The Risks Digest

The RISKS Digest

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Volume 23 Issue 04

Friday 28 November 2003


Sony to recall 550,000 CD Walkman battery packs
Monty Solomon
Amber Alert, Coming to the Inbox Nearest You
Rebecca Mercuri
Southern drawls thwart voice recognition for police
California to require voting machine receipts and stricter auditing
Steve Bellovin
E-Votes must leave a voter-verified paper audit trail
Diebold ATMs hit by Nachi worm
Steve Summit
Proposed reason for electronic voting mess
John Bechtel
Re: Astonishing electronic voting "glitch"
Martin Ward
Whois bug at
Tony Toews
Man arrested wardriving child porn
Walter Roberson
Old Nigerian scam nets $400,000
Arthur J. Byrnes
In-Security clearance
Name withheld by request
Human Error Leads to AT&T's Anti-Spam Gaffe
Ryan Naraine via Fuzzy Gorilla
Books of Interest: End of the World; Human Factor
Mike Smith
REVIEW: "Practical Cryptography", Bruce Schneier/Niels Ferguson
Rob Slade
REVIEW: "Wireless Security Essentials", Russell Dean Vines
Rob Slade
Re: SANS, GSEC, and Chapple book review
Rob Slade
Info on RISKS (comp.risks)

Sony to recall 550,000 CD Walkman battery packs

<Monty Solomon <>>
Wed, 19 Nov 2003 07:56:34 -0500

Reuters, 19 Nov 2003: Sony Corp said on Wednesday it would recall about
550,000 external battery packs for its CD Walkman worldwide because of a
defect in the connector cord that could cause the pack to heat up and
partially melt.  A Sony spokeswoman said there had been one reported
instance of the battery pack damaging the CD player's nylon carrying case.

Amber Alert, Coming to the Inbox Nearest You

<Rebecca Mercuri" <>>
Tue, 25 Nov 2003 20:29:01 -0500

The latest in the spam wars -- Amber Alert!  This one promises to clog your
email box with photos of children who may or may not have vanished, probably
for years even after they've (hopefully) been found.  It's so much more
convincing than those "estate of Nigerian millionaire deposit account"
messages.  Makes you nearly want to cry.  Hey, if it was my kid, I'd spam
the universe. But it's still spam.  So when you reply to the sender (who is
inevitably going to be some kindhearted soul that you know who received this
from a long chain of other friends whose email addresses they've included to
prove it's "authentic") with a "this is spam" message you're just going to
appear to be heartless.  There's no good way out of this one other than to
immediately redirect all messages with the subject phrase "Amber Alert" into
your trashbin, pray you never need to do this for your own kid or someone
you really do know FIRSTHAND, and don't look back.

Southern drawls thwart voice recognition for police

Sun, 23 Nov 2003 09:47:03 -0600

[PGN-ed from an AP item]

Southern drawls ("lazy mouth") have thwarted voice recognition equipment
used by the Shreveport, Louisiana, Police Department to route non-emergency
calls to persons or departments.  Switching to a more conventional voice
menu touch-tone response system is planned.

California to require voting machine receipts and stricter auditing

<Steve Bellovin <>>
Fri, 21 Nov 2003 18:09:04 -0500

According to the Associated Press, California's Secretary of State Kevin
Shelley has ordered that by 2006, all electronic voting machines in the
state must provide a "voter verified paper audit trail".  He also introduced
stricter requirements for testing and auditing the software used for both
recording and tabulating votes.

Steve Bellovin,

[See also Kim Zetter,, 21 Nov 2003.  PGN],2645,61334,00.html

E-Votes must leave a voter-verified paper audit trail

<"Peter G. Neumann" <>>
Sun, 23 Nov 2003 13:12:19 PST

CA SoS Shelley has apparently taken the recommendations of some of the
members of his review panel seriously, in light of recent strange events
previously recorded here.

As RISKS readers are aware, this is in essence an approach recommended by
Rebecca Mercuri, in which voters verify that the paper record is identical
to what is on the touch-screen.  The machine- and human-readable audit trail
would remain within the voting system.  In the pure Mercuri Method, the
machine-readable audit trail would be the official ballot, although the
California wording seems to suggest that the electronic version would be
the official version unless irregularities had to be resolved by comparing
the electronic and paper versions.  Clearly, any discrepancies detected
during the voting process should result in the machine being taken out of

Diebold ATMs hit by Nachi worm

<Steve Summit <>>
Tue, 25 Nov 2003 13:14:28 -0500

Astonishingly, several Diebold Automatic Teller machines were infected by
the "Nachi" worm last August, and the company has confirmed this.  These
were an "advanced line of Diebold ATMs built atop Windows XP Embedded", and
were therefore vulnerable.  They weren't on the public Internet, but of
course many recent worms have displayed remarkable potency in their ability
to hop over firewalls and infect private intranets.

