The RISKS Digest
Volume 23 Issue 95

Monday, 1st August 2005

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Please try the URL privacy information feature enabled by clicking the flashlight icon above. This will reveal two icons after each link the body of the digest. The shield takes you to a breakdown of Terms of Service for the site - however only a small number of sites are covered at the moment. The flashlight take you to an analysis of the various trackers etc. that the linked site delivers. Please let the website maintainer know if you find this useful or not. As a RISKS reader, you will probably not be surprised by what is revealed…


Reuters: FDA warns Hitachi Medical about MRI systems
Craig S. Bell
Too many features in medical device
Colin Percival
Embedded Systems vs Us
Bob Paddock
Elbtunnel computer crash
New Microsoft anti-piracy program circumvented
Monty Solomon
USC Database hacked
Randall via Dave Farber
Spyware soaring
John Leyden via PGN
Privacy Guru Locks Down VOIP
Kim Zetter via Monty Solomon
TV channel inadvertently broadcasts link to porn site
David Hollman
NSW State Transit Authority decommissions servers --- and data, too
Florian Liekweg
Hacking the Hotel TV — and more
Florian Liekweg
Two reports of possible interest
Gene Spafford
Low Threshold for Fraud Detection
Mark Rockman
'Insane' Quebec Govt Online PAC ID system
Michael Hackett
Partisan e-mail censorship as spam filtering:
Pete Klammer
Risks of REAL ID
Robert Tanner via Monty Solomon
Re: Diebold Optical Scan security
Stanley F. Quayle
Re: Proposed daylight saving time changes
Stuart Prescott
Info on RISKS (comp.risks)

Reuters: FDA warns Hitachi Medical about MRI systems

<"Craig S. Bell" <>>
Fri, 29 Jul 2005 11:23:13 -0700 (PDT)

  Hitachi appears to be experiencing injury problems with their medical
  imaging equipment.  The FDA is on their case, mostly for their lack of
  reporting on recent incidents.

  The RISK: As with the Therac-25, prompt and responsible reporting by the
  manufacturer is key to minimizing the risk of further injury.
  Craig S. Bell, Portland, Oregon USA

The U.S. Food and Drug Administration warned Hitachi Medical Systems America
Inc. that it failed to properly report burns, hearing losses, and other
injuries to patients using its magnetic resonance imaging (MRI) systems.
The FDA suggested that this "may be symptomatic of serious problems in your
firm's manufacturing and quality assurance systems.  You must promptly
initiate permanent corrective and preventive action.  The FDA described one
unreported case in which a woman complained she was "shocked and burned on
the top of her head while being scanned" by a Hitachi MRI system, and
another in which an MRI device caught fire.  [Source: A Reuters item, 26 Jul
2005; PGN-ed]

Too many features in medical device

<Colin Percival <>>
Tue, 26 Jul 2005 02:37:15 +0000 (UTC)

This morning I received notice of an important product recall: Apparently
the blood glucose meter I've been using for the past two years has too many

Some background: There are two different units used for measuring blood
glucose levels — mM and mg/dL.  The metric world uses mM; the USA uses
mg/dL.  In order to provide a product which is useful to everybody, most
blood glucose meters support both units, and allow the user to select which
units they want to use.

Unfortunately, it seems that some people have managed to put their meters
into the wrong mode, and have subsequently failed to realize this.  How this
is possible, I am not sure — if you are expecting an answer of "5" it
should be immediately clear that the value "90" is in the wrong units — but
it seems that this is sufficiently concerning to require a complete recall
of the "defective" products, in order that they can be replaced with a newer
model which can only display results in mM.

This brings to mind two risks — one which the manufacturer has responded
to, and the other which they seem to be blithely ignoring:

  RISK #1: If you add too many features to your software, you'll probably
  end up confusing some of your users.

  RISK #2: If you add a feature and then subsequently remove it, there will
  inevitably be some unhappy customers who were using that feature.

In this case, while mM are the units which Canadians "should" be using, many
of them use mg/dL because those are the units which are most common on
informational sites online.

I think I'll keep my "defective" product.

Embedded Systems vs Us

<Bob Paddock <>>
Wed, 20 Jul 2005 18:46:29 -0400

I parked my Chrysler Voyager in my garage on Friday afternoon, no problems.
Later that day there was a lightning strike near by.

