The RISKS Digest
Volume 25 Issue 14

Friday, 2nd May 2008

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Please try the URL privacy information feature enabled by clicking the flashlight icon above. This will reveal two icons after each link the body of the digest. The shield takes you to a breakdown of Terms of Service for the site - however only a small number of sites are covered at the moment. The flashlight take you to an analysis of the various trackers etc. that the linked site delivers. Please let the website maintainer know if you find this useful or not. As a RISKS reader, you will probably not be surprised by what is revealed…


U.S. Customs computer system fails nationwide
Protecting Yourself From Suspicionless Searches While Traveling
Jennifer Granick via Monty Solomon
Air marshals' names tagged on 'no-fly' list
Audrey Hudson via Monty Solomon
Italy posts salary details on web
Amos Shapir
Tot dies after Internet 911 call fails to reach dispatchers
Tony Toews
Canadian Human Rights Commission investigator hijacks woman's Internet connection
Kelly Bert Manning
Microsoft anti-encryption toolkit
David Lesher
"Default Password" exploits still work
William Nico
Protecting credit card holders
Kearton Rees
Police officer uses real witness statement as template document
Identity withheld by request
False alarm guaranteed after 7 years
Daniel P.B. Smith
Facial recognition in airports... please say it's April 1st.
Fred Cohen
Re: Face scans for UK air passengers
Peter Houppermans
Re: 30th Spamiversary
Amos Shapir
Re: Real-time spying on credit card holders
Nick Brown
Blown to Bits, Abelson/Ledeen/Lewis
Info on RISKS (comp.risks)

U.S. Customs computer system fails nationwide

"Peter G. Neumann" <>
Thu, 1 May 2008 9:52:37 PDT
The CNN Wire reported on 30 Apr 2008 that a nationwide computer failure shut
down terminals at U.S. Customs entry points.  However, a backup system on
laptops appears to have worked, instituted after previous system failures
(e.g., 18 Aug 2005, RISKS-24.02).

Protecting Yourself From Suspicionless Searches While Traveling

Monty Solomon <>
Thu, 1 May 2008 22:22:29 -0400
Protecting Yourself From Suspicionless Searches While Traveling
Posted by Jennifer Granick, 1 May 2008

The Ninth Circuit's recent ruling (pdf) in United States v. Arnold allows
border patrol agents to search your laptop or other digital device without
limitation when you are entering the country. EFF and many civil liberties,
travelers' rights, immigration advocacy and professional organizations are
concerned that unfettered laptop searches endanger trade secrets,
attorney-client communications, and other private information. These groups
have signed a letter asking Congress to hold hearings to find out what
protocol, if any, Customs and Border Protection (CBP) follows in searching
digital devices and copying, storing and using travelers' data. The letter
also asks Congress to pass legislation protecting travelers' laptops and
smart phones from unlimited government scrutiny.

If privacy at the border is important to you, contact Congress now and ask
them to take action!

In the meantime, how can international travelers protect themselves at the
U.S. border, short of leaving their laptops and iPhones at home? ...

Air marshals' names tagged on 'no-fly' list

Monty Solomon <>
Wed, 30 Apr 2008 09:05:22 -0400
Some federal air marshals have been denied entry to flights they are
assigned to protect when their names matched those on the terrorist no-fly
list, and the agency says it's now taking steps to make sure their agents
are allowed to board in the future.  [Source: Audrey Hudson, *Washington
Times*, 29 Apr 2008]

Italy posts salary details on web

Amos Shapir <>
Thu, 1 May 2008 17:27:21 +0300
"There has been outrage in Italy after the outgoing government published
every Italian's declared earnings and tax contributions on the Internet."
Apparently this was not a bug, but intentional.  In any case, the full
details of every Italian's income and tax returns were posted without
warning on the Net for anyone to see, for at least 24 hours.  (BBC report)

Tot dies after Internet 911 call fails to reach dispatchers

Tony Toews <>
Wed, 30 Apr 2008 23:30:58 -0600
18-month-old Elijah Luck died on 29 Apr 2008 after his aunt called 911 from
the family's Comwave VoIP phone at home in in Coventry, but an ambulance
reportedly took more than half an hour to arrive—with the call center
being slow in transfering the call to the Calgary dispatch.