Full story at .

To me, this incident reinforces a worrisome trend.  On the one hand,
everyone knows that critical functions shouldn't be implemented using
less-than-rugged components such as "consumer grade" operating systems.  But
the ubiquity of the market leader's products and the resulting convenience
of using them means that the temptation to do so, even when it's formally
inadvisable, is quite often irresistible.  Such decisions are always papered
over with superficially plausible rationalizations such as "this component
performs a non-critical function of the otherwise critical system"
(e.g. "these computers are involved with nonessential railway communication
functions, not signalling") or "these computers are not connected to the
public Internet in any way" (as in the present incident), but as we know all
too well, in complex, interconnected systems, those convenient assumptions
have a way of breaking down.

Proposed reason for electronic voting mess

<John Bechtel>
Sat, 15 Nov 2003 19:23:35 +0000

Reading RISKS, there are endless stories of badly designed and implemented
electronic voting machines.  The authors are passionately committed to the
democratic process, and hate to see even a chance of voter
disenfranchisement.  The authors elicit dismay at the "authorities" callous
disregard for due process and good engineering.  The authors care.

A comparison comes to mind: Much of modern art is, frankly, rubbish.  The
artists will say that its purpose isn't to be beautiful, its purpose is to
make us think.  Question.  Have an opinion.  Care.

Maybe, just maybe, "they" are doing the same thing with the voting machines?
Putting bad products in the field to make "us" care, to think, to
act... even, as a last resort, vote.  Voter apathy and low voter turnout is
well known. Begging people to vote hasn't worked.  Perhaps there is no
better way to make people cherish their vote, and use it, than to make them
think it is being taken away.

Nothing like an even bigger conspiracy theory, is there?

John Bechtel, Maidenhead, UK

Re: Astonishing electronic voting "glitch" (RISKS-23.03)

<Martin Ward <>>
Tue, 18 Nov 2003 10:34:03 +0000

> It's interesting to wonder what might have happened if the initial
> inaccurate result had not been so glaringly obvious ...  [PGN]

Perhaps I am too paranoid, but it looks as though "someone" is testing to
see just how big a "glitch" they can get away with, while at the same time
getting the punters accustomed to regular "glitches" in e-voting software
(just as MS has got people accustomed to desktops which regularly crash,
freeze or scramble documents).

How many other results were there that were *not* so glaringly obvious? How
do you know that the results of this "test" were not: "Just keep the total
number of votes less than the total number of voters, and people won't
notice a thing"?

Whois bug at

<Tony Toews <>>
Fri, 14 Nov 2003 22:21:19 -0700

I went to run a whois inquiry on a domain at  I get a
screen which asks me to validate a number which appears on a graphic.  And
it doesn't take the entered number.   It displays another number in
graphical format.  Which it also doesn't take.  Repeat until frustrated.

I later reread the screen and decided to check my browser's cookie settings
-- which I manually set for each Web site I visit.  If I see anything
suspicious in the cookie site I tell IE to not save that Web site cookies.
Turns out that was the problem.

1) I complained a week ago and have not received a response.

2) A sentence along the lines of "If the system doesn't accept the number
you enter double check your cookie settings." would've saved a lot of
frustration on my part.

Tony Toews, Microsoft Access MVP
Microsoft Access Links, Hints, Tips & Accounting Systems at

Man arrested wardriving child porn

<Walter Roberson <>>
Sat, 22 Nov 2003 11:57:04 -0600 (CST)

In Toronto, Canada, this week:

  After pulling the man over, Sgt. Don Woods discovered the man was naked
  from the waist down as he downloaded images on a laptop computer of a
  young girl involved in a sex act with an adult.  Investigation showed the
  man had hooked into a wireless computer network at a nearby house to gain
  access to a resident's Internet connection and download images from child
  pornography Web sites.

Old Nigerian scam nets $400,000

<"Arthur J. Byrnes" <>>
Wed, 19 Nov 2003 21:11:14 -0500

  [For those of you who wonder why you keep getting variants of the
  confidential scam spams asking you to help launder millions of dollars,
  here is one of the reasons why: There are still suckers falling for them.

