The Risks Digest

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Volume 23 Issue 44

Saturday 3 July 2004


Acting Now to Prevent the Internet Meltdown
Court rules e-mail eavesdropping okay
Fed. Court Rules No Privacy For E-Mail Passing Through ISP Servers
Lauren Weinstein
Florida Felon list is wrong, wrong, wrongity wrong
Danny Burstein
Israeli Police loses laptop with critical agents information
Gadi Evron
DC Metro discovers flag-day issues with changeover in payment systems
Joe Thompson
Coca-Cola Cans as Security Threat
Jack M Dominey
Pharmacists worry about drug vending units
Daniel P. B. Smith
RFID could cost 4 million jobs by 2007
Barclays Bank of Zimbabwe suffers data theft
Bob Heuman
French authority forbids "DIDTHEYREADIT?" service
Bob Heuman from NewsScan
Web service maps tax codes to ID info
Re: Attacking the attackers: maybe not a good idea
Nick Brown
Curtis Karnow
REVIEW: "Exploiting Software", Greg Hoglund/Gary McGraw
Rob Slade
Info on RISKS (comp.risks)

Acting Now to Prevent the Internet Meltdown

<"Peter G. Neumann" <>>
Sun, 4 Jul 2004 08:12:11

Both the Internet and its users are under increasingly serious attacks from
numerous technical and non-technical threats.  If you are seriously
interested in helping to avoid an "Internet meltdown" that could negatively
and dramatically impact people around the world, please consider joining a
group of us who will be meeting in Los Angeles from July 26 - 28 to address
these issues under the aegis of People for Internet Responsibility (which I
co-founded with Lauren Weinstein).

The expanding program agenda is on the conference main Web page:

In contrast to many other meetings, the conference program is
oriented toward technology-related *policies* rather than to technical
details, and should be of interest to techies and non-techies alike.

Please note that conference registrations need to be received prior to
July 18 for the reduced conference rate, and that the hotel is offering
discounted room rates through July 11.

I'm looking forward to seeing many of you at the conference.

Peter G. Neumann
Principal Scientist, SRI International Computer Science Lab
Chairman, ACM Committee on Computers and Public Policy

Court rules e-mail eavesdropping okay

<"NewsScan" <>>
Thu, 01 Jul 2004 08:33:22 -0700

In a surprise decision, a federal appeals court has ruled that it was
acceptable for a company that offered e-mail service to peruse
messages sent by its subscribers. The case stems from 1998 when it was
discovered that Interloc, a now-defunct literary clearinghouse,
surreptitiously copied messages sent to its subscribers by rival
Amazon in order to "develop a list of books, learn about competitors
and attain a commercial advantage." An Interloc executive was later
indicted on an illegal wiretapping charge, but yesterday's ruling
upheld a federal judge's dismissal of that charge on the grounds that
the e-mails were copied while in "electronic storage" (during the
process of being routed through a network of servers to
recipients). The Wiretap Act prohibits unauthorized eavesdropping on
messages that are not stored -- such as a real-time telephone
conversation -- but does not afford the same protection to stored
messages. In a dissenting opinion, Appeals Court Judge Kermit Lipez
wrote that the ruling unravels "decades of practice and precedent
regarding the scope of the Wiretap Act" and essentially renders the
act "irrelevant to the protection of wire and electronic privacy."  In
a concurring statement, the Electronic Frontier Foundation said that
yesterday's ruling "dealt a grave blow to the privacy of Internet
communications."  [AP 30 Jun 2004; NewsScan Daily, 1 Jul 2004]

Fed. Court Rules No Privacy For E-Mail Passing Through ISP Servers

<Lauren Weinstein <>>
Fri, 02 Jul 2004 17:32:20 -0700

PFIR Bulletin

Federal Court Rules No Privacy in E-mail Stored
at ISPs, Even Temporarily in Transit

July 2, 2004

PFIR - People For Internet Responsibility -

A federal appeals court has ruled that your e-mail passing through ISP
servers is virtually without privacy protections.  It is impossible to
overstate the potential significance of this astoundingly poor decision.

For the news story, please see:

The full text of the decision is at:

If generally upheld, it means that user e-mail stored on ISP servers
even temporarily or while in transit (Gmail, Hotmail, POP, IMAP, SMTP,
etc.) is vulnerable to legal monitoring or other abuses by ISPs and
others, including use for competitive or even prurient purposes,
without notification to the persons whose e-mails are involved.

With many ISPs forcing more users (especially typical dynamic-IP
customers) to route all mail through ISP servers (e.g., via blocking
of port 25), the implications are staggering.