Got the van out Friday night.  I pulled out of the garage and as soon as I
hit the road the Check Engine Light came on and the speedometer dropped to
zero, as I continued to gain speed, going up the hill.  The automatic
transmission was now stuck in 1st-gear.  I turned around a few driveways up
the street and went back to the house.  Made appointment to take it in for
servicing the next morning.

Dealer is about four miles down the street.  Limped along in 1st-gear to the
dealer the next morning until we reached the only major four way
intersection in this four mile gauntlet.

Right in the middle of the intersection the engine died like I turned the
key off.  A good Samaritan pushed the van off the road.  The dealer came and
towed the van for the last mile of the trip.

The dealer said that a tachometer feedback sensor had gone bad "and the van
didn't know what speed it was going so it shut down to be safe".

Now for the Us vs Embedded part of the story: Isn't it sufficient that *I*
knew stopping in the middle of a busy four way intersections was a Really
Bad Thing to do?  *It* thought it knew better than I did.

I'm really glad I did not have to cross any railroad tracks when *it*
decided to stop on the crossing because it thought it was safe, rather than
listen to my commands.

Elbtunnel computer crash

<"Peter G. Neumann" <>>
Sat, 30 Jul 2005 15:42:15 PDT

Germany: The crash of a PC controlling both tubes of Hamburg's Elbtunnel
traffic system caused traffic to back up for 14 kilometers on the A7 during
the morning of 28 July 2005.  [Source: *Der Spiegel*, auf deutsch, thanks to
Bruce Schneier; PGN-ed],1518,367185,00.html

New Microsoft anti-piracy program circumvented

<Monty Solomon <>>
Fri, 29 Jul 2005 21:06:43 -0400

Days after Microsoft Corp. launched a new anti-piracy program (Windows
Genuine Advantage), hackers have found a way to get around it.  It requires
computer users to go through a process validating that they're running a
legitimate copy of the Windows operating system before downloading any
software updates except for security patches.  But the check can be bypassed
by entering a simple JavaScript command in the Web browser's address bar and
hitting the "Enter" key.  When that's done, the validation does not run and
the user is taken directly to the download.  ...  [Source: Associated Press
item, 29 Jul 2005; PGN-ed]

USC Database hacked (via Dave Farber's IP list)

<Randall <>>
Tue, 19 Jul, 2005 5:17:54 PM EDT

A University of Southern California database containing about 270,000
records of past applicants including their names and Social Security numbers
was hacked in June 2005, and reported to USC by a journalist on 20 Jun.  The
breach of the university's online application database exposed "dozens" of
records to unauthorized individuals, according to Katharine Harrington, USC
dean of admissions and financial aid.  "There was not a sufficiently precise
tracking capability" but records were able to be viewed only randomly.  "We
are quite confident that there was no massive downloading of data."

USC has since shut down the Web site and has notified people whose names and
Social Security numbers were in the database of the security breach (as
required by the new California law.)  [Source: Univ. of Southern Calif. says
database hacked, Yahoo! News, 19 Jul 2005, 3:46pm; PGN-ed]

[IP Archives:]

Spyware soaring

<"Peter G. Neumann" <>>
Tue, 26 Jul 2005 16:54:18 PDT

Outbound spyware transmissions from infested machines accounted for up to
eight per cent of total outbound web traffic in pilot tests of a new managed
spyware screening service. UK web security firm ScanSafe said the volume of
traffic observed during a 10-week pilot test of its Spyware Screening
service showed that spyware applications are becoming stealthier in their
ability to hide their outbound 'covert' channels among normal web
traffic. That's bad news because data sent when spyware "calls-home" can
include confidential and even privileged information.

Spyware now accounts for around 20 per cent of web-based threats, which
includes other malware such as worms and Trojans, and is still on the
increase, according to ScanSafe. The firm said malware such as
CoolWebSearch, which hides on an infected client using newly developed
root-kit architecture, often evades detection.

[Source: Spyware 'calling home' volumes soar, By John Leyden, *The
Register*, 25 July 2005]

Privacy Guru Locks Down VOIP (Kim Zetter)

<Monty Solomon <>>
Sat, 30 Jul 2005 23:50:42 -0400

[Source: Kim Zetter, 26 Jul 2005]

First there was PGP e-mail. Then there was PGPfone for modems.  Now Phil
Zimmermann, creator of the wildly popular Pretty Good Privacy e-mail
encryption program, is debuting his new project, which he hopes will do for
internet phone calls what PGP did for e-mail.  Zimmermann has developed a
prototype program for encrypting voice over internet protocol, or VOIP,
which he will announce at the BlackHat security conference in Las Vegas this

Like PGP and PGPfone, which he created as human rights tools for people
around the world to communicate without fear of government eavesdropping,
Zimmermann hopes his new program will restore some of the civil liberties
that have been lost in recent years and help businesses shield themselves
against corporate espionage.