  [Also noted by Mark Brader.  No guarantees on longevity of URLs.  PGN]

Canadian Human Rights Commission investigator hijacks woman's Internet connection

Kelly Bert Manning
Sun, 27 Apr 2008 16:40:10 -0400 (EDT)
  A woman caught up in a mysterious Internet hijacking scandal that has
  sparked a federal privacy investigation into the Canadian Human Rights
  Commission says she was shocked, angry and confused at suddenly finding
  herself publicly associated with white supremacists.  ...  In response to
  a subpoena, Bell Canada linked Jadewarr to Ms. Hechme's personal Internet
  account, and provided her address and telephone number at the public
  hearing.  [Source: Colin Perkel, Internet hijacking 'disturbing', says
  Ottawa woman, Canadian Press, 27 Apr 2008

Luckily for Ms. Hechme the Human Right of Privacy is protected by a
different Federal Commission in Canada.

Microsoft anti-encryption toolkit

"David Lesher" <>
Thu, 1 May 2008 16:11:13 -0400 (EDT)
Subject: Microsoft Helps Law Enforcement Get Around Encryption - New York Times

Microsoft Helps Law Enforcement Get Around Encryption, 30 Apr 2008

The growing use of encryption software like Microsoft's own BitLocker
by cyber criminals has led Microsoft to develop a set of tools that law
enforcement agents can use to get around the software, executives at the
company said.

Microsoft first released the toolset, called the Computer Online Forensic
Evidence Extractor (COFEE), to law enforcement last June and it's now
being used by about 2,000 agents around the world, said Anthony Fung,
senior regional manager for Asia Pacific in Microsoft's Internet Safety
and Anti-Counterfeiting group. Microsoft gives the software to agents for
free.  ...

Miscellaneous thoughts:

00) Who says it's only "cyber criminals" using file encryption; and
[what we used to think of was..] law enforcement using such tools?
Note Fung's group's title.

01) This reminds me of Spy vs. Spy; except where both sides work for the
same side. It brings in all the issues the NSA has faced over the decades:
("Do we plug this hole now; or will Boris see we did, and stop using
their version of X?")

Who is MSFT's real customer; the user or the LE/FI community? How long
before Redmond gets pressured to weaken BitLocker because COFEE can't
help? What will their response be?

10) Wigglers, a faux-use mouse designed to forestall a screen-saver activation,
have been around for a while. How long until some encryption code author
puts a random pop-up interrogation into their code? I.e. even if the
system is ""busy"" it suddenly asks for a response, a simple CAPTCHA.
When it gets a wrong answer, it stops and demands the full pass-phrase.
[Another approach would be to immediately demand same when a new device
is found by the OS.]

11) We are seeing more laptops & phones being searched and/or confiscated by
DHS at US borders. I suspect many multinational corporations will sacrifice
an encrypted laptop rather than reveal its contents.

100) Will shortcoming of COFEE push the legal system into a major
test case of coerced passphrase release? ["Give up your password or rot
in jail?"]

May you live in interesting times.

"Default Password" exploits still work

William Nico <>
Mon, 28 Apr 2008 14:16:42 -0700 (PDT)
An article in the Contra Costa Times 26 April under the headline
"1,500 gallons of gas swiped"
implies that the thief/thieves used an access code on the pumps, which
had not been changed from the manufacturer's default, to keep the
volume of pumped gas from being reported.  Here are a couple of
paragraphs excerpted from the article:

"... Between March 31 and April 7, he [the proprietor] noticed large
disparities between what his fuel counters were showing and what was
actually sloshing around in his station's underground storage tanks.  ...
"He contacted police and soon figured out that someone had unlocked a panel
on one of the pumps and punched in a code on an internal key pad.  The code
disables the pump from requiring remote authorization to activate. The
authorization system is legitimately used to cut off gas flow and allow
maintenance workers to clean valves.  ...  "... someone versed in fuel pump
maintenance was a likely culprit, since a lay person or even a station owner
like himself lacks the technical knowledge to pull off such a feat. ...
"[The proprietor] installed reinforced locks in his underground storage
tanks and entered a new authorization code inside the fuel pumps—changing
it from a default code entered by the pump manufacturer, which is why he
suspects the thief had trade knowledge."