Though ISPs may claim privacy policies that prohibit snooping,
policies are subject to change, and the legal barriers for access to
the mail by outside entities are also much lower in such cases.

Regardless of whether or not this decision stands, the underlying
facts should be very clear.  The most reliable and trustworthy path to
secure e-mail is via direct, end-to-end, encrypted connections that
are not forced to route through ISP mail servers.  This is one of the
goals of the PFIR "Tripoli" project ( ).

The court's ruling will also now be a topic at a legal issues
panel at our PFIR "Internet Meltdown" conference late in July
( ).  [See above.  PGN]

This is one of the worst and most dangerous court decisions ever
to appear relating to the Internet.

Lauren Weinstein or or
Tel: +1 (818) 225-2800
Co-Founder, PFIR - People For Internet Responsibility -
Co-Founder, Fact Squad -
Co-Founder, URIICA - Union for Representative International Internet
                     Cooperation and Analysis -
Moderator, PRIVACY Forum -
Member, ACM Committee on Computers and Public Policy

Florida Felon list is wrong, wrong, wrongity wrong

<danny burstein <>>
Sat, 3 Jul 2004 01:06:21 -0400 (EDT)

First, after a court battle, some news organizations and the Florida ACLU
got a judge to grant them access to the Florida Felon list - the one that
keeps people from voting (a very painful topic we all recall from 2000):

> "TALLAHASSEE - In a victory for Florida voters, a Leon circuit court judge
> today struck down a state law that prevents copying a state list with
> names of more than 47,000 registered voters who may be deleted from the
> voter rolls because the state has identified them as possible ex-felons.

And to no one's surprise, a couple of days later we got stories like this:

Thousands of eligible voters are on felon list

More than 2,100 Florida voters -- many of them black Democrats --
could be wrongly barred from voting in November because Tallahassee
elections officials included them on a list of felons potentially
ineligible to vote, a Herald investigation has found.

A Florida Division of Elections database lists more than 47,000 people
the department said may be ineligible to vote because of felony
records.  But a Herald review shows that at least 2,119 of those names
-- including 547 in South Florida -- shouldn't be on the list because
their rights to vote were formally restored through the state's
clemency process...

Israeli Police loses laptop with critical agents information

<Gadi Evron <>>
Sat, 03 Jul 2004 04:39:18 +0200

The Israeli Police psychologist, in-charge of consulting and evaluating
police under-cover agents, lost her laptop.

The laptop was stolen in a break-in to her house.

According to Police sources the laptop held no names, rather than just
the psych evaluations and information.  Police said the loss is not
critical, but nonetheless, they invested a lot of resources in
locating the thieves and arranging for a buy.

The laptop was bought for _only_ 5K INS (a bit over 1K USD). When
bought, the information on the laptop was also deleted.  This suggests
that maybe the thieves were only after selling the laptop and were
completely unaware of the information it held or of its value.  When
were any of us last that lucky? I figure that's wishful thinking, but
that's only my opinion.

Heck, I personally hope they were lucky, but I've seen many such
warning signs completely ignored by different organizations until a
9/11 of sorts happens.  Maybe this will be enough of a shock for them
to bump-up information security enforcement. I am pretty sure they
already have a policy and regulations.

The laptop supposedly holding no names is a consolation. At least proper
compartmentalization policies were followed.

DC Metro discovers flag-day issues with changeover in payment systems

<Joe Thompson <>>
Tue, 29 Jun 2004 13:27:05 -0400

Recently the DC Metro discovered two things: 1) it was short on cash,
2) parking revenues weren't what they should be.  An audit implicated
theft by parking attendants as a contributor to the revenue shortfall.
Accordingly, the decision was apparently made to ax the contract with
the company which provided the attendants and change over completely
to the existing automated "SmarTrip" smart-card system.

Yesterday was the first day of all-automated parking (with attendants
standing by in case of problems) and all failed to go quite according
to plan:

"New machines selling SmarTrip cards were installed in stations, but
many customers trying to use credit cards in those machines found they
were unable to. Metro said the volume of sales was too much."

...further annoying commuters already miffed at having to shell out $5
just to buy yet another card.  Apparently to buy a card in cash, the
machines would *only* accept a $10 bill.  (Here in DC and the
surrounding area, the $20 has been the bill of choice for some time
now.  They're known as "yuppie food-stamps" because so many people
have them and so few people can make change for them.)

For the time being, commuters can buy a traditional Metro farecard for
the exact amount of the parking fee and hand that in to the
attendants, but no one has addressed what happens when the attendants
are gone and the SmarTrip machines are all that remains.

