The RISKS Digest
Volume 23 Issue 18

Thursday, 12th February 2004

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator


Contents

Software bug contributed to blackout
Kevin L. Poulsen
*WashPost* registration expired, newsroom hampered
Bill Hopkins
GM will recall some Chevrolet Corvettes
Monty Solomon
Police face sack in ongoing privacy incidents
NewsScan
Three degrees of outsourcing leads to data disclosure
Ed Ravin
Privatization vs privacy
Friedrich Knauss
TiVo watchers uneasy after post-Super Bowl reports
Monty Solomon
Cable modem hackers conquer the co-ax
Kevin Poulsen via Monty Solomon
Electronic copyrights
Jim Griffith
Opposition to SPF
Ian Jackson
Actually, SPF makes things worse
Markus Fleck-Graffe
Re: Drunk unlocks police car with own key
Crispin Cowan
Microsoft warns of widespread Windows flaw
Robert Lemos via Monty Solomon
'Mydoom' Creators Start Up 'Doomjuice'
Matti Huuhtanen via Monty Solomon
Re: MyDoom and SCO
Scott Miller
Don't rely on Social Security Numbers — AGAIN!
Robert Ellis Smith
Re: UK data protection laws ... Unintended Consequences
R M Crorie
An interesting spam-filter risk
Geoff Kuenning
NSF: Science of Design
Sol J. Greenspan via Gene Spafford
Info on RISKS (comp.risks)

Software bug contributed to blackout

<"Kevin L. Poulsen" <klp@securityfocus.com>>
Wed, 11 Feb 2004 19:38:06 -0800

A previously-unknown software flaw in a widely-deployed General Electric
energy management system contributed to the devastating scope of the 14 Aug
2003 northeastern U.S. blackout.

The bug in GE Energy's XA/21 system was discovered in an intensive code
audit conducted by GE and a contractor in the weeks following the blackout,
according to FirstEnergy Corp., the Ohio utility where investigators say the
blackout began. "It had never evidenced itself until that day," said
spokesman Ralph DiNicola. "This fault was so deeply embedded, it took them
weeks of pouring through millions of lines of code and data to find it."

On Tuesday, the North American Electric Reliability Council (NERC), the
industry group responsible for preventing blackouts in the U.S. and Canada,
approved a raft of directives to utility companies aimed at preventing a
recurrence of the outage. One of them gives FirstEnergy a June 30th deadline
to install any known patches for its XA/21 system, though the company says
it's already installed the fix. A NERC spokesperson said all electric
companies using GE's XA/21 system would likely be instructed to install the
patch in a final report due next month.
  http://www.securityfocus.com/news/8016

  [Also reported to RISKS by Chuck Weinstock.  PGN]


*WashPost* registration expired, newsroom hampered

<"Bill Hopkins" <whopkins@wmi.com>>
Mon, 9 Feb 2004 15:31:49 -0500

*The New York Times*, 6 Feb 2004, reported (and not *too* smugly) that
newsgathering at its rival *The Washington Post* was disrupted when
registration lapsed for washpost.com, which the newsroom uses for e-mail.
The renewal notice from Network Solutions was delivered unnoticed to a
"dropbox" (whether e-mail or the old-fashioned kind was not clear).
However, the registration was renewed soon after the disruption started,
before any squatters could jump on it.  (Don't dwell on that image.)


GM will recall some Chevrolet Corvettes

<Monty Solomon <monty@roscom.com>>
Tue, 10 Feb 2004 17:11:00 -0500

General Motors will recall certain Chevrolet Corvettes to correct a
condition in which the vehicle can operate when the electronic steering
column lock fails to unlock.  The vehicles included in this recall are
1997-2000 Corvettes with automatic transmissions in the United States,
Canada, and Mexico; 1997-2004 Corvettes with automatic transmissions in
Europe and export countries; 1997-2004 Corvettes with manual transmissions
in North American, European, and export countries.  GM is still working to
determine the recall population and the breakdowns by countries; however,
the estimate is a total of about 127,000.  For manual transmissions, the
dealers will reprogram the Powertrain Control Module software, at no cost.
GM has not confirmed any occurrences of this condition in the field.  There
are no confirmed crashes, injuries, or fatalities related to the condition.
[Source: 10 Feb 2004, PR Newswire; PGN-ed]
  http://finance.lycos.com/home/news/story.asp?story=40508961


Police face sack in ongoing privacy incidents

<"NewsScan" <newsscan@newsscan.com>>
Thu, 12 Feb 2004 10:01:29 -0700

Australian Police in Victoria are facing an embarrassing new privacy scandal
after an internal audit found fresh evidence of improper access to
confidential computer files. The audit has found up to 35 police have used
the police Law Enforcement Assistance Program (LEAP) computer to check
information on a security guard charged with manslaughter over the death of
former Test cricketer David Hookes. All police who have accessed the files,
other than homicide squad police investigating the death, are expected to be
asked by ethical standards department police to justify their actions.
Police who cannot give legitimate reasons face the sack. This incident comes
in the wake of an investigation in 2003 into allegations that the files of
32 current and former Victorian Members of Parliament have been accessed
without legitimate reason.  [*TheAge*, 11 Feb 2004; NewsScan Daily, 12 Feb
2004]
  http://www.theage.com.au/articles/2004/02/11/1076388435627.html


Three degrees of outsourcing leads to data disclosure

<Ed Ravin <eravin@panix.com>>
Mon, 9 Feb 2004 21:15:51 -0500

According to Bob Sullivan, MSNBC, 8 Feb 2004
  http://www.msnbc.msn.com/id/4186130/

A programmer hired by a community college to manage a database for a child
care center posted the entire database onto an Internet site in order to
obtain help doing the database work.  The database contained sensitive
information like names, addresses, children's schedules, etc.  At one point
the fellow was warned that he shouldn't be posting confidential information,
but apparently he had a bit of trouble with the concept:

  On Jan. 26, another programmer — who requested anonymity — sent a
  message to Dennis, warning him of the possible privacy problems. He
  replied: "Thank you for the note. That was my mistake and I will be more
  careful in the future," according to the programmer. The next day, Dennis
  posted the same database in a different question.

The person who ended up doing the work (recruited via rentacoder.com) is
three outsourcing steps away from the county agency that maintained the data
in question.  It's fairly common for social service agencies to outsource
most of their work to non-profits, but it appears that neither the first
outsourcing level (the community college) nor the second (the alleged
"programmer", Dennis, who posted the databases) had the ability to actually
do the work.  At least no one seems to have sent this job to India...


Privatization vs privacy (Re: Three degrees of outsourcing ...)

<friedrich knauss <fknauss@cultureshark.net>>
Mon, 9 Feb 2004 16:21:49 -0800

[The previous item] exemplifies some of the risks of allowing private
corporations to manage sensitive data without adequate government oversight.
The current administration's efforts at increasing data collection against
its own citizens, along with its promotion of privatization, bodes for
similar future events on a national scale.


TiVo watchers uneasy after post-Super Bowl reports

<Monty Solomon <monty@roscom.com>>
Tue, 10 Feb 2004 22:21:05 -0500

Ben Charny, CNET News.com, 5 Feb 2004

Janet Jackson's Super Bowl flash dance was shocking in more ways than one:
Some TiVo users say the event brought home the realization that their
beloved digital video recorders are watching them, too.  [On 9 Feb 2004,]
TiVo said the exposure of Jackson's breast during her halftime performance
was the most-watched moment to date on its device, which, when combined with
the TiVo subscription service, lets viewers pause and "rewind" live
television broadcasts, among other features.  TiVo said users had watched
the skin-baring incident nearly three times more than any other moment
during the Super Bowl broadcast, sparking headlines that dramatically
publicized the power of the company's longstanding data-gathering practices.
  http://news.com.com/2100-1041-5154219.html

  [Evidently, it pays to keep abreast of TiVo's capabilities.  PGN]


Cable modem hackers conquer the co-ax (Kevin Poulsen)

<Monty Solomon <monty@roscom.com>>
Wed, 11 Feb 2004 20:21:07 -0500

Kevin Poulsen, SecurityFocus, 5 Feb 2004

A small and diverse band of hobbyists steeped in the obscure languages of
embedded systems has released its own custom firmware for a popular brand of
cable modem, along with a technique for loading it — a development that's
already made life easier for uncappers and service squatters, and threatens
to topple long-held assumptions about the privacy of cable modem
communications.  The program, called Sigma, was released in its final
version last month, and has reportedly been downloaded 350 to 400 times a
day ever since. It's designed to be flashed into the non-volatile memory of
certain models of Motorola's Surfboard line, where it runs in parallel with
the device's normal functionality. It gives users almost complete control of
their cable modem — a privilege previously reserved for the service
provider.

The project is the work of a gang of coders called TCNiSO. With about ten
active members worldwide, the group is supported by contributions from the
uncapping community — speed-hungry Internet users who rely on TCNiSO's
research and free hackware to surmount the bandwidth caps imposed by service
providers, usually in violation of their service agreement, if not the
law. To them, Sigma is a delight, because it makes it simple to change the
modem's configuration file — the key to uncapping, and, on some systems, to
getting free anonymous service using "unregistered" modems. "I've known
TCNiSO for two years now and I've done a lot of things with their
techniques," wrote a Canadian uncapper in an e-mail interview. "Sigma is the
greatest one I've seen."  ...  [http://www.securityfocus.com/news/7977]


Electronic copyrights

<griffith@dweeb.org (Jim Griffith)>
Thu, 05 Feb 2004 18:46:54 -0500

In 1997, I wrote a piece for rec.humor.funny based on an idea by Steve
Lancaster, in which the Mars Pathfinder landing was reported from the
Martian point of view, a la Roswell.

    http://groups.google.com/groups?selm=Sb43.21d1%40clarinet.com
    http://www.netfunny.com/rhf/jokes/97/Jul/marspress.html

It was well-received, and I'm rather proud of that piece.  In early January,
some anonymous nitwit took my original piece, changed about four words to
make it fit Spirit instead of Pathfinder, tacked on a couple of brand new
paragraphs, and sent it circulating again, anonymously.  This modified
version has now shown up in various monthly astronomy publications, always
without attribution.

As moderator of RHF, I understand the difficulties of identifying the
original source of a piece, and the ease with which people remove
attributions.  I'm disturbed by the casual way so many publications blindly
printed the piece without doing a serious attempt to identify the source or
the original version.  Granted, that source isn't immediately obvious, but a
reasonable Google search or a date-sorted Google Groups search would have
definitively identified both the author and the original wording.  In
effect, Google Groups is now my primary hope for preserving my original
copyright (although I did have the foresight to encode in the piece an
in-joke that only I know — and the plagiarized versions preserve that
in-joke).  Had I originally distributed the piece via e-mail, I'd now have
no hope of ever claiming credit or preserving the original version.

I'm mainly disturbed by the ease with which the original piece was
corrupted, and that that corruption was blindly accepted and propagated.  It
is now the case that corrupted version is more prevalent than the original.
This is disappointing, given that an advantage of electronic communications
is supposed to be the way it preserves information.  I wonder if we'll find
that in a hundred years, the most popular Internet version of "Romeo and
Juliet" is one with a new, happier ending?


Opposition to SPF (Re: Rose, RISKS-23.16)

<Ian Jackson <ijackson@chiark.greenend.org.uk>>
Wed, 4 Feb 2004 14:25:33 +0000

Andrew Rose <andrew.rose@dataconnection.com> writes:
> The technical work on SPF is now complete and adoption has started.

I strongly disagree that technical work on SPF is complete:

* The current specification is absolutely terrible, when one looks at the
  details.  (As an experienced developer of networking software including a
  DNS resolver and an SMTP mail rejection agent, and participant in
  standards processes, I should know.)

* SPF proponents haven't taken the proper route through the IETF for their
  `standard' — where the details of the spec might have been fixed.
  Instead, they're going for a publicity campaign to `bounce' people into
  adoption.

* Many people I respect (myself not included) think that the principle of
  operation of SPF is broken for technical reasons.  I'm sure those people
  can explain that themselves.

For a personal perspective from a member of the IESG, see
  http://www.interesting-people.org/archives/interesting-people/200401/msg00037.html


Actually, SPF makes things worse (Re: Rose, RISKS-23.16)

<Markus Fleck-Graffe <fleck@isoc.de>>
Wed, 04 Feb 2004 03:28:47 +0100

Re: Defeating phishing  scams, Andrew Rose, RISKS 23.16
> The technical work on SPF is now complete and adoption has started.
> Several thousand domains have published SPF records including some very
> large domains such as aol.com.

The SPF scheme requires all e-mail forwarders to rewrite the sender's e-mail
envelope and return-path addresses. For example, each posting to a mailing list
must be rewritten to a local domain of the list host before redistribution.

To enable (administrative) e-mail bounce notifications, each forwarding host
is also more or less required to generate specially encoded one-time
"sender" addresses for each forwarded e-mail, and keep a corresponding
database of "reverse mappings" for an unspecified period of time.
[http://spf.pobox.com/srs.html]

The SPF website calls this an "unfortunate" problem — extremely unfortunate
because every pre-existing mail transport agent in the world is incompatible
with the SPF scheme and will lead to silent discarding of lots of legitimate
(forwarded) e-mail (which would be considered forged by SPF-gnostic receiver
sites).

Worst of all, SPF will not stop spammers and viruses/worms from spreading -
spammers will just start to set up their own SPF infrastructures (with
throw-away domain names), and worms will just use legitimate e-mail
addresses of compromised host PCs. (In fact, spammers nowadays are
increasingly using compromised third-party PCs for their mass mailings as
well, preferably badly secured ones with high-bandwidth connectivity to the
Internet such as through cable modems OR xDSL lines.) In addition, the
backwards-mapping database of SPF-aware mail forwarders must itself be
secured against abuse of the e-mail bouncing mechanism by spammers and worms
- by introducing even more stateful data keeping to their forwarding
databases. The SPF site even proposes adding time-limited cookies to secure
against this "open (back-)relay" problem — what an awful hack! [1]

The RISKS? Several e-mail providers are adopting a half-baked non-solution
with obvious deficiencies and a potential for silently sinking lots of
legitimate e-mail into a black hole.  And a proprietary three-letter ISP is
trying to force their (centralized!) single-server world-view of
communication protocols onto the Internet.
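To make the forwarding problem described above concrete, here is an added Python example (not code from the post, from the RISKS digest, or from the SPF project). It models a simplified SPF check of the envelope sender against a published policy, shows a forwarded message failing that check when the forwarder leaves the sender untouched, and then shows an SRS-style rewrite that makes the next hop check the forwarder's own domain. The rewritten address carries the original sender inside it and is protected by a keyed hash and a day-granular timestamp, so the reverse mapping for bounces is recomputed rather than looked up, and stale or forged addresses are refused. The domains, IP addresses, secret key and day numbers are constructed, the policy table stands in for DNS TXT lookups, and the SRS encoding is simplified relative to the real specification.

```python
import base64
import hashlib
import hmac
import ipaddress

# Constructed stand-in for DNS TXT lookups: domain -> networks allowed to use
# that domain in the envelope sender (MAIL FROM / Return-Path).
SPF_POLICIES = {
    "example.com": ["192.0.2.0/24"],           # the sender's own outbound relays
    "list.example.org": ["198.51.100.10/32"],  # the mailing-list host (forwarder)
}


def spf_check(envelope_from, client_ip):
    """Simplified SPF: 'pass' if client_ip is listed for the sender's domain,
    'fail' if the domain publishes a policy that excludes it, 'none' if the
    domain publishes nothing. Real SPF has more mechanisms and qualifiers."""
    domain = envelope_from.rsplit("@", 1)[-1].lower()
    networks = SPF_POLICIES.get(domain)
    if networks is None:
        return "none"
    ip = ipaddress.ip_address(client_ip)
    return "pass" if any(ip in ipaddress.ip_network(n) for n in networks) else "fail"


# Constructed forwarder secret (hypothetical). Only addresses minted with this
# key are accepted when a bounce comes back, which is what keeps the rewrite
# from turning the forwarder into an open bounce relay.
SRS_SECRET = b"constructed-demo-secret-change-me"
SRS_MAX_AGE_DAYS = 21  # a rewritten address stops accepting bounces after this


def _srs_tag(day, orig_domain, orig_local):
    """4-character HMAC tag over the timestamp and the original address."""
    msg = f"{day}={orig_domain.lower()}={orig_local}".encode()
    digest = hmac.new(SRS_SECRET, msg, hashlib.sha256).digest()
    return base64.b32encode(digest)[:4].decode()


def srs_forward(envelope_from, forwarder_domain, day):
    """Rewrite the envelope sender so SPF at the next hop evaluates the
    forwarder's domain. 'day' is the current day number (injected for testing)."""
    orig_local, orig_domain = envelope_from.rsplit("@", 1)
    tag = _srs_tag(day, orig_domain, orig_local)
    return f"SRS0={tag}={day}={orig_domain}={orig_local}@{forwarder_domain}"


def srs_reverse(address, forwarder_domain, day):
    """Map a bounce sent to an SRS address back to the original sender.
    Returns None (refuse the bounce) when the address is not ours, its tag
    does not verify, or its timestamp is outside the validity window."""
    if "@" not in address:
        return None
    local, domain = address.rsplit("@", 1)
    if domain.lower() != forwarder_domain.lower() or not local.startswith("SRS0="):
        return None
    parts = local.split("=", 4)
    if len(parts) != 5:
        return None
    _, tag, ts, orig_domain, orig_local = parts
    if not ts.isdigit():
        return None
    age = day - int(ts)
    if age < 0 or age > SRS_MAX_AGE_DAYS:
        return None
    expected = _srs_tag(int(ts), orig_domain, orig_local)
    if not hmac.compare_digest(tag, expected):
        return None
    return f"{orig_local}@{orig_domain}"


def forwarding_scenario(day=12345):
    """Constructed scenario: alice@example.com posts to list.example.org, whose
    outbound IP is 198.51.100.10, and the list redistributes the message.
    Returns (SPF result without rewrite, SPF result with SRS rewrite,
    the rewritten address, the sender a bounce one day later maps back to)."""
    original = "alice@example.com"
    list_host_ip = "198.51.100.10"
    unrewritten = spf_check(original, list_host_ip)   # 'fail': forwarded as-is
    rewritten = srs_forward(original, "list.example.org", day)
    with_srs = spf_check(rewritten, list_host_ip)     # 'pass': list's own domain
    bounce_target = srs_reverse(rewritten, "list.example.org", day + 1)
    return unrewritten, with_srs, rewritten, bounce_target


if __name__ == "__main__":
    print(forwarding_scenario())
```

The design choice worth noting is that every forwarder in the path must do this rewrite, and each must keep a key and a validity window: a rewritten address that verifies forever, or that anyone can construct, turns the forwarder into a bounce relay, which is the "open (back-)relay" problem the post refers to.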


Re: Drunk unlocks police car with own key (Brunberg, RISKS-23.17)

<Crispin Cowan <crispin@immunix.com>>
Thu, 05 Feb 2004 02:06:13 -0800

> What are the odds of having not only a matching door/ignition key, but
> also the keyless entry remote?

Apparently pretty good odds :)

I heard 2nd- or 3rd-hand of an inventive software security person (name
omitted because I want them to still talk to me :) who wanted to investigate
precisely this problem when keyless entry first came out.  Apparently the
initial key space for keyless entry was only 16 bits, and so my friend built
a device to brute-force the keyspace with a fairly powerful radio
broadcaster attached.  Friend then took the device to a large parking lot,
turned it on, and watched with amusement as dozens of cars around the
parking lot started honking and unlocking.

I *think* the keyspace has improved since then, but I would bet it has
not improved enough.

Crispin Cowan  http://immunix.com/~crispin/   CTO, Immunix  http://immunix.com
Immunix 7.3  http://www.immunix.com/shop/

  [Things have improved enormously since the early garage-door openers, many
  of which opened and closed each time the orbiting Russian Sputnik went
  overhead.  I have not noted that marvelous case here since RISKS-8.38,
  which appropriately was issued on the Ides of March 1989, so it is worth
  recalling for newer readers.  Don't forget, all the RISKS archives are
  searchable at Lindsay Marshall's Web site (www.risks.org).  PGN]


Microsoft warns of widespread Windows flaw

<Monty Solomon <monty@roscom.com>>
Tue, 10 Feb 2004 17:43:55 -0500

Microsoft has a message for Windows users: Patch your computers quickly.
Robert Lemos, CNET News.com, 10 Feb

On Tuesday, the software giant released a fix for a networking flaw that
affects every computer running Windows NT, Windows 2000, Windows XP or
Windows Server 2003. If left unpatched, the security hole could allow a worm
to spread quickly throughout the Internet, causing an incident similar to
the MSBlast attack last summer.  ...
  [http://news.com.com/2100-7355-5156647.html]

What You Should Know About the Windows Security Updates for February 2004
http://www.microsoft.com/security/security_bulletins/20040210_windows.asp

Microsoft Security Bulletin MS04-007
ASN.1 Vulnerability Could Allow Code Execution (828028)
http://www.microsoft.com/technet/security/bulletin/MS04-007.asp

Microsoft Security Bulletin MS04-006
Vulnerability in the Windows Internet Naming Service (WINS) Could
Allow Code Execution (830352)
http://www.microsoft.com/technet/security/bulletin/MS04-006.asp

Microsoft Security Bulletin MS04-004
Cumulative Security Update for Internet Explorer (832894)
http://www.microsoft.com/technet/security/bulletin/MS04-004.asp


'Mydoom' Creators Start Up 'Doomjuice'

<Monty Solomon <rebates@roscom.com>>
Tue, 10 Feb 2004 15:22:31 -0500

Finnish computer security experts warned Tuesday of a new worm, known as
"Doomjuice," that is expected to attack computers infected by "Mydoom,"
despite the fact it's programmed to stop spreading later this week.  The
virus, first detected by F-Secure on Monday night, has so far infected at
least 30,000 computers worldwide since it was activated Sunday, said the
company's director of antivirus research, Mikko Hypponen.

Like Mydoom.A and Mydoom.B, the new worm is designed to strike Microsoft
Corp.'s Windows operating systems and is programmed to launch a worldwide
attack on the web site of SCO, one of the largest UNIX vendors in the world.
[Source: Matti Huuhtanen, Associated Press, 10 Feb 2004, AP Online]
  http://finance.lycos.com/home/news/story.asp?story=40507941


Re: MyDoom and SCO (Wildstrom, RISKS-23.17)

<Scott Miller <SMiller@unimin.com>>
Wed, 4 Feb 2004 18:58:46 -0500

> Writing on Feb. 2, it's very hard to assess what the real impact of the
> MyDoom-generated denial of service was on SCO.

I find it curious that with about a week's notice of the actions of the
MyDoom.A payload, SCO found it impossible to prepare an effective strategy
in advance of the attack.  I also find it somewhat curious (but anecdotal)
that all of the MyDoom infected e-mail messages received on my personal POP
account ~appeared~ to be sourced from the allwest.com domain, with admin
contacts listed as physically located in Utah.  As a result of the nature of
the MyDoom.A payload and of the consequent reward offered by SCO, Darl
McBride and his misbegotten (IMO) anti-Linux campaign have received a great
deal of publicity and a reprieve from what appeared to be an imminent slip
from the public consciousness.  A cynical person (not I, heaven forfend)
might be tempted to speculate whether SCO could have been involved in the
release of the worm, or at best, played willing victim.


Don't rely on Social Security Numbers — AGAIN!

<"Robert Ellis Smith" <ellis84@rcn.com>>
Mon, 9 Feb 2004 09:42:50 -0500

Terry Ward in RISKS-23.17 reports that to cancel another person's insurance,
credit, etc., "I simply presented a plausible sounding story, knew his
social security number ***"

And yet lots of professionals and private citizens still think that the key
to preventing identity theft is MORE reliance on Social Security numbers.
The reality is that SSNs are no longer private bits of information, if they
ever were, and no longer serve to authenticate an individual's identity. So
each of us has to cease going along with this deceit.
Robert Ellis Smith, Privacy Journal


Re: UK data protection laws ... Unintended Consequences (R-23.14,15)

<R M Crorie <risks@crorie.com>>
Tue, 03 Feb 2004 21:58:35 -0000

Mark Brader states (RISKS-23.15):

> It's for failing to get the criminal tried and convicted back then.  And
> even this is only true if the earlier alleged offenses were genuine.

Errrmm... and even if "genuine" (=true?), how would they achieve that,
precisely? If there was insufficient evidence to pass the first
(evidential) test by which Branch Crown Prosecutors decide whether or not
to prosecute, presumably the recommendation here is to manufacture
more...?  :-)

> For police, it *is* reasonable to consider that someone previously
> suspected should be suspected again: this is all right precisely because a
> police suspect is not, ipso facto, a criminal.

But that is at the heart of the argument: to know about the previous
suspicion, the data about the (unsubstantiated) allegation would need to be
retained for that purpose, which is precisely what is not *explicitly*
provided for in the Act.  My understanding is that the Information
Commissioner was already pressing two other forces to delete data for that
very reason, i.e. some non-conviction information was being retained by them
for "longer than necessary", but there is nothing to explain what
"necessary" actually means — in fact, the only explicit guidance is that it
was, and is, for forces themselves to make that decision!

In any event, any evidence supporting the allegation(s) not proceeded with
is completely inadmissible in proceedings for any new allegation.  That's
the way society has made the rules, that's the way they are followed.

Damned if you do, and damned if you don't...


An interesting spam-filter risk

<Geoff Kuenning <geoff@cs.hmc.edu>>
Mon, 9 Feb 2004 12:09:12 -0800 (PST)

I'm a member of a mailing list in which one of the members has chosen to
sign up for one of those "identity verification" services for preventing
spam.  Every time anybody sends to the list, we get an autoresponse from
"roberto@riskfreemail.com", who asks us to go out of our way to prove that
we're humans.

The RISKs of this approach are well known, and most list maintainers (PGN
included) refuse to allow subscribers to use these services.

The problem in the current case is that nobody can figure out which of our
950+ subscribers is the culprit!  That has led one member to propose that a
group of volunteers divide up the subscriber list and send test e-mails to
people until we discover one that produces the annoying bounce.

Geoff Kuenning   geoff@cs.hmc.edu   http://www.cs.hmc.edu/~geoff/


NSF: Science of Design

<Gene Spafford <spaf@cerias.purdue.edu>>
Wed, 11 Feb 2004 11:18:48 -0500

This message is to inform you that a new NSF funding opportunity called
SCIENCE OF DESIGN [Solicitation NSF 04-552] has been posted by the CISE
Directorate. The CISE web page (http://www.cise.nsf.gov) has a link to the
program page under "CISE FY04 Emphases" and there is additional information
under "Hot Topics" on the CISE web page.  [See the Program URL:
  http://www.cise.nsf.gov/funding/pgm_display.cfm?pub_id=13078]

The goal of this solicitation is to stimulate research and education
projects that build the Science of Design. This solicitation focuses on the
scientific study of the design of software-intensive systems that perform
computing, communications and information processing. Complex
interdependencies strain our ability to create, maintain, comprehend and
control these systems. The Science of Design seeks to rectify this situation
by building a foundation for the systematic creation of software-intensive
systems. This foundation will consist of a body of theoretical and empirical
knowledge on design, computational methods and tools for design, and new
design curriculum for the next generation of designers.

Sol J. Greenspan, Ph.D., Chair, Science of Design Coordinating Group
Directorate for Computer and Information Science and Engineering  [PGN-ed]

  [If you have learned anything from reading RISKS, it might be quite
  relevant here!  PGN]