William R. Nico, California State University East Bay Hayward, CA 94542-3092 (510)885-3386 Math. and Comp. Science Emeritus

Protecting credit card holders

Tue, 29 Apr 2008 14:45:26 +0100
A BBC consumer programme "Watchdog" reported recently (28 Apr 2008) on cases
where credit card companies' computer based fraud detection systems were
disabling users cards when they detected unusual, and possibly fraudulent,
spending patterns. However, all the users concerned were on holiday abroad
(New York, South Africa & Rome ) and left stranded with little or no money
it then took four or five days and a lot of effort to get the cards
re-enabled. In some case this caused the users to have to cancel significant
chunks of a 'holiday of a life-time'. In one case the bank *had* tried to
contact the user by sending an e-mail to his home address, whilst he was
stuck in New York with no money.

The bank's responses were essentially that these systems were there to
protect their users from fraud and that users should let their banks know
when they are likely to be going somewhere different so that such situations
can be avoided. However, the cancellations had happened to some users
despite doing this. It seems the decisions were made solely by the computers
with no recourse to the users' branch manager (for example) or to any
information provided by the user on their whereabouts.

The banks mentioned seemed to only be prepared to pay a small amount of
compensation (100 pounds max for the situations in the programme), nothing
near what it cost some users to call their bank's customer services from
South Africa. (Being able to contact the banks' customer services
departments easily from abroad was another sore point.)

The main learning point is that you should always take several different
means of paying when you go abroad.

British Telecommunications plc Adastral Park, Martlesham, Ipswich, UK, IP5 3RE |

Police officer uses real witness statement as template document

<[Identity withheld by request]>
Mon, 28 Apr 2008
I was recently the victim of a (very minor) assault. This was reported to
the police, and in due course I went to the police station to provide a
formal witness statement. The officer charged with making the statement said
that,to save time, he would type up the statement as I gave it rather than
writing it down by hand and then typing it up later. He then led me into a
computer room, much as one would find in a school or university for use by
the students (indeed, some of the notices on the wall seemed to imply that
the room was often used for training courses but happened to be vacant at
that time) and logged in to Windows. He then opened up a folder with a large
number of MS Word documents and clicked on one to open it. Initially I
assumed that this was a template file, but when it appeared on the screen it
didn't appear to have the blank spaces and "WRITE WITNESS' NAME HERE"
phrases that one would expect. Intrigued, I looked closer and saw that the
text appeared to be a witness statement about another assault that had
happened about a week before mine. This was confirmed when the officer asked
me not to look at the text at the bottom of the screen, because it was a
private witness statement about another crime.

The officer then set about typing up my witness statement thus: he added
several blank lines at the beginning of the document and then began cutting
and pasting sentences or sometimes whole paragraphs from the bottom half
(the old statement) to the top half (my statement). After pasting each
section in, he went over it changing the details as appropriate. The reason
he gave for doing this was that he wanted to make sure that he had included
all the necessary sections and formulaic wording so that it would be
acceptable in court. Once he had finished taking my statement, he chose
'Save As' and entered a filename, saving it in the same folder. All the file
names were prepended with a date (presumably he had not discovered, or not
been allowed to use, the 'sort by date' option).

I would say "The RISKS are obvious", but given recent discussion I feel I
ought to attempt to enumerate them.

1. I was shown the personal data of another victim. Of course, I looked away
   as soon as I suspected it was not just an "example crime" (which was
   before he told me that it was real) but others might not have been so

2. As featured in previous RISKS bulletins, Word files can sometimes retain
   data that had supposedly been deleted. If the witness statement is sent
   electronically to the other parties in the case, they too may be able to
   extract confidential information about the case used as a template (and
   perhaps the one used as a template for that file, and so on).

3. I have used a similar editing method in the past when writing less
   important documents such as homework assignments, and in my experience it
   is very easy to accidentally omit a section or leave it unchanged from
   the previous version. Especially in the case of omitting a section, this
   error could then propagate to subsequent statement files and potentially
   invalidate several pieces of evidence.

4. The file was kept under the old name (but not saved) until the end of the
   interview (which lasted over an hour). If there had been a power cut or
   system crash, the file would presumably have been lost. Conversely, if
   the file had been saved accidentally, or even autosaved, presumably the
   old statement would have been overwritten.

