The RISKS Digest
Volume 23 Issue 35

Tuesday, 4th May 2004

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Please try the URL privacy information feature enabled by clicking the flashlight icon above. This will reveal two icons after each link the body of the digest. The shield takes you to a breakdown of Terms of Service for the site - however only a small number of sites are covered at the moment. The flashlight take you to an analysis of the various trackers etc. that the linked site delivers. Please let the website maintainer know if you find this useful or not. As a RISKS reader, you will probably not be surprised by what is revealed…


Computer glitch grounds Atlanta flights
Fredric Rice
TurboTax electronic filing option fails to send AMT Form 6251
Richard Mason
California bans e-vote machines
Kim Zetter via Monty Solomon
Ireland scraps electronic voting plans
Brent M.P. Beleskey
Sydney trains disrupted by software glitch
John Colville
Self-referential Patriot Act suppression of law suit
Millions of lost revenue from faulty speed cameras
Bertrand Meyer
Sasser worm is latest threat
Antivirus software prolongs viral life
Geoff Kuenning
Sasser eyed over train outage
New identity-theft scam
Geoff Kuenning
Gas explosion creates confidential litter
Sarah Hollins
Hybrid vehicles may be hazardous to rescuers' health
Joe Thompson
TCP, BGP, DoS, and BS
Rob Slade
Florida sues AT&T for billing errors
Frank Carey
Re: Traffic Signal Controllers
Jay R. Ashworth
FREEDOM 2.0, Washington, DC, 20-22 May 2004
REVIEW: "Non-Repudiation in Electronic Commerce", Jianying Zhou
Rob Slade
Info on RISKS (comp.risks)

Computer glitch grounds Atlanta flights

Tue, 4 May 2004 10:27:35 -0700

  A computer glitch kept Atlanta-bound Delta Air Lines flights on the ground
  for about two hours Saturday, but the company was gradually restoring
  service to its main hub.

  Delta told the Federal Aviation Administration it had a problem with
  dispatch computers, which calculate weight and balance and handle
  information related to preparation for flight, plus gate information, FAA
  spokeswoman Kathleen Bergen said.

Sounds reassuring.

TurboTax electronic filing option fails to send AMT Form 6251

<"Richard Mason" <>>
Tue, 4 May 2004 10:31:45 -0700

For taxpayers who do not owe Alternative Minimum Tax (AMT), but may have
sufficient items on their tax returns to require the preparation of Form
6251, TurboTax when using the electronic filing option does not send the
Form 6251. This has prompted refund delays and letters from the IRS
requesting the Form 6251 to be faxed or mailed. The number of taxpayers that
have this problem is not known, but may be significant.

Richard Mason, Assistant Professor, MAcc Program Director, University of
Nevada, Reno, College of Business Administration Reno, NV 89557 1-775-784-6886

California bans e-vote machines (Kim Zetter)

<Monty Solomon <>>
Sat, 1 May 2004 00:40:39 -0400

[Source: Kim Zetter,, 30 Apr 2004]

California Secretary of State Kevin Shelley ended five months of speculation
and announced on 30 Apr 2004 that he was decertifying all electronic
touch-screen voting machines in the state due to security concerns and lack
of voter confidence.  He also said that he was passing along evidence to the
state's attorney general to bring criminal and civil charges against
voting-machine-maker Diebold Election Systems for fraud.  "We will not
tolerate deceitful tactics as engaged in by Diebold and we must send a clear
and compelling message to the rest of the industry: Don't try to pull a fast
one on the voters of California because there will be consequences if you
do," he said.  Shelley said the ban on touch-screen machines would stay in
effect unless and until specific security measures could be put in place to
safeguard the November vote.,2645,63298,00.html

Ireland scraps electronic voting plans

<"Brent M.P. Beleskey" <>>
Tue, 4 May 2004 13:14:49 -0400

The Government has been forced to make an embarrassing U-turn on its
electronic voting plans.  Environment Minister Martin Cullen issued a
statement saying that plans to introduce electronic voting in all
constituencies for the local and European elections this June were being
scrapped, after the independent Electronic Voting Commission said the system
was open to potential interference and its accuracy could not be guaranteed,
and said it could not recommend the introduction of such a system.
[Source: PGN-ed from 30 Apr 2004 item]

Sydney trains disrupted by software glitch (Joseph Kerr)

