The Risks Digest

The RISKS Digest

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Volume 24 Issue 20

Friday 17 March 2006


A risk of laparoscopy
Barnaby Feder
Security flaws could cripple missile defense network
Bob Brewin via Gabe Goldberg
Tesco advertising SMS unsubscription requires loyalty card membership
Toby Douglass
Elevator software risk
Toby Douglass
When trusted systems fail
Steve Summit
It's now a crime to delete files
Scott Peterson
CIA Covert Agents found using fee based searches by Chicago Tribune (R.S.
Bob) Heuman
Another Paypal scam, social engineering against ethical people
Mark Batten-Carew
Mindless precision
Andrew Koenig
Re: Complexity causes 50% of product returns
Henry Baker
Re: Excel garbles microarray experiment data
D. McKirahan
Philip Nasadowski
John Deltuvia
Devon McCormick
Australian emergency number has incorrect address information
Josh Parris
IEEE Symposium on Security and Privacy, Program
Cipher Editor
Call For Proposals: Data Surveillance and Privacy Protection workshop
Simson Garfinkel
Info on RISKS (comp.risks)

A risk of laparoscopy

<"Peter G. Neumann" <>>
Fri, 17 Mar 2006 9:39:08 PST

To make a long story short, Kristina A. Fox received a supposedly minimally
invasive laparoscopy in 1998.  Unfortunately, the wand-like electrical tool
that cuts tissues and seals blood vessels was emanating an undetected stray
electrical charge that created a small hole in her colon.  The complications
resulted in 13 operations and serious complications.  Her lawsuit argues
that the risk of accidents from laparoscopic surgery could be sharply
reduced with the use of fault-detection static and dynamic testing devices
that are currently available but used by only 1/4 of U.S. hospitals.  A
gynecologist is quoted as saying "It wouldn't surprise me in the least if
[this problem] caused more than 100 deaths and 10,000 injuries annually."
[Source: Barnaby J. Feder, Surgical Device Poses a Rare but Serious Peril
*The New York Times*, 17 Mar 2006; PGN-ed; thanks to Lauren Weinstein for
noting this one.]

Security flaws could cripple missile defense network

<Gabe Goldberg <>>
Fri, 17 Mar 2006 14:34:35 -0500

The network that stitches together radars, missile launch sites and command
control centers for the Missile Defense Agency (MDA) ground-based defense
system has such serious security flaws that the agency and its contractor,
Boeing, may not be able to prevent misuse of the system, according to a
Defense Department Inspector General's report.

The report, released late last month, said MDA and Boeing allowed the use of
group passwords on the unencrypted portion of MDA's Ground-based Midcourse
Defense (GMD) communications network.

The report said that neither MDA nor Boeing officials saw the need to
install a system to conduct automated log audits on unencrypted
communications and monitoring systems. Even though current DOD policies
require such automated network monitoring, such a requirement ``was not in
the contract''.  [...]  [Source: Bob Brewin, *Federal Computing Week*, 16
Mar 2006]

Gabriel Goldberg, Computers and Publishing, Inc., 3401 Silver Maple Place,
Falls Church, VA 22042 <> 1-703-204-0433

Tesco advertising SMS unsubscription requires loyalty card membership

<Toby Douglass <>>
Wed, 08 Mar 2006 23:40:25 +0000

Buried deep, deep in the small print in the back pages of the Tesco (the
leading UK supermarket chain) mobile phone service information booklet, is a
brief sentence that if the customer wishes not to be involved in "market
research", to wit, having their demographic details tracked and shared, they
need to phone customer services and opt out.

Yesterday, my phone number transferred to the Tesco network and I put twenty
pounds into my account.

This morning, I received an advertising SMS from Tesco.

This reminded me I needed to call customer services regarding "market
research" and advertising SMSs.

Now, and here's where it gets interesting, they tell me I'm not involved in
"market research" because I don't have a club card (a loyalty card) - but
that for the same reason they *cannot unsubscribe me from advertising SMSs*.

