The Risks Digest

The RISKS Digest

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Volume 23 Issue 39

Friday 28 May 2004

Contents

Air Force radios jamming garage-door openers in FL Panhandle
Paul Wexelblat
Boa triggers blackout in Honduras
M. Barnabas Luntzel
Online satire reported as truth
Jean L. Palmer
*Reason Magazine* custom covers
Charles Shapiro
New GAO Report on Government Data Mining
Barry Steinhardt via Dave Farber
Coming Soon: A Cellphone Directory
Jube Shiver Jr. via Monty Solomon
Maryland governor signs tough anti-spam law
Andy Sullivan via Monty Solomon
The Fight Against Spam, Part 3
F.J. de Kermadec via Monty Solomon
Now, two-thirds of all e-mail is spam
Bob Sullivan via Monty Solomon
Poor fallbacks on automated systems
Geoff Kuenning
Re: Ireland scraps electronic voting plans
Erling Kristiansen
'Pirate Act' raises civil rights concerns
Declan McCullagh
Re: New UK driving licence puts identity at risk
John Sawyer
Crash data recorders in cars
Fuzzy Logic
Re: FBI fingerprint screwup
Scott Miller
Risks of believing in testing, Re: GAO report
Chris Jewell
Re: Another method of password theft
A J Stiles
Banks don't understand phishing social risks
Michael Bacon
REVIEW: "The Teeth of the Tiger", Tom Clancy
Rob Slade
Info on RISKS (comp.risks)

Air Force radios jamming garage-door openers in FL Panhandle

<Paul Wexelblat <wex@cs.uml.edu>>
Wed, 19 May 2004 20:31:15 -0400

A new $5.5M military two-way radio system being tested at Eglin Air Force
Base in Florida is preventing garage doors from opening in the neighboring
communities of Niceville, Valparaiso and the Crestview area.  Motorola said
it will try to minimize the problem, altering the frequencies for the next
tests.  However, a news report suggests that homeowners "may have to change
the frequencies" on their remote controllers because the FCC indicates the
Air Force is operating within its licensed frequencies.  The problem is also
likely to propagate further: a similar system has been requested for the
Pensacola Naval Air Station and other bases.  [Source: AP item, *South
Florida Sun-Sentinel*, 19 May 2004; PGN-ed]

  Gee, if the avionics are jamming the garage door mechanisms, ya gotta
  wonder what the garage door openers are jamming.  PW


Boa triggers blackout in Honduras

<"M. Barnabas Luntzel" <mark@luntzel.com>>
Wed, 19 May 2004 16:44:58 -0700

A boa constrictor triggered a 15-minute nationwide blackout when it
slithered into a generator at a major hydroelectric plant that supplies 60%
of Honduras' electricity.  Power outages are common in Honduras; a failure
at the same dam left the nation without power for three hours in Sep 2003.
[Source: AP item from Tegucigalpa, 19 May 2004; PGN-ed.  Yes, the boa was
electrocuted, but earns the RISKS-archives size prize for animal-inspired
outages -- beating out the raccoons, rats, and 6 SRI squirrels.]
  http://www.sfgate.com/cgi-bin/article.cgi
  ?file=/news/archive/2004/05/19/international1934EDT0786.DTL


Online satire reported as truth

<"Palmer, Jean L." <jean.palmer@ngc.com>>
Fri, 28 May 2004 08:35:02 -0700

On 6 May 2004, the online satire magazine *The Daily Farce* ran a
tongue-in-cheek story saying that US Secretary of Defense Donald Rumsfeld
had banned the use of digital cameras in Iraq: "Donald Rumsfeld told
reporters in a press conference "those found guilty of following my orders,
I mean, of performing these acts will be tried and prosecuted by a jury as
effective as the one that prosecuted O.J. Simpson." He continued "Further,
to protect the Iraqi prisoners from any future abuses; any digital cameras,
camcorders, or cell phones with cameras are strictly prohibited anywhere in
any military compound in Iraq."
http://www.thedailyfarce.com/world.cfm?story=2004/05/world_moreabusepictures_05200400006

A few weeks later, someone picked this up and ran with it, rather than
recognizing it as a satire piece.  It reproduced and began appearing in news
media all over the world, especially overseas, as an established fact. A
search of Google News found it on at least 40 news sites, and a web search
found it on more than 4,000 sites.