VOIP, or internet telephony, allows people to speak to each other through
their computers using a microphone or phone. But because VOIP uses broadband
networks to transmit calls, conversations are vulnerable to eavesdropping in
the same way that e-mail and other internet traffic is open to snoops.
Attackers can also hijack calls and reroute them to a different number.

Few people consider these risks, however, when they switch to VOIP. ...,1282,68306,00.html

TV channel inadvertently broadcasts link to porn site

<David Hollman <>>
Sat, 23 Jul 2005 18:56:49 +0100

ITN apologises for porn link blunder [METRO (London), 19 Jul 2005]

Newscaster ITN apologised yesterday after a TV bulletin inadvertently
featured a link to a hardcore porn website. ...  A viewer who accessed the
site was horrified to see X-rated images and complained.  ...  ITN said it
kept the address in the story as it thought the site was no longer active.
It later realised access to the site had been blocked by its firewall

  The risk is that the web may not look the same from every vantage point.

NSW State Transit Authority decommissions servers --- and data, too

<Florian Liekweg <>>
Sun, 31 Jul 2005 17:15:56 +0200

In his blog at, Geoffrey Huntley reports his
findings about eighteen IBM RS/6000 E30 servers that his company purchased
after they had been decommissioned by the State Transit Authority of New
South Wales (STA NSW).

While the fact that the 'root' password was set to "root" could be seen as a
courtesy of the SAT-NSW administrators to the new user, the systems
contained not only the complete software used by the SAT-NSW but also
employee data including PIN information used to "secure" the system against
unauthorized access, and ticketing data including incident reports filed by
customers.  For good measure, the backup tapes were also included.

Full story at

Amazingly, it's the government agencies that are often criticized for
creating a needless bureaucratic overhead by having a procedure for all and
every situation.  One should assume that installing the "wipe the disks
before selling a computer" routine would be possible.

Florian Liekweg, IPD Universität Karlsruhe

Hacking the Hotel TV — and more

<Florian Liekweg <>>
Sun, 31 Jul 2005 17:29:26 +0200

Adam Laurie, tech director of the London security and networking firm "The
Bunker", apparently got bored on a recent trip and found the time to hack
the Hotel's TV system which lets customers not just watch 'normal' TV
programming, but also, for a fee, provides access to not-safe-for-work
flicks and access to the Internet including e-mail.

The article at,1848,68370,00.html
reports that a laptop running linux, its IrDA port and an USB TV tuner can
be used to trick the TV into doing more than it was supposed to do,
including gaining access to the NSFW content without being charged for it,
snooping on other people's TV watching habits, their Internet browsing
habits and their e-mails.  Also, the "coding" system used for infrared-based
access control to the hotel minibars doesn't seem to be insurmountable

The bill so far: Lost profit for the hotel, lost privacy for the customers,
the possibility for corporate espionage.  Return value: Easy network access.
Good deal, eh?

Florian Liekweg, IPD Universität Karlsruhe

Two reports of possible interest

<Gene Spafford <>>
Wed, 27 Jul 2005 12:01:10 -0500

The Computer Security Industry Alliance <>
recently issued three reports of possible interest:

CSIA Calls for Increased Adoption of Telework by the Federal Government:
Cites Need to Ensure Continuity of Federal Operations in a Disaster

CSIA Urges the Administration and Congress to Elevate Cyber Security
and Research & Development Efforts:
CSIA voices concern over the dissolution of a Presidential committee focused
on information security issues and calls for a national vision for cyber
security R&D.

CSIA Calls for a National K-12 Cyber Awareness Program:
A Focused, Organized National Effort is Needed to Teach Children
Cyber Security, Cyber Ethics and Cyber Safety.