Also unaddressed, to my knowledge, are questions about the degree of
redundancy and the failure modes in the SmarTrip system.  Even before
the changeover it was a regular occurrence for SmarTrip card readers
in parking-lot exit gates to fail, leaving the gate down and forcing
everyone to shift to another exit line.  After fully-automated
operation commences, will a single failed telephone or network line
incapacitate all readers in a station's lot (or more than one
station's lot)?  Is there a contingency plan in place for that?  Will
gates be changed to automatically lift if communications with the
card-authorization system are lost?  Have they been changed to do so
already, and if so, has the change been tested?

(The SmarTrip cards appear to store the current value in the chip
embedded in the card, but some kind of communication does go on since
registered cards' value is protected from the time the card is
reported lost or stolen.)

What puzzles me is why the existing paper farecards aren't an option
for automated parking payment.  The readers for those much predate the
SmarTrip system and the farecard vending machines are much more

RISKS: Making major system changes without sufficient forethought and
testing for what are essentially political reasons. -- Joe

Coca-Cola Cans as Security Threat

<"Dominey, Jack M, NEO" <>>
Wed, 30 Jun 2004 08:48:23 -0400

Following message forwarded by my boss.  I wonder what they think of
this at Coca Cola HQ?

Subject: SCIF Security Advisory

Security Managers:

The Coca Cola Company has a summer game promotion running from 5/17 -
7/12/04 in all 50 states and the District of Columbia that has the
capability to compromise classified information.  The company has
intermixed approximately 120 Coca-Cola cans that actually contain GPS
locators equipped with a SIM card, keypad and GPS chip transponder so
it functions as a cell phone and GPS locator.  The cans are concealed
in specially marked 12, 18, 20, or 24 can multi-packs of Coca-Cola
Classic, Vanilla Coke, Cherry Coke and Caffeine Free Coke.  The
hi-tech Coke "Unexpected Summer" promotion can has a button,
microphone, and a tiny speaker on the outside of the can.  Pressing
the larger red button starts the game in process, thus activating the
GPS signal and a cell phone used by the customer to call a special
hotline.  Consumers who find these cans, activate the technology, and
call the hot line must agree to allow Coke "search teams" using the
GPS tracker (accurate to within 50 feet), to surprise them anyplace,
anytime within three weeks to deliver a valuable prize.

In accordance with DIA, no specific policy for this promotion will be
issued.  However, DISA employees with access to SCIFs should take a
common sense approach and if one of these cans is found inside a
SCIF, they should treat it as they would any two-way electronic device
in a SCIF and remove it immediately. Until such time as this sales
promotion ends and all 120 cans are accounted for, Coca-Cola packages
should be opened and inspected before taking them into any area marked
as a "Restricted Area" or where classified meetings/discussions, etc. are in
progress or have the potential to occur at any time.

Scott Addis, Chief, SSO, Defense Information Systems Agency

RISKS submission from Jack Dominey, AT&T Network Disaster Recovery

"Pharmacists worry about drug vending units"

<"Daniel P. B. Smith" <>>
Sat, 3 Jul 2004 06:54:06 -0400

Boston Globe, July 3, 2004. Available (for 48 hours) at

"...[The Beth Israel Deaconess network] wants to introduce automatic
prescription machines to their clinics in the Boston area. From afar, a
pharmacist sends a message from his computer telling the machine which
prepackaged bottles of pills to dispense. A staffer at a clinic
retrieves the bottle, affixes a label, and gives it to the patient.
...Telepharmacy Solutions Inc., ...pioneered the concept in the 1990s.
The automated dispensers cost about $60,000 each, and so far a
smattering of public health centers, hospitals, and Veterans
Administration clinics around the country use them. The VA has 55
machines in different states and is considering wider use."

"...[A machine at the Thundermist Clinic in Warwick, Rhode Island] The
West Warwick machine carries 50 branded and generic drugs in preset
doses and bottle sizes, including antibiotics, blood-pressure
medication, Lipitor for cholesterol, and several kinds of
antidepressants. 'I liken it to a Coke machine,' said Stephanie
McCaffrey, Thundermist's vice president for program development. 'You
put the order in, and plop, it comes out.' To get drugs, a doctor faxes
the patient's prescription to a pharmacist in Woonsocket. The
pharmacist reviews it and sends an electronic message via a secure
computer link to the vending machine telling which drug to dispense.
Bar codes on the pills and on the labels ensure the right medicine is
given to the right patient."

"A staffer gives the bottle to the patient with printed information
showing the drug's side effects and warnings. The patient is asked
whether he or she wishes to speak to a pharmacist. If the answer is
yes, the patient is directed to a telephone."