Risks:
1. News organizations assuming that everything they read online must be true
2. Reporters using questionable sources for facts
3. (perhaps) Non-native english speakers not recognizing satire
4. Humans assuming that everything reported by a newspaper -- especially an
   online newspaper -- is fact.
Jean Palmer, Northrop Grumman  jean.palmer@ngc.com  1-410-993-2627

[5. Some folks might think it true, and are happy to pass it on as such.
 6. Some folks, knowing it is bogus, want to poke at the underlying situation.
 7. Some folks get fooled even on April Fools' Day.
and lots more.  PGN]


*Reason Magazine* custom covers

<Charles Shapiro <cshapiro@nubridges.com>>
28 May 2004 09:58:34 -0400

*Reason Magazine* (http://reason.com) got some coverage in both slashdot and
the New York Times for their May cover, which was tailored individually to
feature an aerial photo of the residence of and the name of each
subscriber. Alas, it looks like someone screwed up the columns in one of
their SQL queries. The article on the inside of the cover was intended to
give some more entertaining facts about the subscriber, but for me it said
"...the same information networks that tell me that 1.82% of your neighbors
have college degrees or that Rep Denise percent of the kids in your ZIP code
are cared for by their grandparents...".  I cannot tell whether the 1.82%
number is accurate, but I have my doubts. Denise Majette is my
representative, but I think they really wanted a number there. They also
mixed up the column headings on the table of demographic data printed at the
bottom of the inside cover, although the nature of the data there makes it
possible to sort out what number goes where. I'm most curious to know how
general these problems were in the print run, which featured close to 40,000
different covers.

This illustrates one of the many ways that you can screw up while using a
database to characterize your customers, clients or suspects. In this case
the consequences are minor, but a supermarket which guesses too wrong will
lose a lot of money, and a government could victimize exactly the wrong
people.


New GAO Report on Government Data Mining (via Dave Farber's IP)

<Barry Steinhardt <Bsteinhardt@aclu.org>>
May 27, 2004 1:10:03 PM EDT

A new report on "data mining" , which is being released today by the General
Accounting Office, reveals that practice is widespread in the the Federal
government and that there are, at least, four programs that may be accessing
and analyzing private-sector databases in ways that are reminiscent of the
Pentagon's Total Information Awareness Program.  The report was prepared at
the request of Senator Daniel Akaka of Hawaii.

The GAO's investigation uncovered 199 government uses of the statistical
analysis techniques known as data mining, 54 of which use private-sector
data.  Such information could include any data held in corporate or other
private hands, including credit-card records and Internet logs.

In an appendix to its report, the investigators listed those programs,
providing a brief description of each and indicating its purpose and whether
it contained personal information, or made use of private-sector data and
data from other government agencies.

The 4 programs of special concern are:

* Verity K2 Enterprise - Defense Intelligence Agency (DIA). Mines
  data "to identify foreign terrorists or U.S. citizens connected to
  foreign terrorism activities." (Page 30 of GAO report)
* Analyst Notebook I2 - Department of Homeland Security.
  "Correlates events and people to specific information." (p. 44)
* PATHFINDER - DIA.  "Can compare and search multiple large databases
  quickly" and "analyze government and private sector databases." (p. 30)
* Case Management Data Mart - DHS. "Assists in managing law
  enforcement cases" Using private-sector data. (p. 44)

According to the GAO descriptions, all four programs draw on private-sector
databases, contain personally identifiable information, and appear to
constitute dragnets on the general population.

Of course, many of the other programs listed by the GAO raise questions
about how they are using information, including private-sector information --
and the GAO's list did not include programs run by the Central Intelligence
Agency and the National Security Agency, which did not respond to its
requests for information.

The ACLU, together with the Electronic Privacy Information Center and the
Center for Democracy and Technology, today sent a joint letter to Senator
Akaka praising his efforts and the report.

The joint letter to Sen. Akaka is online at
http://www.aclu.org/Privacy/Privacy.cfm?ID=15858&c=130

The GAO [report] should be on their Web site shortly at http://www.gao.gov/.