Low Threshold for Fraud Detection

<"Mark Rockman" <>>
Wed, 27 Jul 2005 17:35:59 -0400

The State of Maryland runs a "high risk" insurance pool for otherwise
medically uninsurable patients.  The pool exists to take care of those
patients that regular health insurance companies deem unprofitable and who
may ring up large losses.  The pool, called MHIP, contracts with Magellan
Health Services to evaluate health issues of insured.  Magellan is a highly
profitable gate keeper service who decide, in advance, using
non-peer-reviewed methods, how many visits it will take to cure each
patient.  In one case, Magellan reported an incorrect, out-of-state address
(a PO BOX) for an MHIP client.  This was a simple data entry error and it
was the only "evidence" that the client was trying to live outside the state
and take unfair advantage of a program for Maryland residents.  Result: MHIP
announces it is terminating coverage effective in less than six weeks.
"This letter is to inform you that your MHIP policy will terminate effective
August 31, 2005, because of your lack of residency."  The letter was sent to
a Maryland address — a house — owned by the alleged evil-doer — taxed as
a primary residence.  Guilty until proven innocent.  MHIP provides an out:
the client is given the opportunity to try to prove residency by (what call
center denizens breezily describe as) filling out the Questionnaire.  Oh,
any by the way, send in ALL of the following documents:

 * Did you come to Maryland for the purpose of obtaining MHIP coverage?
 * Do you own or rent living quarters in Maryland?
 * Send in a copy of the rental agreement or the deed.
 * Send in copies of the rent checks.
 * Send in evidence from the rental agent.
 * Where did you live during the past 6 months?
 * Is substantially all of your stuff in Maryland?
 * Did you file income tax returns recently?
 * What state did you file to?
 * Send in copies of your income tax returns.
 * Send in copies of your W-2 forms.
 * Do you own vehicles?
 * If yes, send in purchase date, copies of titles, registration cards,
   and operator permits.
 * If sold, send in a bill of sale.
 * What state issued your operator's permit?
 * Did you renew your operator's permit in the last 6 months?
 * Are you registered to vote?
 * If yes, where are you registered to vote?
 * Send in a copy of your voter registration card.
 * Have you registered to vote in some other state in the past 6 months?
 * Are you on welfare?
 * If yes, from what state are you receiving welfare?

Can you say "invasion of privacy?"

Perhaps this is a "slight" case of overreaching by the hired administrators
of a government program (a company called Schaller-Anderson).  Some effort
to confirm damning data before taking drastic action might be appropriate.
Assuming the client is committing fraud is insulting to the client and
highlights the State's apparent attitude toward its citizens.

Risks: computer data "proves" a case of fraud.  This goes in the pile of
cases where the POE-LEESE arrest an individual based on erroneous or
out-dated computer data.  When the computer says it is so then it is so.
Thus spaketh the machine.

'Insane' Quebec Govt Online PAC ID system

<Michael Hackett <>>
Thu, 28 Jul 2005 23:57:51 -0700

Only Franz Kafka could dream up such a crazy government on-line ID system ():

Web text relating to the Quebec Regie PAC ID scheme
  (Provincial services that use the PAC)
  [Personal access code (PAC)]

  == The Website Text ==

  Why do we authenticate your identity before giving you access to some of
  our services?  Some of our services, for example, CompuPension and the
  on-line Application for a Retirement Pension require information contained
  in your file at the Régie.  We must be sure of your identity so that you
  will be the only person who has access to your information. [...]  While
  you are on-line, you can obtain a user code and choose a password.  They
  will give use rapid access to the personalized services offered by Revenu
  Québec and by the Régie des rentes du Québec. [...]

  We can also authenticate your identity without using Clic Revenu if you
  have a personal access code (PAC) issued by the Régie des rentes du
  Québec. Your code will be valid for 2 years and will be sent to you by
  regular mail.

  [ +++++ The authentication itself (editor)] :

  Personal access codes are issued by the Régie des rentes du Québec and give
  access only to the Régie's on-line services.

  You can obtain a PAC if:

  * you are 18 years of age or over and
  * you are a contributor to the Québec Pension Plan or
  * you are a beneficiary of the Québec Pension Plan or
  * you are entitled to child assistance payments

  Your PAC is confidential; you alone knows the code.  It is sent to you by
  mail and is valid for 2 years following its effective date.

Why the PAC 'ID scheme' is poorly (+ badly) designed, especially for

* I know I have ZERO income from Quebec entities.
  (True for most nonresidents.)
* I know I know I owe no taxes to Quebec entities.
  (True for most nonresidents.)
* Anyone aged 16-72 that has a Canadian SIN is a 'Contributor' to the
  Quebec Pension scheme.
* I know that I have not contributed to any PQ Govt entities separate from
  taxes, as above.
* I have no other relations with Quebec entities that could alter the above
Knowing all inputs are ZERO — should be sufficient enough to be given a

Why use the PAC: for some people in some situations

The PAC ID scheme may be a slightly better system for some people — recent
immigrants or Xpats not living in Canada for example.  There is no guarantee
that one will be able to get the non-PAC ID submission forms to work
properly! (I guess the 'Risk' is here!)  The PAC rejection form is here:

The current arrangement makes it impossible for long term (outside of
Canada) Quebec Xpats to easily conduct business with the Quebec Government.