I prefer to remain anonymous to protect the officer involved from being made
a scapegoat for what are obviously, at least to a certain extent,
institutional failings.  I will however name the police force involved:
Cambridgeshire Police [England].

False alarm guaranteed after 7 years

"Daniel P.B. Smith" <>
Sun, 27 Apr 2008 19:56:37 -0400
Last night I was awakened at 2 a.m. by an alarm beeping every thirty
seconds. A few minutes of stumbling around trying to find the high- pitched,
hard-to-localize sound revealed it to be our Kidde Nighthawk carbon monoxide
detector. Its digital display was reading "Err." It was not showing a low
battery condition, but just to be sure, I replaced the batteries, to no
avail. I then took the unit down and looked for directions on the back. A
sticker on the back said "UNIT ERROR: Intermittent audible alarm every 30
seconds. Refer to User's Guide for details."

Was there any cause for concern? Well, probably not, since this obviously
was not the ALARM CONDITION, signaled by a different pattern of beeps. On
the other hand, it is human nature to ignore real warnings through wishful
thinking (radar echoes at Pearl Harbor in 1941 must be incoming __American_
planes). I didn't want to make that mistake, so I decided I should at least
check the User's Guide... but could I find it? Not likely. I was wide awake
by now, so I figured I might as well try to download it from the
manufacturer's website. Among other things, if I had enough mental clarity
to do this it would prove to me that I wasn't anoxic. I found it, downloaded
it, and in the "unit malfunction" section I learned that

"Seven years after initial power up, this unit will 'chirp' every thirty
seconds to indicate that it is time to replace the alarm. The unit will not
detect CO in this condition."

Since the sticker on the back showed it was assembled in November, 2000, I
figured that the mystery was solved, took the batteries out, went back to
sleep, and replaced the unit the next day.

Apart from this planned obsolescence being "very convenient," as the Church
Lady used to say, the RISK is of confusing users just in a situation where
things should be as clear and unambiguous as possible.

Was there really not enough room on the back of the device itself to note
that it would beep and show "Err" seven years after installation? And was it
really impossible to program a different message than "Err" for the
seven-year expiration condition?

Facial recognition in airports... please say it's April 1st.

Fred Cohen <>
Mon, 28 Apr 2008 04:00:22 -0700
[Re: Face scans for air passengers to begin in UK this summer (Brian
Randell), RISKS-25.13]

> Officials say automatic screening more accurate than checks by humans

True enough. Assuming the goal is to match a face to a known face.  People
are notoriously terrible at this. To do better is not that hard today. But,
presumably, that's not what the guards do - match a face to a face. If they
did, I would never get through any airport anywhere. My hair is shorter and
grayer, my face is thinner, I don't have a mustache anymore, and I am slowly
balding. But I don't think that's what they are there to do - at least not

> But there is concern that passengers will react badly to being rejected by
> an automated gate. To ensure no one on a police watch list is incorrectly
> let through, the technology will err on the side of caution and is likely
> to generate a small number of "false negatives" - innocent passengers
> rejected because the machines cannot match their appearance to the
> records.

"False negative"? False rejection or false positive or false detection is
more like it. Given that the system is designed to detect mismatches, it is
a "false negative" when it fails to detect a mismatch. A false negative
would be allowing someone through when they should not go through.

> They may be redirected into conventional passport queues, or officers may
> be authorised to override automatic gates following additional checks.

Seems to me like this is no better than randomly picking off one in 20
passengers for more detailed scrutiny.

> Ministers are eager to set up trials in time for the summer holiday rush,
> but have yet to decide how many airports will take part.  If successful,
> the technology will be extended to all UK airports.  ...

So they want to do it when there are lots and lots of passengers instead of
when the traffic is light and delays relatively short. That way when it
fails it will be a huge disaster instead of a small one?

Will the passengers have to frown to get on a plane now? I predict they will
be frowning anyway with all of the security crap they will have to go

Fred Cohen, 572 Leona Drive, Livermore, CA 94550 1-925-454-0171  Join

Re: Face scans for UK air passengers (RISKS-25.13)

Peter Houppermans <>
Sun, 27 Apr 2008 21:08:55 +0200
The last time I renewed my passport I got the new EU issue, with facial RFID
embedded.  It imposed huge quality demands on the passport picture, and I
can only assume there is somewhere a check comparing old with new (would be
a bit daft otherwise).