Barry Steinhardt, Director Technology and Liberty, American Civil Liberties
Union (ACLU), 125 Broad Street, NYC 10004  www.aclu.org

  IP Archives: http://www.interesting-people.org/archives/interesting-people/


Coming Soon: A Cellphone Directory (Jube Shiver Jr.)

<Monty Solomon <monty@roscom.com>>
Fri, 21 May 2004 10:19:35 -0400

Privacy advocates fear consumers will face a flood of unwanted calls
and junk e-mail, Jube Shiver Jr., *Los Angeles Times*, 20 May 2004:

After years of anonymity, the numbers of most of the nation's mobile phones
will be compiled later this year in the first wireless directory.  The
database being assembled by the Cellular Telecommunications and Internet
Assn. is expected to include about 75% of the 163 million mobile phones in
the United States, making looking up a wireless number as easy as dialing
411. ...

http://www.latimes.com/la-fi-cellphones20may20,1,3236420.story

  [NO OPT OUT???  Beware!  PGN]


Maryland governor signs tough anti-spam law (Andy Sullivan)

<Monty Solomon <monty@roscom.com>>
Fri, 28 May 2004 08:59:37 -0400

[Source: Andy Sullivan, Reuters, 26 May 2004; PGN-ed]

Internet "spam" purveyors who hide behind false e-mail addresses could face
up to 10 years in jail and fines of $25,000 per day under The Maryland Spam
Deterrence Act signed on 26 May 2004 by Maryland Governor Robert Ehrlich.
The law allows state officials to arrest and fine those who engage in a
variety of deceptive tactics to send junk e-mail.

But one anti-spam activist said it would do little to stop the unsolicited
bulk messages that now account for up to 83 percent of all e-mail, because
most of those already violate anti-fraud laws.  ...

  http://finance.lycos.com/home/news/story.asp?story=41660480


The Fight Against Spam, Part 3

<Monty Solomon <monty@roscom.com>>
Mon, 24 May 2004 12:06:18 -0400

The Fight Against Spam, Part 3, by Francois Joseph de Kermadec, 21 May 2004

Editor's note: In part one, F.J. focused on laying the foundation for an
anti-spam strategy and he covered how to block most of your unwanted
mail. Then in part two, he fine-tuned this strategy, plus he took a closer
look at the technologies inside of Mail.app. Now in part three, the
conclusion of this series, F.J. covers rules and additional tools and
techniques you can use to avoid becoming buried in spam.  ...

http://www.macdevcenter.com/pub/a/mac/2004/05/21/spam_pt3.html


Now, two-thirds of all e-mail is spam (Bob Sullivan)

<Monty Solomon <monty@roscom.com>>
Sat, 22 May 2004 12:59:56 -0400

According to MessageLabs Inc., in its monitoring of e-mail traffic for 8500
customers in April 2004, spam accounted for two-thirds of all e-mail
traffic, and 80% of e-mail the United States.  The first figure was 50% a
year ago, and MessageLabs predicts 90% in another year.  [Source: Bob
Sullivan, MSNBC, 21 May 2004; PGN-ed]
  http://msnbc.msn.com/id/5032714/


Poor fallbacks on automated systems

<Geoff Kuenning <geoff@cs.hmc.edu>>
25 May 2004 01:33:20 -0700

I pay my bills through Paytrust.com.  They have a "feature" called
"SmartBalance", which attempts to infer the balance in your checking account
including allowances for outstanding checks.  Of course, this is possible
only if you never use an ATM, write a check outside their system, incur bank
service charges, etc., but that doesn't seem to bother them.  The
SmartBalance system requires that you provide them with the password to your
online banking account so that they can fetch current information.

A recently added misfeature tries to warn users if they are writing a check
that would overdraw their account.  So far, so good, despite the glaringly
unavoidable inaccuracies.  But if you haven't given them a password for your
bank account, they assume it's zero -- and then make you walk through a
"Please click OK" screen to "protect" you from the consequences of an
overdraft.

The RISKS are numerous:

* Assuming that you can make a valid calculation with partial information.
* Continuing with a calculation when some data is unavailable.
* Warning the user of an error condition when it is impossible to avoid
  false positives.
* Teaching the user to depend on an error warning when it is impossible to
  avoid false negatives.