Mon, 3 May 2004 09:09:20 +1000

[Source: CityRail gremlin could strike any day, Joseph Kerr, Transport
Reporter, *Sydney Morning Herald*, 3 May 2004: PGN-ed]

A mysterious computer software glitch halted half of Sydney's rail fleet on
2 May 2004.  Rail officials admit they do not know what caused the breakdown
in the system that keeps train drivers connected through a radio network,
but it left as many as 50,000 of the usual 300,000 Sunday train travellers
stranded for up to two hours.  While the computer network was fixed by
1.50pm, the gremlin wasn't found, leaving open the possibility of a repeat
performance on any given weekday — when up to 950,000 commuters could be
thrown into chaos.

The Glenbrook rail disaster inquiry recommended that all trains needed radio
communication.  According to a CityRail spokeswoman, Jane Lavender, the
radios on most suburban trains are connected to a central computer so rail
control and other workers can be constantly aware of the location of every

Red-eyed technicians had worked through Saturday night and much of yesterday
to repair the computer fault. But CityRail train drivers arriving at work in
the morning found their radios would not communicate properly with central
control.  Realising this, RailCorp officials decided about 5am to switch to
alternative communications: the mobile phones and pagers carried by every
train guard.

RailCorp's chief executive officer, Vince Graham, admitted it took some time
to switch over and this caused train delays, and that the impact would have
been much more grave on a weekday.  CityRail called in 109 buses to replace
the cancelled trains yesterday. It made announcements through the morning
calling on passengers to avoid trains if they could, delay their journey or
"make their own arrangements".

John Colville, Dept of Computer Systems, University of Technology, Sydney,
PO Box 123, Broadway NSW Australia 2007 +61-2-9514-1854

Self-referential Patriot Act suppression of law suit (Dan Eggen)

<"Peter G. Neumann" <>>
Tue, 4 May 2004 11:46:52 PDT

The American Civil Liberties Union disclosed on 28 Apr 2004 that it filed a
lawsuit on 6 Apr 2004 challenging the FBI's methods of obtaining many
business records, but the group was barred from revealing even the existence
of the case until now, to avoid violating secrecy rules contained in the USA
Patriot Act.  The ACLU was allowed to release a redacted version of the
lawsuit only after weeks of negotiations with the government.  The ACLU
alleges that a section of the act is unconstitutional because it allows the
FBI to request financial records and other documents from businesses without
a warrant or judicial approval.  The group also says such requests are being
used much more broadly than they were before the Patriot Act.
[Source: Patriot Act Suppresses News Of Challenge to Patriot Act
Dan Eggen, *The Washington Post*, 29 Apr 2004 (Page A17); PGN-ed]

Millions of lost revenue from faulty speed cameras

<Bertrand Meyer <>>
Sat, 01 May 2004 14:44:42 +0200

Given the attention this story has been commanding in Australia, I was
surprised to find no record in RISKS. The country is proud of its strictness
in enforcing speed rules, sometimes fining motorists for driving one
kilometer above the posted limit (however absurd that sounds). The state of
Victoria has numerous speed cameras.  Last year their accuracy was
questioned after reports that a truck with a maximum speed of 140 km/h was
caught traveling at 164 km/h, and other similar incidents. After the first
such report the Assistant Commissioner said (Melbourne Age, 11 Nov 2003):

  "There's no evidence to support that any of the other cameras are
  malfunctioning [...] in any other way,"

but he later had to change to:

   "It's embarrassing for everybody... Technology is technology and I think
  we have had indications where it doesn't say the right thing."

The state government then ordered tests of all the cameras in the system,
and had to suspend fines from all fixed cameras. According to the Age of 29
April 2004, the problems were supposed to "take six weeks to fix" but:

  almost six months after the State Government suspended the issuing of
  fines from Victoria's fixed speed cameras, problems with the cameras are
  still unresolved [...] A State Government spokesman confirmed yesterday
  that the 47 fixed cameras were still under review.  He was unable to say
  when the issue would be resolved.