Tesco can *add* you to their advertising SMS list without a club card, but
they cannot *remove* you without a club card.

What customer services do in this situation is that the shift manager visits
a store, picks up a blank club card, registers it to the customer and
unsubcribes them.

Elevator software risk

<"Toby Douglass" <>>
Fri, 10 Mar 2006 14:23:56 -0000 (GMT)

I work in a three-story office block.  Being so high, the building is
equipped with a pair of elevators, which appear to co-operate in handling
passenger traffic.  These are modern elevators, equipped with a female
chip-voice announcing which floor the elevator has arrived at and which
direction the elevator is about to travel in.

The upper floors of the building are lightly populated and so the bathroom
facilities on those floors are considerably more pleasant and less crowded.

I recently emerged from a pleasant, uncrowded bathroom and pressed the
button summoning an elevator.  An elevator arrived, its doors opened and a
female chip voice announced the arrival of the elevator at the first floor.

The chip voice was muffled since it was coming from the *other* elevator,
which was also on the first floor with closed doors.

I stepped inside and selected "down".

The muffled other elevator announced I was about "going down" and the doors
closed and the elevator took me to the ground floor.

The doors opened and the female chip voice from the floor above then floated
down to me..."ground floor".

I'm grateful that it was not necessary for me to operate the controls in the
other elevator.  If that had been so, I wonder if the emergency button would
still have worked?

When trusted systems fail

<Steve Summit <>>
Mon, 13 Mar 2006 19:13:31 -0500

On Friday, March 10, McAfee's antivirus program gave users a nice lesson on
the meaning of the term "trusted system".  Due to a faulty virus definition
file, the software began deleting or "quarantining" hundreds or thousands of
legitimate system files (including, among others, Microsoft's excel.exe).

It's now a crime to delete files

<Scott Peterson <>>
Sat, 11 Mar 2006 00:20:55 -0800

What: International Airport Centers sues former employee, claiming use of a
secure file deletion utility violated federal hacking laws.

When: Decided March 8 by the U.S. Court of Appeals for the 7th Circuit
Outcome: Federal hacking law applies, the court said in a 3-0
  opinion written by Judge Richard Posner.

What happened, according to the court: Jacob Citrin was once employed by
International Airport Centers and given a laptop to use in his company's
real estate related business. The work consisted of identifying ``potential
acquisition targets''.

At some point, Citrin quit IAC and decided to continue in the same business
for himself, a choice that IAC claims violated his employment contract.

Normally that would have been a routine business dispute. But the twist
came when Citrin dutifully returned his work laptop--and IAC tried to
undelete files on it to prove he did something wrong.

IAC couldn't. It turned out that (again according to IAC) Citrin had used a
``secure delete'' program to make sure that the files were not just deleted,
but overwritten and unrecoverable.

In most operating systems, of course, when a file is deleted only the
reference to it in the directory structure disappears. The data remains on
the hard drive.  But a wealth of programs like PGP, open-source programs
such as Wipe, and a built-in feature in Apple Computer's OS X called Secure
Empty Trash will make sure the information has truly vanished.

Inevitably, perhaps, IAC sued. The relevance for Police Blotter readers is
that the company claimed that Citrin's alleged secure deletion violated a
federal computer crime law called the Computer Fraud and Abuse Act.

That law says whoever ``knowingly causes damage without authorization'' to a
networked computer can be held civilly and criminally liable.

The 7th Circuit made two remarkable leaps. First, the judges said that
deleting files from a laptop counts as ``damage''.  Second, they ruled that
Citrin's implicit ``authorization'' evaporated when he (again, allegedly)
chose to go into business for himself and violate his employment
contract. ...

  [URL added in archive copy;

CIA Covert Agents found using fee based searches by Chicago Tribune

Sun, 12 Mar 2006 13:27:31 -0500

An interesting article, reiterating what we already know, that in the
present age of search tools, almost nothing can be hidden from those willing
to pay for someone to do a search.  The article basically says it succinctly.