However, I noted immediately that:

(a) The scanning equipment had not arrived at the issuing embassy.  Thus,
  no final check to see if the chip actually worked, and AFAIK there's no
  data on field failure rates yet.

(b) There did not appear to be any shielding for the chip as the U.S.
  passports have.  So principally the EU passport creates an extra risk for
  me in hostile areas, which is an interesting take on my human rights..

There is, however, a flipside to this lack of shielding.  Given (a) above,
and given that I occasionally work with broadcast equipment it is not
inconceivable my jacket has already passed through the beam of a microwave
transmitter whilst dangling off my bag.


Re: 30th Spamiversary (RISKS-25.13)

Amos Shapir <>
Thu, 1 May 2008 17:22:13 +0300
It is interesting to note that among the reactions to this first spam (those
quoted in the article, anyway) only Richard Stallman had recognized the
features which would in time make the net great: the ability to focus
messages to specific well selected groups of people, as well as the inherent
freedom of expression.  IMHO this shows the difference between visionaries
and high-talkers.

Re: Real-time spying on credit card holders (Garret, RISKS-25.13)

Nick Brown <>
Fri, 2 May 2008 10:14:49 +0200
> Perhaps Mr. Brown would be so kind as to elucidate exactly what he thinks
> the RISKS are?

Unfortunately his e-mail address did not appear, so I'll reply to the list.
I apologise if this is redundant, but I guess maybe some other people asked
themselves the same question.

Here are some of the risks which I thought of within a few minutes of
reading the original article:

* Real-time financial transaction data being sent "by e-mail", as if e-mail
  guaranteed either delivery of the message (full mailbox, spam filter badly
  configured) or that only the intended recipient of the mail would see it.
  The first of those means that the person paying for the service may well
  not get it (with potentially hilarious consequences in the form of
  lawsuits, as experts try to prove to a court exactly where an e-mail got
  lost); the second means that the information may be retransmitted to a
  number of "interested" parties ("hey Martha, I thought Joe was in
  Cleveland, turns out he's in New York" - yeah, negotiating a takeover, and
  trying to do it quietly).  At one site with which I am very familiar and
  which I have no reason to believe is untypical, there is a complete
  parallel network of information between the administrative assistants of
  directors who have delegate access to their bosses' e-mail.  (This gets
  particularly interesting when someone changes jobs and their delegation
  privileges are forgotten.)

* Overreaction by managers, especially since the corporate culture of a
  company which signs up for this service is unlikely to be particularly
  laid-back when it comes to expenses.  Example: I'm on my way to the
  airport and I find I've left my ticket at home.  No big deal, it's fully
  refundable, I'll charge another one to the company card and we'll sort out
  the refund when I return.  Only the meeting is in somewhere "nice", and
  when my boss gets the ticket, he decides I'm taking my wife (etc.) along
  and cancels the card while I'm in the air.

The bottom line is that if you're going to give employees a company card,
you have to have the procedures and accountability in place to control its
usage after the fact.  If you're worrying that your staff may charge a $400
dinner contrary to policy, don't give them the card.  Maybe the junior
executive charging that meal had to do so because the CEO got a big call
from Tokyo halfway through the meal.  But the credit card terminal only has
room to enter "Tip", not "note to corporate finance".

Perhaps Ron works for a nicer organisation than many other people.  I ran
the above paragraphs past a couple of colleagues and they both smiled

Nick Brown, Strasbourg, France.

PS: And, of course, there's our oldest friend, plain simple programming and
operational errors.  A field shifts by one while someone at Mastercard is
reorganising chunks of their database in Excel and hey presto, someone at
Google gets a copy of someone at Microsoft's expenses.

Blown to Bits, Abelson/Ledeen/Lewis

"Peter G. Neumann" <>
Tue, 29 Apr 2008 14:29:43 PDT
Keep an eye out for this book:

  Hal Abelson, Ken Ledeen, Harry Lewis
  Blown to Bits:
  Your Life, Liberty, and Happiness after the Digital Explosion
  Addison Wesley, June 2008

"There is no simpler or clearer statement of the radical change that digital
technologies will bring, nor any book that better prepares one for thinking
about the next steps."  Lawrence Lessig (from the cover)

Please report problems with the web pages to the maintainer