More than 40,000 fines notified to motorists have been suspended until the
results are in. This represents a total sum of over six million Australian

For details:
(30 Apr 2004)
(29 Apr 2004)
(11 Nov 2003)

Bertrand Meyer
ETH Zurich / Eiffel Software  — http: //

Sasser worm is latest threat

<"NewsScan" <>>
Mon, 03 May 2004 09:57:37 -0700

A fast spreading worm known as "Sasser" surfaced over the weekend and is
making its way around the globe, warn computer security experts at Finland's
F-Secure. The worm shares many characteristics with the Blaster worm that
infected hundreds of thousands of PCs last year, says F-Secure antivirus
research director Mikko Hypponen, who notes that both worms exploit
relatively new holes in the Windows operating system and frequently cause
computers to repeatedly reboot. However, this time more companies appear to
be ready to take preventive action, which may mitigate Sasser's damage
potential. "With Sasser it seems that companies are (using software) patches
better and more quickly than last year (with Blaster), but for those that
are hit, they are hit hard," says Hypponen, who adds that he believes Sasser
originated in Russia. The worm does not need to be activated by
double-clicking on an attachment and can strike even if no one is using the
PC at the time.  [Reuters/*The Washington Post*, 3 May 2004; NewsScan Daily,
3 May 2004]

Antivirus software prolongs viral life

<Geoff Kuenning <>>
Mon, 3 May 2004 16:03:38 -0700 (PDT)

I was reading up on the Sasser worm this afternoon and came across the
following rather interesting recommendation on Symantec's Web site:

2. To disable System Restore (Windows XP) If you are running Windows XP, we
   recommend that you temporarily turn off System Restore. Windows XP uses
   this feature, which is enabled by default, to restore the files on your
   computer in case they become damaged. If a virus, worm, or Trojan infects
   a computer, System Restore may back up the virus, worm, or Trojan on the

   Windows prevents outside programs, including antivirus programs, from
   modifying System Restore. Therefore, antivirus programs or tools cannot
   remove threats in the System Restore folder. As a result, System Restore
   has the potential of restoring an infected file on your computer, even
   after you have cleaned the infected files from all the other locations.

   Also, a virus scan may detect a threat in the System Restore folder even
   though you have removed the threat.

   For instructions on how to turn off System Restore, read your Windows
   documentation, or "How to turn off or turn on Windows XP System Restore"
   Note: When you are completely finished with the removal procedure and are
   satisfied that the threat has been removed, re-enable System Restore by
   following the instructions in the aforementioned documents.

Clearly, the "System Restore" feature has not been carefully thought out!

Geoff Kuenning

Sasser eyed over train outage

<"NewsScan" <>>
Tue, 04 May 2004 08:17:36 -0700

In Australia, RailCorp has dispatched software engineers to find the source
of the outage that left up to 300,000 commuters stranded yesterday, saying
the new Sasser worm, which has already spawned two variants, is being
evaluated as a possible cause. A RailCorp spokesman confirmed that software
engineers were investigating the problem, which prevented drivers from
talking to signal boxes. A virus attack was one possibility being
investigated. RailCorp was unable to confirm when the investigation would be
complete.  RailCorp chief executive Vince Graham raised the possibility of a
virus attack at a press briefing yesterday: "There is no evidence that
hacking is an issue here, the viral infection could have been introduced by
one of our own people not taking sufficient care."  [*The Australian*, 3 May
2004 (Received from John Lamp, Deakin Univ.); NewsScan Daily, 4 May 2004],7204,9455677%5E15306%5E%5Enbv%5E,00.html

New identity-theft scam

<Geoff Kuenning <>>
Thu, 29 Apr 2004 16:50:54 -0700 (PDT)

Our campus just received word of a sophisticated new identity-theft scam:

> The other night, a woman was outside Collins Hall offering pre-paid phone
> cards and T-shirts to students who filled out and signed a form and let her
> take a digital picture of their drivers' licenses. Apparently, when Campus
> Safety arrived, she told them she was from the Alumni Association. One
> student later pressed her about it and she left, but he believed she had
> gotten information (including photos of licenses) from several students by
> that point.

Wow.  Geoff Kuenning

Gas explosion creates confidential litter

<Sarah Hollins <>>
Sun, 2 May 2004 06:37:54 -0700

Both the Disaster Recovery Guide and the ISO 17799 Newsletter report a story
of a major banking group getting major business continuity issues right, but
the small details badly wrong. There's an irony to it somewhere.

They had been diligent in spending time and money on their disaster recovery
planning operation. Indeed, it went swimmingly well when a gas explosion
occurred in their offices on a Sunday afternoon.