They would almost have been better off to hook the whole system up to a
random number generator; the accuracy would have been roughly the same, and
they would have saved an immense amount of programming time.

Geoff Kuenning   geoff@cs.hmc.edu   http://www.cs.hmc.edu/~geoff/


Re: Ireland scraps electronic voting plans (Beleskey, RISKS-23.35)

<Erling Kristiansen <erling.kristiansen@xs4all.nl>>
Sat, 22 May 2004 21:07:11 +0200

There is an interesting additional twist to this story:

The voting machines purchased by the Irish authorities are produced by the
Dutch company Nedap. Essentially the same machines have been used in The
Netherlands for several years, and did not attract much attention, at least
not in the general press, until the Irish rejection.

When questioned in the Dutch parliament, the responsible minister De Graaf
declared that "he found the machines reliable". This statement seemed to
suffice to avoid debating the matter further.

It has also transpired from the discussion that the machines have been
tested by an independent test lab, TNO. The reports were, however, kept
secret. Until the problems started in Ireland. The Dutch TNO reports have
now been released in Ireland! It turns out that "The reports by KEMA Quality
BV and TNO were not concerned with either the accuracy or the security of
the machines". The tests seem to have mainly addressed robustness of the
machines, not the voting or counting itself.

The whole affair has gotten very little media coverage in The Netherlands so
far, most of the available information comes from newsletters of privacy
groups like Bits of Freedom (in Dutch) (http://www.bof.nl/) and EDRI (in
English) (http://www.edri.org/).

So it looks like what was rejected in Ireland is happily being accepted in
The Netherlands, without attracting much attention, neither by the
government nor by the media.


'Pirate Act' raises civil rights concerns (Declan McCullagh)

<Monty Solomon <monty@roscom.com>>
Fri, 28 May 2004 01:42:52 -0400

Declan McCullagh, Staff Writer, CNET News.com, 26 May 2004

File swappers concerned about getting in trouble with record labels over
illegal downloads may soon have a major new worry: the U.S.  Department of
Justice.

A proposal that the Senate may vote on as early as next week would let
federal prosecutors file civil lawsuits against suspected copyright
infringers, with fines reaching tens or even hundreds of thousands of
dollars.  The so-called Pirate Act is raising alarms among copyright lawyers
and lobbyists for peer-to-peer firms, who have been eyeing the recording
industry's lawsuits against thousands of peer-to-peer users with
trepidation. The Justice Department, they say, could be far more ambitious.

One influential proponent of the Pirate Act is urging precisely that.  "Tens
of thousands of continuing civil enforcement actions might be needed to
generate the necessary deterrence," Sen. Orrin Hatch, R-Utah, said when
announcing his support for the bill. "I doubt that any nongovernmental
organization has the resources or moral authority to pursue such a
campaign."

The Pirate Act represents the latest legislative priority for the Recording
Industry Association of America (RIAA) and its allies, who collectively
argue that dramatic action is necessary to prevent file-swapping networks
from continuing to blossom in popularity.  ...

  http://news.com.com/2100-1027-5220480.html


Re: New UK driving licence puts identity at risk (Malme, R-23.38)

<John Sawyer <jpgsawyer@btopenworld.com>>
Fri, 28 May 2004 09:53:54 +0100 (BST)

Chris Malme in RISKS-23.38 noted that the UK Post Office offers the option
of checking your documents for you and indeed they do, unless you are
exchanging a drivers license from a foreign country. In this case you have
no option but post your Passport, the foreign drivers license to the
DVLA. Your Passport is then returned to you via normal postage. Even if you
include a postage paid recorded delivery self address envelope.

This Risk of having to include all your identification documents in the same
envelope should be evident for all and to require it on someone's arrival in
the country seems somewhat dangerous. The only truly safe option seems to be
to go down to Swansea to submit your documents in person but event then you
can not collect them in person. (Swansea isn't exactly central to most of
the UK population either as nice a part of the country as it surely is.)

For a government so intent on introducing ID cards to prevent immigration
fraud to have an agency acting in this manner is to my mind amazing.