The *Daytona Beach News Journal* (13 Nov 2003) reported that a local man had
fallen for the Nigerian 419 e-mail scam to the tune of $400,000.  Even after
being informed it was a scam, he continued to send money.  He had mortgaged
his house and used up his life savings.  [PGN-ed]

The Risk?  With no spam regulations and no cooperation between national
governments con-men are getting away with many people's hard earned money.

Some folks think that the greedy get what they deserve, but falling for
this type of scam, may also be a sign of mental illness.

  [Gambling is addictive behavior.  Perhaps so are Nigerian-type scams.

In-Security clearance

<[Name withheld by request]>
Sat, 22 Nov 2003

I am in the process of getting a DoD security clearance in connection with
my job.  My contact in my employer's security office claimed to have sent
me the information I needed to apply for the clearance by e-mail, but I
never got it.  When I talked to this person by phone she said that she had
sent me "the program" several times.  The following exchange ensued:

Me: The program?  You mean, you sent me an executable attachment?

She: That's right.

Me: Well, no wonder I didn't get it!  It was deleted by my virus
protection program, which deletes all e-mails with executable attachments.

She: No problem, I'll just send you a URL where you can download it.

Me: OK.  Er, isn't there any other way for me to submit my application,
like on paper for example?

She: No.

The URL she sent me was:

Note it's http, not https.

It is quite a challenge to find the right link on that page, but when you
do you eventually get lead to:

Thankfully a secure page, but one whose certificate is not signed.

From there you are lead to a page where you "certify" (by clicking on a
button that says, "I certify that the above answers are true") that you
are in the U.S. and promise not to export the program outside the U.S.
(because it contains encryption technology).

Finally, you get to the download page, where you have the following choices
of operating systems:

1.  Windows 95, 98, NT or 2000
2.  Windows 3.x

Mac and Linux users like me are out of luck.

Fortunately, I have a dual-boot Linux/Win2000 machine at home, so I tried
running the program on that machine.  The executable I got from the site
turned out to be an installer, which installed 212 different files (that I
could find) on my disk.

The punch line, of course, is that when I tried to run it, it didn't work.
The cursor changed into an hourglass, then back to an arrow, and nothing
else happened.  God only knows what it did.  I'll probably have to wipe the
disk and reinstall the OS before I can trust this machine again.

The degree of cluelessness on the part of the people who are responsible for
guarding our country's military secrets that this episode reveals is truly
scary.  Think about it: the only way to get a security clearance is to agree
to 1) run a program whose pedigree you have no way of verifying 2) on an
operating system that is notoriously insecure and 3) (presumably -- I never
got a chance to find out) give that program sensitive personal information.
To my mind, anyone who agrees to this ought to be summarily denied a
clearance, but of course, that fate is probably reserved for troublemakers
like me who raise these kinds of issues.

Human Error Leads to AT&T's Anti-Spam Gaffe

<Fuzzy Gorilla <>>
Sun, 16 Nov 2003 20:57:15 -0500

After seeing a rush of spam, and brainstorming possible remedies, AT&T sent
out a mass e-mailing to business partners and customers asking for the IP
addresses of all outbound SMTP servers (to be used for a white list),
threatening to cut off e-mail access of nonresponders.  Subsequently, they
sent a follow-up apology, with a request to disregard the first e-mail,
claiming that the original notices went out as a result of "human error".
[Source: Ryan Naraine, 22 Oct 2003, Jupitermedia Corporation; PGN-ed]

Books of Interest: End of the World; Human Factor

<"Smith, Mike" <>>
Fri, 28 Nov 2003 08:33:59 -0500

I thought RISKS readers might be interested in two books I came across

The first is "The End of the World: The Science and Ethics of Human
Extinction" by John Leslie.  It's focus is the so-called Doomsday Argument,
first described by cosmologist Brandon Carter.

The argument assumes that human population growth will continue to be
exponential up to the point where some unspecified disaster wipes out the
species.  Therefore, most of the humans who will have ever lived will live
in the one or two generations before Doomsday.  If you take yourself as a
random human, you must conclude that you are most likely to be in the last
couple of generations.  In other words, Doom is more likely to come sooner
rather than later.  About half the book defends the argument.  Apparently
mathematicians and philosophers have been trying to find an error in the
reasoning for about twenty years, without success.