Another Paypal scam, social engineering against ethical people

<"Mark Batten-Carew" <>>
Mon, 13 Mar 2006 22:18:39 -0500

My wife just received what from the Subject line looked like a Paypal buyer
payment notice to her, as a seller. But she hasn't recently sold anything.
Having been taught to be very careful, she looked at the message source
before opening it.  She then checked Paypal to confirm there had been no
payment to her corresponding to this message.  So far so good, but now come
the gotchas....

When she went to forward the message (using Outlook Express) to spoof AT, of course the message was opened and displayed.  I figured this
was safe, since she would not open any attachments.  But, it turns out the
content of the message was a small bit of HTML, composed of just an image
with a clickable area.  In recent versions of IE, such images would be
prevented from being downloaded unless approved.  Not so in Outlook Express.
It retrieved the image, presumably identifying my wife's computer to the
originating web site. Oops.

But the interesting part is that the image was a good likeness of a Paypal
message, with a complete bogus transaction (to pay money to my wife) and a
button to click labeled "Dispute Transaction".  They are specifically
preying on people who want to correct mistakes and give money back.  That
is, preying on ethical people, not greedy people.  We didn't click on it.  I
have no idea what would have happened next, but probably a request to log
into her account to confirm the transaction was incorrect.

Mindless precision

<"Andrew Koenig" <>>
Fri, 10 Mar 2006 19:01:17 -0500

When I worked at Bell Labs, before the breakup of the Bell System in 1984,
once in a while a memo would come around describing a change to some piece
of hardware or other that I knew nothing about.  The reason would be that
the hardware was so widely used throughout the company that the easiest way
to reach everyone who might care about it was to send a memo to every member
of management.  As an "exempt" employee, I was considered a member of
management although I had no one reporting to me.

One day I received a memo that announced that as of some date,
0.511-microfarad capacitors were going to be replaced by 0.51-microfarad
capacitors, and the old ones would no longer be available.

The punchline?  In both cases, the capacitors had +/- 10% tolerance.

  [Unfortunately, the capacity of management often has a tolerance
  greater than +/- 10%.  PGN]

Re: Complexity causes 50% of product returns (RISKS-24.19)

<Henry Baker <>>
Thu, 16 Mar 2006 13:14:16 -0800

This problem affects more than consumer devices.  When I was working on a
project for the Army in the very early 1970's regarding repairing tank
engines, a significant fraction (1/4 - 1/3) of tank engines that were sent
back from Viet Nam had "nothing wrong" with them.  (I don't know how they
came up with this statistic -- we've all gotten our cars back from the
repair shop, only to find that the problem that we took the car into the
shop for in the first place had not been fixed.)

Of course, a number of the broken engines had been "hacked" -- i.e.,
"hot-rodded" by some good ol' boys, so they failed in a sometimes spectacular
manner.  But that is a different story...

Re: Excel garbles microarray experiment data (RISKS-24.19)

<"D. McKirahan" <>>
Fri, 10 Mar 2006 17:05:23 -0600

Frequent users of MS-Excel know to format the cells as Text *before*
entering data or put a single quote in front of any data to have it stay

    '1DEC              won't change to     01-Dec
    '2310009E13   won't change to     2.31E+19

Re: Excel garbles microarray experiment data (RISKS-24.19)

<Philip Nasadowski <>>
Sun, 12 Mar 2006 15:12:43 -0500

I'm glad (well, not really) I'm not the only one who's seen their data
swallowed by Excel.  I have seen this with data provided by a custom
application for a 'large northeastern USA transit operator'.  Basically,
there's certain data that's represented in hexadecimal format.  When the
output file (comma separated values, csv) is brought into Excel, Excel
'helpfully' converts some of these into scientific notation!  And you can't
turn it off or unformat it, period.  It's converted and that's that.  I
haven't bothered calling MS, representing data as typed is apparently too
advanced a concept for them to understand...