Partisan e-mail censorship as spam filtering:

<"Pete Klammer" <>>
Wed, 27 Jul 2005 15:24:20 -0600

In the run-up to the 2004 election, I found activist messages about (against)
Arnold Schwarzenegger were being screened by ACM's e-mail screening service
controlled by Postini.  I was only able to verify this, and retrieve my
messages, because I had chosen the "quarantine" option, and checked the
quarantine area soon enough, before the messages were permanently expunged.

Now we hear that messages regarding the Downing Street memos have been
blocked from customers (one of the largest high-speed cable
internet providers in the U.S.), based on content of the message — a URL --
rather than subject line or sender address or domain.

The potential for (mis)information manipulation by large and powerful
corporations is frightening, particularly as U.S. law exempts them from
"common carriage" legal requirements.  We would never (I hope!) stand for
our telephone company to redirect our flight-reservation phone call to a
different airline "partner" company; why must we tolerate such distortion on
the Internet?

Pete Klammer, P.E. 3200 Routt Street / Wheat Ridge, Colorado 80033-5452
 (303)233-9485 /

Risks of REAL ID (Robert Tanner)

<Monty Solomon <>>
Wed, 20 Jul 2005 03:36:45 -0400

Fees for a new driver's license could triple. Lines at motor vehicles
offices could stretch out the door.  U.S. Governors warned yesterday that
states and consumers would bear much of the burden for a terrorism-driven
push to turn licenses into a national ID card.  Ed Rendell, Democrat of
Pennsylvania: ''Trying to make this work, there will be hell to pay'' and
could cost Pennsylvania ''$100 million plus'' to restructure motor vehicle
offices to respond to the REAL ID Act.  By 2008, states must begin to verify
whether license applicants are legal residents of the United States.
[Source: Governors balk at new US license rules; Warn of higher costs,
privacy concerns in push for standard IDs Robert Tanner, Associated Press,
19 Jul 2005; PGN-ed]

Re: Diebold Optical Scan security (O'Dell, RISKS-23.94)

<"Stanley F. Quayle" <>>
Wed, 27 Jul 2005 00:13:26 -0400

A $1 lottery ticket is serially numbered, with UV-encoded information, on
tamper-evident paper, and tracked with a heavily- audited central system.
Reasonable, since that ticket could be worth hundreds of millions of

Your ballot has a level of protection equal to its projected value: Zero.
Until votes are worth something, they will continue to be worthless.

Stanley F. Quayle, P.E. N8SQ  +1 614-868-1363  stan-at-stanq-dot-com
8572 North Spring Ct., Pickerington, OH  43147  USA

Re: Proposed daylight saving time changes (RISKS-23.94)

<Stuart Prescott <>>
Thu, 28 Jul 2005 14:08:04 +1000

For the Olympics in 2000, the state government (New South Wales) decided to
start daylight saving almost 2 months early (in August) so that the Olympics
visitors would benefit from the longer evenings. Some of the other states in
Australia followed suit.

In the organisation I was then working for, the problem was that it took
quite some time for a patch to come from Microsoft to update the Windows NT
and 2000 operating systems that were being used.

The RISK was not that we had to revert to the good old days of manually
changing the time on the computer with the widely used calendar applications
like Microsoft Outlook. It turned out that MS Outlook stores all appointment
times in UTC, converting between local time and UTC when the appointment is
made and then back again when displaying the appointment. Installing the
updated TZ info from MS changed this conversion but not the stored UTC data.

So what ended up happening was that every appointment that was scheduled in
the period between between August and October that was entered into the
diary before the TZ update was applied was wrong by one hour after the TZ
patch was applied. Similarly, if you sent an appointment to someone who
didn't have the TZ patch installed (but had manually changed their time for
those two months), then the times would also be out for that appointment.

For those who were heavily reliant on their MS Lookout calendar, it made
for an interesting couple of months...

  [Various other comments were received on this topic.  PGN]

Please report problems with the web pages to the maintainer