The Risks Digest

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Volume 23 Issue 90

Wednesday 15 June 2005

Contents

Details of F/A-22 crash December 2004
Peter B. Ladkin
Database error makes half of Norway's cellphones go offline
Olav Langeland
When Crypto/Signature Plans Go Wrong: Sony PSP Exploit
Lauren Weinstein
Encryption Illegal in Minnesota
Al Macintyre
Seven voting machines under scrutiny in Wayne County
Lillie Coney via PGN
LSAC gives SSNs to recommenders
Jerry Saltzer
Risks of letting marketing spec your messages
Mike Albaugh
Microsoft censoring blogs in China
PGN
The Scramble to Protect Personal Information
Tom Zeller via PGN
ID Theft vs. Colorado Attorney General
Al Macintyre
Private, Personal Medical Info Faxed To Wrong Location
Bob Heuman
What Europe can teach us about identity theft
Amos Shapir
Paris Hilton Hack Started With Old-Fashioned Con
Brian Krebs via Monty Solomon
Ted Koppel: Take My Privacy, Please!, 13 Jun 2005
Monty Solomon
Mom charged with stealing identity of soldier son
Julia Silverman via PGN
Re: Plane diverts after erroneous hijack alert
Michael Bacon
Andrew Koenig
Rob Bailey
Re: Challenge/response e-mail filtering
David Cantrell
REVIEW: "CISSP Exam Notes", K. Wan
Rob Slade
Info on RISKS (comp.risks)

Details of F/A-22 crash December 2004

<"Peter B. Ladkin" <ladkin@rvs.uni-bielefeld.de>>
Wed, 15 Jun 2005 11:10:34 +0200

On 20 Dec 2004, an F/A-22 Raptor, the USAF's new air-superiority fighter,
crashed 11 seconds after takeoff from Nellis AFB, Nevada. It is the first
production aircraft to be lost.  They are said to cost $133 million
each. The results of the investigation from the USAF Accident Investigation
Board (AIB) are reported in this week's Flight International (14-10 June,
2005, p9).

The pilot ejected with the aircraft near-inverted. The aircraft struck the
end of the runway going backwards.

There are three rate-sensor assemblies (RSA), manufactured by BAE Systems in
the flight control system (FCS). There is a known "quirk" in the RSA, which
is "programmed so that it could interpret a momentary power loss [to the
FCS] as an instruction to enter test mode, which freezes or "latches" the
unit, according to the AIB report."

The pilot shut down the engines during a maintenance check pre-take-off,
thinking the FCS was continuously powered by the auxiliary power unit
(APU). The FCS in fact loses power briefly during a shutdown, and that
appeared to suffice to latch all three RSAs. "The AIB attributed the pilot's
mistake to "ambiguous" language in the aircraft's technical orders."

The manufacturer, Lockheed Martin, has returned about 20 RSAs to BAE Systems
for suspected latching events. Before this crash, such events only affected
one or two of the RSAs, not all three together. There is a pilot warning
for partial RSA latching, but no warning if all three latch.

The RSA has been redesigned and is being installed on the fleet.

Peter B. Ladkin, University of Bielefeld, Germany  www.rvs.uni-bielefeld.de


Database error makes half of Norway's cellphones go offline

<"Olav Langeland" <olav.langeland@active24.com>>
Wed, 15 Jun 2005 14:08:46 +0200

Customers of Netcom, the second largest cellular provider in Norway,
experienced sporadic or close to no service for days earlier this week.
Companies that earlier abandoned "normal" phones and went all cellular are
now installing land phones and/or IP phones.

  "Hundreds of thousands of customers and a government minister alike
  remained up in arms Tuesday, after losing use of their mobile telephones
  in recent days.  ...  NetCom has actively promoted the concept of the
  "wireless office," and companies from building giant NCC to Aftenposten
  have made the switch, also as a means of saving money. Instead, it's left
  them vulnerable to communications breakdown and even dangerous
  situations."

Problem? Database indexing issues, after an upgrade the previous week.

More details here: http://www.aftenposten.no/english/local/article1059215.ece


When Crypto/Signature Plans Go Wrong: Sony PSP Exploit

<Lauren Weinstein <lauren@vortex.com>>
Wed, 15 Jun 2005 12:33:14 -0700

As we know, often even the most elaborate attempts at controlling
access to hardware and software, even using the very latest
technologies, may be less than entirely successful.

An example is the just-announced "exploit" of Sony's powerful and
popular new "PSP" portable gaming system (which includes WiFi and
other advanced capabilities).  The unit employs digital signing and
hardware AES encryption to try to prevent the running of "unofficial"
applications.

However, as I detail in two messages on the EEPI (Electronic
Entertainment Policy Initiative - http://www.eepi.org ) discussion
list, the PSP exploitation door has apparently been opened quite
wide both for piracy and a vast array of homebrew applications.

In ("The Waiting Tide? Major PSP Exploit May Appear in a Few Hours ...")
I discuss the imminent release of the exploit:

  http://www.eepi.org/archives/eepi-discuss/msg00099.html

and in ("PSP Exploit Apparently Confirmed")
I've provided additional information and thoughts:

  http://www.eepi.org/archives/eepi-discuss/msg00100.html

Lauren Weinstein  Tel: +1 (818) 225-2800  http://www.pfir.org/lauren
Co-Founder, PFIR (http://www.pfir.org) Co-Founder, EEPI (http://www.eepi.org)
Lauren's Blog: http://lauren.vortex.com  DayThink: http://daythink.vortex.com


Encryption Illegal in Minnesota

<Al Mac <macwheel99@sigecom.net>>
Sat, 28 May 2005 06:55:10 -0500

We are all being encouraged to use encryption to protect sensitive files
from data theft, but a Minnesota Court of Appeals has declared that merely
having the ability to do encryption is de facto proof of criminal intent.  It
may be that courts need not prove what criminal act you did; just having
encryption software is like having burglary tools, or high explosives.  It
is assumed that only burglars have burglary tools, so mere possession means
conviction, and the legislature can decide what constitutes a burglary tool.

I got this summary from https://thei3p.org/pipermail/security-news-html

Title: PGP use ruled relevant in child abuse case
Source: The Register
Date Written: 2005-05-25
Date Collected: 2005-05-27

The Minnesota State Court of Appeals has rejected an appeal from David Levie
on charges of soliciting a nine-year-old girl to pose for naked pictures,
ruling that the prosecution's introduction of an encryption program on his
computer as evidence was admissible. During a search of his computer, police
found the PGP (Pretty Good Privacy) encryption program.  Levie's lawyers
argued that forensic examination yielded no evidence of any encrypted files
on his computer and so the presence of encryption software should not be
used as evidence against Levie. One police officer testified that PGP may be
included with every Apple computer on the market. The appeals court ruled
that the presence of encryption software was relevant to the prosecution's
case and refused to order a retrial, though the case will be sent back for
re-sentencing. The case could establish a precedent in Minnesota of
accepting the presence of encryption software as evidence of criminal
intent.

http://www.theregister.co.uk/2005/05/25/pgp_admissable_child_abuse_case/

Al Macintyre  http://www.ryze.com/go/Al9Mac
http://radio.weblogs.com/0107846/stories/2002/11/08/bpcsDocSources.html


Seven voting machines under scrutiny in Wayne County

<"Peter G. Neumann" <neumann@csl.sri.com>>
Wed, 25 May 2005 19:06:45 PDT

  [Courtesy of Lillie Coney <coney@epic.org>, Associate Director, Electronic
  Privacy Information Center (EPIC) 1718 Connecticut Avenue, NW, Washington,
  DC 20009  1-202-483-1140 x111, National Committee for Voting Integrity,
  www.votingintegrity.org]

The accuracy of some Republican votes cast 17 May 2005 in seven voting
booths in three Wayne County voting districts is being investigated,
potentially affecting the outcome of two township supervisor races.  For
example, in Lehigh Township, 163 Republicans voted, but 211 votes were
counted.  [Source: Andrew M. Seder, Seven voting machines under scrutiny in
Wayne County, Scranton Times-Tribune, 25 May 2005; PGN-ed]
http://www.zwire.com/site/news.cfm?newsid=14583638&BRD=2185&PAG=461&dept_id=416046&rfi=6


LSAC gives SSNs to recommenders

<Jerry Saltzer <Saltzer@mit.edu>>
Sat, 11 Jun 2005 16:55:50 -0600

This note came from a faculty member at a California University:

  I'm doing a letter of recommendation for a student who wants to go to law
  school. He is required to submit all recommendation letters to a
  clearinghouse called the Law School Admission Council.

  He gave me their form, which has pre-printed his name, home address, birth
  date, and Social Security Number.  Pretty lame, and he is required to use
  it. What is really amazing is they also list his LSAC Account number which
  is not the SSN.

If you visit the LSAC web site and propose to create an account, it will
present a form that requests your SSN. The HELP button next to the SSN field
responds with this explanation:

  This information is needed to match your online account to your LSAC
  records.  It also allows LSAC to match such items as transcripts, letters
  of recommendation, score reports, and law school requests to your
  file. Your Social Security number or Social Insurance number is necessary
  to obtain your username and password or to reset your password if you
  forget it.

In other words, everyone who has anything to do with your application will
learn your SSN.  And by the way, it is also a secret key to your password.

Given all of the recent publicity about identity theft and of organizations
that have managed to lose track of customer data, "lame" is an
understatement.


Risks of letting marketing spec your messages

<Mike Albaugh <albaugh@perilin.com>>
Mon, 13 Jun 2005 16:08:31 -0700

The spam-filter of my web-based e-mail provider is not perfect, so I (like
most of you, probably) periodically check my "probable spam" folder for
false positives. Today it contained a "change of address" e-mail from a
casual correspondent. Of course, it was not just a plain-text message from
the old, well-known address indicating the new one. Rather, it was
HTML-Mail, with a couple largeish images, sent "on behalf of" my
correspondent, from the new address, with the essential part buried in an
endorsement of the ease of switching e-mail addresses via this nifty new
service. Even human eyeballs would count it as spam at first glance, and
since we do not often correspond, there is a high probability I would not
have any idea "where he went" when I did send him e-mail (at the old
address), if I didn't regularly rummage through my trash. And he, of course,
will never know how many of his friends tossed his notice, unless he
notifies them some other way, which makes the whole "easy switching" deal
pointless.

I'm assuming that this service is offered primarily as a way to get people
to upload their address books for future spamming, so it wouldn't kill them
to make it more effective at its purported task, and less like spam.


Microsoft censoring blogs in China

<"Peter G. Neumann" <neumann@csl.sri.com>>
Wed, 15 Jun 2005 11:23:03 PDT

Microsoft is cooperating with China's government to censor MSN's Spaces
Chinese-language Web portal.  Bloggers are prevented from posting such words
as *democracy*, *human rights*, and *Taiwan independence*.  5 million
blogs have been created since the service started on 26 May 2005.  China
reportedly has 87 million online users.  [Source: AP item by Curt Woodward,
14 Jun 2005, seen in the *San Francisco Chronicle*.]

  [I wonder whether this issue of RISKS will be blocked because of those
  OFFENSIVE words?  (And I thought *democracy* and *human rights* were
  DEFENSIVE words?)  PGN]


The Scramble to Protect Personal Information (Tom Zeller)

<"Peter G. Neumann" <neumann@csl.sri.com>>
Fri, 10 Jun 2005 12:05:45 PDT

In Feb 2004, a Japanese division of Citibank had a mag tape disappear during
shipment by truck from its data management center in Singapore, with
information on about 120,000 customers.  The tape has never been found.
This week it happened again to a box of tapes sent by United Parcel Service,
with info on nearly 4,000,000 American customers.  Citigroup is apparently
in the process of responding to the Singapore case with the company-wide
introduction of "secure electronic channels" -- although that process is not
yet complete.  [Tom Zeller Jr., *The New York Times*, 9 Jun 2005; PGN-ed]
http://www.nytimes.com/2005/06/09/business/09data.html?th&emc=th

  Zeller's article has more on ChoicePoint, 10 million consumers falling
  victim to identity theft each year, discussion of the 2003 California law
  that mandates reporting, and this delightful quote from Mike Gibbons
  (former FBI chief of cybercrime investigations, now a consultant for
  Unisys):

     "I think there are some people who dismiss this as a sky-is-falling
     problem.  But the sky has already fallen and it's just a
     matter of when a piece hits you in the head."

  Also a quote from Bruce Schneier:

    "There are social expectations about security that can't be met,
    but the practices are still so shoddy."


ID Theft vs. Colorado Attorney General

<Al Mac <macwheel99@sigecom.net>>
Mon, 13 Jun 2005 11:59:41 -0500

Colorado Attorney General John Suthers became a victim of identity theft
when checks issued by a credit card company for a cash advance promotion
were stolen from his home mailbox last week, police said.

The lessons here:

* How easy is it for someone to break into your mail box and steal stuff,
  especially stuff you don't know you'll be getting, like some promotion from
  a credit card company?

* I think for people living in a rural area with mail boxes out on the
  street for the convenience of the postal service, they need to rethink how
  they get their mail, perhaps lobby for the postal service to categorize
  some mail to go to lock boxes at the post office, where you periodically
  pick up that which could put you at ID theft risk if it is stolen.

* If you live in an apartment complex, with "locked" mail boxes, how many
  people have the key?
   - you and your family
   - whoever rented the apartment before you
   - the mailman [and substitutes]
   - apartment management and maintenance
   - former employees of the above
   - anyone who knows how to "pick" a lock
   [and so on.  PGN]


Private, Personal Medical Info Faxed To Wrong Location

<"R S (Bob) Heuman" <rsh@idirect.com>>
Tue, 17 May 2005 22:06:19 -0400

Once more, with no good answer as to why, and no good reaction to the
report of the problem... Oh well... Full details 16 May 2005 at:
  http://www.wftv.com/news/4494998/detail.html

40 pages of private medical information for hundreds of people was
incorrectly faxed to a Seminole County Florida airplane parts business,
containing the usual sensitive stuff.  The recipient tried to call a HIPAA
hotline, the response from which was that they were not interested.
[PGN-ed]


What Europe can teach us about identity theft

<"Amos Shapir" <amos083@hotmail.com>>
Mon, 13 Jun 2005 21:40:00 +0300

An article of that title, by Liz Pulliam Weston:
http://moneycentral.msn.com/content/Banking/FinancialPrivacy/P116528.asp?GT1=6582

There's some good advice there (which may seem obvious to regular RISKS
readers), but IMHO, most of the supposed advantages of the European system
stem mostly from the fact that European financial institutes (and
fraudsters) haven't caught up yet with their US counterparts.


Paris Hilton Hack Started With Old-Fashioned Con

<Monty Solomon <monty@roscom.com>>
Sun, 29 May 2005 03:14:46 -0400

The privacy violation of heiress Paris Hilton (RISKS-23.76) in which her
wireless phonebook had been compromised was actually the result of one phone
call and a little social engineering, with one of the culprits posing as a
cell-phone company operative.  Exploitation of security flaws then resulted
from the information gathered.  [Source: Brian Krebs, subtitled Source Says
Hacker Posed as T-Mobile Employee to Get Access to Information, *The
Washington Post*, 19 May 2005; PGN-ed]


Ted Koppel: Take My Privacy, Please!, 13 Jun 2005

<Monty Solomon <monty@roscom.com>>
Tue, 14 Jun 2005 09:25:16 -0400

The Patriot Act - brilliant! Its critics would have preferred a less
stirring title, perhaps something along the lines of the Enhanced Snooping,
Library and Hospital Database Seizure Act. But then who, even right after
9/11, would have voted for that?

Precisely. He who names it and frames it, claims it. The Patriot Act,
however, may turn out to be among the lesser threats to our individual and
collective privacy.

There is no end to what we will endure, support, pay for and promote if only
it makes our lives easier, promises to save us money, appears to enhance our
security and comes to us in a warm, cuddly and altogether nonthreatening
package.  [...]

http://www.nytimes.com/2005/06/13/opinion/13koppel.html?ex=1276315200&en=ca684bc680a0d6c0&ei=5090


Mom charged with stealing identity of soldier son

<"Peter G. Neumann" <neumann@csl.sri.com>>
Fri, 10 Jun 2005 14:56:04 PDT

[Source: Julia Silverman, AP, 9 Jun 2005; KATU 2 News - Portland, Oregon,
www.katu.com, via Jim Schindler, http://katu.com/stories/77696.html]

An Oregon National Guardsman recently returned from Iraq and discovered
$10,000 missing from his bank account.  A police investigation resulted in
charging his mother with aggravated theft, identity theft, and fraudulent
use of a credit card, and concluded that she had opened up mail with his new
ATM card and PIN.  His mother said that she used the money for video
poker, electronic entertainment devices, medical expenses, and daily living
expenses.  "The 'maternal bond' made me do it."


Re: Plane diverts after erroneous hijack alert (RISKS-23.89)

<"Michael (Streaky) Bacon" <himself@streaky-bacon.co.uk>>
Sat, 11 Jun 2005 07:13:37 +0100

In RISKS-23.89 Geoff Kuenning wrote about the airliner's hijack warning that
could not be turned off.  He makes the point that 'duress' alarms should not
be easily cancelable.  In this particular instance, the aircraft was
escorted by fighters to another country.  The outcome might have cost the
airline a penny or two and might have annoyed and possibly scared the
passengers, but at least it ended without loss of life.

Now consider the case where the accidental alert was generated when the
aircraft was already over American soil, perhaps close to a major city.  The
outcome could very well have been terribly tragic.

The article does not make clear whether the original alert was accidentally
triggered manually or by a malfunction ("the plane's transponder ... had
inadvertently sent code used for hijack warnings").  However, the article
does appear to suggest that the operator is investigating the technical
reason for "a malfunction which meant that ... the crew were unable to shut
it off", but this could be journalistic licence or lazy sub-editing.

There is no easy answer to these puzzles, but perhaps the design and
inherent reliability of the alerting system in question would bear
attention.

At least some of the RISKS lie in deciding which is the greater RISK,
coupled with designing, installing, maintaining and operating a 'fail-proof'
system.

Michael 'Streaky' Bacon


Re: Plane diverts after erroneous hijack alert (Kuenning, R-23.89)

<"Andrew Koenig" <ark@acm.org>>
Fri, 10 Jun 2005 17:40:44 -0400

I haven't flown in a while, and the procedures may have changed, but the
situation is actually slightly more complicated (and, I think, more
reasonable) than Geoff suggests.

Every airplane used for airline transportation is equipped with a
transponder, which, when hit by a radar signal, sends back a coded signal
that includes the airplane's altitude and a 12-bit code that the pilot can
set.

If you're not talking to a controller, you set 1200 (octal).  If you are
talking to a controller, the controller gives you a code to set.

There is a specific code that means "I am being hijacked."  Once you set
that code, the controller's radar will pick it up.  Once that happens, the
controllers are supposed to assume a hijack is in progress even if the code
subsequently changes.

So there is no need for a latching mechanism in the cockpit, which could
presumably be defeated by disconnecting the circuit breaker on the
transponder.  And yes there has to be such a breaker.  What else do you do
if the thing catches fire?


Re: Plane diverts after erroneous hijack alert (RISKS-23.89)

<Rob Bailey <wm8s@pobox.com>>
Fri, 10 Jun 2005 14:59:45 -0400

When I was an attorney for the United States government, we had panic alarms
under our desks. If one got pressed accidentally (by a knee, for example),
we could not shut it off, as suggested was a good idea in RISKS-23.89, so a
cadre of US Marshals would come charging into our office to see what was
going on. [The alarms used a little button that took a key to reset.]

The difference between that system and the "hijack alarm" to which the news
article in RISKS-23.89 might have been referring explains why the
hijack alarm can't be un-resettable: It, too, is not impossible to
accidentally activate, but it serves another important purpose to which the
pilot would be denied access if the alarm couldn't be reset, presumably
until the plane landed and was serviced.

The hijack alarm was probably just the pseudo-secret transponder code for
"Help! I'm being hijacked." There are a couple of these codes, for "Help,
Emergency," "My radios have stopped working; please don't shoot me down,"
and so on. They are set by flipping four thumbwheel switches, buttons, etc.,
one at a time to dial up the right code.

Occasionally, it's possible to "scroll by" one of the special codes when
switching from one transponder code to another. For example, if you were
assigned to squawk 3456, and then reassigned 2222, you would probably
briefly transmit codes 4456, 5456, 6456, etc., as you scrolled the first
digit around to two. Then you'd probably transmit 2556, 2656, 2756, etc.,
and 2266, 2276, etc., and finally, 2227, 2228, etc.

If any one of these codes meant something special and you "fell across" it,
you'd want to keep going, but couldn't if you couldn't leave the special
code.
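Taken together with Andrew Koenig's description above of the four-octal-digit (12-bit) squawk code, Rob Bailey's scroll-by scenario can be modelled directly. The following is an added example, not code from either poster: it assumes upward-only thumbwheels that wrap from 7 to 0, and uses the standard published emergency codes (7500 hijack, 7600 radio failure, 7700 emergency), which the posts mention without numbering, to check which code changes sweep through a special code and whether dialing the wheels in a different order avoids it.

```python
"""Model of the thumbwheel transponder code transition described in the posts."""
from itertools import permutations

# Standard published emergency squawk codes (FAA AIM). The posts describe these
# codes without giving the numbers, so treat this mapping as an assumption.
SPECIAL_CODES = {"7500": "hijack", "7600": "radio failure", "7700": "emergency"}

WHEELS = 4   # four thumbwheels, one per octal digit (Koenig's 12-bit code)
RADIX = 8    # each wheel shows 0..7 and wraps from 7 back to 0


def is_valid_code(code):
    """True for exactly four octal digits (so Bailey's "2228" is not settable)."""
    return len(code) == WHEELS and all(c in "01234567" for c in code)


def scroll_path(start, target, order=range(WHEELS)):
    """Codes squawked while dialing from start to target.

    Wheels are turned in the given order, one click upward at a time
    (assumed: no reverse stepping), so every intermediate setting is
    transmitted briefly. Returns the list of intermediate codes, ending
    at target (empty if start == target).
    """
    for code in (start, target):
        if not is_valid_code(code):
            raise ValueError("squawk code must be four octal digits: %r" % code)
    digits = list(start)
    path = []
    for i in order:
        while digits[i] != target[i]:
            digits[i] = str((int(digits[i]) + 1) % RADIX)
            path.append("".join(digits))
    return path


def specials_crossed(start, target, order=range(WHEELS), specials=SPECIAL_CODES):
    """Special codes the aircraft would momentarily squawk during the change."""
    return [(code, specials[code])
            for code in scroll_path(start, target, order) if code in specials]


def safe_wheel_order(start, target, specials=SPECIAL_CODES):
    """First wheel order (tuple of wheel indexes, leftmost wheel is 0) whose
    path avoids every special code, or None if no order does."""
    for order in permutations(range(WHEELS)):
        if not specials_crossed(start, target, order, specials):
            return order
    return None


if __name__ == "__main__":
    # Bailey's own example: 3456 -> 2222 passes through 22 settings, none special.
    print(scroll_path("3456", "2222"))
    # Constructed case: 7300 -> 7710 dialed left to right sweeps 7500, 7600, 7700.
    print(specials_crossed("7300", "7710"))
    # Turning the third wheel before the second avoids all three.
    print(safe_wheel_order("7300", "7710"))
```

A code change that is harmless in one wheel order can cross an emergency code in another, which is the cockpit-side argument against a latching alarm that the two posts make from different directions.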


Re: Challenge/response e-mail filtering (RISKS-23.89)

<David Cantrell <d.cantrell@outcometechnologies.com>>
Mon, 13 Jun 2005 16:26:23 +0100

> [e-mail challenge-response] allows two distinct failure modes:
>   1) I ignore the challenge and a legitimate message is not delivered
>   2) I acknowledge the challenge and spam is delivered, "From" me [...]

I also know some who would deliberately respond to the challenge and so make
the spam go through in a misguided attempt to punish the person using the
broken challenge-response system.

Mr. Smasher misses a third failure mode, one which concerns me far more than
the other two.  That is that it's not generally possible for a recipient of
a challenge to tell if it's real or not.  It is conceivable that it could
have been sent from a spammer attempting to verify that the recipient
address is read by a person, and when they respond they are doomed to an
eternity of exciting special offers on penis refills and toner cartridge
enhancement.


REVIEW: "CISSP Exam Notes", K. Wan

<Rob Slade <rslade@sprint.ca>>
Thu, 19 May 2005 16:14:18 -0800

BKCISPEN.RVW   20050330

"CISSP Exam Notes", K. Wan, 2003, 988-97323-1-9, U$24.95
%A   K. Wan kplab@pacific.net.hk
%C   Hong Kong
%D   2003
%G   988-97323-1-9
%I   KP Lab Limited
%O   U$24.95 http://www.kp-lab.com/
%O   http://www.powells.com/cgi-bin/biblio?inkey=91-9889732319-0
%O   Audience i- Tech 2 Writing 1 (see revfaq.htm for explanation)
%P   196 p. (PDF ebook)
%T   "CISSP Exam Notes - All you need to pass the exam"

This appears to be a self-published ebook, available from the author, in PDF
format.  Despite the fact that an ebook softcopy could readily be edited, it
has not been updated in the two years since it was published: some of the
CISSP requirements have changed since then, and the book does not reflect
that.

The ten domains of the CISSP CBK (Common Body of Knowledge) are covered in
ten chapters, with the material provided in point form.  The structure and
flow of the material bears a striking resemblance to the slides in the
(ISC)^2 CISSP review seminar.  However, given minor discrepancies, I suspect
that the book is not directly based on the (ISC)^2 slides, but rather on
another course that, itself, was based on the (ISC)^2 CBK review seminar.
(In response to the initial draft of this review, the author responded that
his ebook was based on the other books that followed the course outline,
rather than on the course itself.)  (Wan's company, KP Lab, seems to be
restricted to producing training guides for various certifications.)

As noted, the points in the book follow the structure of the course slides.
There is usually a sentence or phrase expanding or explaining each point
from the Common Body of Knowledge listing, so the material is slightly
longer than the subject outline that is available from the (ISC)^2 site.
The explanations are, however, briefer even than those in the first edition
of "The CISSP Prep Guide" by Krutz and Vines (cf.  BKCISPPG.RVW), which is,
itself, one of the tersest guides on the market.  As with that work, and
other similar texts, if you do not already know the content, this tome will
not help you very much.  Unlike most other CISSP study guides, there are no
"sample" questions.

Overall, the points are reasonably well selected.  (The section on malware
is very disappointing, and the section on legal concepts is rather weak.)
The material is more up-to-date than any other besides the "Official (ISC)^2
Guide to the CISSP Exam" (cf. BKOIGTCE.RVW).  In terms of books dealing with
an overall familiarization with the topics to be covered on the CISSP exam,
this one does have an advantage in price, and in speed of access.  (I
requested a copy directly from the author by e-mail, and got it within two
hours.  If, for example, you are in a boot camp course situation, you may
need all the help you can get, quickly.)

copyright Robert M. Slade, 2005   BKCISPEN.RVW   20050330
rslade@vcn.bc.ca      slade@victoria.tc.ca      rslade@sun.soci.niu.edu
http://victoria.tc.ca/techrev    or    http://sun.soci.niu.edu/~rslade