At least what we're looking at isn't super critical, and Excel is only one
tool that we use.  The scary thing, though, is there's no warning, and you
can't turn it off.  Who knows what other liberties MS takes with your

Re: Excel garbles microarray experiment data (RISKS-24.19)

Mon, 13 Mar 2006 09:52:05 -0500

I do not see this as a problem in Excel, which is a spreadsheet program
designed primarily for accounting calculations - calculations which commonly
use numbers and dates.

Rather, this is a problem introduced by the designer(s) of the "new
bioinformatics programs", who seem to have decided to use Excel as a
database program.  A crowbar can be used as a hammer, but one runs the risk
of making a large hole in a wall instead of simply driving in the nail.
Similarly, using Excel as a database instead of Oracle, or SQL Server, or
even MS Access (if for some reason use of the MSOffice suite is desired)
runs the risk of non-accounting data being interpreted as accounting data.

John J. Deltuvia, Jr, Technology Unit, NJAOC Probation Services - CSES

Re: Excel garbles microarray experiment data (RISKS-24.19)

<"Devon McCormick" <>>
Mon, 13 Mar 2006 15:54:30 -0500

Excel doesn't play well with others.  This is not the only kind of data
Excel garbles.

In the financial world, we use CUSIPs (8 or 9 character codes) or tickers
(1- to 5-letter codes) to identify equities.  Excel typically garbles these
by being over-helpful as mentioned in the article on micro-array data.  So,
CUSIPs are sometimes left alone and often treated as numbers because they
are a mix of letters and numerals with the a preponderance of numerals.
Tickers are less commonly mangled though there is a company with the ticker
"TRUE" which Excel decides is the value "TRUE", not the character string.

However, potentially even more insidious is the fact that Excel does not
properly handle .CSV files.  This "Comma-Separated Values" format has been
around for decades but Excel has never handled it properly.  Both on input
and output, it will often ignore the double-quotes that are intended to
distinguish character from numeric fields.

Because of this, the obvious solution of putting CUSIPs and tickers in
quotes does not work with Excel.

Perhaps even worse, there are applications that expect the Excel variant of
.CSV files and reject properly-formatted ones.  To see how ridiculously
complicated this can get, look at the section "Excel vs. Leading Zero &
Space" in

Thus the risk of the popular error propagating, muddying the waters for
years to come.

Australian emergency number has incorrect address information

<Josh Parris <>>
Tue, 14 Mar 2006 10:18:42 +1100

The local emergency number, 000, is reported to have incorrect address

There is no media release on the Telstra website relating to this.

IEEE Symposium on Security and Privacy, Program

<"Cipher Editor" <>>
Fri, 17 Mar 2006 10:46:53 -0700

The Symposium will be held May 21-24 at the Claremont Resort in Berkeley,
California. See

Session: Signature Generation (Christopher Kruegel)

Towards Automatic Generation of Vulnerability-Based Signatures
David Brumley, James Newsome, Dawn Song, Hao Wang, and Somesh Jha
Carnegie Mellon University, USA, and University of Wisconsin, USA

Misleading Worm Signature Generators Using Deliberate Noise Injection
Roberto Perdisci, David Dagon, Wenke Lee, Prahlad Fogla, and Monirul Sharif
University of Cagliari, Italy, and Georgia Institute of Technology, USA

Hamsa: Fast Signature Generation for Zero-day Polymorphic Worms
       with Provable Attack Resilience
Zhichun Li, Manan Sanghi, Yan Chen, Ming-Yang Kao and Brian Chavez
Northwestern University, USA

Session: Detection (Robert Cunningham)

Dataflow Anomaly Detection
Sandeep Bhatkar, Abhishek Chaturvedi and R. Sekar
Stony Brook University, USA

Towards a Framework for the Evaluation of Intrusion Detection Systems
Alvaro A. Cardenas, Karl Seamon and John S. Baras
University of Maryland, USA

Siren: Detecting Evasive Malware (Short Paper)
Kevin Borders, Xin Zhao and Atul Prakash
University of Michigan, USA

Session: Privacy (Carl Landwehr)

