]]> Sat, 1 Mar 2008 13:17:33 PST RISKS List Owner http://lists.jammed.com/RISKS/2008/04/0001.html RISKS-LIST: Risks-Forum Digest Tuesday 22 April 2008 Volume 25 : Issue 12

ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, moderator, chmn ACM Committee on Computers and Public Policy

***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org> as
<http://catless.ncl.ac.uk/Risks/25.12.html>
The current issue can be found at
<http://www.csl.sri.com/users/risko/risks.txt>

Contents:
Industrial Control Systems Killed Once, Will Kill Again (Ryan Singel)
GPS leads a bus astray (David Caley)
Neighbor's data shows up in my browser (borborugmus)
Oklahoma Dept of Corrections Website URLs contain raw SQL (Jim Garrison)
Real-time spying on credit card holders (Nick Brown)
Larger Prey Are Targets of Phishing (John Markoff via Monty Solomon)
Aer Lingus economy 5-euro flights to the US after test data leaked to web
(Patrick O'Beirne)
Gone in 60 seconds: Spambot cracks Live Hotmail CAPTCHA (Emil Protalinki
via Monty Solomon)
Bouncing Merrily Along (Peter B. Ladkin)
The 10,000 web sites infection mystery solved (Bojan Zdrnja via Monty Solomon)
Re: Census to scrap handheld computers for 2010 count (Derek P Schatz)
Re: Search engine bait? (Randall Roberts)
Re: Another genuine mail that looks like a phish (Gregory Hicks)
Re: Nissan GT-R sports car and GPS (Peter Houppermans, JTaylor)
2008 IEEE Symposium on Security and Privacy (Yong Guan)
REVIEW: "Computer Security: Principles and Practice" (Rob Slade)
Abridged info on RISKS (comp.risks)

----------------------------------------------------------------------

Date: Fri, 11 Apr 2008 5:10:42 PDT
From: "Peter G. Neumann" <neumann@private>
Subject: Industrial Control Systems Killed Once, Will Kill Again (Ryan Singel)

On 10 Jun 1999 a 16-inch diameter steel pipeline operated by the now-defunct
Olympic Pipeline Co. ruptured near Bellingham, Washington, flooding two
local creeks with 237,000 gallons of gasoline. The gas ignited into a
mile-and-a-half river of fire that claimed the lives of two 10-year-old boys
and an 18-year-old man, and injured eight others.

Wednesday, computer-security experts who recently re-examined the Bellingham
incident called its victims the first verified human casualties of a
control-system computer incident. They argue that government cybersecurity
standards currently under debate might have prevented the tragedy. ...

Following the 1999 incident, a nearly three-year investigation by the
National Transportation Safety Board concluded that multiple causes
contributed to the deadly conflagration, including pipeline damage
inflicted by construction workers years earlier, and a misconfigured
valve.

But the factor that intrigues Joe Weiss (Applied Control Solutions) and
Marshall Abrams (MITRE) is a still largely unexplained computer failure that
began less than 30 minutes before the accident and paralyzed the central
control room operating the pipeline, preventing workers from releasing
pressure in the line before it hemorrhaged.

With support from the U.S. National Institute of Standards and Technology,
Weiss and Abrams pored over public government records on the incident,
looking at it through the lens of a pending cybersecurity standard called
NIST 800-53. The duo concluded that the requirements in the standard would
have prevented the explosion from occurring. ...

Security experts and government investigators have long warned that the
complex networks controlling critical infrastructures like the power grid,
and gas and oil pipelines, were not built with security in mind -- a point
driven home by several incidents of the systems failing. In January 2003,
the Slammer worm penetrated a private computer network at Ohio's Davis-Besse
nuclear power plant and disabled a safety-monitoring system for nearly five
hours. Later that year, a software bug in a General Electric
energy-management system contributed to a cascading power failure that cut
off electricity to 50 million people in eight states and a Canadian
province. [Source: Ryan Singel, Wired.com, Threat Level: Privacy, Security,
Politics and Crime Online, blog 9 Apr 2008; PGN-ed]
http://blog.wired.com/27bstroke6/2008/04/industrial-cont.html

------------------------------

Date: Thu, 17 Apr 2008 13:31:29 -0700
From: David Caley <dcaley@private>
Subject: GPS leads a bus astray

Another instance of directions from a GPS navigational device overriding
common sense:

A police report said the driver of a charter bus (11' 8") carrying 22
students told police he was following directions from a global positioning
device prior to a crash into a pedestrian overpass that was too low (9'
clearance). [Source: Seattle, KIRO TV, 17 Apr 2008]
http://www.kirotv.com/news/15912549/detail.html

------------------------------

Date: Sun, 13 Apr 2008 20:51:12 -0400
From: borborugmus <borborugmus@private>
Subject: Neighbor's data shows up in my browser

This weekend I was doing some last-minute work on my taxes, using TurboTax
Deluxe tax software. TurboTax has an online site, ItsDeductible.com, that
you can go to in order to get help in determining the value of non-monetary
charitable deductions you've made.

I had been to the ItsDeductible site once or twice in the past, and had had
a little trouble logging in. So I went to a section on the site to try and
change my login name, which I had made much too long. I started to type in
my current information, and when I typed in the first letter of my first
name, the auto-complete function put in the name "Jason" instead of my name.
That seemed very strange, because I am the only person who ever uses this
computer, and my name is not Jason.

I changed it back to my own first name, and typed in my last name. Then I
tabbed to the address field. As I typed in the first digit of my 3-digit
house number, the house number and street name of my next-door-neighbor
showed up in the auto-complete list! Since I know these neighbors, and know
that the homeowner's first name is "Jason", I next moved back up to the
"Last name" field of the form. I typed in the first letter of what I know
is Jason's last name. And Jason's last name came up in the auto-complete
list!

There seems to be some way that my next-door-neighbor's information got into
my PC. They always have their wireless internet on, but my wireless
reception is usually disabled. I really don't know how this could have
happened. Of course, since the problem showed up while I was doing my
taxes, I am even more paranoid about what information of mine might have
been swapped between households.

I tried to make the problem repeat after a reboot, but was unable to
duplicate the login screen. I also checked my "Identity Safe" passwords
from Norton, and see that only my own information is saved for that web
site. The browser I used was Firefox, but I can't find a way to see how it
has stored its auto-complete section.

------------------------------

Date: Tue, 15 Apr 2008 11:56:14 -0500
From: Jim Garrison <jhg@private>
Subject: Oklahoma Dept of Corrections Website URLs contain raw SQL

The Oklahoma DOC published a web interface where the URL contained the SQL
query executed to retrieve the data to be reported. Thus, any knowledgeable
user could execute general SQL queries against a database containing large
amounts of personal information -- including UPDATE statements (!) It was
taken down only after management was shown that THEIR personal information
was available.

http://thedailywtf.com/Articles/Oklahoma-Leaks-Tens-of-Thousands-of-Social-Security-Numbers,-Other-Sensitive-Data.aspx

------------------------------

Date: Fri, 11 Apr 2008 12:40:53 +0200
From: Nick Brown <Nick.BROWN@private>
Subject: Real-time spying on credit card holders

Business Week reports that Mastercard is to launch a new service which will,
among other things, allow the payer of a corporate or other card to receive
real-time alerts as to what the card is being used for.
http://www.businessweek.com/magazine/content/08_16/b4080031217154.htm

The risks are left as an exercise for the reader...

------------------------------

Date: Wed, 16 Apr 2008 08:53:03 -0400
From: Monty Solomon <monty@private>
Subject: Larger Prey Are Targets of Phishing (John Markoff)

An e-mail scam aimed squarely at the nation's top executives is raising new
alarms about the ease with which people and companies can be deceived by
online criminals. Thousands of high-ranking executives across the country
have been receiving e-mail messages this week that appear to be official
subpoenas from the United States District Court in San Diego. Each message
includes the executive's name, company and phone number, and commands the
recipient to appear before a grand jury in a civil case.