Recovery from the actual damage was swift, but not from the fall out from,
of all things, staff leaving papers and documents on desks! These, which
included confidential information on customer accounts, where scattered
throughout the streets for days afterwards.

The risks of not locking away sensitive materials manifested themselves in a
most unexpected and spectacular way.


Hybrid vehicles may be hazardous to rescuers' health

<"Joe Thompson" <>>
Wed, 05 May 2004 02:44:20 +0800

As reported by CNN from AP, hybrid vehicles pose special concerns for
accident responders:

"Chris Peterson, a service training instructor for Toyota, said the Prius'
electric system should shut down if anything goes wrong. 'There should not
be high voltage in those cables, but I'm not going to stand up and say there
isn't,' he said."

Apparently various hybrids run high-voltage power cables through places
rescuers normally use to disassemble vehicles in emergencies, like doors.
Also, there appears to have been no or little thought given to the necessity
to quickly cut power for such purposes — the standard advice noted in the
article is to turn off the key and disconnect the battery, but if you can't
do that, no one seems to have any good ideas besides "watch where you put
that thing."

Can anyone in the audience with auto-engineering experience give an idea of
the extent to which making things easy for rescuers is incorporated into
vehicle design? — Joe

[Joe added a note just as this issue was going out:]

Slashdot picked up the story later this afternoon and in all the discussion,
the following points emerged:

* Many people, some Prius owners and some not, assert that the high-voltage
  does not actually run through the doors, but along the frame rails.

* Many people point out that the biggest hazard in hybrid cars is the risk
  of delayed airbag detonation while rescuers are cutting apart the car.
  This risk exists for modern non-hybrids just as much as hybrids.

The question I ended with, though, still seems relevant in light of that
last point: when designing vehicles, how much, if any, thought is given to
the safety of everyone involved *after* an accident? — Joe

  [last url split:

TCP, BGP, DoS, and BS

<Rob Slade <>>
Thu, 22 Apr 2004 13:07:33 -0800

The sky is falling!  We're all going to die!

No, it's not.  No, we're not

The latest "death of the net" rumour has to do with a recent paper that
discusses the fact that something called "session hijacking" can be used to
force an end to a specific connection (connected sessions over the Internet
use an arrangement called TCP).  If the session is ended or disconnected,
you will be effectively denied the service you were attempting to obtain.
Connected sessions are used for everything from transferring files to
connecting to the Internet in special ways to virtual private networks.
Sometimes they are used to transfer information between the machines that
decide where Internet traffic goes (called routers).  If the routers can't
keep up to date, the Internet will not be as effective as it should be.

So you will have heard that there is a new threat to the Internet, that it
is a denial of service attack, that it can disconnect you from the net, that
it can kill your sessions, that it affects the routers (and a router
protocol called BGP), and that sessions can be hijacked.

None of this is new.  What is new is a paper that was originally presented
in England, caught the attention of the media there, and has spread, kinda
like a hoax virus warning, from media outlets to bandwagon jumpers in the
security field and back to the media, around the world.

Denial of service attacks are not new.  Session hijacking is not new.  Using
TCP resets and session hijacking in combination has not been used in
specific attacks before, but all the parts of this attack are well known to
people who deal with such things.  There are even ways to protect against
this attack, and some institutions use them.

So, rather than talking about the death of the net, and "The Man Who Saved
the Internet":
  Net not dead, but was coughing up blood last night.  Phlegm at 11.    or

Florida sues AT&T for billing errors

<Frank Carey <>>
Sat, 1 May 2004 19:52:31 EDT

Florida Attorney General Charlie Christ is suing AT&T, accusing the giant of
overcharging for long distance service and billing people who are not even
AT&T customers.  A week ago Christ issued a consumer alert urging all
telephone customers to check their bills carefully for possible billing
errors by AT&T.  Since the alert was issued, more than 600 Florida residents
have contacted Christ's office.  Christ is seeking up to $10,000 restitution
for each allegation of wrong billing.  He also said the company violated the
state's unfair and deceptive business law.  Company officials have
acknowledged that a computer problem erroneously assessed long distance
charges on the bills of one million people nationwide.  [Source: Associated
Press, *Florida Today*, 1 May 2004, p. 10B]

Re: Traffic Signal Controllers (Perry, RISKS-23.34)

<"Jay R. Ashworth" <>>
Sat, 1 May 2004 11:30:28 -0400

> shouldn't there be a failsafe that wouldn't allow two greens no matter what?