Mr. Leslie goes on to discuss some of the ways in which we might become
extinct, from nuclear war to plague to technology run amok to asteroid
impact.  He discusses whether we should, from an ethical perspective, try to
preserve ourselves if we can't eliminate human misery.  Some of these
philosophical discussions are pretty tough reading.

Ultimately, Mr. Leslie's point is that not only are the risks obvious, but
they are also higher than we might otherwise think.

The second book is "The Human Factor" by Kim Vicente.  This very readable
book is about why we need to consider the "human factor" in designing
socio-technological systems.  Without considering the way people use
technology, we run the risk of our technological systems moving outside
their "safety envelopes" and causing disasters.  He uses a wide array of
case studies, from the Reach toothbrush to the Aviation Safety Reporting
System, to show how human factor engineering and systems approaches to
design benefit everyone.  Mr. Vicente also gives many examples of poor
system design that led to disaster, including preventable accidental
hospital deaths (which outnumber traffic accident deaths in the U.S.) and
the Walkerton, Ontario, contaminated water tragedy.

Mike Smith, Senior IT Security Engineer, AEPOS Technologies Corporation
819-772-8522 ext. 230

REVIEW: "Practical Cryptography", Bruce Schneier/Niels Ferguson

<Rob Slade <>>
Mon, 17 Nov 2003 07:42:08 -0800

BKPRCCRP.RVW   20030918

"Practical Cryptography", Bruce Schneier/Niels Ferguson, 2003,
0-471-22357-3, U$50.00/C$76.95/UK#34.95
%A   Bruce Schneier
%A   Niels Ferguson
%C   5353 Dundas Street West, 4th Floor, Etobicoke, ON   M9B 6H8
%D   2003
%G   0-471-22357-3
%I   John Wiley & Sons, Inc.
%O   U$50.00/C$76.95/UK#34.95 416-236-4433 fax: 416-236-4448
%P   410 p.
%T   "Practical Cryptography"

The preface points out that cryptography has done more harm than good in
terms of securing information systems, not because cryptography fails in and
of itself, but, rather, due to the improper use or implementation of the
technology.  This book is intended to provide concrete advice to those
designing and implementing cryptographic systems.  As such, it is not the
usual introduction to cryptography, and is aimed at a fairly limited group.

Chapter one asserts that we should be engineering for security, rather than
speed or bells and whistles.  Security is only as strong as the weakest
link, we are told in chapter two, and (following from the idea of defence in
depth) we need to have engineering in depth (and probably breadth, as well).
The issues are important, but there is some lack of clarity to the
organization and flow of the text and arguments: the reader may start to
wonder what the essence of the message is.  (I see that I should have
trademarked "professional paranoia" when I started using it years ago, but
it is nice to note that the point is being taken.)  Chapter three is a
rather unusual "Introduction to Cryptography" (and the mathematical format
of the text doesn't make it easier for the math-phobic to concentrate on the
meaning), but focussing on the applications and problems, the cryptanalytic
attacks, and repeating the injunctions against complexity and the sacrifice
of security for performance is a reasonable position.

Having come this far, it is interesting to note that we are only starting
part one, reviewing message security.  Chapter four compares and reviews
various existing block ciphers.  The modes, and attacks against specific
modes, of block algorithms are described in chapter five.  (This material
appears to be what would, in a more traditional book, be the introduction to
cryptography.)  Hash functions are explained, compared, and assessed in
chapter six, while seven extends the concept to message authentication
codes, which ensure not only detection of accidental alteration, but are
also resistant to outsider modification attacks on the data or transmission.
We therefore have the basic tools that we need to consider a channel that is
secure from eavesdropping and manipulation by anyone not party to the
communications, in chapter eight.  Implementation, and the engineering or
software development considerations, are examined in chapter nine.

Part two deals with key negotiation, partly by introducing the concept of
asymmetric (more commonly, if less accurately, referred to as "public key")
cryptography, the major strength of which involves the handling of keys.
Chapter ten raises the issue of randomness, which is vital in the choice of
keys, and also talks about the components of the Fortuna system for
generating pseudo-random numbers.  Prime numbers are explained in chapter
eleven, due to their importance in asymmetric cryptography.  The venerable
Diffie-Hellman algorithm is reviewed, along with the math that makes it
work, in chapter twelve.  (If you want to follow the material all the way,
you'll have to be good at mathematics, but the discussion, while
interesting, is not vital to the use of the system.)  A similar job is done
on RSA in chapter thirteen.  Chapter fourteen is entitled an "Introduction
to Cryptographic Protocols" but really talks about trust, risk, and more
requirements for the secure channel.  The high level design of a key
negotiation protocol is incrementally developed in chapter fifteen.
Implementation issues specific to asymmetric systems are reviewed in chapter

