The RISKS Digest
Volume 23 Issue 19

Wednesday, 18th February 2004

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Please try the URL privacy information feature enabled by clicking the flashlight icon above. This will reveal two icons after each link the body of the digest. The shield takes you to a breakdown of Terms of Service for the site - however only a small number of sites are covered at the moment. The flashlight take you to an analysis of the various trackers etc. that the linked site delivers. Please let the website maintainer know if you find this useful or not. As a RISKS reader, you will probably not be surprised by what is revealed…


Mississippi voids November 2003 e-vote election for errors
Steve Corrick
Canadian medical tests give reversed results
Danny Burstein
911 mistake: Wisconsin rescuers go to wrong town; victim dies
David LaRue
Interesting device to steal ATM accounts
Mabry Tyson
Officials Say Mob Stole $200 Million Using Phone Bills
William K Rashbaum via Monty Solomon
Amazon reviewers identified — as the authors!
Alleged Trojan horse in Israeli anti-ballistic missile system
Gadi Evron
GAO Report Warns of Airline Security Shortcomings
Lillie Coney
GE says blackout bug patched
Kevin L. Poulsen
Strategic planning for VeriSign restart of "Site Finder"
Lauren Weinstein
FTC warning about private no-spam registry
TiVo's privacy policy
Terence Eden
Re: Privatization vs privacy
Challenge/Response spam blocking
Thomas Harrington
Social Security number as identity: not secure
Carl Fink
Re: Spirit Rover humbled
Timothy Prodin
Sputnik & garage door openers
Kyle York
Re: SPF and its critics
Lawrence Kestenbaum
Exploiting software
Gary McGraw
Info on RISKS (comp.risks)

Mississippi voids November 2003 e-vote election for errors

Sun, 15 Feb 2004 08:52:44 EST

  [via Rebecca Mercuri <>   PGN]

So the election machine companies say no one has every proved vote fraud on
the voting machines. However, the same cannot be said of massive machine
error.  Here's a real clincher to the line about voting machines being the
safest, most secure form of voting ever devised.

Mississippi Senate Declares Last November's Election Invalid

In the November 2003 election, Hinds County, Mississippi used the WINnVote
touchscreen machine (the same as the one used in Fairfax County, Virginia
disastrous election). Poll workers had trouble starting the machines, some
of the machines overheated and had to be taken out of service, poll workers
were scrambling to find enough paper ballots, and many voters left with
polls without voting because of the long delays.

The problems were investigated by a Mississippi Senate committee, and on
January 19, it recommended invalidating the outcome of the race for the
District 91 Senate seat and holding the election over. Two days later, the
Senate approved the recommendation. The new election is set for February 10.
The last we heard the Democratic candidate, Dewayne Thomas, was considering
pulling out of the race and conceding to his opponent, Richard White. We
hope Thomas doesn't allow faulty machines to determine an outcome that
should be decided by the voters.

Oh, and just for good measure...

  Venezuela had to cancel its 2000 national election because of voting
  machine problems

Let all our votes be counted,

Steve Corrick <>

Canadian medical tests give reversed results

<danny burstein <>>
Fri, 7 Nov 2003 23:50:38 -0500 (EST)

  [Apologies to Danny for this item taking so long to surface.  PGN]

About 3,000 people got opposite results when they were tested for gonorrhea
and chlamydia over an 18-month period.  Because of a faulty diagnostic
machine in Cranbrook (southeastern British Columbia), positive and negative
test results for the two sexually transmitted diseases were reversed.

About 3,000 people were tested. The 83 that were positive were incorrectly
told they were clean. The 2,900 or so that were negative were told they were
positive and were given the standard treatments.  From a health standpoint
the 83 sick folks come out the worst, because their treatment was delayed
for months or years. But even the folk who were well went through the drug
protocols and other exams and treatments — which have their own secondary
effects, plus, of course, the social/inter-personal problems which being
(mis)diagnosed with an STD will cause, especially with regard to patient
partner tracking.

One Would Have Thought that someone in the medical office or the lab or the
insurance or the pharmacy or somewhere..., looking at 3,000 test results,
would have quickly noticed that instead of finding a positive rate of 3%
these tests were coming back at 97%. One would Also Have Thought that enough
of these people would have gotten a second set of tests so as to raise
eyebrows a lot earlier.