A link embedded in the message purports to offer a copy of the entire
subpoena. But a recipient who tries to view the document unwittingly
downloads and installs software that secretly records keystrokes and sends
the data to a remote computer over the Internet. This lets the criminals
capture passwords and other personal or corporate information. Another
piece of the software allows the computer to be controlled remotely.
According to researchers who have analyzed the downloaded file, less than 40
percent of commercial antivirus programs were able to recognize and
intercept the attack.

The tactic of aiming at the rich and powerful with an online scam is
referred to by computer security experts as whaling. The term is a play on
phishing, an approach that usually involves tricking e-mail users - in this
case the big fish - into divulging personal information like credit card
numbers. Phishing attacks that are directed at a particular person, rather
than blasted out to millions, are also known as spear phishing.

The latest campaign has been widespread enough that two California federal
courts and the administrative office of the United States Courts posted
warnings about the fake messages on their Web sites. Federal officials said
they stopped counting after getting hundreds of phone calls from
corporations about the messages. At midday on 15 Apr 2008, one antispam
company, MX Logic, said in a Web posting that its service was still seeing
at least 30 of the messages an hour.

[Source: John Markoff, *The New York Times*, 16 Apr 2008; excellent long
article, PGN-ed]
http://www.nytimes.com/2008/04/16/technology/16whale.html?ex=1365998400&en=208591045a06cdff&ei=5090

------------------------------

Date: Fri, 18 Apr 2008 14:43:40 +0100
From: "Patrick O'Beirne" <pob@private>
Subject: Aer Lingus economy 5-euro flights to the US after test data
leaked to web

Aer Lingus blamed a technical fault for Wednesday's error, which saw up to
300 people book 5-euro business-class flights to the US. However, the
airline will provide economy-class seats to the customers who made the
reservations between 7.30am and 9am, when a promotional fare test webpagewas
mistakenly put up live. [The flights of course were not 5 euro but about
150 euro each when taxes and charges were added. PO'B] [Source: RTE news;
PGN-ed]

http://www.rte.ie/news/2008/0418/aerlingus.html
Patrick O'Beirne, Systems Modelling Ltd.
http://www.sysmod.com/ (+353)(0) 5394 22294

------------------------------

Date: Wed, 16 Apr 2008 08:05:12 -0400
From: Monty Solomon <monty@private>
Subject: Gone in 60 seconds: Spambot cracks Live Hotmail CAPTCHA

Emil Protalinski, 15 Apr 2008

Internet users are quite familiar with the Completely Automated Public
Turing test to tell Computers and Humans Apart (CAPTCHA), a quick method
that verifies whether or not the user trying to sign up is a person or a
bot. A picture with swirled, mangled, or otherwise distorted characters is
displayed and the user then types in the correct letters or numbers. Thus
far, the system has worked well to slow down malicious bots, but recently
the groups behind such software have made significant strides. A security
firm is now reporting that the CAPTCHA used for Windows Live Mail can now be
cracked in as little as 60 seconds.

Back in early February, a group cracked Windows Live Hotmail's CAPTCHA. A
few weeks later, Gmail's version followed suit. In just over a month's time,
some anti-spam vendors were forced to completely block the domain for the
popular service as bots signed up for thousands of bogus accounts and began
to flood the tubes with e-mail advertisements for lottery tickets and
watches. The close proximity of the two cracks has done everything but
sealed CAPTCHA's fate.

To make matters worse, Websense Security Labs is now reporting that the
method for getting around Windows Live Mail's CAPTCHA has been improved to
the point that a bot can decipher the text and make a guess in less than six
seconds, on average. Windows Live Hotmail's Anti-CAPTCHA automatic bot,
which hooks itself into Internet Explorer on a victim's machine, has a
success rate of about 10-15 percent. That means that it takes up to one
minute for a single bot to create a new account. ...

http://arstechnica.com/news.ars/post/20080415-gone-in-60-seconds-spambot-cracks-livehotmail-captcha.html

------------------------------

Date: Tue, 22 Apr 2008 09:04:10 +0200
From: "Peter B. Ladkin" <ladkin@private-bielefeld.de>
Subject: Bouncing Merrily Along

We recently reconfigured our mail SW and for a couple of days I got a few
hundreds of rejected-mail bounce messages. My e-mail address has been forged
by spammers for years and these bounces came from handling such fraudulent
messages.

No one in this world, so far as I know -- and I have searched the records
for years, and employed agents to help me -- has ever lost money by
underestimating the intelligence of the great masses of the mail system
administrators. And I can't be the first to have observed that. So I am
prepared to believe that there are at least a few hundred admins out there
who have never heard of spam and fraudulent "From:" lines.

But many if not most of these messages came from machines that either
advertised themselves as spam filters, or showed that the message had passed
through spam filters!

One could make it a legal offence to reply to the "From:" address of a
message one had classified as spam. It likely wouldn't curb the phenomenon,
but it would ensure a steady flow of cash to the state, which could then
redistribute it amongst Internet infrastructure providers.

Peter B. Ladkin, Causalis Limited and University of Bielefeld
www.causalis.com www.rvs.uni-bielefeld.de

[NOTE: neumann and risks From: addresses have been widely forged in
the past few weeks. PGN]

------------------------------

Date: Mon, 21 Apr 2008 10:49:21 -0400
From: Monty Solomon <monty@private>
Subject: The 10,000 web sites infection mystery solved

Published: 2008-04-16,
Last Updated: 2008-04-16 19:14:00 UTC
by Bojan Zdrnja (Version: 3)

Back in January there were multiple reports about a large number of web
sites being compromised and serving malware. Fellow handler Mari wrote the
initial diary at http://isc.sans.org/diary.html?storyid=3834 .

Later we did several diaries where we analyzed the attacks, such as the one
I wrote at http://isc.sans.org/diary.html?storyid=3823 . Most of the reports
about these attacks we received pointed to exploitation of SQL Injection
vulnerabilities.

Yesterday, one of our old friends, Dr. Neal Krawetz, pointed us to another
site hosting malicious JavaScript files with various exploits. While those
exploits where more or less standard, we managed to uncover a rare gem
between them - the actual executable that is used by the bad guys in order
to compromise web sites.

While we had a general idea about what they do during these attacks, and we
knew that they were automated, we did not know exactly how the attacks
worked, or what tools the attackers used. The strategy was relatively
simple: they used search engines in order to find potentially vulnerable
applications and then tried to exploit them. The exploit just consisted of
an SQL statement that tried to inject a script tag into every HTML page on
the web site.

The utility we recovered does the same thing. The interface appears to be is
in Chinese so it is a bit difficult to navigate around the utility, but we
did some initial analysis of the code (which is very big) to confirm what it
does. ...

http://isc.sans.org/diary.html?storyid=4294

------------------------------

Date: Wed, 9 Apr 2008 17:47:58 -0700
From: "Schatz, Derek P" <Derek.P.Schatz@private>
Subject: Re: Census to scrap handheld computers for 2010 count (RISKS-25.11)

And what would be the likelihood that the handheld computers could be
re-used for the 2020 Census? Would the vendor still support the more than
10-year-old hardware at that time? How many RISKS subscribers are still
using 10+ year old computers?

The risk: Spending gigantic wads of money on something that will be
obsolete before it can be used even a second time?

------------------------------

Date: Thu, 10 Apr 2008 12:12:05 -0500
From: "Randall Roberts" <randall.roberts@private>
Subject: Re: Search engine bait? (RISKS 25.09)

This might be a simple captcha hacking operation. Well designed
captchas are hard to break programmatically, so people put up stuff like
this to get people to do the work for them.