Fundamental Limits on the Anonymity Provided by the MIX Technique
Dakshi Agrawal, Dogan Kesdogan, Vinh Pham, Dieter Rautenbach
IBM T J Watson Research Center, USA, RWTH Aachen, Germany,
     and University of Bonn, Germany

Locating Hidden Servers
Lasse O/verlier and Paul Syverson
Norwegian Defence Research Establishment, Norway, Gjøvik University
College, Norway, and Naval Research Laboratory, USA

Practical Inference Control for Data Cubes (Extended Abstract)
Yingjiu Li, Haibing Lu and Robert H. Deng
Singapore Management University, Singapore

Deterring Voluntary Trace Disclosure in Re-encryption Mix Networks
Philippe Golle, Xiaofeng Wang, Markus Jakobsson and Alex Tsow
Palo Alto Research Center, USA, and Indiana University, Bloomington, USA

New Constructions and Practical Applications for Private Stream
  Searching (Extended Abstract)
John Bethencourt, Dawn Song and Brent Waters
Carnegie Mellon University, USA, and SRI International, USA

5-minute Work-in-Progress Talks

Session: Formal Methods (Susan Landau)

A Computationally Sound Mechanized Prover for Security Protocols
Bruno Blanchet
CNRS, Ecole Normale Supe'rieure, Paris, France

A Logic for Constraint-based Security Protocol Analysis
Ricardo Corin, Ari Saptawijaya and Sandro Etalle
University of Twente, The Netherlands, and University of Indonesia, Indonesia

Simulatable Security and Concurrent Composition
Dennis Hofheinz and Dominique Unruh
CWI, The Netherlands, and University of Karlsruhe, Germany

Session: Analyzing and Enforcing Policy (Tuomas Aura)

Privacy and Contextual Integrity: Framework and Applications
Adam Barth, Anupam Datta, John C. Mitchell and Helen Nissenbaum
Stanford University, USA, and New York University, USA

FIREMAN: A Toolkit for FIREwall Modeling and ANalysis
Lihua Yuan, Jianning Mai, Zhendong Su, Hao Chen, Chen-Nee Chuah and
  Prasant Mohapatra
University of California, Davis, USA

Retrofitting Legacy Code for Authorization Policy Enforcement
Vinod Ganapathy, Trent Jaeger and Somesh Jha
University of Wisconsin-Madison, USA,
     and Pennsylvania State University, USA

Session: Analyzing Code (Doug Tygar)

Deriving an Information Flow Checker and Certifying Compiler for Java
Gilles Barthe, David A. Naumann and Tamara Rezk
INRIA Sophia-Antipolis, France, and Stevens Institute of Technology, USA

Discovering Malicious Disks with Symbolic Execution
Paul Twohey, Junfeng Yang, Can Sar, Cristian Cadar, and Dawson Engler
Stanford University, USA

Pixy: A Static Analysis Tool for Detecting Web Application Vulnerabilities
Nenad Jovanovic, Christopher Kruegel and Engin Kirda
Vienna University of Technology, Austria

Cobra: Fine-grained Malware Analysis using Stealth Localized-Executions
Amit Vasudevan and Ramesh Yerraballi
University of Texas Arlington, USA

Session: Authentication (Paul Van Oorschot)

Integrity (I) codes: Message Integrity Protection and Authentication
  Over Insecure Channels
Mario Cagalj, Srdjan Capkun, Ramkumar Rengaswamy,
  Ilias Tsigkogiannis, Mani Srivastava and Jean-Pierre Hubaux
Ecole Polytechnique Federale de Lausanne (EPFL), Switzerland,
  Technical University of Denmark, Denmark,
  and University of California, Los Angeles, USA

Cognitive Authentication Schemes Safe Against Spyware
Daphna Weinshall, Hebrew University of Jerusalem, Israel

Cache Cookies for Browser Authentication (Extended Abstract)
Ari Juels, Markus Jakobsson and Tom N. Jagatic
RSA Laboratories, USA, RavenWhite Inc., USA, and Indiana University, USA