[Thousands Given Wrong STD Results (Associated Press, 30 Oct 2003; PGN-ed
from Danny's initial abstracting]

Also, see US Gov't FDA recall notice (which suggests there were similar
incidents in other places) :

Canadian local coverage:

911 mistake: Wisconsin rescuers go to wrong town; victim dies

<"David LaRue" <Huey.DLL@GTE.Net>>
Thu, 12 Feb 2004 23:26:15 -0500 (EST)

Rescue personnel from the Neenah-Menasha Fire Rescue service responded to a
911 emergency call for a possible heart attack victim within two minutes.
However, it was the right address in the wrong town.  (Both towns had the
identical address.)  [Source: An AP article (from the *Star Tribune*,
datelined Neenah, Wisconsin) PGN-ed.]

Whereas there are procedures and database checks to prevent incorrect
locations in the 911 databases, it is still possible for neighboring cities
to have identical addresses.  The risks here are that the data may look
correct and even validate, but still be wrong.

  [We have reported at least one similar case previously.  PGN]

Interesting device to steal ATM accounts

<Mabry Tyson <Tyson@AI.SRI.COM>>
Fri, 13 Feb 2004 16:40:46 -0800

Bank ATMs Converted to Steal Bank Customer IDs

A team of organized criminals is installing equipment on legitimate bank
ATMs in at least 2 regions to steal both the ATM card number and the
PIN. The team sits nearby in a car receiving the information transmitted
wirelessly over weekends and evenings from equipment they install on the
front of the ATM (see photos). If you see an attachment like this, do not
use the ATM and report it immediately to the bank using the 800 number or
phone on the front of the ATM.

The equipment used to capture your ATM card number and PIN is cleverly
disguised to look like normal ATM equipment. A "skimmer" is mounted to the
front of the normal ATM card slot that reads the ATM card number and
transmits it to the criminals sitting in a nearby car.

At the same time, a wireless camera is disguised to look like a leaflet
holder and is mounted in a position to view ATM PIN entries.

The thieves copy the cards and use the PIN numbers to withdraw thousands
from many accounts in a very short time directly from the bank ATM.

Officials Say Mob Stole $200 Million Using Phone Bills (Rashbaum)

<Monty Solomon <>>
Thu, 12 Feb 2004 03:11:31 -0500

New York organized crime figures reportedly bilked millions of unsuspecting
consumers out of more than $200 million over five years by piggybacking
bogus charges on their telephone bills ("cramming").  [Source: William
K. Rashbaum, *The New York Times*, 11 Feb 2004; PGN-ed]

Amazon reviewers identified — as the authors! (NewsScan)

<"NewsScan" <>>
Tue, 17 Feb 2004 07:59:24 -0700

Authors in the news — unintentionally

A software glitch exposed the real identities of book reviewers at Amazon's
Canadian Web site — thereby revealing that some authors are in the practice
of posting anonymous glowing reviews of their own work.  [Surprise.]  One
defender of the practice is author John Rechy, who wrote a favorable review
of his latest book, posting the review anonymously as "A Reader From
Chicago."  Rechy says: "That anybody is allowed to come in and anonymously
trash a book to me is absurd.  How to strike back?  Just go in and rebut
every single one of them."  The glitch has since been unglitched.  [AP/*San
Jose Mercury News*, 14 Feb 2004; NewsScan Daily, 17 Feb 2004]

Alleged Trojan horse in Israeli anti-ballistic missile system

<Gadi Evron <>>
Wed, 18 Feb 2004 18:36:02 +0200

On 15 Feb 2004, an article appeared in one of Israel's leading newspapers,
*Maariv*, claiming a Trojan horse _might_ have been installed by Egypt in
the Israeli Arrow anti-ballistic missile system.  You can find an article I
wrote on the subject, specifying the known facts at:

Also  +972-50-428610 (Cell)

GAO Report Warns of Airline Security Shortcomings (*LATimes*)

<Lillie Coney <>>
Thu, 12 Feb 2004 10:23:30 -0500

In its report (released on 13 Feb 2004), a General Accounting Office study
notes that CAPPS II (intended to pick out potential terrorists from among
millions of air passengers) has run into "significant challenges" posing
"major risks" to its deployment and public acceptance.  Problems include
overall system reliability and false positives, and resolving the rights of
those falsely identified.  Passenger-provided information would be
outsourced to government contractors for analysis, the government would
check supposedly validated identities against a watch list, and the result
would be a green, yellow, or red risk rating for each would-be passenger.
Allegedly only about 4% would be rated yellow, and "an average of only one
or two people a day" would be rated red.  [Remember that even a 1% false
positive rate would mistakenly identify tens of thousands of travelers.]