Randy Roberts, Global Network Security Capability EDS,Security & Privacy
Service Line, MD 354 4000 North Mingo Road Tulsa, OK 74116 +1 918 939-4844

[Also noted by Joseph Gwinn. PGN]

------------------------------

Date: Wed, 9 Apr 2008 20:35:22 -0700 (PDT)
From: Gregory Hicks <ghicks@private>
Subject: Re: Another genuine mail that looks like a phish (Piper, RISKS-25.11)

Let's just say this: If you're running a marketing campaign for some
company, you'd want to have some way of collecting metrics that allow you to
go back to the sponsoring company and say "Look, we got you this many
qualified leads. Of these, this many bought your product. So you owe us $X
plus $Y as a bonus..."

Anyway, that is why a company will send you an e-mail, expect you to click a
link and end up at the client company's website.

------------------------------

Date: Thu, 10 Apr 2008 12:49:29 +0200
From: Peter Houppermans <peter@private>
Subject: Re: Nissan GT-R sports car and GPS (Clark, RISKS-25.11)

If the onboard navigation system was designed by TomTom it will probably ask
you all these questions whilst you're driving. TomTom appears to have
decided in Navigator 6 that certain things like setting up a data link for
traffic information are important enough to divert your attention from the
road, and there's no disabling that question. It would be nice if someone
added an 'adult' mode where you can take some of those decisions yourself
again, and just once instead of every time..

Tomtom have a watchdog idea too, and the potential flaws in both this and
the Nissan approach are identical: a flawed map or analysis will make a mess
of the conclusion. In the case of Tomtom, maps include in some places speed
limit information which is in itself not such a bad idea.

The idea went off the cliff by making display modifications based on the
speed data. When you exceed the "map limit", the speed indicator goes red.
When you go WELL over the speed limit it starts blinking, not normal-inverse
but visible-invisible, at approx a 1Hz frequency.

In other words, for a precise speed indication you may have to take your
eyes off the road for a full second in the worst possible conditions. Duh.
Oh, and no way to disable that feature either.

But no fears of Big Brother speed limits via GPS: not only did I find the
speed limit data far from accurate, even when corrected there's another fly
in the ointment: variable limits.

In various countries, multiple speed limits are deployed, adjusted according
to situation (snow, pollution, accidents etc). Which speed limit do you
store?

All I'm waiting for now is a government imposed feature where speeding
drivers will be automatically diverted into the nearest traffic jam..

------------------------------

Date: Thu, 10 Apr 2008 12:10:54 GMT
From: <jtayNOSPAMlor@private>
Subject: Re: Nissan GT-R sports car and GPS (Clark, RISKS-25.11)

> Then after thrashing it on the track, you must take it for a $1000 Nissan
> High Performance Center safety check or the warranty is void.

GPS jammers cost less than $100. Does the car work if it can't get a GPS
fix?

------------------------------

Date: Fri, 18 Apr 2008 23:35:46 PDT
From: "Peter G. Neumann" <neumann@private>
Subject: 2008 IEEE Symposium on Security and Privacy

PROGRAM:
http://www.ieee-security.org/TC/SP2008/oakland08.html

May 18-21, 2008, The Claremont Resort
Berkeley/Oakland, California, USA
Claremont Hotel Group Rate Deadline: April 25, 2008

Contact: Yong Guan <guan@private>

------------------------------

Date: Mon, 14 Apr 2008 12:34:38 -0800
From: Rob Slade <rmslade@private>
Subject: REVIEW: "Computer Security: Principles and Practice",
William Stallings/Lawrie Brown

BKCMSCPP.RVW 20080204

"Computer Security: Principles and Practice", William Stallings/Lawrie
Brown, 2008, 978-0-13-600424-0
%A William Stallings williamstallings.com/CompSec/CompSec1e.html
%A Lawrie Brown
%C One Lake St., Upper Saddle River, NJ 07458
%D 2008
%G 0-13-600424-5 978-0-13-600424-0
%I Prentice Hall
%O 800-576-3800 416-293-3621 +1-201-236-7139 fax: +1-201-236-7131
%O http://www.amazon.com/exec/obidos/ASIN/0136004245/robsladesinterne
http://www.amazon.co.uk/exec/obidos/ASIN/0136004245/robsladesinte-21
%O http://www.amazon.ca/exec/obidos/ASIN/0136004245/robsladesin03-20
%O Audience i+ Tech 2 Writing 3 (see revfaq.htm for explanation)
%P 798 p.
%T "Computer Security: Principles and Practice"

I am woefully laggard in getting this review out, particularly since I
reviewed the text in process, last fall, and therefore have to declare
a possibility of bias.

The preface states that the book is intended as the text for a one- or
two-semester course in computer security. The work is also addressed
to professionals as a basic reference. In that latter regard it may
come up short, missing elements of infrastructure, fire protection,
investigation, forensics, and being rather weak in terms of
architecture and business continuity planning.

There is a rather interesting chapter zero in the volume (it and
chapter one are presumably "part zero," which is sound computing
theory, but somewhat bemusing in a book) laying out the structure of
the text, as well as pointing to the technical resource and course
Website, noted above. Chapter one defines fundamental security terms
and concepts from various sources. The list is comprehensive, but,
given sometimes conflicting positions, little attempt is made to
analyze, integrate, or unify the material. There is an excellent set
of references and a solid set of questions and problems, as well as a
brief appendix addressing security standards and documents.

Part one involves computer security technology and principles. Chapter two
introduces cryptographic tools. The basic ideas of cryptography are
presented, but one must go to other chapters and appendices for details and
usage of the technology. This structure is unusual in cryptographic
literature, but the new perspective may demonstrate somewhat stale
abstractions in a fresh way. It is rather odd that the coverage of
authentication, in chapter three, does not note the IAAA model of
Identification, Authentication, Authorization, and Accountability. Access
control, in chapter four, is limited to data access. ( The authors also
follow the original paper describing Role-Based Access Control as a form of
mandatory access control, even though RBAC is now frequently used in
discretionary access control environments.) Chapter five's discussion of
database security emphasizes the theoretical aspects of that specialty.
Intrusion detection is introduced in chapter six. Malicious software is
given a scholarly, rather than practical, treatment in chapter seven, but
the content is more accurate than is usual even in the security literature.
Denial of service attacks are addressed in chapter eight. Chapter nine's
review of firewalls concentrates, almost exclusively, on stateful
inspection, and the material on intrusion prevention systems repeats, to a
large extent, chapter six. Trusted computing and multilevel security, in
chapter ten, are discussed in terms of formal security models and security
architecture.

Part two deals with software security, with chapter eleven being
devoted to the topic of buffer overflows, and the other software
subjects covered comprising chapter twelve.

Part three contains topics the authors consider to be management
issues. These are (in order through chapters thirteen to eighteen),
physical and infrastructure security, human factors (primarily policy
and awareness concerns), auditing security management and risk
assessment, security controls (plans and procedures), and legal and
ethical aspects.

Part four details cryptographic algorithms, and the material is as good as
one might expect from the author of "Cryptography and Network Security"
(cf. BKCRNTSC.RVW). Symmetric encryption and message confidentiality,
illustrated by the Data Encryption Standard and the advanced Encryption
Standard, is the topic of chapter nineteen. Asymmetric cryptography and
hashes are in twenty.

Part five turns to Internet security. Some Internet security protocols and
standards are listed in chapter twenty-one. A detailed look at Kerberos
leads off chapter twenty-two's examination of authentication applications.

Operating systems security is the subject of part six, with a look at the
Linux model in chapter twenty-three, and Windows in twenty-four.

Appendices at the end of the book provide information on number theory,
pseudorandom number generation, projects for teaching security, standards
and standards organizations, and the TCP/IP protocol suite.