In addition to the obvious RISKS (machines never make a mistake--make a
mistake--make a mistake), we have yet another area where automation is
being used to handle the easy part of a difficult task, one that
traditionally involved the personal participation of very highly
skilled humans. No doubt the bulk of today's pharmaceutical practice
consists of repeatedly dispensing the "top forty hits" of the drug
world on a routine basis. This will now be handled by machines, by
remote access, and by relatively lower-skilled persons that "give the
bottle to the patient" (at least until someone decides these staffers
can be eliminated, too). At clinics with the machines which "plop" out
drugs, the functions for which pharmacists train for six years will
theoretically still be available. But now it will be the exception
rather than the rule, and over time these services may become rarer and
harder to access. Today, what happens in those rare occasions when a
prescription actually needs to be compounded? What will happen ten
years from now?

Daniel P. B. Smith,

RFID could cost 4 million jobs by 2007

<"NewsScan" <>>
Fri, 02 Jul 2004 08:32:22 -0700

The Yankee Group, a prominent market research firm, is predicting that
RFID tags will cost four million U.S. jobs by 2007, throughout
numerous industries. (RFID stands for Radio Frequency Identification,
a technology embedded for inventory and tracking purposes into
products, materials, and shipments.) However, Yankee Group analyst
Adam Zabel thinks that most workers who lose their jobs due to
increased efficiencies made possible by RFID technology will be able
to obtain 'more value-added' positions.  [Vnunet 2 Jul 2004; NewsScan
Daily, 2 Jul 2004]

Barclays Bank of Zimbabwe suffers data theft

<Bob Heuman <>>
Fri, 02 Jul 2004 10:34:47 -0400

No new risk in the following article, but under the government of Robert
Mugabe it is possible that this theft was government sponsored!

Barclays victim of data robbery
GodFrey Marawanyika /Anita Fleming

  Barclays Bank of Zimbabwe has become the second financial institution
  to fall victim to computer data robbery, the Zimbabwe Independent
  has established.  Barclays lost computer hard drives which contained
  classified information on the bank and its clientele. The hard drives
  were stolen over the weekend.  Barclays has since informed the central
  bank of the incident.

The FIRST financial institution was robbed of a hard drive in
February, [when] NMB fell victim to hard-drive robbery and up to now
the case is still to be resolved.

French authority forbids "DIDTHEYREADIT?" service

<Bob Heuman <>>
Fri, 02 Jul 2004 19:59:00 -0400

To me via NewsScan Daily, 2 Jul 2004 ("Above The Fold")

And what is the risk to someone from outside of France who has this type
of service and flies into France? Do they too risk a 5 year prison term
and a substantial fine?  If so, Yankee stay home! This service seems to
be offered almost all over North America, after all...

> From: "NewsScan" <>:

CNIL, the French data protection authority, has declared Rampell
Software's new mail-service 'Did they read it?' to be illegal.

(Subscribers to "DidTheyReadIt?" get a report about the exact time their
e-mail was opened, for how long, on what kind of operating system and if
the mail was forwarded to other people.)

The CNIL finds the service unacceptable under French privacy
legislation; as a result, any French subscriber to this service risks a
prison sentence of 5 years plus a substantial fine.

(EDRIgram 1 Jul 2004)  Rec'd from Jim Sterne via Mark Gibbs

Web service maps tax codes to ID info

<"John" <>>
Thu, 1 Jul 2004 19:30:23 +0200

The Lombardia Region (Italy) local administration has set up a web
service to help citizens obtain a certificate of free entitlement to
medical treatment (form E111) for travel to other European Union
countries.  The web service asks for only your tax code as proof of
identity and then proceeds to supply you the following information:

- Forename and Surname
- Health authority district of registration
- Health authority registration number

So, if I have only the tax code of a Lombardia resident I can at least
find out their full name and their health district (which is more or
less certain to be in the same area of their home address).

The risk is providing a service without user authentication which gives out
id information to unknown users if they are in possession of a valid tax

When challenged about this, the technical staff replied that they had
examined the possibility that someone could make up a valid tax code
by trial and error. They believed this to be quite remote (and I agree
with them). The risk is that they hadn't considered the circumstances
where someone might come into possession of a real tax code and then
use it to complete the ID info.

Re: Attacking the attackers: maybe not a good idea (RISKS-23.43)

<Nick Brown <>>
Wed, 30 Jun 2004 23:40:16 +0200

It's now common practice for viruses to leverage the expected
countermeasures of security software, as part (or all) of their payload.
For example, the authors of the various Netsky (etc) worms know that for
every mail their software sends, at least one more of the "you sent us a
virus" variety will be sent by a corporate e-mail gateway virus scanner.

