[risks] Risks Digest 22.59

From: RISKS List Owner (riskoat_private)
Date: Wed Feb 26 2003 - 17:07:43 PST


RISKS-LIST: Risks-Forum Digest  Weds 26 February 2003  Volume 22 : Issue 59

   FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
   ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <URL:http://catless.ncl.ac.uk/Risks/22.59.html>
and by anonymous ftp at ftp.sri.com, cd risks .

  Contents:
Star Wars exempt from OVERSIGHT, REPORTING, AND TESTING requirements? (PGN)
"Bugsplat"--collateral damage simulator (Daniel P.B. Smith)
Scientology critic fined for undeclared file (Mark Thorson)
eBay: Big Brother is watching you, and documenting (Monty Solomon)
Telepathy used to defend voting systems? (Rebecca Mercuri)
Voting machine engineer sues, alleges machine design flaws (Susan Marie Weber)
Latest spam scam (Jim Griffith)
Nigerian slain over e-mail scam (John F. McMullen)
Spain - Vodafone sees its network crash after maintenance (Henry Baker)
An unexpected bill (Geoffrey Brent)
Re: Surgeons transplant mismatched organs (K P)
Re: Deadly input validation? (Ed Ravin)
REVIEW: "Building Secure Wireless Networks with 802.11", Khan/Khwaja 
  (Rob Slade)
Abridged info on RISKS (comp.risks)

----------------------------------------------------------------------

Date: Mon, 24 Feb 2003 14:46:49 -0800 (PST)
From: "Peter G. Neumann" <neumannat_private>
Subject: Star Wars exempt from OVERSIGHT, REPORTING, AND TESTING requirements?

Noted deep in the White House's proposed FY2004 budget, the administration
is proposing to exempt the Pentagon's controversial national missile defense
system from operational testing legally required of every new weapons system
in order to deploy it by 2004.  The requirements are of course intended to
prevent the production and fielding of weapons systems that don't work [many
of which have been the subject of discussion in RISKS in the past].  Last
year, the Missile Defense Agency was already given managerial autonomy and
removed procurement procedures that were intended to ensure new weapons
programs remain on track and within budget.  [From the RISKS perspective of
having observed systems that do not work properly even with extensive
oversight and testing, this seems like a very unwise approach.]  [Source:
Missile Defense Waiver Sought; White House wants to exempt the Pentagon's
controversial weapons system from operational testing rules, a first for a
major program, by Esther Schrader, *Los Angeles Times*, 24 Feb 2003; PGN-ed]
  http://www.latimes.com/news/nationworld/nation/
  la-na-missile24feb24,1,5024689.story?coll=la%2Dhome%2Dheadlines

------------------------------

Date: Sat, 22 Feb 2003 09:48:12 -0500
From:  "Daniel P.B. Smith" <dpbsmithat_private>
Subject: "Bugsplat"--collateral damage simulator

  [Best code name since "carnivore."  DPBS]

US military planners hope to reduce the potential for civilian casualties in
war by using a new computer program called Bugsplat.  Instead of drawing
concentric circles representing blast effects, Bugsplat generates blob-like
images ("resembling squashed insects") that supposedly more precisely model
expected damage.  The hopes are that this program will help reduce
collateral damage.  QUOTE: "Because the program hasn't been used for actual
targeting, this will be 'learn as you go.'"  [Source: 'Bugsplat' program
gives planners hope, By Bradley Graham, *The Washington Post*, 22 Feb 2003;
PGN-ed]

------------------------------

Date: Thu, 20 Feb 2003 19:06:41 -0800
From: Mark Thorson <eeeat_private>
Subject: Scientology critic fined for undeclared file

A prominent French critic of Scientology has been fined 901 euros for
maintaining a Web site that contained the name of a Scientologist in
quotations from two published articles.  The Scientologist sued, claiming
his religious rights had been violated.

A 1978 French law intended to protect privacy requires computer files
containing names of people (even one name) to be declared with the National
Commission of Computers and Liberties (CNIL).  On 18 Feb 2003, Roger Gonnet
became the first person disciplined under this law for his Web site,
http://www.antisectes.net, which has been operating since March 1997.

The judgment against Gonnet was 450 euros for violating the law, 450 euros
for plaintiff's legal costs, and 1 euro for damages to plaintiff.
(Plaintiff had been asking for 15,000 euros.)

Gonnet says, "At least 20 million French people are guilty of the same
'crime': they have individual names in their organizers, electronic agendas,
computers, laptops, CD Roms, DVD roms, hard disks, memory cards, and even in
their cell-phone memories, WAPs, texts, and Web sites, as well as the
employers and commercial employees or sellers have lists of their employees,
clients, associates, etc."

  ["What's In A Name?"  Oui!
   "What Name is In?"  Non!!!
  PGN]

------------------------------

Date: Thu, 20 Feb 2003 17:34:28 -0500
From: Monty Solomon <montyat_private>
Subject: eBay: Big Brother is watching you, and documenting

"I don't know another Web site that has a privacy policy as flexible as
eBay's," says Joseph Sullivan, director of the "law enforcement and
compliance" department at eBay.com, reportedly the world's largest retailer.
Sullivan was speaking to senior representatives of numerous law-enforcement
agencies at "Cyber Crime 2003".  His lecture was closed to reporters, but,
in a recording obtained by Haaretz, Sullivan says that eBay is willing to
hand over everything it knows about its Web users when asked by
investigators.  [Source: Yuval Dror, Haaretz; PGN-ed]
  http://www.haaretz.com/hasen/pages/ShArt.jhtml?itemNo=264863

------------------------------

Date: Tue, 28 Jan 2003 13:50:51 -0500
From: "Rebecca Mercuri" <notableat_private>
Subject: Telepathy used to defend voting systems?

The Canadian Broadcasting Corp. reported that balloting at the 25 Jan 2003
NDP leadership convention in Toronto was disrupted by the SQL Slammer DDoS
attack.  The system that was being used was one provided by election.com --
one of the vendors also vying for Internet voting contracts in the USA.
Apparently election.com's Earl Hurd thought it was a laughing matter when he
told the CBC: "Unless he died in the last few minutes because of the evil
thoughts in my brain, he or she is still out there."
  http://www.cbc.ca/cgi-bin/templates/print.cgi?/2003/01/25/ndp_delay030125

------------------------------

Date: Sun, 23 Feb 2003 09:26:12 -0800 (PST)
From: SusanMarieWeberat_private
Subject: Voting machine engineer sues, alleges machine design flaws

Bev Harris, Black Box Voting <http://www.blackboxvoting.com/>, 21 Feb 2003

Dan Spillane, a voting machine test engineer, filed a lawsuit against his
former employer, DRE touch-screen voting machine manufacturer VoteHere.
Georgia recently approved VoteHere's machines, and the military is
considering them for overseas voting.  The company does business also in
Sweden and England, and appears to be manufacturing, or planning to
manufacture, components for other voting machine companies.

Spillane alleges in his lawsuit that he reported over 250 errors in the 
system, including critical errors of "severity 1" which include errors 
that may prevent the machines from correctly registering the votes. He 
sought meetings with company officials to express concerns about system 
integrity flaws, and created logs and reports of such flaws.

His complaint indicates that VoteHere did not address the flaws, and 
that the VoteHere system was certified by independent testing labs 
despite known flaws. Just when the testing lab began its examination of 
system integrity, VoteHere fired Spillane.

VoteHere's board of directors includes former CIA director Robert Gates.
VoteHere's Chairman is Admiral Bill Owens, who was senior military assistant
to Secretaries of Defense Frank Carlucci and Dick Cheney.  Carlucci, of
course, now heads the Carlyle Group and Cheney is Vice President.

I will retrieve a copy of the lawsuit early next week, case #
03-2-18779-85SEA, filed in King County, Washington. If possible we will post
it later in the week.

Bev Harris

------------------------------

Date: Mon, 24 Feb 2003 21:10:21 -0500
From: griffithat_private (Jim Griffith)
Subject: Latest spam scam

I just received the following:

  From: dlj4tbad5at_private (Former NetGaming Programmer)
  Subject: Please help me

  Hello dear friend,

  I'm the developer who made the software for the NetGaming Casino.
  But since they still did not paid me for last six month of work I decided
  to reveal the backdoor in that casino I made for myself.
  This backdoor allow easily win the roulette.
  So: What do you need to win? Read below:
  1. Go to the following secret link::
     http://www.[deleted]/?affiliate_id=230083&campaign_id=20016
  2. Open an account  (click "Join Now").
  3. Play roulette until "13" turn out. That's it! The next turn will be "27"!

  I'll be happy if you ruin them by winning lots of money.

Either it's legitimate, in which case the Web site is totally screwed, or
(far more likely) it's the most recent devious way to attract unsuspecting
suckers.

------------------------------

Date: Sat, 22 Feb 2003 11:11:05 -0500 (EST)
From: "John F. McMullen" <observerat_private>
Subject: Nigerian slain over e-mail scam

Nigeria's consul in the Czech Republic, Michael Lekara Wayid, was shot and
killed by a Czech citizen at the Nigerian Embassy in Prague on 19 Feb 2003.
The suspect had been victimized by a now-classical Nigerian scam, which
resulted in the contents of his bank account vanishing.
  [Source: Michelle Delio, Wired News; PGN-ed]
    http://www.wired.com/news/culture/0,1284,57760,00.html?tw=wn_ascii

  [This type of scam still seems to sucker in enough people to make it worth
  the effort to keep the e-mail solicitations flowing.  In the past week
  alone, SpamAssassin has picked out 150 Nigerian scam spams in my mailbox,
  out of 2400 redirected spams; in the past two weeks, it has trapped over
  300 such scam spams addressed to RISKS, out of almost 1500 spams in all.
  So it is definitely a booming industry.  PGN]

------------------------------

Date: Fri, 21 Feb 2003 11:10:50 -0800
From: Henry Baker <hbaker1at_private>
Subject: Spain - Vodafone sees its network crash after maintenance

FYI -- 'Causative Maintenance' ?

Vodafone Spain's network virtually collapsed for almost 7 hours on 21 Feb
2003, following what was thought to be basic maintenance work.  The company
has 8.7 million customers.  No substantial explanation has been given.

------------------------------

Date: Sun, 23 Feb 2003 19:27:05 +1100
From: Geoffrey Brent <g.brentat_private>
Subject: An unexpected bill

A friend of mine who is a postgraduate student at the University of New
South Wales recently logged on to the university Web site to check the fees
due for Semester 1, 2003. He was rather surprised to be told that his debt
was slightly in excess of three million Australian dollars - by a strange
coincidence, the sum owed was exactly equal to his student number.

Perhaps a little range-checking is in order?

------------------------------

Date: Mon, 24 Feb 2003 05:47:51 -0800 (PST)
From: K P <mrzebat_private>
Subject: Re: Surgeons transplant mismatched organs (RISKS-22.58)

Patients who need transplants are entered into the national transplant
waiting list maintained by United Network for Organ Sharing (UNOS, Richmond
VA) through a federal contract.  The list includes many items including
blood type, height and weight, how sick they are, and the hospital where
they are waiting.  Nationally, more than 80,000 people are waiting for
hearts, lungs, kidneys, livers and pancreases.

When donor organs become available, information about blood type, size and
location of the donor are entered into the computer generating a "match run"
-- a list of all patients who are a medical match for that donor. They are
listed in order of priority, determined by a complex calculation including
components of illness and how near they are to the donor.  A completed match
run can range from tens of thousands to fewer than 10.  Some organs are
placed on the first call; others take hours.

According to news reports, in Jesica's case, Duke officials say transplant
coordinators called to offer the heart to two of their patients. The heart
was the wrong size for one, and the other was not medically ready for a
transplant.  Jesica's doctor then asked about giving the heart and lungs to
Jesica.  Although she was not listed on the match run, the transplant
coordinator said OK.  Neither the coordinator nor the doctor realized that
she was not the right blood type - the reason she was not on the computer's
list of possible patients.

The UNOS systems didn't make the mistake.  Humans intervened and ultimately
caused the mistake.

It's sad that Jesica died as a result.  But we will never know who else
died because they didn't get the organs they should have in the first place.

  [Dan Graifer noted that lengthy articles appeared in *The Washington Post*.
  PGN]
    http://www.washingtonpost.com/wp-dyn/articles/A56656-2003Feb24.html 
    http://www.washingtonpost.com/wp-dyn/articles/A2700-2003Feb25.html
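The process described above (a "match run" that filters and ranks medically
compatible patients, followed by a human placement step that was allowed to
bypass it) is sketched below as an added example.  It is not UNOS software
and not part of the original item; the ABO table, the size rule, the urgency
scale and the waiting list are constructed and simplified (ABO only, no Rh,
no HLA typing).  The point it makes is the design one: the compatibility
check is enforced again at the moment of allocation, so an organ cannot be
placed with a patient who is not on the run.

```python
"""
Added example, not RISKS or UNOS code: a toy organ "match run" with a
fail-closed allocation step.  All rules and data here are constructed.
"""
from dataclasses import dataclass
from typing import List

# Simplified ABO compatibility: donor blood type -> recipient types it may serve.
ABO_COMPATIBLE = {
    "O":  {"O", "A", "B", "AB"},
    "A":  {"A", "AB"},
    "B":  {"B", "AB"},
    "AB": {"AB"},
}


@dataclass(frozen=True)
class Donor:
    organ: str
    blood_type: str
    weight_kg: float
    region: str


@dataclass(frozen=True)
class Patient:
    patient_id: str
    organ: str
    blood_type: str
    weight_kg: float
    region: str
    urgency: int  # higher = sicker (constructed scale)


class AllocationError(Exception):
    """Raised when a placement would bypass the match run."""


def is_medical_match(donor: Donor, p: Patient, size_tolerance: float = 0.25) -> bool:
    """Same organ, ABO-compatible, and recipient size within tolerance (toy rule)."""
    if p.organ != donor.organ:
        return False
    if p.blood_type not in ABO_COMPATIBLE[donor.blood_type]:
        return False
    return abs(p.weight_kg - donor.weight_kg) <= size_tolerance * donor.weight_kg


def match_run(donor: Donor, waiting_list: List[Patient]) -> List[Patient]:
    """All medical matches, in priority order: sicker first, then local before distant."""
    matches = [p for p in waiting_list if is_medical_match(donor, p)]
    return sorted(matches, key=lambda p: (-p.urgency, p.region != donor.region))


def allocate(donor: Donor, recipient: Patient, run: List[Patient]) -> Patient:
    """Fail closed: refuse any recipient who is not on the match run, and
    re-check the blood-type rule at the point of action rather than trusting
    that the list was consulted."""
    if recipient not in run:
        raise AllocationError(f"{recipient.patient_id} is not on the match run")
    if recipient.blood_type not in ABO_COMPATIBLE[donor.blood_type]:
        raise AllocationError(f"{recipient.patient_id} is ABO-incompatible with donor")
    return recipient


# Constructed waiting list and donor.
WAITING = [
    Patient("P1", "heart", "O",  70, "east", urgency=3),  # O recipient cannot take A organ
    Patient("P2", "heart", "A",  68, "west", urgency=5),
    Patient("P3", "heart", "AB", 40, "east", urgency=4),  # far too small
    Patient("P4", "heart", "B",  72, "east", urgency=5),  # B cannot take A organ
    Patient("P5", "lung",  "A",  70, "east", urgency=5),  # wrong organ
    Patient("P6", "heart", "A",  75, "east", urgency=5),
    Patient("P7", "heart", "AB", 60, "west", urgency=2),
]
DONOR = Donor("heart", "A", 70, "east")


def demo() -> List[str]:
    """Run the match and return the ordered patient ids."""
    return [p.patient_id for p in match_run(DONOR, WAITING)]


if __name__ == "__main__":
    print(demo())
    run = match_run(DONOR, WAITING)
    print(allocate(DONOR, run[0], run).patient_id)
    try:
        allocate(DONOR, WAITING[0], run)  # P1 is not on the run
    except AllocationError as e:
        print("refused:", e)
```

The interlock in `allocate` is the part the Duke case lacked: the coordinator's
"OK" was accepted without the system re-asking why the patient was absent
from the list.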
  
------------------------------
  
Date: Sun, 23 Feb 2003 12:42:37 -0500 (EST)
From: "Ed Ravin" <eravinat_private>
Subject: Re: Deadly input validation? (Adams, RISKS-22.58)

  [Although the original item was only marginally computer-related,
  we include this item to correct the archival record.  PGN]

Some corrections and clarifications:

* It was four teenagers in the rowboat, not two.

* The phone call from the distressed teenagers lasted about 12 seconds --
the 911 operator only heard that they were in a boat on Long Island Sound
and were taking in water before the call was cut off.

* The correct thing for the 911 operator to have done was to have assigned
the call to the police harbor unit.  The operator did not know this
information, so he or she went to the supervisor for guidance.

* All supervisors had previously received a notice clarifying what to do
with marine distress calls -- but this supervisor apparently had forgotten
about that and also didn't know what to do with the call.

* The supervisor is getting departmental charges, and could be demoted
or dismissed.  The operator received a "letter of instruction" but
was not otherwise disciplined.

* The cops claim that even if the harbor unit had been notified in time,
with the scant amount of information available it was unlikely they would
have found the boys in time.

More details at:

 http://www.nynewsday.com/news/local/wire/ny-bc-ny--missingteens0218feb18.story

And no doubt in other NYC-area daily newspapers.

Despite what the cops say, things might have been different if they had
properly logged the call - for example, the calling number for the cell
phone should have been recorded, and had the police looked for the owner of
the cell phone they might have been able to find one of the boys' parents
and gotten a better idea of what was going on.  However, given that the call
was received on a frigid January evening, there probably wasn't much else
that could be done until the next morning.

------------------------------

Date: Tue, 25 Feb 2003 07:47:39 -0800
From: Rob Slade <rsladeat_private>
Subject: REVIEW: "Building Secure Wireless Networks with 802.11", Khan/Khwaja

BKBSWNW8.RVW   20030208

"Building Secure Wireless Networks with 802.11", Jahanzeb Khan/Anis
Khwaja, 2003, 0-471-23715-9, U$40.00/C$62.95/UK#29.95
%A   Jahanzeb Khan
%A   Anis Khwaja
%C   5353 Dundas Street West, 4th Floor, Etobicoke, ON   M9B 6H8
%D   2003
%G   0-471-23715-9
%I   John Wiley & Sons, Inc.
%O   U$40.00/C$62.95/UK#29.95 416-236-4433 fax: 416-236-4448
%O  http://www.amazon.com/exec/obidos/ASIN/0471237159/robsladesinterne
  http://www.amazon.co.uk/exec/obidos/ASIN/0471237159/robsladesinte-21
%O   http://www.amazon.ca/exec/obidos/ASIN/0471237159/robsladesin03-20
%P   330 p.
%T   "Building Secure Wireless Networks with 802.11"

As with any hot topic, there are lots of people willing (eager!) to tell you
about the security of wireless local area networks, without first making
sure that they really know the subject.

Part one is an introduction to wireless LANs.  Chapter one is a history of
networks, an outline of topologies (concentrating on cabling, interestingly
enough), and a review of the TCP/IP (actually OSI [Open Systems
Interconnection]) protocol stack.  The last page gives too little information
for an exercise in setting up a home LAN.  Terms in regard to wireless
technology are listed in chapter two, but the material is verbose without
being informative.  The explanations given for spectrum multiplexing are
unclear, and seem to be delivered by rote without any understanding.  The
discussion does not build on that from chapter one to, for example, point
out that ad hoc wireless networks are similar to bus topologies, while
infrastructure networks are more akin to stars.  The various IEEE (Institute
of Electrical and Electronics Engineers) 802.11 standards are listed in
chapter three.  However, there is a great deal of material repeated from
prior text (the discussion of spectrum is reprised almost word for word),
and, other than some frequency and maximum bandwidth information, there is
little additional detail.  (Repetition and duplication are rife throughout
the book, as well as a good deal of space wasted with pointless figures and
graphics.  On page 125 we are told that "The 40-bit shared key is
concatenated with a 24-bit long initialization vector" and referred to
figure 6.1.  Figure 6.1 tells us "Concatenated-Key = Shared-Key + IV."  Not
very helpful.)  Chapter four is supposed to help you decide whether a
wireless LAN is right for you, but only has some vague opining, a little
content on wireless ISPs (Internet Service Providers: hardly suitable for
LAN discussions), and almost no analysis or details.

Part two purports to emphasize secure wireless LANs.  Chapter five has
random topics regarding network security.  Most of it is irrelevant to the
specific needs of wireless situations or is not discussed in terms of the
particular needs of wireless networks.  (Physically securing the components
of a wireless LAN has some importance in overall security, but may be
pointless if someone driving by can take over the network).  Securing the
IEEE 802.11 wireless LAN is not reviewed well in chapter six.  There is more
duplication of content, few details about WEP (Wired Equivalent Privacy),
and some clear evidence of misunderstanding of the base technologies.  (If
you are going to talk about 40 bit keys at the low level, higher level
security should be 104, rather than 128, bit.  And a 128 bit key is *not*
equivalent to 64 characters, in anybody's representation.)  When security
aspects are discussed, often they relate to issues that are beyond the
control of the user, such as moderation of signal strength.

Part three collects topics related to the building of secure wireless LANs.
Chapter seven is a simplistic overview of generic LAN planning.  Shopping
for the right equipment is important, but the list of product specifications
in chapter eight fails to address vital areas, such as driver availability,
default key length, and the existence of default accounts.  More space is
devoted to where you can buy equipment than how to evaluate it.  The
installation instructions, in chapter nine, pretty much ignore security
considerations.  Chapter ten supposedly deals with advanced wireless LANs,
including security, but has little new material aside from screenshots of
Microsoft Windows utilities with some relationship to VPNs (Virtual Private
Networks).

Part four covers troubleshooting and maintenance.  Chapter eleven touches on
a number of possible wireless connectivity problems.  A collection of text
repeated from prior chapters is in chapter twelve.

There is a glossary included with the book.  It is quite limited, and, in
particular, does not deal well with acronyms.  In fact, the book is full of
TLAs (Three Letter Acronyms) and other abbreviations that get used before
they are defined, and do not appear in either the glossary or the index.
This can be quite aggravating, particularly in cases where the acronyms
aren't standard.  (The authors use "PHY" to refer to the physical layer of
the OSI model, which is not commonly so represented in either communications
or security literature.)

The text of the book is excessively padded with useless verbiage and
irrelevant material.  The actual content pertinent to the security of
wireless LANs is barely enough to fill a decent magazine article.  Overall,
the book is poorly structured, limited in detail, and bloated with
meaningless or repetitious content.

copyright, Robert M. Slade, 2003   BKBSWNW8.RVW   20030208
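The key-size point made in the review (a "64-bit" WEP key is a 40-bit secret
plus a 24-bit IV, "128-bit" is a 104-bit secret, and neither is 64
characters) is worked through below as an added example.  It is not code from
the book or from the reviewer.  Function names and the sample frames and keys
are constructed for the demonstration; on the air WEP prepends the IV to the
shared key before seeding RC4 (the figure quoted above writes it the other
way round), and the CRC-32 integrity value is left out here.  The last
function goes one step past the review to show why the IV size matters: two
frames sent under the same IV share a keystream, and XORing the ciphertexts
yields the XOR of the plaintexts.

```python
"""
Added example (not from the book under review or its reviewer): how a WEP
per-packet RC4 key is assembled, and what the marketed key sizes mean.
Keys, IVs and frame contents below are constructed for the demo.
"""
from typing import Dict

IV_BITS = 24  # WEP always sends a 24-bit IV in the clear with each frame


def wep_key_layout(marketed_bits: int) -> Dict[str, int]:
    """Split a marketed WEP key size into its IV and shared-key parts.

    Only the shared key is secret.  "128-bit WEP" is a 104-bit secret,
    i.e. 26 hex digits or 13 ASCII characters, never 64 characters.
    """
    if marketed_bits not in (64, 128):
        raise ValueError("WEP key sizes are 64 or 128 bits (40/104-bit secret)")
    secret_bits = marketed_bits - IV_BITS
    return {
        "marketed_bits": marketed_bits,
        "iv_bits": IV_BITS,
        "secret_bits": secret_bits,
        "hex_digits": secret_bits // 4,
        "ascii_chars": secret_bits // 8,
    }


def rc4_keystream(key: bytes, length: int) -> bytes:
    """Plain RC4 (KSA then PRGA); WEP seeds it with IV || shared key."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for _ in range(length):
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def wep_encrypt(shared_key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """Per-packet key = 3-byte IV (sent in clear) followed by the 5- or 13-byte secret.
    ICV (CRC-32) omitted; this is only the keystream part of WEP."""
    if len(iv) != IV_BITS // 8:
        raise ValueError("WEP IV must be 24 bits")
    if len(shared_key) not in (5, 13):
        raise ValueError("WEP shared key must be 40 or 104 bits")
    keystream = rc4_keystream(iv + shared_key, len(plaintext))
    return xor_bytes(plaintext, keystream)


def iv_reuse_leak(shared_key: bytes, iv: bytes, frame_a: bytes, frame_b: bytes) -> bytes:
    """Same key and same IV => same keystream, so C_a XOR C_b == P_a XOR P_b.
    With only 2^24 IVs a busy access point repeats one within hours."""
    c_a = wep_encrypt(shared_key, iv, frame_a)
    c_b = wep_encrypt(shared_key, iv, frame_b)
    return xor_bytes(c_a, c_b)


if __name__ == "__main__":
    for bits in (64, 128):
        print(wep_key_layout(bits))
    key = bytes.fromhex("0102030405")  # constructed 40-bit secret
    iv = bytes.fromhex("aabbcc")       # constructed 24-bit IV
    p_a, p_b = b"hello world!", b"HELLO WORLD?"
    print(iv_reuse_leak(key, iv, p_a, p_b) == xor_bytes(p_a, p_b))  # True
```

The RC4 routine is checked against the common published test vector (key
"Key" gives keystream EB9F7781B734CA72A719), so the keystream reuse shown is
that of the real cipher, not an artefact of the toy.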

------------------------------

Date: 29 Mar 2002 (LAST-MODIFIED)
From: RISKS-requestat_private
Subject: Abridged info on RISKS (comp.risks)

 The RISKS Forum is a MODERATED digest.  Its Usenet equivalent is comp.risks.
=> SUBSCRIPTIONS: PLEASE read RISKS as a newsgroup (comp.risks or equivalent)
 if possible and convenient for you.  Alternatively, via majordomo,
 send e-mail requests to <risks-requestat_private> with one-line body
   subscribe [OR unsubscribe]
 which requires your ANSWERing confirmation to majordomoat_private .
 If Majordomo balks when you send your accept, please forward to risks.
 [If E-mail address differs from FROM:  subscribe "other-address <x@y>" ;
 this requires PGN's intervention -- but hinders spamming subscriptions, etc.]
 Lower-case only in address may get around a confirmation match glitch.
   INFO     [for unabridged version of RISKS information]
 There seems to be an occasional glitch in the confirmation process, in which
 case send mail to RISKS with a suitable SUBJECT and we'll do it manually.
   .UK users should contact <Lindsay.Marshallat_private>.
=> The INFO file (submissions, default disclaimers, archive sites,
 copyright policy, PRIVACY digests, etc.) is also obtainable from
 http://www.CSL.sri.com/risksinfo.html  ftp://www.CSL.sri.com/pub/risks.info
 The full info file will appear now and then in future issues.  *** All
 contributors are assumed to have read the full info file for guidelines. ***
=> SUBMISSIONS: to risksat_private with meaningful SUBJECT: line.
=> ARCHIVES are available: ftp://ftp.sri.com/risks or
 ftp ftp.sri.com<CR>login anonymous<CR>[YourNetAddress]<CR>cd risks
   [volume-summary issues are in risks-*.00]
   [back volumes have their own subdirectories, e.g., "cd 21" for volume 21]
 http://catless.ncl.ac.uk/Risks/VL.IS.html      [i.e., VoLume, ISsue].
   Lindsay Marshall has also added to the Newcastle catless site a
   palmtop version of the most recent RISKS issue and a WAP version that
   works for many but not all telephones: http://catless.ncl.ac.uk/w/r
 http://the.wiretapped.net/security/info/textfiles/risks-digest/ .
 http://www.planetmirror.com/pub/risks/ ftp://ftp.planetmirror.com/pub/risks/
==> PGN's comprehensive historical Illustrative Risks summary of one liners:
    http://www.csl.sri.com/illustrative.html for browsing,
    http://www.csl.sri.com/illustrative.pdf or .ps for printing

------------------------------

End of RISKS-FORUM Digest 22.59
************************