Of the various domains of information systems security, there is limited
material in regard to the security implications of various aspects of
computer hardware and architecture, the formation of an architectural model
for security design, and business continuity planning. Otherwise, however,
the coverage is quite comprehensive, much more so than in other course texts
such as Gollman's excellent but now aging "Computer Security"
(cf. BKCOMPSC.RVW), Bishop's rather abstract "Computer Security: Art and
Science" (cf. BKCMSCAS.RVW), and Stamp's interesting, but sometimes spotty,
"Information Security: Principles and Practice" (cf. BKINSCPP.RVW).
Anderson's "Security Engineering" (cf. BKSECENG.RVW) is, of course, not only
a solid text, but also a useful professional reference, and Stalling and
Brown might wish to examine the practical issues dealt with in that work. A
range of editions of the "Information Security Management Handbook" (cf.
BKINSCMH.RVW) would have similar overview, and more detail, but hardly in a
single volume. There is also the "Official (ISC)^2 Guide to the CISSP Exam"
(cf. BKOIGTCE.RVW), and now the "Official (ISC)^2 Guide to the CISSP CBK,"
but Stalling and Brown's work, while less broad and detailed, is more
academically rigorous.

copyright Robert M. Slade, 2008 BKCMSCPP.RVW 20080204
rslade@private slade@private rslade@private
http://victoria.tc.ca/techrev/rms.htm

------------------------------

Date: 17 Oct 2007 (LAST-MODIFIED)
From: RISKS-request@private
Subject: Abridged info on RISKS (comp.risks)

The ACM RISKS Forum is a MODERATED digest, with Usenet equivalent comp.risks.
=> SUBSCRIPTIONS: PLEASE read RISKS as a newsgroup (comp.risks or equivalent)
if possible and convenient for you. The mailman web interface can
be used directly to subscribe and unsubscribe:
http://lists.csl.sri.com/mailman/listinfo/risks
Alternatively, to subscribe or unsubscribe via e-mail to mailman
your FROM: address, send a message to
risks-request@private
containing only the one-word text subscribe or unsubscribe. You may
also specify a different receiving address: subscribe address= ... .
You may short-circuit that process by sending directly to either
risks-subscribe@private or risks-unsubscribe@private
depending on which action is to be taken.

Subscription and unsubscription requests require that you reply to a
confirmation message sent to the subscribing mail address. Instructions
are included in the confirmation message. Each issue of RISKS that you
receive contains information on how to post, unsubscribe, etc.

=> The complete INFO file (submissions, default disclaimers, archive sites,
copyright policy, etc.) is online.
<http://www.CSL.sri.com/risksinfo.html>
The full info file may appear now and then in RISKS issues.
*** Contributors are assumed to have read the full info file for guidelines.

=> .UK users should contact <Lindsay.Marshall@private>.
=> SPAM challenge-responses will not be honored. Instead, use an alternative
address from which you NEVER send mail!
=> SUBMISSIONS: to risks@private with meaningful SUBJECT: line.
*** NOTE: Including the string "notsp" at the beginning or end of the subject
*** line will be very helpful in separating real contributions from spam.
*** This attention-string may change, so watch this space now and then.
=> ARCHIVES: ftp://ftp.sri.com/risks for current volume
or ftp://ftp.sri.com/VL/risks for previous VoLume
<http://www.risks.org> redirects you to Lindsay Marshall's Newcastle archive
http://catless.ncl.ac.uk/Risks/VL.IS.html gets you VoLume, ISsue.
Lindsay has also added to the Newcastle catless site a palmtop version
of the most recent RISKS issue and a WAP version that works for many but
not all telephones: http://catless.ncl.ac.uk/w/r
<http://the.wiretapped.net/security/info/textfiles/risks-digest/> .
==> PGN's comprehensive historical Illustrative Risks summary of one liners:
<http://www.csl.sri.com/illustrative.html> for browsing,
<http://www.csl.sri.com/illustrative.pdf> or .ps for printing
==> Special Offer to Join ACM for readers of the ACM RISKS Forum:
<http://www.acm.org/joinacm1>

------------------------------

End of RISKS-FORUM Digest 25.12
************************

]]> Tue, 22 Apr 2008 17:32:17 PDT RISKS List Owner http://lists.jammed.com/RISKS/2008/03/0003.html RISKS-LIST: Risks-Forum Digest Tuesday 1 April 2008 Volume 25 : Issue 10

ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, moderator, chmn ACM Committee on Computers and Public Policy

***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org> as
<http://catless.ncl.ac.uk/Risks/25.10.html>
The current issue can be found at
<http://www.csl.sri.com/users/risko/risks.txt>

Contents:
A modest proposal for the improvement of Daylight Saving (Tony Finch)
A Current Affair: Lauren Weinstein, Inside Risks, CACM April 2008 (PGN)
Chaos Computer Club publishes Minister's fingerprint - and more
(Peter Houppermans)
DST transition time mismatches (Tony Finch)
Mini-Y2K fears over Aussie daylight saving change (Max Power)
NYPD erases crime statistics for February 29 (Ed Ravin)
More flights canceled as Heathrow remains in chaos (Alan Cowell via
David Farber's IP)
Heathrow: The risks of hubris (Diomidis Spinellis)
GPS Errors are riskier than you may imagine: consider
Liability-Critical Applications (Bern Grush)
Re: Securing The Wrong Spaces: A Lesson (Rick Damiani)
Re: Arrest over phone system bug: Trailing zeroes (Graham Reed)
Re: Thieves become victims? (stanley)
Abridged info on RISKS (comp.risks)

----------------------------------------------------------------------

Date: Tue, 1 Apr 2008 06:24:00 +00:52
From: Tony Finch <dot@private>
Subject: A modest proposal for the improvement of Daylight Saving

At this time of year we enjoy the twice annual collection of stories about
problems caused by time zone adjustments. DST is a cunning way of getting
people to adjust their habits to make better use of sunlight when it is
available. We know from the turbulent history of DST in the USA that people
will not make this adjustment without external influence, or if they do they
will not do so with consistent start and end dates or indeed any regard for
the inconvenience of those around them. (See David Prerau's book, "Saving
the Daylight".)

So DST is beneficial provided it is applied consistently over a reasonably
large area. However it is a crude and arbitrary mechanism. It offends those
who think time should be a matter of natural philosophy, not of politics. It
is a great inconvenience to us technologists when the politicians cannot
stop themselves from messing around with the schedule. It causes many
problems when the clocks suddenly jump by an hour twice a year.

I believe there is a way to enjoy the benefits of DST while avoiding these
drawbacks. The essential idea is that our clocks should be set using sunrise
as a benchmark instead of noon. This is an entirely scientific way of
adjusting our clocks (and therefore our habits) to seasonal conditions, so
it is immune to political fiddling. Our clocks would run fast by about a
minute a day in the spring, and slow by a minute or two a day in the autumn,
so there would be no unpleasant disruptions to our sleep. If we forget to
make an adjustment we won't be embarrassingly early or late.

It is obviously not sensible for clocks in Land's End and John O'Groats to
tell different times just because of their differing latitudes. Therefore,
just as we use standard longitudes to define our time zones, we would use
standard latitudes to define sunrise time. Let us use the time of sunrise at
the tropic of cancer, 23.44 degrees north, as our standard. The difference
between this time and that latitude's latest sunrise, 06:44, gives us an
offset to add to our zone's standard time. This adjustment varies smoothly
between nothing in January and an hour and a half in June, giving us even
more evening sunlight to enjoy. Southern countries would use the same
mechanism, but with the tropic of capricorn as their standard latitude.

Some will argue that it is inconvenient to adjust one's watch every day
for most of the year. We were happy enough to do so with mechanical
watches in the past, so I don't think this is a big deal, and lazy people
can probably get away with adjusting theirs once a week. I also see it as
an opportunity for innovative new intelligent clocks and watches. There
may be slightly more difficulty checking relative times when communicating
between northern and southern sunrise time zones, but the time difference
tables will only be about 40 times larger. It is also a great way for
geophysicists to remain involved in timekeeping after leap seconds are
abolished.