And the answer, of course, is yes.  When I was growing up, my dad was a
traffic and parking coordination officer for the City of Boston,
Massachusetts.  Among his duties was interacting with contractors who did
sign and signal work for the city, which, in addition to resulting in some
pretty cool tchotchkes for a 10 year old, gave me the opportunity to feed
the Elephant's Child, and that was one of the questions I asked.

At least in that (late 70's) generation of controllers, yes, there was a
physical interlock: the clocked drum on those motor-driven controllers
switched the light heads through relays, as opposed to directly, and the
wiring of the relays was such that it was not physically possible to cause
the controller to display opposing greens, unless you managed to have *two*
stuck relays — it might even have been three.

Jay R. Ashworth, Member of the Technical Staff Baylink The Suncoast Freenet
Tampa Bay, Florida +1 727 647 1274

FREEDOM 2.0, Washington, DC, 20-22 May 2004

<EPIC News <>>
Mon, 3 May 2004 18:24:37 -0400

Freedom 2.0: Distributed Democracy, Dialogue for a Connected World
The Washington Club in Washington, DC, 20-22 May 2004

  (Early registration deadline deadline 5 May.)
Special conference events include
  and Spy Museum

Confirmed speakers include: Anita L. Allen, David Banisar, Ann Bartow,
Francesca Bignami, James Boyle, David Burnham, Vinton G. Cerf, Enrique
Chaparro, David Chaum, Julie E. Cohen, Lillie Coney, Amitai Etzioni, David
J. Farber, David H. Flaherty, Oscar H. Gandy, Deborah Hurley, Jerry Kang,
Ian R. Kerr, Judith F. Krug, Elizabeth Longworth, Gary Marx, Pedro
Mendizábal, Mary Minow, Peter G. Neumann, Stephanie Perrin, Katitza
Rodriguez, Pamela Samuelson, Paul M. Schwartz, Bruce Schneier, Barbara
Simons, Brooke Singer and Jamie Schulte (SWIPE), Robert Ellis Smith, Daniel
J. Solove, Edward G. Viltz, Paul Wolfson.

REVIEW: "Non-Repudiation in Electronic Commerce", Jianying Zhou

<Rob Slade <>>
Tue, 20 Apr 2004 08:46:21 -0800

BKNNRPDT.RVW   20031205

"Non-Repudiation in Electronic Commerce", Jianying Zhou, 2001,
1-58053-247-0, U$89.00/C$131.95
%A   Jianying Zhou
%C   685 Canton St., Norwood, MA   02062
%D   2001
%G   1-58053-247-0
%I   Artech House/Horizon
%O   U$89.00/C$131.95 617-769-9750 800-225-9977 fax: +1-617-769-6334
%P   200 p.
%T   "Non-Repudiation in Electronic Commerce"

The preface outlines non-repudiation as a security service in its own right,
with supporting requirements, rather than an effect of another security
mechanism.  This position is in rather interesting contrast to most works
that tag non-repudiation onto the list of functions that can be accomplished
by asymmetric (public key) cryptography: a benefit, but a bit of an

Chapter one gives us an introduction to the basics of non-repudiation, in
both electronic mail and electronic commerce.  Various parties to a
transaction, the means, requirements, and forms of evidence all make up the
fundamentals of non-repudiation in chapter two.  Digital signatures are the
traditional, but not the only way to prevent repudiation of a transaction or
message, and chapter three examines four approaches for maintaining their
validity.  Chapter four investigates the concept of fairness in a
non-repudiation system, ensuring that where the transaction is not completed
neither side is able to obtain an advantage over the other.  In general,
fairness requires either gradual disclosure (in an ad hoc situation) or the
involvement of a trusted third party.  Specific "Fair" protocols are
reviewed in chapter five.  Chapter six looks at the ISO's (International
Standards Organization) non-repudiation mechanisms.  Case studies of the
detailed requirements and proposed protocols for an online lottery (which
also involves anonymity) and mobile (wireless) billing are in chapter seven.
Chapter eight has a summary of the main points in the book, and appendix A
deals with formal verification of non-repudiation.

A detailed and interesting account of a rather neglected but important

copyright Robert M. Slade, 2003   BKNNRPDT.RVW   20031205    or

Please report problems with the web pages to the maintainer