) and get a small
amount of unwanted e-mail.

Louise Pryor

PayPal contradicting its own security advice

<"Tim Huckvale" <>>
Tue, 18 Jan 2005 12:30:15 -0000

I just received an e-mail from PayPal warning me that my credit card was
about to expire. Naturally my first thought was that it was a phishing trip,
but closer inspection showed it to be genuine.

It ended with the following warning:

  - -  - -  - -  - -  - -  - -  - -  - -  - -  - -  - -  - -  - -  - -
                    PROTECT YOUR PASSWORD

  NEVER give your password to anyone and ONLY log in at Protect yourself against fraudulent websites
  by opening a new web browser (e.g. Internet Explorer or Netscape) and
  typing in the PayPal URL every time you log in to your account.

  - -  - -  - -  - -  - -  - -  - -  - -  - -  - -  - -  - -  - -  - -

Typing in the URL is excellent advice. Such a shame that they defeated it by
making the link clickable.

Re: eBay open invitation to phishing scammers (RISKS-23.66)

<Drew Dean <>>
Mon, 17 Jan 2005 16:18:03 -0800

> ... Thus it is indistinguishable from a phishing scam, ...

The amusing thing is that this is actually meant as an anti-phishing tool,
and it started from a good idea: eBay would communicate with its customers
via an area on its website rather than e-mail.  The (reasonable) assumption
being that it is somewhat harder (though, of course, not impossible) to
spoof eBay's website than a piece of e-mail.  But you have to get started,
so how do you communicate this new policy to your customers?

Presumably eBay would have been better off sending plain text e-mail
providing a link only to, or even better, telling people
to type that into their browser, or use a pre-existing bookmark, but plain
Jane e-mail might cause people to think it was a phishing attack, or other
folks probably don't know how to enter a URL directly into a browser — all
of which would drive up eBay's technical support costs.

This appears to be one of those cases in which you just can't win.

Drew Dean, Computer Science Laboratory, SRI International

REVIEW: "Outsourcing Information Security", C. Warren Axelrod

<Rob Slade <>>
Thu, 20 Jan 2005 08:23:18 -0800

BKOSINSC.RVW   20041210

"Outsourcing Information Security", C. Warren Axelrod, 2004,
1-58053-531-3, U$85.00/C$119.50
%A   C. Warren Axelrod
%C   685 Canton St., Norwood, MA   02062
%D   2004
%G   1-58053-531-3
%I   Artech House/Horizon
%O   U$85.00/C$119.50 800-225-9977
%O   tl a rl 1 tc 1 ta 3 tv 2 wq 2
%P   248 p.
%T   "Outsourcing Information Security"

The author states that he intends to raise issues involved in outsourcing
security in such a way that those working through the process will not
neglect important areas of concern.

Chapter one reviews reasons for outsourcing.  Lists of threats and
vulnerabilities, in general, are given in chapter two.  Costs are examined
in chapter three, as a basic discussion of justification for outsourcing.
Chapter four looks at risks that might be associated with outsourcing.
Various types of costs, such as intangible, subjective, and indirect, are
contemplated in chapter five, and costs related to different stages of the
evaluation process in chapter six.  Chapter seven investigates a number of
issues surrounding the development of requirements for system or project
development.  The first chapter that actually seems to talk in detail about
security outsourcing, rather than just outsourcing itself, is chapter eight,
which goes through the ten domains of the CISSP (Certified Information
Systems Security Professional) CBK (Common Body of Knowledge) (and some
subdomains), determining which of them are particularly appropriate for
outsourcing, and which are not.  Chapter nine outlines the outsourcing
process as a sequence of steps.

Axelrod has provided a very solid and useful framework for dealing with the
many areas that need to be considered if outsourcing is sought.  Very little
is directly relevant to the security function itself, but that may simply
expand the market for the book.  It is probably futile to expect that any
more guidance could have been provided, since the possibilities are so
immense, but the summary given here still leaves the potential outsourcer
with an enormous amount of work to do.

copyright Robert M. Slade, 2004   BKOSINSC.RVW   20041210    or

  [For those of you interested in security implications, see Table 7.1 of
  my recent report, which summarizes the pros and cons of both outsourcing
  and offshoring: for browsing, Section 7.10.2 and .ps otherwise, page 133

REVIEW: "Degunking Your Email, Spam, and Viruses", Jeff Duntemann

<Rob Slade <>>
Wed, 26 Jan 2005 08:14:12 -0800

BKDYESAV.RVW   20041205

"Degunking Your Email, Spam, and Viruses", Jeff Duntemann, 2004,
1-932111-93-X, U$24.99/C$37.99
%A   Jeff Duntemann
%C   Suite 115 4015 North 78th Street, Scottsdale AZ   85251
%D   2004
%G   1-932111-93-X
%I   Paraglyph Press
%O   U$24.99/C$37.99 602-749-8787
%O   tl i rl 3 tc 3 ta 4 tv 4 wq 3
%P   334 p.
%T   "Degunking Your Email, Spam, and Viruses"

Lots of books have "quick tips" at the front these days.  Usually these are
nothing more than promotional fluff, designed to convince you that the
author Knows Important Stuff.  However, when I perused the suggestions for
what to do about email and viruses if you had limited amounts of time, I was
quite impressed that Duntemann had, in fact, carefully selected those tasks
that would give the most protective value for the temporal coin.  I could
cavil at a few, but generally this list is very well chosen for those
readers who do need to get started right away.

Chapter one is an introduction, defining the various problems, and outlining
the "12-step" program that structures most of the rest of the book.
Although chapter two is supposed to be about creating an email strategy it
doesn't go quite that far.  But Duntemann does provide guidance on the type
of email user you are, and notes the importance (which varies) of having
alternative email addresses.  Various email clients, and important features,
are reviewed in chapter three.  The advice is good (although I don't know
why he is dissing Pegasus :-).  Chapter four outlines good email habits, and
effective practices for using and managing email.  The advice on maintaining
contact and synchronization on the road, given in chapter five, is helpful
to travelers although I am not sure that it a) applies to everyone, and b)
is a "gunky" problem.  Chapter six provides valuable advice for managing
stored or saved messages.

Chapter seven describes the situation with regard to spam, and suggests the
standard actions to avoid it.  The concepts and tools for spam filtering are
outlined in chapter eight.  Chapter nine walks the reader through the
installation and "training" of POPfile, while ten lists arguments against
non-Bayesian spam prevention filters and systems.

Chapter eleven is a good introduction to the broad categories of malware.
The choice and evaluation of antiviral programs, given in chapter twelve, is
quite decent, although the space and precedence given to the "three sisters"
seems to be excessive: companies like Sophos, F-Prot, and Avast turn out
technically superior products and are hardly "obscure."  Spyware and adware,
as well as suggestions to limit them and products to deal with them, are
covered in chapter thirteen.  Chapter fourteen has good advice about dealing
with worms (although I'm surprised that Duntemann did not mention turning
off DCOM, which would probably have saved his friend some grief).  Chain
letters and scams are discussed in chapter fifteen.  (I was teaching in
Nigeria when I read this book, so I found the coverage of the 419 scam
ironic.  Nigeria isn't in chaos: it just seems that way.)  Chapter sixteen
finishes off with advice on what to do if you *have* been hit with something

The book has a lot of very practical and useful information.  It is written
at a level that any intermediate user, and many intelligent novices can use
directly without further experimentation.  (A few items could use more
detail: how do you turn an .iso file into a bootable CD?)  I would
recommend this as an excellent reference to have to hand for pretty much
any computer user.

copyright Robert M. Slade, 2004   BKDYESAV.RVW   20041205    or