I recommend this proposal to you, and hope that it is as successful as
William Willett's idea one hundred years ago.

f.anthony.n.finch <dot@private> http://dotat.at/

------------------------------

Date: Tue, 1 Apr 2008 00:03:00 GMT
From: Peter G Neumann <neumann@private>
Subject: A Current Affair: Lauren Weinstein, Inside Risks, CACM April 2008

The April 2008 issue of the *Communications of the ACM* includes an
important Inside Risks article by Lauren Weinstein. (It is of course
subject to CACM copyright, so I won't reproduce his article here, but
suggest that it is worth reading.) It is online on my Inside Risks website:
http://www.csl.sri.com/neumann/insiderisks08.html#214

------------------------------

Date: Sun, 30 Mar 2008 14:23:23 +0200
From: Peter Houppermans <phobos@private>
Subject: Chaos Computer Club publishes Minister's fingerprint - and more

The last publication of the Chaos Computer Club (CCC) has published a
fingerprint of the Interior Minister Wolfgang Schäuble (quoting the
oft-heard mantra "if you have nothing to hide you should have nothing to
fear"), together with a tongue in cheek "collection album" page where
readers can fill in fingerprints of other ministers if they manage to
collect them.

http://www.ccc.de/updates/2008/schaubles-finger (sorry, only in German).

The CCC didn't stop there: for good measure they also repeat their 2004
guide in both English and German on how to lift fingerprints and use them as
your own, complete with links to videos of the process and how it has been
used to defeat a pay-by-fingerprint system of a German supermarket chain.

http://www.ccc.de/biometrie/fingerabdruck_kopieren?language=de (German)
http://www.ccc.de/biometrie/fingerabdruck_kopieren?language=en (English)

The usual "we'll sue you" noises are already being heard, which highlights
interesting questions about the fingerprints you leave behind..

------------------------------

Date: Fri, 28 Mar 2008 12:31:28 +0000
From: Tony Finch <dot@private>
Subject: DST transition time mismatches

The following cartoon makes an amusing observation about the recently
increased mismatch between European and American DST schedules.

http://www.telegraph.co.uk/money/graphics/2008/03/28/calex28.gif

f.anthony.n.finch <dot@private> http://dotat.at/

------------------------------

Date: Thu, 27 Mar 2008 16:58:52 -0700
From: Max Power <dist23@private>
Subject: Mini-Y2K fears over Aussie daylight saving change

My view has been and always will be:

Australia & NZ should totally abandon Daylight Savings Time (DST).

DST has no place in Australasia because most of Australia and NZ are
Semitropical or Temperate -- with the corresponding reduced variation in
sunrise and sunset times. The only region of Australasia that may even be
nominally affected by this change are the NZ provinces South of Canterbury
(where Christchurch is, South Island).

As part of the this region's attempts to reduce its carbon (CO2) output, a
policy of reasonable workplace scheduling needs to be instated. With the
abolition of Australia's "Work Choices" and some minor tweaks to NZ
employment contracts laws -- this can be done without disenfranchising
anyone.

As a matter of state policy, the Australia & NZ "Fee Trade Agreement" (FTA)
and the "Uniform Commercial Code" (UCC) needs to be amended to abolish DST,
as it creates a "NONUNIFORM competitive environment." Using DST is probably
more responsible for the loss of global competitiveness in Australasia, as
it creates totally unnecessary work in the commercial and governmental
sectors -- and needlessly endangers people's lives.

I hope the new Rudd government issues a Y2036/Y2038 compliance law that
forces the Federal and State governments to Audit their systems and
gradually impose compliance benchmarks as time goes on. The Unix/POSIX time
problem will negatively impact Australia's (and NZ's) global competitiveness
if it is allowed to remain unfixed.

Max Power, CEO, Power Broadcasting HireMe.geek.nz

Mini-Y2K fears over Aussie daylight saving change // By ASHER MOSES - SMH
| Friday, 28 March 2008
http://www.stuff.co.nz/4454030a28.html

The decision to extend daylight saving in south-eastern Australia could
create a mini-Y2K by putting the internal clocks on computers, smartphones
and corporate servers out of sync.

>From this year on, daylight saving in NSW, Victoria, ACT, Tasmania and South
Australia will end a week later than usual on the first Sunday in April and,
with the exception of Tasmania, recommence three weeks earlier on the first
Sunday in October.

The change was intended to harmonise daylight saving dates across the
country and give Australians more daylight hours, which in turn benefits the
environment by reducing evening electricity use.

Many electronic devices with internal clocks are set to adjust automatically
for daylight saving but, as a result of the recent date changes, the
adjustments this year will be incorrect.

The fallout for regular consumers could include missed meetings or
appointments, but corporations face bigger headaches as their internal
servers, fleets of BlackBerry devices and automated systems such as payroll,
stock trading and manufacturing are operating under the old daylight saving
regime.

Clocks must therefore be adjusted manually or via software updates from the
device makers.

A similar issue occurred in the United States last year when daylight saving
was changed to kick in three weeks earlier and end a week later. At the
time The New York Times reported it would cost public companies $US350
million to make computer fixes to deal with the changes.

Microsoft has issued an advisory to users of its Windows, Outlook and
Windows Mobile products recommending they download an update from
microsoft.com.au that will synchronise computer clocks with the daylight
saving changes.

"The synchronisation [issue] is not exclusive to Microsoft products. It
affects all devices that update automatically according to the old daylight
saving schedule," Microsoft's customer and partner experience director, Hugh
Jones, said.

IDC analyst Liam Gunson said widespread problems could occur if people were
not made aware of the issue and did not take action to fix it.

He said the same problems were predicted in New Zealand last year when
daylight saving changes were made but no serious problems eventuated.

"It was really just a matter of education and people knowing that they need
to download a certain patch or look at their IT systems and it appears that
most people did," he said.

The issue has been likened to the Y2K or millennium bug, albeit on a far
smaller scale and with less serious consequences.

Y2K caused chaos leading into the new millennium as it was feared computer
systems, which stored years as only two digits, would be unable to recognise
dates from 2000 onwards.

Governments spent hundreds of billions of dollars working to fix the
problem, with computer engineers predicting doomsday scenarios such as that
critical finance and electricity industries would stop operating and planes
would fall out of the sky.

However, when the year 2000 finally arrived, there were no major computer
disasters. There is debate over whether this was a result of the immense
preparation for Y2K or people overstating the seriousness of the problem.

------------------------------

Date: Wed, 19 Mar 2008 17:34:31 -0400
From: Ed Ravin <eravin@private>
Subject: NYPD erases crime statistics for February 29

*The Village Voice* reports that the New York City Police Department's
"CompStat" report for the 9th Precinct shows zero homicides in 2008. In
spite of Tina Negron having been murdered in an East Village supermarket on
February 29, 2008:

You have to go to the fine print - an asterisk at the bottom of the stats
- to get what's kind of an explanation: "Crime figures for February 29,
2008 ... were excluded to ensure accurate comparisons."

Negron wasn't the only victim who was victimized again by the stats. A
total of 248 felonies, including two murders, occurred citywide on
February 29. But they were excluded from the CompStat analysis - the
NYPD's method of tracking seven "major" crime categories (murder, rape,
robbery, felonious assault, burglary, car theft, and grand larceny). [...]

The NYPD press office's top CompStat guru didn't return several phone
calls from the Voice. But according to published reports in 2004, the NYPD
stopped counting Leap Day statistics in 2000. Attributing the reasons to
an unnamed police spokesman, a Daily News story explained that Leap Day is
withheld from CompStat because "adding the extra day ... could show an
unreliable increase in crime in comparison with the prior weeks and months
and cause changes in deployment when it is not really necessary."