"But the GAO report found that the agency has not adequately addressed seven
of eight concerns raised by Congress.  These include preventing abuses,
protecting privacy, creating an appeals process, assuring the accuracy of
passenger data, testing the system, preventing unauthorized access by
hackers and setting out clear policies for the system."  GAO investigators
concluded that, though the agency was making advances in all these areas,
progress was incomplete.  [Source: Ricardo Alonso-Zaldivar, *Los Angeles
Times*, 12 Feb 2004; PGN-ed],1,3293045.story

GE says blackout bug patched (Re: RISKS-23.18)

<"Kevin L. Poulsen" <>>
Thu, 12 Feb 2004 16:08:13 -0800

GE Energy has now acknowledged the bug reported by SecurityFocus earlier
this week ("Software bug contributed to blackout," RISKS-23.18).
The AP reports that the company says it distributed an advisory and a
fix to more than 100 utility customers last fall.

Strategic planning for VeriSign restart of "Site Finder"

<Lauren Weinstein <>>
Tue, 10 Feb 2004 17:17:27 PST

Given that VeriSign is strongly hinting that they'd like to soon restart
their notorious and disruptive Site Finder domain diversion scheme
I believe it would be prudent for the Internet community to begin
planning now for appropriate legal, business, and technical actions and
reactions for that or related possible eventualities.

The PFIR Forum on "E-Mail Issues, Problems, and Solutions":
is available immediately for this purpose as a starting point (even though
Site Finder issues transcend e-mail).  I can spin off a separate forum for
this discussion later if traffic and circumstances warrant it.  We need to be
discussing these issues now so that if and when VeriSign starts the clock on
a Site Finder reactivation we won't be blindsided again.

Also, any e-mail on this topic that is not suitable for the public
discussion forum is invited at:

Lauren Weinstein
Tel: +1 (818) 225-2800
>>> "The VeriSign Song": <<<

FTC warning about private no-spam registry

<"NewsScan" <>>
Tue, 17 Feb 2004 07:59:24 -0700

The Federal Trade Commission has cautioned computer users not to fall victim
a Web site claiming to offer an e-mail version of the federal do-not-call
registry.  Despite the official-looking appearance of the site's URL, the
"Do Not E-mail Registry" has no affiliation with the U.S. government, and is
apparently a scam for collecting e-mail addresses on behalf of spammers.
However, the site's operators say their registry serves "legitimate direct
marketers" who want to make sure their mailings don't go to spam opponents.
The e-mail addresses collected by the registry are made available to bulk
mailers in an encrypted form allowing them to check for any overlap with
their own mailing lists without seeing the actual addresses.  [*The
Washington Post*, 15 Feb 2004; NewsScan Daily, 17 Feb 2004]

TiVo's privacy policy

<Terence Eden>
Fri, 13 Feb 2004

TiVo has always been very open about its data retention policy.  It has the
ability to review every IR command sent to the box and can track what people
watch and how they watch certain programmes.  When signing up to the TiVo
service, people are explicitly asked if they want to opt-***IN*** to the
monitoring scheme.  Anecdotally, most people are happy to be monitored in
the hope of improving the quality of TV programming.

The RISK?  Assuming that all data retention is unasked for, unwarranted and

Re: Privatization vs privacy (Knauss, RISKS-23.18)

<Aaron <>>
Fri, 13 Feb 2004 17:27:07 -0700

> [The previous item] exemplifies some of the risks of allowing private
> corporations to manage sensitive data without adequate government oversight.

The item has nothing to do with government/private interaction, except
for the fact that it was a government/private interaction.

The risks apply to *any* sensitive database, public or private.  Should we
be asking for "adequate government oversight" of *private* databases?

Trying to get sensitive work done on the cheap, without oversight, without
verifying qualifications, is asking for trouble no matter who owns the
database, no matter what's in the database.  If the agency couldn't afford
proper maintenance, the solution should have been to not have the database
at all.

The current administration does not have a monopoly on stupidity; it's quite
abundant in the universe and easy to stumble over.  Politicizing the risk
only obscures the issue.