Secure Device Pairing based on a Visual Channel
Nitesh Saxena, Jan-Erik Ekberg, Kari Kostiainen and N. Asokan
University of California, Irvine, USA, and Nokia Research Center, Finland

Session: Attacks (Kevin Fu)

SubVirt: Implementing malware with virtual machines
Samuel T. King, Peter M. Chen, Yi-Min Wang, Chad Verbowski, Helen J. Wang,
  Jacob R. Lorch, University of Michigan, USA, and Microsoft Research, USA

Practical Attacks on Proximity Identification Systems (Short Paper)
Gerhard P. Hancke, University of Cambridge, UK

On the Secrecy of Timing-Based Active Watermarking Trace-Back Techniques
Pai Peng, Peng Ning and Douglas S. Reeves, North Carolina State University, USA

Session: Systems (Helen Wang)

A Safety-Oriented Platform for Web Applications
Richard S. Cox, Jacob Gorm Hansen, Steven D. Gribble, and Henry M. Levy
University of Washington, USA, and University of Copenhagen, Denmark

Tamper-Evident, History-Independent, Subliminal-Free Data Structures
  on PROM Storage -or- How to Store Ballots on a Voting Machine
  (Extended Abstract)
David Molnar, Tadayoshi Kohno, Naveen Sastry and David Wagner
  University of California, Berkeley, USA, and University of California,
  San Diego, USA

Analysis of the Linux Random Number Generator
Zvi Gutterman, Benny Pinkas and Tzachy Reinman
Hebrew University, Israel, Haifa University, Israel, and Safend, Israel

The Final Nail in WEP's Coffin
Andrea Bittau, Mark Handley and Joshua Lackey
University College London, UK, and Microsoft, USA

Call For Proposals: Data Surveillance and Privacy Protection workshop

<Simson Garfinkel <>>
Sat, 11 Mar 2006 17:03:05 -0500

CRCS Workshop 2006: Data Surveillance and Privacy Protection

* Can you find the terrorist in your database?
* Do hospital admission records hold the secret to catching and
  confining Avian Flu outbreaks in humans?
* What do banks really know about their customers?
* What's the real purpose behind that RFID tag on your sweater?

On June 3, 2006 Harvard University's Center for Research on Computation and
Society will hold a day-long workshop on Data Surveillance and Privacy

Although there has been significant public attention to the civil liberties
issues of data surveillance over the past few years, there has been little
discussion of the actual techniques that could be employed in any but the
most restricted settings. Likewise, there has been little discussion of
methods and technologies for conducting data surveillance while respecting
privacy and preserving civil liberties.

Today's newspapers and TV shows are preoccupied with NSA wiretaps and the
accidental release of names and social security numbers.  Meanwhile, a far
more pervasive surveillance infrastructure is being created around us: the
routine use of database information for law enforcement, counter-terrorism,
and commercial markets.

The Center for Research on Computation and Society (CRCS) is a new research
center with a mission to develop a clear understanding of issues of
technology and public policy where the actual technology makes a difference,
and to pursue innovative computer science and technology research informed
by that understanding.

Some of the issues that we would like to explore at the workshop include:

* Techniques for mining databases within and between organizations without
  exposing proprietary or privacy-sensitive information.

* Techniques that are planned for deployment (or are actually being used) to
  survey hospital admissions data for evidence of epidemics or bioterror

* Techniques that have been tried, or proposed, for finding terrorists or
  criminals through the examination of transactional information.

* Techniques that could be used to automatically detect phishing attacks or
  other kinds of financial fraud.

The workshop will take place on June 3, 2006. Registration for the workshop
will open in early May.


The CRCS Workshop Organizing Committee is looking for academics, government
officials, business leaders, and individuals who are interested in
submitting papers or making presentations at the June 3rd workshop. If you
are interested, please send us a 2-paragraph abstract of your proposed paper
or presentation.

Send proposals to

For more information, check out wiki at:

Please report problems with the web pages to the maintainer