Full story at:

http://www.villagevoice.com/news/0812,The-NYPD-Ignores-Leap-Day-Crimes,381244,2.html

The cooked statistics from the NYPD for the 9th Precinct are viewable here:

http://nyc.gov/html/nypd/downloads/pdf/crime_statistics/cs009pct.pdf

[note that the footnote that crime stats for Leap Day were excluded does not
appear in that PDF, but it does appear on other CompStat reports at the same
web site]

See also my post in RISKS-13.69 describing how the NYPD played computer
games with a performance metric in their 911 dispatch system, and
RISKS-24.28 on much more blatant (and unauthorized) rigging of the crime
statistics in a different precinct by a high-ranking cop who wanted to
improve his numbers.

Crime statistics have been used as political bludgeons for years in NYC and
it's not surprising that the NYPD takes every step possible to avoid looking
bad. I wonder what crimes happened on February 29, 2000, that prompted that
policy change in the first place?

[Also noted by Danny Burstein, who noted that other big cities (such
as LAPD) include leap-day numbers. PGN]

------------------------------

Date: Fri, 28 Mar 2008 15:12:09 -0700
From: David Farber <dave@private>
Subject: More flights canceled as Heathrow remains in chaos [IP]

More flights canceled as Heathrow remains in chaos
By Alan Cowell The New York Times
Friday, March 28, 2008

British Airways canceled dozens of flights at Heathrow's glittery new
Terminal 5 on Friday as its staff struggled for the second day with
state-of-the-art technology that was supposed to hasten check-in procedures
and make flying a pleasure.

The hitches since the terminal opened to passengers on Thursday were
"definitely not British Airways' finest hour," the airline's chief
executive, Willie Walsh, said as he offered a personal, public apology for
disrupting the travel plans of thousands of people.

British Airways canceled almost 70 flights on Thursday, after a day of
delays caused by baggage handling problems. On what was supposed to be the
first full day of operations at Terminal 5, many flights took off with their
holds empty, carrying passengers with just cabin baggage.

Some passengers slept overnight in the steel-and-glass terminal - reviving
precisely those images of delay and decline in British aviation that British
Airways said it would banish with the opening of the new terminal.

As a result, Walsh said, about 36 flights out of Terminal 5 - mainly
short-haul and domestic - were canceled in advance Friday to ease pressure
on staff members dealing with unfamiliar procedures and systems.

Walsh said there had been "problems in the car parks, airport areas,
computer glitches and the baggage system."

About the prospects for the weekend, he said Friday: "I would expect some
disruption tomorrow, but I think it will become better as we become
accustomed to the building and the quirks of the systems."

Travelers arriving early Friday confronted what one traveler, Tony Pascoe,
35, called chaos as they stood in line for several hours only to be told
their flight had been canceled.

"It was chaotic," he told Britain's Press Association, "Everyone who had
been queuing were annoyed and a lot of jostling and arguing started. Then
the desk just crashed so everyone stood there.

"It is diabolical. I am a frequent traveler and this is the worst experience
ever - it is absolutely shocking."

"This is a public relations disaster at a time when London and the U.K. are
positioning themselves as global players," said David Frost, director
general of the British Chambers of Commerce. "We can only hope that this
will provide a wake-up call as we gear ourselves up to host the Olympics in
2012."

Heathrow is one of the world's busiest airports, handling about 67 million
passengers a year. The new terminal - reserved exclusively for use by
British Airways - was designed to counter the airport's image as an
unpleasant place for travelers. The building cost about $8.7 billion and has
10 miles of baggage-conveyor belts supposed to carry up to 12,000 items of
luggage an hour. But the baggage system has been at the heart of the
start-up problems.

Other airlines, excluded from Terminal 5, took some delight in claiming to pick up business from British Airways as travelers switched to carriers operating out of Heathrow's older terminals.


And a private aviation company, Netjets, said in a statement that the number
of people seeking private business flights had risen by 88 percent over a
24-hour period as "travelers sought to bypass the chaos of the opening of
Terminal 5 at Heathrow."

http://www.iht.com/articles/2008/03/28/europe/heathrow.php

Archives: http://www.listbox.com/member/archive/247/=now

------------------------------

Date: Sat, 29 Mar 2008 12:14:43 +0200
From: Diomidis Spinellis <dds@private>
Subject: Heathrow: The risks of hubris

I assume other comp.risks contributors will by now have provided the details
and the background regarding the problems of Heathrow's terminal 5: the
parking sign snags, the baggage processing backlog, the canceled flights,
and the resulting chaos. A related interesting angle is an email that
British Airways circulated to its customers on the day of the terminal's
opening. Here are some notable excerpts, as highlighted by a colleague who
brought this to my attention:

- - - -

Dear Mr [...],

Five and a half years ago the building of our new home began in our most
visionary project to date. Today we opened the doors. There is no more
waiting... Terminal 5 welcomes you.

*At Terminal 5 everything has been streamlined and designed to make your
journey through the terminal calm and relaxed.* And this morning we saw all
the planning fall into place.

The next time you fly in to, or on from Terminal 5, *you'll experience for
yourself how all the planning and careful design has fallen into place.* The
arrivals Gates are conveniently located to minimise your walk from the plane
and if you're transferring to another flight, Flight Connections is so
smooth, you'll be through in 20 minutes.

*A state-of-the-art baggage system*, a shopping concourse that rivals
London's West End, and an array of tempting restaurants, bars and cafes to
choose from, you'll discover nothing has been overlooked to ensure *your
time at Terminal 5 is spent in a most relaxing and enjoyable way.* [...]

In this case the risk is that the making of grandiose claims about
yet-to-be-established performance can easily backfire.

Diomidis Spinellis - Athens University of Economics and Business
http://www.dmst.aueb.gr/dds

------------------------------

Date: Sun, 23 Mar 2008 02:16:14 -0400
From: "Bern Grush" <bgrush@private>
Subject: GPS Errors are riskier than you may imagine:
consider Liability-Critical Applications

re: http://catless.ncl.ac.uk/php/risks/search.php?query=gps

I note, after searching this RISKS database of items on "GPS", that a
considerable number of observations from your writers re GPS errors are
actually errors in the mapping data bases that are used in navigation system
applications (e.g., automotive navigation), rather than a GPS positioning
error due to signal errors per se. This distinction may not be interesting
when you are lost in your car, but it is critical in other applications.

GPS position estimates have inherent errors (generally of a couple of meters
in "open sky" circumstances, but possibly 100s of meters on some occasions
due to "non-line-of sight multipath error" in especially built-up urban
areas. Some GPS-Auto-Nav users will have noted temporary errors such as
their position being displayed on the wrong road. The difficulty is more
subtle than writers surmise. There are indeed errors in the maps being
used. Even if a map is correct when installed in your device, roads change.
But at any one moment how can you be sure an error is in the positioning
estimate or on the map. You really need to rely on signage if it is
available.

But worse than all this is that we are on the cusp of deploying GPS-based
road-tolling systems, the majority of which will depend on map-matching
algorithms to determine which road you are on or which "cordon" you are in
to calculate a charge. These tolling systems will be subject to error for
the same fundamental two reasons signal errors and map errors.

The risk here is that tens of companies are building and tens of
municipalities and tens of counties are considering investing in GPS-tolling
systems that will critically rely on map-matching.

Considering that the very first such system (Germany) cost far in excess of
Euro 10^9, these companies, cities and countries are about to put many, many
billions at risk. Any decent lawyer could cobble together a class action
suit to defeat charges based on map-matching. They only need your
collection of emails to show negligent system design.

