[RISKS] Risks Digest 24.68

From: RISKS List Owner (risko@private)
Date: Mon Jun 11 2007 - 15:30:00 PDT

RISKS-LIST: Risks-Forum Digest  Monday 11 June 2007  Volume 24 : Issue 68

Peter G. Neumann, moderator, chmn ACM Committee on Computers and Public Policy

***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org> as
The current issue can be found at

US Flight Service Privatization system problems (Don Poitras)
FDA issues Class I recall for an algorithm (Richard Cook)
New Hampshire federal judge overrules privacy law (Ethan Ackerman)
IT industry has failed in desktop security (Munir Kotadia via PGN)
Belgian biometric passport (Jean-Jacques Quisquater)
Flawed Symantec update cripples Chinese PCs (PGN)
Facebook doesn't allow friends born before 1910 (Henry Baker)
Royal Bank of Scotland total failure of cash access systems (PGN)
Keyloggers used to steal city funds (Rick Damiani)
Want to Write a Virus? Take a Class (Erik Larkin via George Ledin)
Windows' ATMs (Mark Barnabas Luntzel)
Round Up, Round Down, or How one cent became a profitable event
  (Leon Kuunders)
Re: UK judge: "What's a website?" (Rob Slade)
Re: Broken Microsoft + Daylight saving (Len Spyker)
Engaging Privacy and Information Technology in a Digital Age (Jim Horning)
Abridged info on RISKS (comp.risks)


Date: Thu, 24 May 2007 08:36:48 -0400 (EDT)
From: Don Poitras <poitras@private>
Subject: US Flight Service Privatization system problems

Lockheed Martin has been converting Flight Service Stations (FSSs) to use
new software and digital interfaces to FAA computers since it won the
contract to run the stations in 2005. Part of the contract were guarantees
that certain response times were achieved.  Phone calls were to be answered
in 20 seconds, radio calls answered within 5 seconds and flight plans filed
within 3 minutes.

With the start of fair-weather flying by the majority of US private pilots
this spring, the system has come under stress and response times have been
abysmal, flight plans have been dropped and weather briefings have been
conducted by briefers with no local knowledge of weather conditions.


  "Several FAA officials indicated that the use of call off-loading has
  increased significantly since the contract was put in place.  In some
  cases, we found multiple facilities that had to adjust their operations in
  order to cover off-loaded calls from short-staffed facilities, which
  created a cascading effect across the country."


  "FS-21 requires digital capabilities and, per terms of the contract, must
  interface with FAA's Telecommunications Infrastructure Network.  To meet
  this requirement, FAA plans on installing digital connections between the
  Lockheed Martin hub facilities and the closing and continuing flight
  service stations.  While FAA has begun installing the digital connections,
  one FAA official noted that, based on the current schedule, there are only
  about 75 days between when the digital connections are installed and when
  operations at closing and continuing flight service stations are cut over.
  Given the tight timeframe, any delays or problems with the installation of
  these connections could hamper testing and operation of FS-21, possibly
  delaying the transition and increasing contractual costs."

AOPA's (Aircraft Owners and Pilots Association) Phil Boyer had this
to say:

  "In short, the FS21 (twenty-first century) system is in crisis and failing
  pilots. Based on the hundreds of complaints that AOPA has received in the
  past month, it is clear that the technical and operational problems
  plaguing FS21 are now affecting safety," said AOPA President Phil Boyer in
  a letter to FAA Administrator Marion Blakey.  "The FAA and Lockheed Martin
  must immediately address the problems and implement a plan to bridge the
  service gap and provide critical FSS safety of flight services."

There are several safety issues. If the automated system ends up sending you
to a weather briefer in another state, he might not be aware of local
conditions, e.g., wind coming over a local mountain might produce severe
turbulence, but he wouldn't know that and wouldn't have any reason to
mention it.

A more serious safety risk is just that pilots may avoid getting pre-flight
briefings altogether because they can't get through.

Personally, (and the reason I'm making this post) I was trying to get an IFR
clearance and ended up getting bounced around the system and ended up with a
briefer in Macon, GA (I'm in Raleigh, NC). He had to fumble through what was
obviously a labor intensive effort to get the call switched to
Raleigh. While talking to Raleigh, the call disconnected.

As I was going through this, the plane behind me was doing the same thing.
After about ten minutes he says to me (via the radio), "I'm on hold, the
ASOS (automated local weather recording) says 1500 feet, so I'm going VFR."

I ended up doing the same thing. Leaving VFR in marginal conditions means
that ATC will not be providing IFR separation services. They don't even know
you've left until you call them up. Well, they might see your VFR
transponder code, but they won't have any idea where you're going.


Date: Wed, 06 Jun 2007 06:59:20 -0500
From: Richard Cook <ri-cook@private>
Subject: FDA issues Class I recall for an algorithm

> Date:    Tue, 5 Jun 2007 13:01:43 -0400
> Subject: FDA - MedWatch- Alcon Refractive Horizons LADAR6000 Excimer
> Laser System Class I Recall Because The Algorithm For Myopia With and
> Without Astigmatism Caused Cornea Abnormalities
> MedWatch - The FDA Safety Information and Adverse Event Reporting Program
> Alcon Refractive Horizons and FDA notified healthcare professionals and
> patients of a Class I Recall of the LADAR6000 Excimer Laser System for
> CustomCornea algorithm for myopia with astigmatism (M3) and myopia
> without astigmatism (A7).   This system is used for LASIK and wave-front
> guided LASIK treatment for the reduction or elimination of mild to
> moderate nearsightedness (myopia) and farsightedness (hyperopia) with or
> without astigmatism or for mixed astigmatism in patients who are 21
> years of age or older with documented stability of refraction for the
> prior 12 months. The product was recalled because use of the Alcon
> Refractive Horizons CustomCornea algorithm for myopia with and without
> astigmatism with the LADAR6000 Excimer Laser caused corneal
> abnormalities ("central islands") and decreased visual sharpness (visual
> acuity) in patients with myopia with and without astigmatism.  These
> "central islands" may not be correctable with lasers and the decrease in
> visual acuity may not be correctable with glasses or contact lenses.
> Patients with questions should call the company at 1-877-523-2784.
> Read the complete 2007 Safety Summary, including a link to the FDA
> Recall Notice regarding this issue at:
> http://www.fda.gov/medwatch/safety/2007/safety07.htm#LADAR6000

Recalling an algorithm is a relatively new phenomenon. Devices such as
infusion pumps typically have firmware and software that is integral to the
device. Complex devices such as LASIK systems allow the operator to select
amongst multiple functions using different algorithms. In February of this
year, Alcon told customers to stop using two algorithms (M3 and A7) and went
on to 'deactivate' these algorithms in U.S.  devices.  A Class I recall is
for "dangerous or defective products that predictably could cause serious
health problems or death. Examples of products that could fall into this
category are a food found to contain botulinal toxin, food with undeclared
allergens, a label mix-up on a life saving drug, or a defective artificial
heart valve."

Richard I. Cook, MD, University of Chicago, Anesthesia and Critical Care,
Chicago IL 60637 1-773-702-4890 http://www.ctlab.org/Cook.cfm


Date: May 22, 2007 5:30:43 PM EDT
From: Ethan Ackerman <eackerma@private>
Subject: New Hampshire federal judge overrules privacy law

1st Amendment protects reselling medical records.  [via Dave Farber's IP]

The New Hampshire Legislature recently enacted a law that bars pharmacies,
insurance companies, and similar entities from transferring or using both
patient-identifiable data and prescriber-identifiable data for certain
commercial purposes.  The law was enacted to protect patient privacy,
prescriber privacy, and to prevent drug industry 'targeting' of doctors who
prescribed generics.

It was promptly challenged by 2 data-mining companies who buy up
prescription records from pharmacies and resell the info to drug
manufacturers, and on April 30th was overturned by US District Court Judge
Paul Barbadoro.

Judge Barbadoro ruled that the data-miners had a 1st Amendment right to
resell the prescription records and the State of New Hampshire violated that
right in passing this law.

has a "big picture" treatment of the issue which mentions the case.

It also looks like the state plans to appeal:

  [IP Archives: http://v2.listbox.com/member/archive/247/=now]


Date: Fri, 25 May 2007 13:54:55 PDT
From: "Peter G. Neumann" <neumann@private>
Subject: IT industry has failed in desktop security (Munir Kotadia)

The IT industry has failed when it comes to desktop security for all major
operating systems.  Ivan Krstic, director of security architecture for the
One Laptop per Child project, kicked off the AusCert 2007 conference Monday
morning with a keynote speech that blasted desktop computer security --
including that of Windows, Linux and Macintosh machines -- because it is
based on a 35-year-old premise where software can run with the same
privilege as a user.  ...  One example of such a program, he said, is
Minesweeper <http://en.wikipedia.org/wiki/Minesweeper_(computer_game)>, a
single-player game that has shipped with virtually all versions of Microsoft
Windows.  [Source: Munir Kotadia, ZDNet Australia, Expert: IT industry has
failed in desktop security, *News.com*, 22 May 2007; PGN-ed]


Date: Sat, 09 Jun 2007 14:26:55 +0200
From: Jean-Jacques Quisquater <jjq@private>
Subject: Belgian biometric passport

A research team in cryptography (Gildas Avoine, Kassem Kalach and
Jean-Jacques Quisquater) from the Catholic University of Louvain
(Louvain-la-Neuve) disclosed serious weaknesses in the Belgian biometric
passport, the only type of passport distributed in Belgium since the end of
2004. The work carried out in Louvain-la-Neuve during the course of May 2007
shows that Belgian passports issued between end 2004 and July 2006 do not
include any security mechanism to protect the personal data embedded in the
passport's microchip. Passports issued after July 2006 do benefit from
security mechanisms but these are flawed. This means that anyone
possessing a little electronic reading device, which is easy and cheap to
acquire, can steal the passport content while it is still in the pocket of
the victim owners and thus without their knowing.  Face and signature are
among the data at risk. This news is all the more surprising because Karel
De Gucht, the Belgian Minister for Foreign Affairs, declared in the Belgian
Parliament on 9th January 2007 that the Belgian passport benefited from the
security mechanisms advocated by the International Civil Aviation
Organization. Skimming (that is, reading remotely these passports without
the consent of the holder) is thus very easy and is true for 720.000
passports valid till end 2009 at least, out of all 1.500.000 valid Belgian
passports.  [Probably gratuitous for most of you but note that
Belgian "." = American ","]

The risk is evident for the privacy of their holders.  From the information
obtained, such flawed passports are the only ones in the world.

More at http://www.dice.ucl.ac.be/crypto/passport/index.html


Date: Thu, 24 May 2007 12:58:05 PDT
From: "Peter G. Neumann" <neumann@private>
Subject: Flawed Symantec update cripples Chinese PCs

  [TNX to Keith A Rhodes.  PGN]

An erroneous Symantec antivirus signature update caused Norton Internet
Security 2007 and Norton 360 antivirus software to identify two critical
system files (netapi32.dll and lsasrv.dll) as the Backdoor.Haxdoor Trojan in
the Simplified Chinese version of Windows XP (with Service Pack 2 and a
particular patch), resulting in those files being quarantined.  As a result,
millions of PCs throughout China were crippled, unable to be
rebooted. ``According to Symantec, the problem was caused when Symantec made
a change to the automated process used by the company's security response
team to detect malicious software.''  [Source: Article by Aaron Tan, CNET
News.com; PGN-ed]


Date: Thu, 24 May 2007 14:43:23 -0700
From: Henry Baker <hbaker1@private>
Subject: Facebook doesn't allow friends born before 1910

Facebook discriminates against centenarians!  You can't get an account
unless your birthday is 1910 or later.  (Of course, most centenarians won't
have the prettiest faces for Facebook, but everything is relative...)

  [According to Wikipedia, there are 55K centenarians in the US and 25K in
  Japan, so this is not a small market.  I think that the founder of
  Facebook is about 23 years old, so perhaps he doesn't trust anyone over
  100.  I've got 40 years before worrying about this, but I don't want to
  run into a Y2K-type problem with 100+ ages.  (Actually, there already is
  such a problem, as many websites only allow 2 digit ages.)  HB]


Date: Sat, 2 Jun 2007 11:58:13 PDT
From: "Peter G. Neumann" <neumann@private>
Subject: Royal Bank of Scotland total failure of cash access systems

The Royal Bank of Scotland (RBS), which also owns NatWest, has apologised
after its cashpoint, online, and telephone banking systems all crashed.  A
spokeswoman said: "We are very sorry, and we're working to sort it out."
[Source: BBC, courtesy of Keith Rhodes; PGN-ed]


Date: Fri, 1 Jun 2007 17:49:37 -0700
From: "Rick Damiani" <rick@private>
Subject: Keyloggers used to steal city funds ...

... $450,000.00 in attempted wire transfers, but the city was able to freeze
all but $45,000.00.  *LA Times*

Interesting quote:

"Avilla said she still doesn't know how her computer was targeted. She said
she doubts it had the latest security software patch protections - something
sheriff's detectives and bank investigators told her is essential in
safeguarding her computer."

Two-factor authentication wasn't mentioned, so my guess is that the city's
bank doesn't offer it or the city chose not to use it.

Rick Damiani, Applications Engineer, The Paton Group
California: (310)429-7095 Hawaii: (808)284-3033


Date: Tue, 22 May 2007 16:10:49 -0700
From: George Ledin <ledin@private>
Subject:  Want to Write a Virus? Take a Class (Erik Larkin, *PC WORLD*)

  [Ironically, the story is spreading... like a virus!  George]

Want to Write a Virus? Take a Class.  Erik Larkin, 22 May 2007

A college computer course that teaches students how to write computer
viruses is riling up security companies once again, according to a story in
a local California paper today.

Per the story, a computer science professor [George Ledin] at Sonoma State
University in California is teaching the course in order to train his
students how to design better defenses. Security companies, on the other
hand, have always vigorously decried any attempts to create new malware as
automatically unethical, no matter the end goal. And at least three
companies are sending Ledin letters saying they will boycott hiring Ledin's
students, according to the story.

This is an ongoing debate.  Other colleges have previously taught such
classes, and Consumer Reports took major heat when it created new malware to
test antivirus software.

So who's right? Is Ledin violating an unwritten Hippocratic oath of computer
security? Or is this an important thing to teach, and learn, and test?

Personally, I think the genie's out of the bottle. Unlike with biological
viruses, it's not hard to create a new piece of malware.  You don't need a
lab, expensive equipment or even much techie know-how; There has long been
software available that allows any aspiring online thug to easily create a
new piece of malware.

What's more, malware writers are constantly spewing out new variants in an
attempt to evade antivirus programs. The recent Storm Worm blast was a great
example.

So I don't really think it makes us less safe if a few students create new
malware in order to learn how they're built. Even if one of them escapes its
protected environment, it will be a drop in the bucket compared to the
already existing deluge of new virus variants that come out all the time.

And such training may help with what's really important: Developing
effective proactive defenses that can block attacks whether they're old or
brand new.


Date: Mon, 11 Jun 2007 09:01:00 -0700
From: "Mark Barnabas Luntzel" <mark@private>
Subject: Windows' ATMs

Here is a Russian ATM with a Windows Product Activation screen:

  Your Windows product must be activated within 7 days.
  Do you want to activate Windows now?



Date: Tue, 29 May 2007 09:32:47 +0200
From: Leon Kuunders <leon@private>
Subject: Round Up, Round Down, or How one cent became a profitable event

One Dutch energy company, Eneco, offers an extra service to other
organisations: they act as a collecting agent. My local cable television
company Rekam is using that service to have their monthly payments
collected.  One of the invoices I received recently showed a to-be-collected
amount of 5,01. I was immediately triggered by this number: where did this
one cent originate from?

Quick research showed the cable company charges you 5,00 for
administration costs, including 19% VAT. When the energy company tried to
calculate the costs without VAT they got into a nasty problem: the amount
excluding VAT comes down to 4,2016806722 .. etc. Rounded this would be
4,20. When they calculated 19% VAT of 4,20, it equals 0,798. Dutch tax rules
require rounding such a number down to ... 0,79.

This would leave them with a total amount of 4,99. But hey! That wasn't
enough! So they decided to round up the amount excluding VAT to 4,21 and
then calculate the 19% VAT: 0,7999. Then they decided that this number was
close enough to round up to 0,80 (against Dutch tax rules ...). The total
amount then was 4,21 + 0,80 = 5,01.

In a conversation with the general manager of the cable company he assured me
that there was no way around this, and offered to send me a direct bill of
15,00. Because they had outsourced their billing department they had to
increase direct bills with € 10,00 administration costs. ...

The risks of this event are as follows: because the energy company
automatically debits the accounts of their customers this one cent will
automatically be transferred to their account. The cable company does not
collect this amount, nor do they pay it to the Dutch tax services. So
somewhere somebody enjoys these orphaned one cent payments.

In the last letter I received from the cable company the general manager told
me I could go to court to get this issue resolved. My lawyer has confirmed
that that was the best news she had in years.

http://leon.kuunders.info  M: +31 6411 64 995  F: +31 848 359 359
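A worked version of the rounding problem above, added here as an example (it is not code from the post or from either company's billing system): it reproduces the two rounding policies the post describes with Python's decimal module, adds a batch audit that flags every invoice whose split does not add up to the agreed gross, and shows the single-rounding approach that leaves no orphaned cent. The 19% rate, the 5,00 gross and the round-down rule come from the post; the invoice ids and the batch are constructed.

```python
from decimal import Decimal, ROUND_DOWN, ROUND_UP, ROUND_HALF_UP

CENT = Decimal("0.01")
VAT_RATE = Decimal("0.19")  # 19% VAT, as in the post


def split_two_step(gross, net_rounding, vat_rounding):
    """The collecting agent's procedure as the post describes it: back the net
    amount out of the gross, round it, then compute VAT on the rounded net and
    round that too.  Returns (net, vat, amount actually charged)."""
    net = (gross / (1 + VAT_RATE)).quantize(CENT, rounding=net_rounding)
    vat = (net * VAT_RATE).quantize(CENT, rounding=vat_rounding)
    return net, vat, net + vat


def dutch_rule_split(gross):
    """Round down at both steps (the tax rule the post cites): 4,20 + 0,79 = 4,99."""
    return split_two_step(gross, ROUND_DOWN, ROUND_DOWN)


def agent_split(gross):
    """Round up at both steps, as the agent ended up doing: 4,21 + 0,80 = 5,01."""
    return split_two_step(gross, ROUND_UP, ROUND_UP)


def consistent_split(gross):
    """Round only once and take VAT as the remainder, so net + vat == gross
    by construction and no cent is created or lost."""
    net = (gross / (1 + VAT_RATE)).quantize(CENT, rounding=ROUND_HALF_UP)
    return net, gross - net, gross


def audit(invoices):
    """Flag invoices whose VAT split does not add up to the agreed gross amount.
    invoices: iterable of (invoice_id, agreed_gross, net, vat).
    Returns [(invoice_id, charged - agreed), ...] for every mismatch."""
    mismatches = []
    for invoice_id, gross, net, vat in invoices:
        diff = (net + vat) - gross
        if diff != 0:
            mismatches.append((invoice_id, diff))
    return mismatches


def orphaned_cents(invoices):
    """Total over-collection in a batch: the money that nobody books."""
    return sum((d for _, d in audit(invoices) if d > 0), Decimal("0.00"))


# Constructed batch: every customer agreed to 5,00 per month including VAT,
# but three different rounding policies produced the split on the invoice.
GROSS = Decimal("5.00")
BATCH = [
    ("inv-1", GROSS, *dutch_rule_split(GROSS)[:2]),   # charges 4,99
    ("inv-2", GROSS, *agent_split(GROSS)[:2]),        # charges 5,01
    ("inv-3", GROSS, *consistent_split(GROSS)[:2]),   # charges 5,00
]

if __name__ == "__main__":
    for invoice_id, diff in audit(BATCH):
        print(invoice_id, "charged", diff, "against the agreed amount")
    print("orphaned per batch:", orphaned_cents(BATCH))
```

Run against a real direct-debit batch, the audit is the control that catches a one-cent drift before it is multiplied by the number of customers.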


Date: Sat, 19 May 2007 17:14:26 -0800
From: Rob Slade <rMslade@private>
Subject: Re: UK judge: "What's a website?" (Knowlton, RISKS-24.67)


I can't really tell if this is a good thing or a bad.  Possibly some of the
evidence in regard to identity hangs on who accessed a website (or had
ownership of it).  In that case I would assume that a solid understanding of
the technology would be necessary.  A faulty understanding might result in
an incorrect decision (as seems to be the situation with the Amero case in
the US).

Certainly I can have sympathy with another comment in the story:

  "Later he said he hoped a computer expert would give `simple' evidence
  when called to the stand -- because otherwise he would not understand it.
  "Judge Openshaw said: `Will you ask him to keep it simple? We've got to
  start from basics.'"

Being involved in certain aspects of forensics, I recognize that a number of
"experts" simply seem to want to be able to give an opinion without being
challenged, questioned, or having to explain their reasoning and opinions.

(Given the way the story is written, I can easily recognize the risks of
admitting that you need help with technical concepts outside your field ...)

rslade@private     slade@private     rslade@private
http://victoria.tc.ca/techrev/rms.htm www.syngress.com/catalog/?pid=4150


Date: Thu, 24 May 2007 13:21:53 +0800
From: "Len Spyker Perth Australia" <lspyker@private>
Subject: Re: Broken Microsoft + Daylight saving

Dag-Erling Smørgrav disagrees in RISKS-24.67 with my stating in RISKS-24.66
that fixing the Microsoft RTC design bug would break a few thousand apps.

He asserts that, as only high-level system calls are used, they would see
no changes and all would be well.

While I agree in principle, reality was different.

I recently worked on a 6-month software project involving monitoring many
mine sites and ports, in the middle of which our state government introduced
daylight saving for the FIRST time ever, on barely 4 weeks' notice.

We had the expected breaking of legacy boxes that had no notion of daylight
saving, OK.

However the biggest surprise was the number of state of the art corporate
databases from well known global companies that broke badly.

They appeared to contain code fudges to work around the MS ambiguity and
other problems I mentioned.

Some of these global databases had no sense of a UTC time stamp and used
"local" time stamps only!

We uncovered rat's nests of daylight or no daylight saving kludges at
every system level by every vendor and application writer that another
$500K barely made a dent in.

If you can't trust your OS high level system time calls 100.0% and you have
to work around them, then it still doesn't help.
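An added illustration (not code from Len Spyker's project) of the local-timestamp point above: a table that keeps only local wall-clock times cannot order or measure events across the night daylight saving ends, because one hour happens twice, and the only way back to UTC is some extra fact such as insertion order. The zone rule, the transition instant and the audit records are all constructed for the example; a real system would use the tz database and store UTC in the first place.

```python
from datetime import datetime, timedelta, timezone, tzinfo


class FallBackZone(tzinfo):
    """Constructed zone: UTC+9 (daylight time) until a single fall-back instant,
    UTC+8 (standard time) afterwards.  It stands in for a zone that switched off
    daylight saving one night; it is not a real tz database rule."""
    STD, DST = timedelta(hours=8), timedelta(hours=9)
    FALL_BACK_UTC = datetime(2007, 3, 24, 18, 0, tzinfo=timezone.utc)  # constructed

    def _is_dst(self, dt):
        wall = dt.replace(tzinfo=None)
        second_pass_starts = (self.FALL_BACK_UTC + self.STD).replace(tzinfo=None)  # 02:00
        first_pass_ends = (self.FALL_BACK_UTC + self.DST).replace(tzinfo=None)     # 03:00
        if wall < second_pass_starts:
            return True
        if wall >= first_pass_ends:
            return False
        return dt.fold == 0  # 02:00-03:00 occurs twice; fold=1 marks the second pass

    def utcoffset(self, dt):
        return self.DST if self._is_dst(dt) else self.STD

    def dst(self, dt):
        return timedelta(hours=1) if self._is_dst(dt) else timedelta(0)

    def tzname(self, dt):
        return "DST" if self._is_dst(dt) else "STD"


ZONE = FallBackZone()
FMT = "%Y-%m-%d %H:%M"


def is_ambiguous(local_str):
    """True when the wall-clock string names two different instants."""
    wall = datetime.strptime(local_str, FMT)
    return (wall.replace(tzinfo=ZONE, fold=0).utcoffset()
            != wall.replace(tzinfo=ZONE, fold=1).utcoffset())


def to_utc(local_str, fold=0):
    """Resolve a local wall-clock string to UTC; fold picks the pass when ambiguous."""
    local = datetime.strptime(local_str, FMT).replace(tzinfo=ZONE, fold=fold)
    return local.astimezone(timezone.utc)


# Constructed local-only audit trail in insertion order (seq), the way a table
# with no UTC column holds it across the fall-back night.
RECORDS = [
    (1, "2007-03-25 01:40", "pump 3 start"),
    (2, "2007-03-25 02:50", "pressure high"),   # first 02:50, still daylight time
    (3, "2007-03-25 02:20", "pump 3 stop"),     # second 02:20, standard time
    (4, "2007-03-25 03:10", "shift handover"),
]


def order_by_local_time(records):
    """Sequence numbers in the order a report sorted on the local column shows them."""
    return [seq for seq, _, _ in sorted(records, key=lambda r: r[1])]


def recover_utc(records):
    """Recover UTC from the one extra fact the table kept: insertion order.  When
    the wall clock runs backwards the fall-back has happened, so ambiguous
    timestamps from then on belong to the second pass."""
    recovered, fold, prev_wall = [], 0, None
    for seq, local, event in records:
        wall = datetime.strptime(local, FMT)
        if prev_wall is not None and wall < prev_wall:
            fold = 1
        recovered.append((seq, to_utc(local, fold), event))
        prev_wall = wall
    return recovered


def minutes_between(records, seq_a, seq_b, use_utc):
    """Elapsed minutes from seq_a to seq_b, from the raw local column or recovered UTC."""
    if use_utc:
        stamps = {seq: ts for seq, ts, _ in recover_utc(records)}
    else:
        stamps = {seq: datetime.strptime(local, FMT) for seq, local, _ in records}
    return int((stamps[seq_b] - stamps[seq_a]).total_seconds() // 60)
```

Sorted on the local column the stop appears before the pressure alarm that preceded it, and the pump run reads as 40 minutes instead of 100; without the sequence column even the reconstruction would be guesswork.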


Date: Fri, 25 May 2007 13:03:42 -0700
From: "Jim Horning" <Jim.Horning@private>
Subject: Engaging Privacy and Information Technology in a Digital Age

This book <http://books.nap.edu/catalog.php?record_id=11896> will, I think,
be of interest to many USACM members interested in IT privacy issues as
viewed from a variety of perspectives outside our usual computer-oriented
view.  Now available for pre-order from the National Academies Press, it is
the result of a multi-year study committee on Privacy in the Information Age
(of which I was a member), sponsored by the Computer Science and
Telecommunications Board (CSTB) of the National Research Council (NRC).
Privacy is a growing concern in the United States and around the world.  The
spread of the Internet and the seemingly boundaryless options for
collecting, saving, sharing, and comparing information trigger consumer

Online practices of business and government agencies may present new ways to
compromise privacy, and e-commerce and technologies that make a wide range
of personal information available to anyone with a Web browser only begin to
hint at the possibilities for inappropriate or unwarranted intrusion into
our personal lives. Engaging Privacy and Information Technology in a Digital
Age presents a comprehensive and multidisciplinary examination of privacy in
the information age. It explores such important concepts as how the threats
to privacy are evolving, how privacy can be protected, and how society can
balance the interests of individuals, businesses and government in ways that
promote privacy reasonably and effectively. This book seeks to raise
awareness of the web of connectedness among the actions one takes and the
privacy policies that are enacted, and provides a variety of tools and
concepts with which debates over privacy can be more fruitfully
engaged. Engaging Privacy and Information Technology in a Digital Age
focuses on three major components affecting notions, perceptions, and
expectations of privacy: technological change, societal shifts, and
circumstantial discontinuities. This book will be of special interest to
anyone interested in understanding why privacy issues are often so

The full draft text is available free online
<http://books.nap.edu/catalog.php?record_id=11896>, and will be replaced
with the final version when it is published.  Much credit is due to the
editors, Jim Waldo, Herb Lin, and Lynnette Millett for imposing a
substantial amount of coherence to disparate contributions from one of the
most diverse committees I have ever served on.  (I think that both the
lawyers and the philosophers outnumbered the three "computerists" on the
committee--it was a very broadening experience.)

I must confess that I am now much less confident that much privacy can be
salvaged than I was when the study was started.


Date: 2 Oct 2005 (LAST-MODIFIED)
From: RISKS-request@private
Subject: Abridged info on RISKS (comp.risks)

 The ACM RISKS Forum is a MODERATED digest, with Usenet equivalent comp.risks.
=> SUBSCRIPTIONS: PLEASE read RISKS as a newsgroup (comp.risks or equivalent)
 if possible and convenient for you.   The mailman web interface can
 be used directly to subscribe and unsubscribe:
 Alternatively, to subscribe or unsubscribe via e-mail to mailman your
 FROM: address, send a message to
 containing only the one-word text subscribe or unsubscribe.  You may
 also specify a different receiving address: subscribe address= ... .
 You may short-circuit that process by sending directly to either
   risks-subscribe@private or risks-unsubscribe@private
 depending on which action is to be taken.

 Subscription and unsubscription requests require that you reply to a
 confirmation message sent to the subscribing mail address.  Instructions
 are included in the confirmation message.  Each issue of RISKS that you
 receive contains information on how to post, unsubscribe, etc.

=> The complete INFO file (submissions, default disclaimers, archive sites,
 copyright policy, etc.) is online.
 The full info file may appear now and then in RISKS issues.
 *** Contributors are assumed to have read the full info file for guidelines.

=> .UK users should contact <Lindsay.Marshall@private>.
=> SPAM challenge-responses will not be honored.  Instead, use an alternative
 address from which you NEVER send mail!
=> SUBMISSIONS: to risks@private with meaningful SUBJECT: line.
 *** NOTE: Including the string "notsp" at the beginning or end of the subject
 *** line will be very helpful in separating real contributions from spam.
 *** This attention-string may change, so watch this space now and then.
=> ARCHIVES: ftp://ftp.sri.com/risks for current volume
     or ftp://ftp.sri.com/VL/risks for previous VoLume
 <http://www.risks.org> redirects you to Lindsay Marshall's Newcastle archive
 http://catless.ncl.ac.uk/Risks/VL.IS.html gets you VoLume, ISsue.
   Lindsay has also added to the Newcastle catless site a palmtop version
   of the most recent RISKS issue and a WAP version that works for many but
   not all telephones: http://catless.ncl.ac.uk/w/r
 <http://the.wiretapped.net/security/info/textfiles/risks-digest/> .
==> PGN's comprehensive historical Illustrative Risks summary of one liners:
    <http://www.csl.sri.com/illustrative.html> for browsing,
    <http://www.csl.sri.com/illustrative.pdf> or .ps for printing


End of RISKS-FORUM Digest 24.68

This archive was generated by hypermail 2.1.3 : Mon Jun 11 2007 - 15:58:45 PDT