Crash data recorders in cars

<Fuzzy Logic <bob@arc.ab.ca>>
Fri, 28 May 2004 11:30:53 -0600

I recently watched a repeat of a consumer show called Market Place. This
one was on crash data recorders in cars and how they are being used more
and more by police and insurance companies. The transcript of the show can
be found here:

http://www.cbc.ca/consumers/market/files/cars/blackboxes/index.html

Apparently they are installed in over 25 million North American vehicles.
My concern is the accuracy of these devices (odds are there are going to be
a few duds) and the likelihood that they will win out in court over the
drivers' word. Honest I wasn't speeding, black box says otherwise. Claimant
refused insurance claim and probably has their insurance canceled.


Re: FBI fingerprint screwup (PGN, RISKS-23.38)

<Scott Miller <SMiller@unimin.com>>
Thu, 27 May 2004 16:37:34 -0400

  [... In Mayfield's case, certain Muslim associations seem to have added
  circumstantial credibility to the confidence associated with the presumed
  match.  Once again, some caution is needed in believing in digital
  evidence -- especially with only partial prints.  PGN]

My read on the "circumstantial credibility" is that it was flimsy in the
extreme.  He married a Muslim and once defended someone accused of a
terrorism-related crime.  Not to mention that apparently the Spanish
authorities almost immediately informed the FBI the fingerprint was
definitely not Mayfield's, but the FBI did not act until a positive match
was found (by Spain).  I also must wonder if what you cited is the true
extent of the risk?  The reliability of fingerprint and DNA evidence seems
to go pretty much uncontested in criminal trials, and the examples of which
I am aware are largely those in which the defendant can afford an adequate
defense.  I wonder how many persons could possibly be incarcerated on
evidence no stronger than that on which Brandon Mayfield was detained?
Particularly in cases where the defendant was represented by a public
defender or other hired gun of less than top caliber?  Combine this
possibility with the sort of prosecutorial misconduct that seems to be all
too common, and the imagination can conjure up some scary scenarios.  I
think that this might be worthy of further investigation...


Risks of believing in testing, Re: GAO report (RISKS-23.38)

<Chris Jewell <chrisj@puffin.com>>
27 May 2004 16:20:10 -0700

What jumped out at me from the first page of the GAO report referenced
in RISKS-23.38 was ...

> As the amount of code on weapons systems increases, it becomes more
> difficult and costly to test every line of code.

Can it possibly be that the GAO (and DOD procurement people) have not yet
noticed that testing every line of code is a completely inadequate way to
demonstrate the correctness of a software system, and that testing can
demonstrate the presence of errors, but never the absence?

How long ago was Edsger Dijkstra railing against the folks who didn't
realize that a program can contain errors even though each line of code has
passed a test?  I think that was in the 1970s, yet many people still haven't
heard the message.


Re: Another method of password theft (Renken, RISKS-23.38)

<A J Stiles <ajs2@adyx.co.uk>>
Fri, 28 May 2004 10:58:00 +0100

I work for an ISP and, for a while, we had a Web mail system running on
our servers; and we used to get all sorts of what we could only assume were
AOL and Hotmail logins and passwords being entered.

Given the human tendency to re-use passwords across services -- or at least,
to use minimal munging between uses -- I suspect that anyone putting up a
form with the appropriate fields could get a lot of passwords, as long as
they got listed on the search engines.  As the original poster says, the
promise of MP3s, porn, pictures of pop stars &c. is a powerful motivating
factor.

I'm sure I remember something similar to this, dating back to the BBS days of
the early '90s; it may even have cropped up in RISKS.


Banks don't understand phishing social risks

<"Michael (Streaky) Bacon" <himself@streaky-bacon.co.uk>>
Fri, 21 May 2004 07:03:06 +0100

In RISKS-23.37, Samuel Liddicott reported that "Banks don't understand
phishing social risks".  I reported a similar instance in Risks 21:59 in
regard to another UK bank, but without comment on the "phishing" aspects.
The banks are making a rod for their own backs by their approach to
authentication, and their systems designers appear ignorant of the basic
security that needs to be applied.  Of course, many of their customers are
still trusting of the bank ... but sadly these contain a number who "trust"
the phishers and scammers.