Part three looks at key management, and various approaches to the problem.
Chapter seventeen discusses the use, and risks of using, clocks and time in
cryptosystems.  The idea of the key server is illustrated by Kerberos in
chapter eighteen, but almost no detail is included.  A quick introduction to
PKI (Public Key Infrastructure) is given in chapter nineteen, followed by a
philosophical review of other considerations in twenty, and additional
practical concerns in twenty one.  (While the division is not unreasonable,
these three could, without seriously distorting the book, have been one big
chapter.)  Storing secrets, important for key and password reliability, is
contemplated in chapter twenty two.

Part four contains miscellaneous topics, including the futility of standards
(twenty three), the questionable utility of patents (twenty four), and the
need for involving real experts (twenty five).

As noted, this book is not simply another introduction to cryptography.  The
content is for those involved in the guts of a cryptosystem, and the
material provides significant guidance for the concerns of people in that

copyright Robert M. Slade, 2003   BKPRCCRP.RVW   20030918

REVIEW: "Wireless Security Essentials", Russell Dean Vines

<Rob Slade <>>
Fri, 21 Nov 2003 07:31:38 -0800

BKWLSCES.RVW   20031018

"Wireless Security Essentials", Russell Dean Vines, 2002,
0-471-20936-8, U$40.00/C$62.50
%A   Russell Dean Vines
%C   5353 Dundas Street West, 4th Floor, Etobicoke, ON   M9B 6H8
%D   2002
%G   0-471-20936-8
%I   John Wiley & Sons, Inc.
%O   U$40.00/C$62.50 416-236-4433 fax: 416-236-4448
%P   345 p.
%T   "Wireless Security Essentials"

The introduction asserts, as a statement on the rapid pace of technological
innovation, that wireless security may have changed between the writing and
the publication of the book.  It may be an interesting comment on security
that the book is still relevant and that wireless security is unchanged in
the two years since the book's completion.  It may also be a measure of the
good job that Vines did on his subject.

Part one deals with the foundational aspects of the technology.  Chapter one
covers computing technology, with a basic but brief look at computer
architecture and some network architecture (but mostly protocols).  Both
wireless LAN and cellular telephone are discussed, but the LAN material
predominates.  Wireless theory, including radio communication and
transmission protocols, is examined in chapter two.  The explanations are
good: Direct Sequence Spread Spectrum (DSSS) and Frequency Hopping Spread
Spectrum (FHSS) are much better than in other related works, although the
text could still use some improvement on details such as DSSS chipping and
the mapping of bits to the frequency signals.  Wireless reality, in chapter
three, is an odd mix of the security portions of wireless LAN protocols
(except for Bluetooth, which has a number of functions explained in detail),
the Infrared Data Association (IrDA), wireless operating systems and
devices, and wireless services.

Part two covers security essentials.  Chapter four outlines security
concepts and methodologies in a well-chosen (with the signal exception of
cryptography) but not well-structured list.  (Given Vines' participation in
"The CISSP Prep Guide" [cf. BKCISPPG.RVW] this is not surprising.)
According to chapter five, security technology primarily encompasses
cryptographic aspects of wireless LAN protocols.  There is a very
comprehensive examination of a broad range of attacks against wireless
devices (Personal Digital Assistant [PDA] viruses, for example) and
transmissions (there is an extremely detailed analysis of WEP weaknesses,
backed up by even more details in appendices B and C), as well as
recommended countermeasures, in chapter six.

Although not perfect, this book is an extremely useful guide to the security
issues surrounding the use of wireless devices.  Of the various books
reviewed on the topic of wireless LANs and security, it is the best work
seen to date.

copyright Robert M. Slade, 2003   BKWLSCES.RVW   20031018

Re: SANS, GSEC, and Chapple book review (RISKS-23.02)

<Rob Slade <>>
Sat, 22 Nov 2003 22:27:57 -0800

In my recent review of "The GSEC Prep Guide" by Mike Chapple, I probably did
not sufficiently stress the point that the faults of the book are not
necessarily to be imputed to the GSEC program itself.  I have been asked by
Stephen Northcutt to note that Chapple has no association with SANS, and
that Northcutt has (in a review under the book's listing on
noted that the material in Chapple's book does not adequately reflect the
breadth of the material tested for in the GSEC exam.

Please report problems with the web pages to the maintainer