Once any type of automated retaliation is in place, exactly the same thing
will happen.  Indeed, there's plenty of potential for DOS attacks, eg if
someone in company X can forge an attack as being "from" their rivals at
company Y.

Re: Attacking the attackers: maybe not a good idea (RISKS-23.43)

<Curtis Karnow <>>
Mon, 28 Jun 2004 11:39:52 -0700 (PDT)

Attacking the attacker may or may not be a good idea: there are public
relations, and practicalities to consider. In many cases, it's a very
bad idea. But if done correctly (accurate, targeted, no or
[relatively] little collateral damages) it might be legal.  See my
"Launch On Warning: Aggressive Defense of Computer Systems," 8
Cyberspace Lawyer 4 (March 2003); rewritten and published at

REVIEW: "Exploiting Software", Greg Hoglund/Gary McGraw

<Rob Slade <>>
Mon, 28 Jun 2004 08:23:22 -0800

BKEXPLSW.RVW   20040531

"Exploiting Software", Greg Hoglund/Gary McGraw, 2004, 0-201-78695-8,
%A   Greg Hoglund
%A   Gary McGraw
%C   P.O. Box 520, 26 Prince Andrew Place, Don Mills, Ontario  M3C 2T8
%D   2004
%G   0-201-78695-8
%I   Addison-Wesley Publishing Co.
%O   U$49.99/C$71.99 416-447-5101 fax: 416-443-0948
%P   471 p.
%T   "Exploiting Software: How to Break Code"

I have learned to beware of books with titles like this, which
generally indicate a hastily compiled set of old vulnerabilities,
benefitting nobody save the author.  This work, however, turns out to
have a lot of value for those interested in security of software.

Although it does not deal with the factors inherent in software that
almost ensure problems, chapter one outlines the fact of bugs in
software, the relative rate and increasing prevalence, and future
developments that may exacerbate the issue.  Chapter two provides
taxonomies of general types of software problems (distinguishing, for
example, between a bug and a flaw), patterns of attack activities
(pointing out that most exploits are used in combination), and types
of system scanning activities (used to determine specific attacks that
might be effective).  This material is very useful in structuring the
debate about software exploits and attacks in general, but,
ironically, the chapter (and book) itself could benefit from better
organization.  Reverse engineering, both via black box testing and
through code analysis, is described in chapter three.  The discussion
is general, and presents the different activities that can be
undertaken, usually at a fairly abstract level.  (This is not true in
all cases: there is a chunk of twelve pages of code for a plug-in
module and eight pages of script for the IDA disassembler, which is of
questionable utility, depending on the familiarity the reader may have
with that particular program.)

At this point in the book, the issue of the validity of the "learn to
exploit in order to learn to protect" philosophy should be addressed.
In general, the "hack to protect" books do not provide much that is of
value for the defenders.  That statement is not necessarily true of
this work.  Since most of the presentation is at a conceptual level,
it is the ideas, and not particular exploits, that are being reviewed.
The authors are explaining tools and techniques that, yes, can be used
by attackers, but can equally be used by those who wish to probe a
given system for weaknesses in order to determine vulnerabilities to
be patched.  (There appears to be only one exception in chapter three:
the authors note that vendor patches tend to act as a roadmap for
vulnerabilities, and it is difficult to say how this technique is
useful for defence, other than to note that the probability of an
exploit increases after a patch has been issued.)

Chapter four lists types of attacks on server software, while five
looks at clients, primarily web browsers.  Indications pointing to
patterns of malformed input that are likely to generate successful
exploits are described in chapter six.  The classic and ubiquitous
buffer overflow gets a detailed explanation (supported with a number
of examples) in chapter seven, which has a strangely extensive section
on RISC (Reduced Instruction Set Computer) architectures.  Chapter
eight is rather disappointing in light of the tone of the rest of the
book: it is primarily concerned with how to create and program
rootkits, and the worth for defence is doubtful.

While ultimately of greatest use to a rather select audience (those
specifically concerned with finding and patching loopholes in
software), this book does have a lot to say to most security
professionals.  The security aspects of software development tend to
be glossed over too quickly in most general works on security.
Specific examples of malformed input are used, in too many security
texts, as evidence of the author's superior security erudition, rather
than to explain the underlying concepts.  Hoglund and McGraw have
prepared solid tutorials and definitions of these important ideas
(although one could wish that they had prepared the arrangement of the
book with the same degree of care).

copyright Robert M. Slade, 2004   BKEXPLSW.RVW   20040531    or