Challenge/Response spam blocking

<Thomas Harrington <>>
Thu, 12 Feb 2004 18:30:18 -0700

Many of you have probably noticed that people who use Earthlink can now
opt for a challenge/response spam-protection system.  As Earthlink
implements this, the first time you send an e-mail to someone using this
feature, you get an autoresponse directing you to a web page where
you're supposed to prove yourself to be human, providing your name and
optionally a short message.  Do so and the message goes through.

To defeat auto-completion of this web page by scripts they include an
image showing five random letters, which is distorted in the hope of
defeating OCR software.  You're supposed to type in the five letters in
a box in the web form.

Only those images aren't all that random.

Because of some business requirements I won't go into just now, I end
up confronting this page quite frequently.  And my web browser
auto-completes forms-- which is nice, since I'm inevitably filling in
the same information.  What's surprising is that when doing this, my
web browser often fills in the "random" image text correctly.  It's not
always right at first, but if I type the first letter (or sometimes the
first two), it completes the rest of the letters correctly.

Some experimenting indicates that in dozens of visits to this challenge
page, I've only seen about a dozen distinct "random" text images.  I hardly
ever type more than the first one or two letters showing anymore.  Getting
one of 12 right on a random guess is a low success rate by most measures.
But consider that the spammers who are supposed to be blocked by this are
already operating a business model where one success in several million is
reputedly enough to be profitable.

Addendum 15 Feb 2004: Challenge/Response spam blocking

I just wanted to add some additional information that's come to light in the
past few days.

1. Earthlink's challenge-response system seems to be buggy.  Today, despite
numerous attempts, it keeps telling me I've misread the letters image, for
multiple e-mails I'm trying to send.  I have a couple of customers at
Earthlink who are probably going to think I'm ignoring them, but Earthlink
is just not letting me send them messages.  After doing this a few times I
decided to try their help link for visually-impaired people (I'm not
visually impaired, but saw no other option).  This directed me to an online
web-based chat from which I was repeatedly disconnected until I gave up.
Hopefully this customer won't be too upset at what would look to him like
I'm not listening to him...  Right now Earthlink's spam-blocker is so
effective that it's preventing even legitimate e-mail from getting through.

2. As a side-effect of this I've discovered what happens if you enter the
image text incorrectly (or at least the server thinks you've entered it
incorrectly): You get to try again, apparently as many times as you like.
Given my previously-discovered non-randomness of the challenge images, it'd
be short work for a spammer to load up a script with a collection of correct
answers to the challenge, and just have it keep trying until it gets the
right one.  As I've described previously, the set of correct answers is very
small, so this would be nowhere near as challenging as a typical
dictionary-style attack.

Social Security number as identity: not secure

<Carl Fink <>>
Thu, 12 Feb 2004 22:01:35 -0500

I needed to use my corporate travel web site today, after not using it since
I first signed up.  As you might expect, I had forgotten my password.

To have a password mailed to me, I enter my user ID and request it.  No
problem, except the user ID is my Social Security number, and the password
is mailed back unencrypted.

In other words, anyone who knows my SSID and has access to the corporate
mail system can hijack my account.  My employer's travel web site is a
service of

Carl Fink <>

  [We've been over this topic many times here, but the message still
  needs to be reinforced.  PGN]

Re: Spirit Rover humbled (RISKS-23.15)

<"Prodin, Timothy (T.R.)" <>>
Tue, 03 Feb 2004 22:24:51 -0500

What the Rovers do not have is a simple precaution that would prevent the
continuous reset loop that Spirit went through.  A simple counter that
tracked the number of resets per Sol, the mission timekeeping unit, would
have allowed the Rover to degrade gracefully to an "Operator Intervention
Required" state.  The current strategy came close to putting Spirit into an
unrecoverable condition; cut into useful life of the mission; and, most
importantly, obscured valuable diagnostic information.

The RISK?  Using a reset to clear from unrecoverable errors can get you
in trouble if the reset does not clear the root cause of the error state.