The bank in question in my original posting has recently changed the log-in
process for their e-banking Web site.  Previously, in addition to other
identification, one had to type in two randomly requested letters from a
"password".  These were entered in a form box with the usual asterisks being
displayed instead of the letters.  A redesign (in the interests of improving
security) now forces the user to select the letters from two drop-down
boxes, and the actual letters remain displayed on the screen.

Yet another example of Hutber's Law: "Improvement means deterioration".
The RISKS are inherent.


REVIEW: "The Teeth of the Tiger", Tom Clancy

<Rob Slade <rslade@sprint.ca>>
Fri, 28 May 2004 08:41:49 -0800

BKTTHTGR.RVW   20040306

"The Teeth of the Tiger", Tom Clancy, 2003, 0-399-15079-X,
U$27.95/C$40.00
%A   Tom Clancy
%C   10 Alcorn Ave, Suite 300, Toronto, Ontario, M4V 3B2
%D   2003
%G   0-399-15079-X
%I   Penguin Putnam
%O   U$27.95/C$40.00 416-925-2249 Fax: 416-925-0068 service@penguin.ca
%O  http://www.amazon.com/exec/obidos/ASIN/039915079X/robsladesinterne
  http://www.amazon.co.uk/exec/obidos/ASIN/039915079X/robsladesinte-21
%O   http://www.amazon.ca/exec/obidos/ASIN/039915079X/robsladesin03-20
%P   431 p.
%T   "The Teeth of the Tiger"

It is interesting to note, reading the reviews on Amazon, that even
die-hard Clancy fans are starting to lose faith.  Clancy has moved
from curmudgeon to outright maverick in this work.  The plot doesn't
just depend on bending the rules, but by going completely outside them
and playing God.  (In which regard, I'm fairly sure that quite a few
Catholics would take issue with the assertion that as long as you
*think* you are doing the right thing, God can't say anything about
it.)  The "good guys" luck out a lot, but are extremely sloppy, and
any group that did operate in this manner would tend to kill a lot of
innocent people.  Despite crises of conscience (very brief ones), none
of the characters in this tale are attractive or sympathetic: they all
seem to be pretty thin.  But that isn't what we are here to talk
about.

Clancy demonstrated in "The Bear and the Dragon" (cf. BKBRDRGN.RVW)
that he didn't understand cryptography, and he proves his lack of
comprehension again here.  Sun makes good workstations, but they
aren't supercomputers.  Single pass DES (Data Encryption Standard) has
fallen to brute force attacks, but serious users have plenty of
algorithms to choose from that haven't.  Clancy has moved the myth of
the NSA providing encryption standards with backdoors built into it
slightly out of the house, but it's still a myth.  (Yes, the NSA does
have smart people, but the one time they did really try it, with the
Clipper/SKIPJACK key escrow system, it failed.  Ironically, the
failure didn't lie in their ability not to get caught, since they were
completely open about it, but in a weakness that meant the escrowing
system could be broken.)  As far as getting everyone to buy into a
proprietary, unreviewed encryption system and use it pretty much
universally for several years without anybody twigging as to what was
going on, forget it.  There are a number of players in the crypto
market, everybody serious enough to study the field knows not to buy
snake oil, and anyone following the security field at all knows that
backdoors get found every day.

Just because you use the same accounting system as someone else
doesn't mean that you can read all their files.  (In fact, if you are
breaking in to someone's system, it is often easier to grab the data
files themselves and process them with your own tools.)  There is no
discussion about getting access to files on remote systems at all:
Clancy just seems to assume that it can be done.  Admittedly, he is
assuming a backdoor into Echelon, and assuming that Echelon can, in
fact, collect all the transmission of voice and data anywhere in the
world.  (We'll leave that tall order for the moment, since it isn't
inherently impossible, however unlikely.)  The data under
investigation, however, isn't in transit: it resides on a bank
computer.

This book has annoying errors in technology, flat characters, a shaky
premise, and very little of the old Clancy flair.

copyright Robert M. Slade, 2004   BKTTHTGR.RVW   20040306
rslade@vcn.bc.ca      slade@victoria.tc.ca      rslade@sun.soci.niu.edu
http://victoria.tc.ca/techrev    or    http://sun.soci.niu.edu/~rslade

Please report problems with the web pages to the maintainer

Top