The RISKS Digest

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Volume 24 Issue 11

Weds 7 December 2005

Contents

Hospital operates on wrong patient
Walter F. Roche Jr.
Mercedes brake test fiasco
Andre Kramer
Tens of thousands mistakenly put on terrorist watch lists
Anne Broache via Richard M. Smith
Security Flaw Allows Wiretaps to Be Evaded, Study Finds
John Schwartz and John Markoff via David Farber
DHS-Sponsored phishing report
Aaron Emigh
Poorly designed online interfaces make identity theft simple
Marty Lyons
School psychologist's student records accidentally posted online
Monty Solomon
Plain-text passwords: as RISKy as you'd think
Steve Summit
Y2K++
Jim Horning
Risks of naive date calculation
Mike Albaugh
Bye Bye BlackBerry?
Ian Austen via Monty Solomon
SafetyText
Nick Brown
Data disasters dog computer users
Amos Shapir
Online tax credit system closed
Amos Shapir
Re: Some Fast Lane accounts double-billed
Steve Summit
Stop speeding using a GPS?
Jeremy Epstein
Re: In-car GPS navigation
Henry Baker
Derek P Schatz
Ian Chard
Jack Christensen
Re: UK Police Vehicle Movement Database
Identity withheld
mathew
Info on RISKS (comp.risks)

Hospital operates on wrong patient

<"Peter G. Neumann" <neumann@csl.sri.com>>
Fri, 2 Dec 2005 9:16:32 PST

In 1999, a 47-year-old woman was diagnosed with breast cancer in
Magee-Womens Hospital (part of the U. Pittsburgh Medical Center), and
underwent a mastectomy.  It was later discovered that the hospital lab had
switched biopsy specimens.  Ten cases against the hospital are now pending
in state courts, even though the hospital has passed federal inspections.
Similar lawsuits and complaints name other medical centers.

* In Maryland, a hospital lab sent out hundreds of HIV and hepatitis test
  results despite data showing that the results might be invalid and
  mistakenly lead infected patients to believe they were disease-free. The
  same laboratory had just received a top rating from CAP inspectors.

* In Yakima, Wash., eight emergency room doctors walked off their jobs to
  protest hospital deficiencies they said included lab mistakes, such as
  mixed-up blood samples. CAP had declared the lab "in good standing" the
  year before.

* At the famed Mayo Clinic in Minnesota, an allegedly misdiagnosed gall
  bladder cancer case led to revelations of a close relationship between the
  clinic and CAP. A Mayo pathologist serving on a CAP advisory panel twice
  sought and obtained accreditation renewals despite unacceptable lab
  practices cited by CAP inspectors.

[Source: Walter F. Roche Jr., Lab Mistakes Threaten Credibility, Spur
Lawsuits: Some top medical facilities are scrutinized as errors mount and
oversight is questioned, *Los Angeles Times*, 2 Dec 2005; PGN-ed]
http://www.latimes.com/news/nationworld/nation/la-na-labs2dec02,0,3901421.story?coll=la-home-headlines
  [Thanks to Lauren Weinstein for contributing this article.  PGN]


Mercedes brake test fiasco

<"Andre Kramer" <andre.kramer@eu.citrix.com>>
Thu, 1 Dec 2005 09:59:25 -0000

*The Register* reports that an automotive journalist was fired for rigging a
radar enhanced (assumedly computer controlled) automobile brake system
demonstration. Apparently, the Mercedes engineers (under duress) helped
simulate the demonstration, which could not have worked in an enclosed
space, by manual braking. However, the demo went badly wrong and the article
  http://www.theregister.co.uk/2005/11/29/mercedes_brake_test_fiasco/
correctly identified the risk of false trust in a new system that would have
resulted from the attempted smoke and black mirrors going undetected. [Risks
of lack of feedback from expensive car suspension systems could also be
noted.]


Tens of thousands mistakenly put on terrorist watch lists

<"Richard M. Smith" <rms@computerbytesman.com>>
December 6, 2005 10:11:36 PM EST

http://www.nytimes.com/cnet/CNET_2100-7348_3-5984673.html?pagewanted=print

Tens of thousands mistakenly put on terrorist watch lists
Anne Broache, Staff Writer, CNET News.com
December 6, 2005

Nearly 30,000 airline passengers discovered in the past year
that they were mistakenly placed on federal "terrorist" watch lists, a
transportation security official said Tuesday.

Jim Kennedy, director of the Transportation Security Administration's
redress office, revealed the errors at a quarterly meeting convened here by
the U.S. Department of Homeland Security's Data Privacy and Integrity
Advisory Committee.

Marcia Hofmann, staff counsel at the Electronic Privacy Information Center,
said this appeared to be the first time such a large error has been
admitted. "It was a novel figure to me," Hofmann said. "The figure shows
that many more passengers than we've anticipated have encountered difficulty
at airports. The watch list still has a long way to go before it does what
it's supposed to do."

Kennedy said that travelers have had to ask the TSA to remove their names
from watch lists by submitting a "Passenger Identity Verification Form" and
three notarized identification documents. On average, he said, it takes
officials 45 to 60 days to evaluate the request and make any necessary
changes.

Travelers have been instructed to file the forms only after experiencing
"repeated" travel delays, he said, because additional screening can occur
for multiple reasons, including fitting a certain profile, flying on a
one-way ticket, or being selected randomly by a computer.  ...

EPIC_IDOF@mailman.epic.org
https://mailman.epic.org/cgi-bin/mailman/listinfo/epic_idof


Security Flaw Allows Wiretaps to Be Evaded, Study Finds [from IP]

<David Farber <dave@farber.net>>
Wed, 30 Nov 2005 06:54:22 -0500

The technology used for decades by law enforcement agents to wiretap
telephones has a security flaw that allows the person being wiretapped to
stop the recorder remotely, according to research by computer security
experts who studied the system. It is also possible to falsify the numbers
dialed, they said.  Someone being wiretapped can easily employ these
"devastating countermeasures" with off-the-shelf equipment, said the lead
researcher, Matt Blaze, an associate professor of computer and information
science at the University of Pennsylvania.  "This has implications not only
for the accuracy of the intelligence that can be obtained from these taps,
but also for the acceptability and weight of legal evidence derived from
it," Mr. Blaze and his colleagues wrote in a paper that will be published
today in Security & Privacy, a journal of the Institute of Electrical and
Electronics Engineers.  [...]
[Source: John Schwartz and John Markoff, *The New York Times*, 30 Nov 2005]


DHS-Sponsored phishing report

<"Aaron Emigh" <aaron@radixlabs.com>>
Tue, 29 Nov 2005 01:11:02 -0800

Online identity theft, a.k.a. "phishing," refers to attacks that exploit a
wide variety of RISKS, using both technology and social engineering, to
illicitly obtain and profit from confidential information.  A new report on
online identity theft, sponsored by the US Department of Homeland Security
and SRI International, provides a holistic treatment of the subject.  The
report discusses technologies used by phishers, breaks down the flow of
information in a phishing attack, identifies chokepoints at which an attack
can be thwarted, and discusses technical countermeasures that can be applied
at each chokepoint.  While technology alone cannot solve the phishing
problem, substantial opportunities to mitigate the losses are identified.

The report is titled "Online Identity Theft: Phishing Technology,
Chokepoints and Countermeasures," and is available at
http://www.anti-phishing.org/Phishing-dhs-report.pdf.

Aaron Emigh, Radix Labs, 415-297-1305


Poorly designed online interfaces make identity theft simple

<Marty Lyons <marty@martylyons.com>>
Thu, 17 Nov 2005 13:11:22 -0800

I recently had to renew my membership with the American Automobile
Association (the equivalent to the CAA in Canada, or the RAC in the UK).  In
the past there was no web interface, but AAA has now moved online.  To sign
up for an account, I needed to supply a membership number (printed on your
plastic member card), and my name (also printed on the card), along with an
email address, and a chosen account name.  A few seconds later, I was logged
in, and was able to check my account info, including mailing address, and
type of credit card used for membership.

There was no verification of identity at all during account establishment.
At a minimum, mandating that a user-entered postal code match the AAA
database prior to creating the account would have afforded some protection.

So with a AAA member number and name, someone is well on their way to
identity theft -- the rest of your wallet not required.  Since many places
take AAA cards to provide discounted services (hotels, car repair,
restaurants, movie theatres, etc.) you can imagine the RISK.  I've sent a
letter to the organization letting them know their web registration needs to
be redesigned.


School psychologist's student records accidentally posted online

<Monty Solomon <monty@roscom.com>>
Sat, 3 Dec 2005 13:47:29 -0500

A school psychologist's records detailing students' confidential information
and personal struggles were accidentally posted to the school system's Web
site and were publicly available for at least four months.  A reporter for
*The Salem News* [Mass.] discovered the records last week and alerted school
officials, the newspaper said in a story Friday.  To protect students'
privacy, the newspaper said it withheld publishing the story until the
documents were removed from the Internet, which occurred Wednesday.  [...]
[Source: *The Boston Globe*, 2 Dec 2005; PGN-ed]
http://www.boston.com/news/education/k_12/articles/2005/12/02/school_psychologists_student_records_accidentally_posted_online/


Plain-text passwords: as RISKy as you'd think

<Steve Summit <scs@eskimo.com>>
Fri, 18 Nov 2005 12:55:57 -0500

A nice report of an investigation into how many plain-text passwords one can
almost trivially sniff in public-access places like hotels, conference
centers, and open wireless hotspots:

  http://www.infoworld.com/article/05/11/04/45OPsecadvise_1.html

The article also makes the point that although the passwords so sniffed are
often "unimportant" ones, for services such as mere e-mail access or
gambling site logins, people are often known to use their same passwords for
these and for their "secure" systems such as Windows network logins.

I came across this link in Bruce Schneier's excellent "Crypto-Gram"
newsletter at http://www.schneier.com/crypto-gram.html, which I'm sure is
known to many RISKS readers, but which I had neglected to read in a while.
It's worth keeping up with.


Y2K++

<"Jim Horning" <Jim.Horning@sparta.com>>
Wed, 30 Nov 2005 11:53:33 -0800

My employer has outsourced the administration of its 401(k) plan to
TruSource, a division of Union Bank of California, N.A.  This week I
received annual enrollment material from TruSource.  It contains generic
blurbs about 401(k)s and retirement planning, in addition to material
particular to our plan.  Part of the latter is a summary page for each of
the available investment options.  These pages are clearly labeled
"Copyright (c) Standard & Poor's, a division of The McGraw-Hill Companies."

The page for each fund contains a graph of "GROWTH OF $10,000."  I think the
format and content are specified by the SEC, and they are presumably
automatically generated from some kind of database.  For some reason, I
happened to look more closely than usual at one of the charts, and noticed
something odd about the labeling of the year axis, and started inspecting
them all.  Most of them contain dates in the 31st and 41st centuries!

For example, the chart for the Pioneer High Yield Fund "(SINCE 03/31/98)" is
labeled with consecutive years

  4098 3099 2000 1001 4001 4002 2003 1004 4004 3005

Apparently the dates escaped the notice of the humans (if any) at
McGraw-Hill and TruSource who were in the loop in the preparation of these
documents.  It is interesting to speculate what combination of programming
errors would yield this precise sequence of dates.

Jim H.  http://horning.blogspot.com


Risks of naive date calculation

<Mike Albaugh <albaugh@perilin.com>>
Wed, 23 Nov 2005 12:48:48 -0700

I have in my possession a box of Nyakers (that should be an A-ring, BTW)
"Authentic Swedish Apple Snaps" that is

BEST BEFORE 29 FEB 2006

Lazy Programmer? Faulty date-manipulation library?  Or do the Swedes know
something about the depths to which lawmakers will stoop in calendar
manipulation?

The computer scientist in me wants to know if the comparison to a
(currently) non-existent date should:

 * always fail (Cookies are stale now),
 * always succeed (Cookies will never get stale)
 * throw an exception (Cookies should not exist in this universe)
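As an added illustration (not part of Mike Albaugh's post), the snippet below shows one assumed way an impossible expiry date can arise (bumping the year field of a leap-day date without re-validating, e.g. 29 Feb 2004 plus two years) and then makes the three comparison policies from the post explicit, plus a fourth one, clamping to the last real day of the month. The label text, the `naive_add_years` cause and the policy names are constructed for the example.

```python
from datetime import date

# Constructed sample label, modelled on the one in the post.
LABEL = "BEST BEFORE 29 FEB 2006"

MONTHS = {m: i for i, m in enumerate(
    ["JAN", "FEB", "MAR", "APR", "MAY", "JUN",
     "JUL", "AUG", "SEP", "OCT", "NOV", "DEC"], start=1)}


def naive_add_years(d: date, years: int) -> tuple:
    """Assumed cause: bump the year field and never re-validate.  Returns a
    (y, m, d) triple because the result may not be a real date at all."""
    return (d.year + years, d.month, d.day)


def parse_label(label: str) -> date:
    """Strict parse of 'BEST BEFORE DD MON YYYY'.  date() validates the
    day, so 29 FEB 2006 raises ValueError here."""
    parts = label.upper().split()
    if len(parts) != 5 or parts[:2] != ["BEST", "BEFORE"]:
        raise ValueError(f"unrecognised label: {label!r}")
    day, mon, year = int(parts[2]), MONTHS[parts[3]], int(parts[4])
    return date(year, mon, day)


def is_stale(label: str, today: date, policy: str) -> bool:
    """Compare today against the label under an explicit policy for a
    non-existent date: 'fail' (always stale), 'succeed' (never stale) or
    'raise' (refuse to answer)."""
    try:
        best_before = parse_label(label)
    except ValueError:
        if policy == "fail":
            return True
        if policy == "succeed":
            return False
        raise
    return today > best_before


def normalise_to_last_valid_day(y: int, m: int, d: int) -> date:
    """Fourth option: clamp an impossible day to the last real day of that
    month (29 FEB 2006 -> 28 FEB 2006).  Only the day is adjusted."""
    if d < 1:
        raise ValueError("day must be positive")
    while True:
        try:
            return date(y, m, d)
        except ValueError:
            d -= 1


if __name__ == "__main__":
    print(naive_add_years(date(2004, 2, 29), 2))      # (2006, 2, 29)
    for policy in ("fail", "succeed"):
        print(policy, is_stale(LABEL, date(2005, 11, 23), policy))
    print(normalise_to_last_valid_day(2006, 2, 29))
```

Whichever policy is chosen, the important part is that it is chosen deliberately and written down; the `date()` constructor's refusal to build the value is what forces the decision, whereas a hand-rolled year/month/day comparison would silently pick one.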


Bye Bye BlackBerry?

<Monty Solomon <monty@roscom.com>>
Sun, 4 Dec 2005 01:45:19 -0500

A ``long-running patent infringement battle between the maker of BlackBerry,
Research In Motion, and NTP, a tiny patent holding company, might cause a
service shutdown, perhaps within a month. ...  R.I.M., which is based in
Waterloo, Ontario, promises it has a solution that will keep its beloved
BlackBerries humming even in the face of an injunction. While most analysts
view the prospects of a shutdown as unlikely, they have little faith in the
proposed solution, which has potential legal pitfalls of its own. What's
more, the history of the struggle between the companies means that no
outcome is certain.''  [Source: Ian Austen, Bye Bye BlackBerry?, What if
your BlackBerry screen went dark?  *The New York Times*, 3 Dec 3005; PGN-ed]
http://www.nytimes.com/2005/12/03/technology/03blackberry.html?ex=1291266000&en=df205fd24ccb8593&ei=5090


SafetyText

<Nick Brown <Nick.BROWN@coe.int>>
Mon, 28 Nov 2005 17:17:20 +0100

A new UK-based service called SafetyText (http://www.safetytext.com/)
enables you to send a text message which will be delivered after a certain
delay unless canceled.

The idea seems to be that, before exposing yourself to danger, you send a
text - say, "Help, I'm being attacked by rabid bats" before entering a cave
- and then it will be sent if you don't emerge from the cave in time to
cancel it.

The risks are left as an exercise to the reader, but here are some pointers
to get you started:

- SMS messaging delivery is inherently unreliable, so maybe your "help"
  text won't get through...

- ... or maybe your "cancel" text won't get through.

- Many people receiving such a text, regardless of how it's phrased, will
  tend to assume the worst (despite the "don't panic" instructions on the
  service's Web site) and will send in the emergency services on a possibly
  unnecessary search for someone who just happens to be out of GSM service
  range.

I'm also slightly worried that the same short number used for the SafetyText
service - 63344 - appears in the banner advert above the site's start page,
which at the present time invites me to send the name of Coldplay's lead
singer to win tickets to see them in concert.  I hope they don't launch a
particularly popular game while I'm being attacked by the rabid bats.


Data disasters dog computer users

<"Amos Shapir" <amos083@hotmail.com>>
Wed, 07 Dec 2005 14:58:20 +0200

A laptop crammed with dead cockroaches tops a list of data disasters
compiled by computer experts.
  http://news.bbc.co.uk/go/em/-/2/hi/technology/4500482.stm

  [That would be a tough roach to hoe.  PGN]


Online tax credit system closed

<"Amos Shapir" <amos083@hotmail.com>>
Mon, 05 Dec 2005 17:12:37 +0200

Organised fraud forces HM Revenue and Customs to stop accepting online
applications for tax credits.  Full story:
  http://news.bbc.co.uk/go/em/-/2/hi/business/4493008.stm


Re: Some Fast Lane accounts double-billed (Solomon, RISKS 24.09)

<Steve Summit <scs@eskimo.com>>
Sun, 04 Dec 2005 14:17:37 -0500

Monty Solomon forwarded an item to RISKS 24.09 about a batch of
Massachusetts Turnpike drivers who were doubly charged for their
electronic tolls, due to one day's worth of records being mistakenly
processed twice.

If anyone's keeping a canonical list of "bugs that are way easy to
make and deserve special handling", this scenario clearly belongs.
We've been hearing variations on the same song for decades: it used
to be the phone company accidentally double-running a billing tape
containing the call records from a long-distance switch, but to this day
it can still easily happen any time there are batches of transactions
created by system A and later processed or reconciled on separate system
or subsystem B on a separate system.  (And I can't personally be at all smug about this: in a
former life I ran a small, simple, homebrew, but high-volume e-commerce
site, and I committed this same mistake once or twice myself.  Fortunately
I was also in a position to synthesize and inject automatic refunds to
the credit card accounts of affected customers, well before most of them
even noticed.)

I'm sure that any organization large enough to address this risk
responsibly has implemented the obvious sorts of double-checks (perhaps
involving explicit batch serial numbers which are logged and checked
by the processing system, in order to reject inadvertent duplicates).
But since the need for such double-checks is all too likely to be
recognized only *after* the double-billing problem has bitten a
particular system at least once, and since new systems having this
vulnerability are continually being written, it's a problem that,
unfortunately, will continue to happen.
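The batch-serial-number check that Steve Summit describes, worked through as an added example (not code from any turnpike or phone-company system). System A exports batches carrying a serial number; system B keeps a ledger of serials it has already applied and rejects a resubmission. The example also fingerprints the batch content, so a reused serial with different records is quarantined rather than silently applied or silently dropped. The batch ids, accounts and amounts are constructed.

```python
import hashlib
import json
from dataclasses import dataclass, field

# Constructed sample: two days of toll records as system A might export them.
# The second day's batch is then submitted a second time by mistake.
BATCHES = [
    {"batch_id": "TOLL-2005-11-30", "records": [
        {"account": "A1001", "plaza": "P1", "amount_cents": 125},
        {"account": "A1002", "plaza": "P2", "amount_cents": 100}]},
    {"batch_id": "TOLL-2005-12-01", "records": [
        {"account": "A1001", "plaza": "P2", "amount_cents": 100}]},
    {"batch_id": "TOLL-2005-12-01", "records": [
        {"account": "A1001", "plaza": "P2", "amount_cents": 100}]},
]


def batch_fingerprint(batch: dict) -> str:
    """SHA-256 of the canonicalised records, independent of key order."""
    canon = json.dumps(batch["records"], sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canon.encode()).hexdigest()


@dataclass
class TollProcessor:
    """System B: applies charges, but only once per batch serial number.
    In a real system `seen` and `balances` would be updated in one database
    transaction so a crash between them cannot cause a replay or a loss."""
    balances: dict = field(default_factory=dict)
    seen: dict = field(default_factory=dict)   # batch_id -> fingerprint
    log: list = field(default_factory=list)

    def process(self, batch: dict) -> str:
        bid = batch["batch_id"]
        fp = batch_fingerprint(batch)
        if bid in self.seen:
            if self.seen[bid] == fp:
                self.log.append(f"REJECT duplicate batch {bid}")
                return "duplicate"
            # Same serial, different content: an id was reused upstream.
            # Don't guess which copy is right; hold it for a human.
            self.log.append(f"QUARANTINE batch {bid}: content differs")
            return "conflict"
        for rec in batch["records"]:
            acct = rec["account"]
            self.balances[acct] = self.balances.get(acct, 0) + rec["amount_cents"]
        self.seen[bid] = fp
        self.log.append(f"APPLIED batch {bid} ({len(batch['records'])} records)")
        return "applied"


def run(batches=BATCHES) -> TollProcessor:
    """Feed every batch through one processor and return it for inspection."""
    p = TollProcessor()
    for b in batches:
        p.process(b)
    return p


if __name__ == "__main__":
    p = run()
    print("\n".join(p.log))
    print(p.balances)   # A1001 charged once for 12-01, not twice
```

The serial number is what makes the check cheap and exact; the content hash is there for the failure the serial alone cannot catch, namely an upstream system that hands out the same serial twice.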


Stop speeding using a GPS?

<Jeremy Epstein <jeremy.epstein@cox.net>>
Sun, 4 Dec 2005 15:06:26 -0500

Transport Canada is testing a device that figures out where you are using
GPS, and causes your car to increase the resistance in the gas pedal if you
try to exceed the speed limit.

Bad idea.  I'm not an expert in GPS systems, but I've seen them get
confused, especially when there are nearby parallel roads.  I wouldn't want
it to hold my speed to 25 MPH because it thinks I'm on the dirt road that
runs parallel to a highway.  And if the device changes its mind suddenly,
the results could be catastrophic - I'm pushing hard on the accelerator
because (for whatever reason) I decide to exceed the speed limit, and
suddenly it decides the speed limit has increased - now I'm flooring the car
because it reduces its resistance factor.  Conversely, if I have a normal
pressure on the accelerator, and the speed limit drops, the device might
cause my speed to drop precipitously.  I'm sure there are lots of other
GPS-based risks - what does the device do if it can't find a GPS signal?

Hopefully the designers of the device considered the risks, but the article
doesn't mention any - only the advantages of improved road safety, reduced
fuel usage, etc.

Article at http://www.cnn.com/2005/AUTOS/12/01/canada_gps_speed/index.html
which references a Toronto Globe & Mail article at
http://www.globetechnology.com/servlet/story/RTGAM.20051128.gtsmartcars28/BNPrint/Technology/
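The failure modes Jeremy Epstein lists (a sudden change of the assumed limit, an ambiguous fix near a parallel road, no signal at all) are exactly the inputs a limiter's control logic has to be written against. The sketch below is an added example, not Transport Canada's device or anything derived from the articles; every threshold, the `Fix` fields and the "fail-open after a short hold" rule are assumptions made for the illustration. It slew-rate-limits the pedal resistance so it can never jump, declines to enforce when the fix cannot tell neighbouring roads apart, and releases the pedal after a few seconds without a trustworthy fix rather than holding a stale limit.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed tuning values (assumptions, not from any real device).
MAX_STEP_PER_SECOND = 0.10    # resistance may move at most 10 % per second
HOLD_SECONDS = 3.0            # keep the current setting this long on a bad fix
MIN_ROAD_MARGIN_M = 30.0      # required separation from the next-nearest road
TOLERANCE_KMH = 3.0


@dataclass
class Fix:
    speed_kmh: float
    limit_kmh: float              # limit of the road the receiver matched
    accuracy_m: float             # reported position accuracy
    nearest_other_road_m: float   # distance to the closest alternative road


@dataclass
class LimiterState:
    resistance: float = 0.0       # 0 = normal pedal, 1 = maximum resistance
    seconds_since_good_fix: float = 1e9


def fix_is_trustworthy(fix: Optional[Fix]) -> bool:
    """No fix, or a fix whose error circle could reach a parallel road,
    is not good enough to act on."""
    if fix is None:
        return False
    return fix.accuracy_m + MIN_ROAD_MARGIN_M < fix.nearest_other_road_m


def step(state: LimiterState, fix: Optional[Fix], dt: float) -> LimiterState:
    """Advance the controller by dt seconds given the latest fix (or None)."""
    if fix_is_trustworthy(fix):
        state.seconds_since_good_fix = 0.0
        over = fix.speed_kmh > fix.limit_kmh + TOLERANCE_KMH
        target = 1.0 if over else 0.0
    else:
        state.seconds_since_good_fix += dt
        # Hold briefly through a glitch, then fail open: release the pedal
        # instead of guessing which road (and which limit) applies.
        if state.seconds_since_good_fix < HOLD_SECONDS:
            target = state.resistance
        else:
            target = 0.0
    # Slew-rate limit: the driver never feels a step change in either direction.
    max_delta = MAX_STEP_PER_SECOND * dt
    delta = max(-max_delta, min(max_delta, target - state.resistance))
    state.resistance = round(state.resistance + delta, 6)
    return state


def simulate(fixes, dt: float = 1.0) -> LimiterState:
    """Run a sequence of fixes through a fresh controller; returns final state."""
    state = LimiterState()
    for f in fixes:
        step(state, f, dt)
    return state


if __name__ == "__main__":
    speeding = Fix(speed_kmh=70, limit_kmh=50, accuracy_m=5, nearest_other_road_m=200)
    ambiguous = Fix(speed_kmh=70, limit_kmh=30, accuracy_m=20, nearest_other_road_m=25)
    print(simulate([speeding] * 10).resistance)                     # ramps to 1.0
    print(simulate([speeding] * 10 + [ambiguous, None, None]).resistance)  # easing off
```

The ambiguous fix in the demo is the "dirt road parallel to the highway" case: the receiver reports a 30 km/h road, but its error circle overlaps another road 25 m away, so the controller holds rather than slamming on resistance, and after the hold expires it backs off smoothly.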


Re: In-car GPS navigation (Scott, RISKS-24.10)

<Henry Baker <hbaker1@pipeline.com>>
Sun, 27 Nov 2005 18:09:42 -0800

For the last year or so, if you rented a Hertz car with its "Neverlost"
(Magellan) GPS system, you couldn't get out of Boston's Logan Airport -- at
least if you listened to the "Neverlost" system.  It tried to route you onto
a one-way street in the airport itself (the other direction was closed off
due to construction).  Now everyone who has been in Boston in the last
several years knows about the construction at the airport and the Big Dig,
but here's a system that clearly is failing in its primary task!

On the whole, GPS is a very big win, but you do have to take every
"recommendation" it gives you with some level of skepticism.  Within the
canyons of Manhattan, the GPS system often thinks that you are in the middle
of Central park.  Also around NYC (and probably many other places), the GPS
system isn't accurate enough to get you into the correct lane for turning,
which sometimes means that you get off at the wrong exit or get onto the
wrong level of the George Washington Bridge.  The net result is that you end
up in New Jersey instead of Manhattan.


Re: In-car GPS navigation (Scott, RISKS-24.10)

<"Schatz, Derek P" <Derek.P.Schatz@boeing.com>>
Wed, 23 Nov 2005 11:43:24 -0800

Mike Scott appears to be making issue of something that the GPS navigator
companies have already clearly avoided liability for.  Every mapping system
I've ever seen warns that map results may not be completely accurate and
that you need to verify things for yourself.  Those of us who have been
driving for many years have learned the hazards of taking your eyes off the
road to futz with something inside the car (then again, some still haven't).
I don't see a risk with the GPS system here, but rather a risk with the
son's friend's driving abilities.  Besides, it takes London cabbies years to
learn the intricacies of the city's streets (some 400 years of intricacy) --
how could we expect a GPS system to have that same knowledge?

Now, it might be a different situation if the car had an auto-pilot system
relying on that GPS guidance...


Re: In-car GPS navigation (Scott, RISKS-24.10)

<Ian Chard <ian.chard@sers.ox.ac.uk>>
Thu, 24 Nov 2005 09:33:21 +0000

The disclaimers displayed by such systems (including the one I use, Tomtom)
aren't just there to get the manufacturers out of trouble.  One-way systems
change so frequently that there's no reasonable way you could expect a sat
nav device to be completely up-to-date.  I've been asked to drive through
buildings, across fields and against traffic restrictions, but as the driver
I have ultimate control and therefore ultimate responsibility.

To misquote the age-old schoolboy admonition, "if a sat nav system told you
to jump off a cliff, would you do it?" :)

Ian Chard, Unix & Network Administrator, Systems and Electronic Resources
Service Oxford University Library Services 80587 / (01865) 280587


Re: In-car GPS navigation (Scott, RISKS-24.10)

<"Jack Christensen" <j.christensen@sbcglobal.net>>
Sat, 26 Nov 2005 17:18:48 -0500

I had a friend whose vehicle had a built-in GPS navigation and map system.
When you started the vehicle, the first thing on the screen was a disclaimer
(which, if I recall correctly, had a fair amount of similarity to that of
the Garmin unit.)  The unit would not go into operational mode until you
touched a button on the screen to "acknowledge" the disclaimer.

At first, I laughed at this, but upon thinking about it a little more, I
wasn't so surprised.  I am not a lawyer, so I don't know the actual legal
worth of this approach, or how it might fare in court.

Jack Christensen, Grand Blanc, MI, USA  j.christensen@sbcglobal.net


Re: UK Police Vehicle Movement Database (RISKS-24.09)

<Identity withheld by request>
Sun, 20 Nov 2005 9:42:58 PST

The vehicle isn't flagged when the "tax" (Vehicle Excise Licence) is
renewed, so this is a misunderstanding of how the system works.  The "VEL
expired" marker is only added, retrospectively, some time after the renewal
falls due, and only if it isn't relicensed as expected.  So there is a
delay before such a marker is removed following relicensing, but from the
foregoing readers can see that a vehicle with an unbroken relicensing
history is therefore never added to the database.

> He then had to spend 5 mins filling in a form as this had to be regarded
> as an official "stop" event...

Yes, the real value of this is highly questionable (he's fast, if he
completed the form in only 5 minutes), and as one stop form has to be
completed for each member of a group, you might want to ask your MP if it's
a good use of police time to spend up to an hour standing in the street
filling in the forms if, say, an officer checks a group of half-a-dozen
youths who are the subject of a complaint by a local resident...  But that's
the reality for officers, and it has been imposed to fulfill a political
agenda irrespective of the actual financial cost, the opportunity costs, or
the inconvenience to those being spoken to (who, of course, don't actually
need to give their details - but the forms still have to be filled in...).


Re: UK Police Vehicle Movement Database

<mathew <meta@pobox.com>>
Sun, 4 Dec 2005 12:44:29 -0600

> Hence technology + Automation + DVLA = 5 mins wasted police time

It could be worse. In Massachusetts, cities charge you excise tax each year
if you own a vehicle.

When you register a vehicle with the Massachusetts Registry of Motor
Vehicles (RMV), they inform the city you live in that you have a vehicle and
should pay tax.

When you de-register a vehicle--e.g. move to another state, sell the
vehicle, return your license plates, and so on--the RMV doesn't bother to
inform the city you were in of the new information.

Hence when I bought a car and left Massachusetts permanently, almost a year
later I got a completely incorrect tax bill which had been sent to the wrong
address. (This was the first I had heard about excise tax, in fact.) MA
expected me to pay the incorrect bill and then argue with them to get the
money back, or else pay extra non-payment fees. What's more, because they
had sent the bill to the wrong address, it had taken so long to arrive I was
already subject to non-payment fees.

I can only imagine that this brokenness is deliberate because it monetarily
favors the state.