Sputnik & garage door openers (Re: RISKS-23.18)

<Kyle York <>>
Tue, 17 Feb 2004 09:24:02 -0800

> Things have improved enormously since the early garage-door openers, many
> of which opened and closed each time the orbiting Russian Sputnik went
> overhead.  I have not noted that marvelous case here since RISKS-8.38,  PGN]

This piqued my curiosity so I thought I'd look around.  I've not found the
Sputnik/garage door opening to be more than an urban legend and was
wondering if you've references to the contrary.  Most of what I've found
seems to derive from the same source.  It seems sunspots are a more logical

  From alt.folklore.urban:

The full link if you're interested:

  The 20MHz frequency of Sputnik was not used for things like garage door
  openers, which probably used the 27MHz frequency band (the same one used
  by CB in later years). That band was allocated by the FCC for low-power
  devices (under 100 milliwatt), including remote controls, and cheap toy
  walkie-talkies. It continued to be used for walkie talkies after CB became
  big, but other remote-controlled devices were moved off this band up into
  the VHF frequencies after the CB craze hit.

  [Can anyone provide evidence that this is NOT an urban legend?  PGN]

Re: SPF and its critics (RISKS-23.18)

<Lawrence Kestenbaum <>>
Fri, 13 Feb 2004 01:49:33 -0500 (EST)

Ian Jackson and Markus Fleck-Graffe (in RISKS 23.18) offer some technical
criticisms of the SPF proposal.  I am not competent to judge the networking
pros and cons, but the e-mail system as it exists is most assuredly broken.

My e-mail address has been public for years, and appears on my web site,
which gets hundreds of thousands of visitors per month.  I get a steady
stream of unsolicited (yet valuable) personal mail from web site users.  And
I do get at least a couple hundred spam and virus/worm e-mails per day.  I

But the junk has suddenly reached a new level.

Starting in early January, some spamhaus started using my e-mail address in
the From: and Reply-to: lines of a large quantity of bulk messages
advertising a product claimed to change the size of a body part.  As a
result, I received thousands of bounce and rejection notices from all over
the world.  The flow diminished for a couple of days, then resumed in full
force, as the spammer sent out new waves of bulk mail, now advertising a
get-rich-quick scheme.  It's February 13 now, and the bounces are still
pouring in.

Of course the actual miscreant is hidden because the spams themselves are
originated from what are probably DSL or cable modem connected Windows
machines under remote control by the spammers.  For a while, I read headers
and sent complaints about obviously compromised machines to abuse@ the
applicable ISP, but some of those bounced, and most of the rest ignored me.
Of course a lot of the spam-bounce messages didn't send enough of the
headers back to even figure out who I could complain to.

Especially annoying are nastygrams from spam detection services, which
should know that spam headers are forged.  I have also received rejection
notices which announce that the e-mail was refused because it originated at
or forwarded through a spammer-compromised server — so why are they sending
ME a rejection notice?

On top of this came the MyDoom outbreak.  Almost every Windows-based virus
or worm scans browser caches for e-mail addresses, where (mostly) webmaster
addresses are to be found.  Therefore, when an outbreak occurs, anyone with
a popular web site suddenly gets thousands of copies of the latest plague.

I can cope with that.  But the malware ALSO uses the same list of found
addresses to forge From: lines.  Hence, thousands of virus/worm e-mails
generated in other places have my address in the header.  And when the
recipient isn't deliverable, thousands of bounce messages come to me, and
are obviously harder to filter out than the actual virus.

Worse yet are virus protection programs which generate autoreplies to the
forged address, to inform me that my server (a Unix box) is infected with
MyDoom.  Um, if your software is smart enough to recognize MyDoom (or any
other virus of recent years), why is it too dumb to know that the From: line
has nothing to do with the origin of the item?

The critics of SPF suggest that spammers would simply find or invent other
addresses to use.  Frankly, I don't care about that, so long as they stopped
plastering my personal address on hundreds of thousands of fraudulent and
disreputable spam messages and viruses, and clogging my server's net
connection with vast piles of misdirected bounces.

Lawrence Kestenbaum, P.O. Box 2563, Ann Arbor MI 48106,
The Political Graveyard,

Exploiting software

<"Gary McGraw" <>>
Wed, 18 Feb 2004 14:32:49 -0500

What are the RISKS of publishing a book on how to break software?  What are
the RISKS of pretending software exploits are really dumb and building lame
technology to "stop" them?  How do these RISKS trade off?  Judge for
yourself by reading *Exploiting Software* by Greg Hoglund and Gary McGraw
(Addison-Wesley 2004).

Early review:

Gary McGraw  CTO, Cigital

Please report problems with the web pages to the maintainer