Bern Grush, Chief Scientist | skymetercorp.com
desk +1 416 673 8406 | cell +1 647 218 8600

------------------------------

Date: Sat, 15 Mar 2008 18:14:56 -0700
From: "Rick Damiani" <rick@private>
Subject: Re: Securing The Wrong Spaces: A Lesson (Ferguson, RISKS-25.06)

This isn't actually a design flaw or oversight. Naval vessels (like every
other ocean-going ships) are equipped with surface search radar, but naval
vessels often don't use it. RADAR emissions can be detected at twice the
distance they can 'see', so a warship running it's surface search RADAR is
both broadcasting it's position and telling everyone how far away they can
stay and not be detected. That's often not the most useful thing a warship
could do.

The real failure here was undoubtedly much more complex than simply not
running the RADAR though. The underway watch team charged with safe
operation of the ship (i.e. those actually involved in navigation and
maneuvering) on a military vessel usually includes a couple of dozen people,
including several equipped with nothing more sophisticated than binoculars
and a sound-powered phone. That all of them missed seeing the boat until
they hit it speaks less of electronic failures and more of some kind of
systemic personnel issue.

Rick Damiani, Applications Engineer, The Paton Group, California: (310)429-7095

------------------------------

Date: Thu, 27 Mar 2008 20:31:20 -0400
From: Graham Reed <greed@private>
Subject: Re: Arrest over phone system bug: Trailing zeroes (RISKS-25.09)

The "trailing zeros" bug Rick Damiani wrote about in RISKS 25.09 reminded me
of a similar, but fortunately far less intrusive, problem a friend of mine
had with his ADSL connection.

I had recommended the ISP I had recently begun using, and he'd happily
signed up and got his modem and router configured and working
perfectly... well, mostly perfectly. A few web sites, without any apparent
relation, just wouldn't work when he went to them with his new DSL account.
Switching back to the old account, everything was fine. (And I'd thought
PPPoE could never have a benefit.)

Since I'd recommended the ISP, I was on the hook here, especially since my
connection had been, and continues to be, quite reliable.

So I did the usual pings and traceroutes and didn't notice anything other
than the usual "ICMP is scary" lossage. No two of the failing web sites
seemed to be network-ologically related, so it didn't look like a particular
carrier having issues with that ISP... and, anyway, I could get to all of
them--via the same hops.

In desperation, we went into his router's set-up. It didn't _feel_ like a
Path MTU discovery problem, but I was out of ideas. Then I noticed the IP
address of his modem: x.y.z.0/32. A perfectly legitimate host address for a
point-to-point connection.

So we called up the ISP's support desk, and told the guy there what was
happening and my suspicion about the "trailing 0" being a problem. It
wasn't _wrong_, but it was the only thing odd I could see. The guy at the
ISP agreed, right down to the "it's not wrong but it's unusual" feeling, and
assigned a new IP with a non-zero final octet to my friend. Sure enough,
all the missing web sites turned up.

My guess was that some providers were dumping packets purporting to be from
a /24 network address, making the assumption that an all-zeroes final octet
must mean the packet is spoofed. Which is fine for /24 all the way up to
/31. But for anything else, you're at RISK of having a legitimate host
address junked.

/24 is common. Really, really common. But we all know the RISKs that arise
when we treat "common" as if it was "only". You can't tell what my address
structure is; even before CIDR, I was regularly working in subnetted class A
space, and our netmasks never left the building.

(Either that, or someone had heard the old saw that "auditors reject any
line item that ends in 5 or 0.")

------------------------------

Date: Thu, 27 Mar 2008 18:35:48 -0700 (PDT)
From: stanley@private
Subject: Thieves become victims?

In RISKS-25.09, Mark Brader wrote a submission with the subject: "Hoax on
Craiglist causes duped victims to steal property." A demonstration of how
making the "long story short" changes the story completely. [PGN-ed and
oversimplified; don't blame Mark.]

The victim was not unsuspecting when he returned home. He had received a
phonecall while away from home from someone about the horse, which was in
much better shape than it should have been had it been abandoned. While
driving home, he passed several people with truckloads of property he knew
was his. When stopped and told they had his property, they ignored him. When
he arrived home, he found more people, some of whom showed him a printout of
the craigslist entry as proof that they could steal his property, and many
of them drove off with more of his stuff, after being told they were
stealing.

There were no "duped victims". The victim cannot, by definition, steal his
own property. Those who stole were dupes, but they aren't the victims here
in any reasonable sense of the word. The people who got the property
profited.

The local sheriff has already gone on record as saying that those who took
the property face criminal charges if caught, but have been given an
opportunity to return what they took with no questions asked.

Let's not allow technology cloud the ethics and results. Sometimes dupes are
the victims, as in 419 scams, but here the victim was the fellow whose
property was stolen. Those who were presented with a "too good to be true"
opportunity this time are the thieves, and could have prevented a lot of
damage had they simply called the fellow whose stuff they wanted to take to
make sure.

------------------------------

Date: 17 Oct 2007 (LAST-MODIFIED)
From: RISKS-request@private
Subject: Abridged info on RISKS (comp.risks)

The ACM RISKS Forum is a MODERATED digest, with Usenet equivalent comp.risks.
=> SUBSCRIPTIONS: PLEASE read RISKS as a newsgroup (comp.risks or equivalent)
if possible and convenient for you. The mailman web interface can
be used directly to subscribe and unsubscribe:
http://lists.csl.sri.com/mailman/listinfo/risks
Alternatively, to subscribe or unsubscribe via e-mail to mailman
your FROM: address, send a message to
risks-request@private
containing only the one-word text subscribe or unsubscribe. You may
also specify a different receiving address: subscribe address= ... .
You may short-circuit that process by sending directly to either
risks-subscribe@private or risks-unsubscribe@private
depending on which action is to be taken.

Subscription and unsubscription requests require that you reply to a
confirmation message sent to the subscribing mail address. Instructions
are included in the confirmation message. Each issue of RISKS that you
receive contains information on how to post, unsubscribe, etc.

=> The complete INFO file (submissions, default disclaimers, archive sites,
copyright policy, etc.) is online.
<http://www.CSL.sri.com/risksinfo.html>
The full info file may appear now and then in RISKS issues.
*** Contributors are assumed to have read the full info file for guidelines.

=> .UK users should contact <Lindsay.Marshall@private>.
=> SPAM challenge-responses will not be honored. Instead, use an alternative
address from which you NEVER send mail!
=> SUBMISSIONS: to risks@private with meaningful SUBJECT: line.
*** NOTE: Including the string "notsp" at the beginning or end of the subject
*** line will be very helpful in separating real contributions from spam.
*** This attention-string may change, so watch this space now and then.
=> ARCHIVES: ftp://ftp.sri.com/risks for current volume
or ftp://ftp.sri.com/VL/risks for previous VoLume
<http://www.risks.org> redirects you to Lindsay Marshall's Newcastle archive
http://catless.ncl.ac.uk/Risks/VL.IS.html gets you VoLume, ISsue.
Lindsay has also added to the Newcastle catless site a palmtop version
of the most recent RISKS issue and a WAP version that works for many but
not all telephones: http://catless.ncl.ac.uk/w/r
<http://the.wiretapped.net/security/info/textfiles/risks-digest/> .
==> PGN's comprehensive historical Illustrative Risks summary of one liners:
<http://www.csl.sri.com/illustrative.html> for browsing,
<http://www.csl.sri.com/illustrative.pdf> or .ps for printing
==> Special Offer to Join ACM for readers of the ACM RISKS Forum:
<http://www.acm.org/joinacm1>

------------------------------

End of RISKS-FORUM Digest 25.10
************************

]]> Mon, 31 Mar 2008 17:17:06 PDT RISKS List Owner http://lists.jammed.com/RISKS/2008/05/0000.html RISKS-LIST: Risks-Forum Digest Friday 2 May 2008 Volume 25 : Issue 14

ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, moderator, chmn ACM Committee on Computers and Public Policy

***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org> as
<http://catless.ncl.ac.uk/Risks/25.14.html>
The current issue can be found at
<http://www.csl.sri.com/users/risko/risks.txt>

Contents:
U.S. Customs computer system fails nationwide (PGN)
Protecting Yourself From Suspicionless Searches While Traveling
(Jennifer Granick via Monty Solomon)
Air marshals' names tagged on 'no-fly' list (Audrey Hudson via Monty Solomon)
Italy posts salary details on web (Amos Shapir)
Tot dies after Internet 911 call fails to reach dispatchers (Tony Toews)
Canadian Human Rights Commission investigator hijacks woman's Internet
connection (Kelly Bert Manning)
Microsoft anti-encryption toolkit (David Lesher)
"Default Password" exploits still work (William Nico)
Protecting credit card holders (Kearton Rees)
Police officer uses real witness statement as template document
(Identity withheld by request)
False alarm guaranteed after 7 years (Daniel P.B. Smith)
Facial recognition in airports... please say it's April 1st. (Fred Cohen)
Re: Face scans for UK air passengers (Peter Houppermans)
Re: 30th Spamiversary (Amos Shapir)
Re: Real-time spying on credit card holders (Nick Brown)
Blown to Bits, Abelson/Ledeen/Lewis (PGN)
Abridged info on RISKS (comp.risks)

----------------------------------------------------------------------

Date: Thu, 1 May 2008 9:52:37 PDT
From: "Peter G. Neumann" <neumann@private>
Subject: U.S. Customs computer system fails nationwide

The CNN Wire reported on 30 Apr 2008 that a nationwide computer failure shut
down terminals at U.S. Customs entry points. However, a backup system on
laptops appears to have worked, instituted after previous system failures
(e.g., 18 Aug 2005, RISKS-24.02).

------------------------------

Date: Thu, 1 May 2008 22:22:29 -0400
From: Monty Solomon <monty@private>
Subject: Protecting Yourself From Suspicionless Searches While Traveling

Protecting Yourself From Suspicionless Searches While Traveling
Posted by Jennifer Granick, 1 May 2008

The Ninth Circuit's recent ruling (pdf) in United States v. Arnold allows
border patrol agents to search your laptop or other digital device without
limitation when you are entering the country. EFF and many civil liberties,
travelers' rights, immigration advocacy and professional organizations are
concerned that unfettered laptop searches endanger trade secrets,
attorney-client communications, and other private information. These groups
have signed a letter asking Congress to hold hearings to find out what
protocol, if any, Customs and Border Protection (CBP) follows in searching
digital devices and copying, storing and using travelers' data. The letter
also asks Congress to pass legislation protecting travelers' laptops and
smart phones from unlimited government scrutiny.

If privacy at the border is important to you, contact Congress now and ask
them to take action!

In the meantime, how can international travelers protect themselves at the
U.S. border, short of leaving their laptops and iPhones at home? ...

http://www.eff.org/deeplinks/2008/05/protecting-yourself-suspicionless-searches-while-t

------------------------------

Date: Wed, 30 Apr 2008 09:05:22 -0400
From: Monty Solomon <monty@private>
Subject: Air marshals' names tagged on 'no-fly' list

Some federal air marshals have been denied entry to flights they are
assigned to protect when their names matched those on the terrorist no-fly
list, and the agency says it's now taking steps to make sure their agents
are allowed to board in the future. [Source: Audrey Hudson, *Washington
Times*, 29 Apr 2008]

http://www.washingtontimes.com/apps/pbcs.dll/article?AID=/20080429/NATION/782525487/1001

------------------------------

Date: Thu, 1 May 2008 17:27:21 +0300
From: Amos Shapir <amos083@private>
Subject: Italy posts salary details on web

"There has been outrage in Italy after the outgoing government published
every Italian's declared earnings and tax contributions on the Internet."
Apparently this was not a bug, but intentional. In any case, the full
details of every Italian's income and tax returns were posted without
warning on the Net for anyone to see, for at least 24 hours. (BBC report)
<http://news.bbc.co.uk/1/hi/world/europe/7376608.stm>

------------------------------

Date: Wed, 30 Apr 2008 23:30:58 -0600
From: Tony Toews <tony@private>
Subject: Tot dies after Internet 911 call fails to reach dispatchers

18-month-old Elijah Luck died on 29 Apr 2008 after his aunt called 911 from
the family's Comwave VoIP phone at home in in Coventry, but an ambulance
reportedly took more than half an hour to arrive -- with the call center
being slow in transfering the call to the Calgary dispatch.
<http://www.canada.com/calgaryherald/news/story.html?id=3cb08a17-9abf-4a50-9665-51a15732df5d&k=39015>

[Also noted by Mark Brader. No guarantees on longevity of URLs. PGN]
http://www.ctv.ca/servlet/ArticleNews/print/CTVNews/20080501/voip_911call_080501/20080501/?hub=TopStories&subhub=PrintStory
http://calsun.canoe.ca/News/Columnists/Platt_Michael/2008/05/02/5448331-sun.php

------------------------------

Date: Sun, 27 Apr 2008 16:40:10 -0400 (EDT)
From: bo774@private (Kelly Bert Manning)
Subject: Canadian Human Rights Commission investigator hijacks woman's Internet connection

A woman caught up in a mysterious Internet hijacking scandal that has
sparked a federal privacy investigation into the Canadian Human Rights
Commission says she was shocked, angry and confused at suddenly finding
herself publicly associated with white supremacists. ... In response to
a subpoena, Bell Canada linked Jadewarr to Ms. Hechme's personal Internet
account, and provided her address and telephone number at the public
hearing. [Source: Colin Perkel, Internet hijacking 'disturbing', says
Ottawa woman, Canadian Press, 27 Apr 2008
http://www.theglobeandmail.com/servlet/story/RTGAM.20080427.whijacknet0427/BNStory/National/home

Luckily for Ms. Hechme the Human Right of Privacy is protected by a
different Federal Commission in Canada.

------------------------------

Date: Thu, 1 May 2008 16:11:13 -0400 (EDT)
From: "David Lesher" <wb8foz@private>
Subject: Microsoft anti-encryption toolkit

Subject: Microsoft Helps Law Enforcement Get Around Encryption - New York Times
X-URL: http://www.nytimes.com/idg/IDG_852573C4006938808825743900804723.html?ref=technology&pagewanted=print

Microsoft Helps Law Enforcement Get Around Encryption, 30 Apr 2008

The growing use of encryption software like Microsoft's own BitLocker
by cyber criminals has led Microsoft to develop a set of tools that law
enforcement agents can use to get around the software, executives at the
company said.

Microsoft first released the toolset, called the Computer Online Forensic
Evidence Extractor (COFEE), to law enforcement last June and it's now
being used by about 2,000 agents around the world, said Anthony Fung,
senior regional manager for Asia Pacific in Microsoft's Internet Safety
and Anti-Counterfeiting group. Microsoft gives the software to agents for
free. ...

Miscellaneous thoughts:

00) Who says it's only "cyber criminals" using file encryption; and
[what we used to think of was..] law enforcement using such tools?
Note Fung's group's title.

01) This reminds me of Spy vs. Spy; except where both sides work for the
same side. It brings in all the issues the NSA has faced over the decades:
("Do we plug this hole now; or will Boris see we did, and stop using
their version of X?")

Who is MSFT's real customer; the user or the LE/FI community? How long
before Redmond gets pressured to weaken BitLocker because COFEE can't
help? What will their response be?

10) Wigglers, a faux-use mouse designed to forestall a screen-saver activation,
have been around for a while. How long until some encryption code author
puts a random pop-up interrogation into their code? I.e. even if the
system is ""busy"" it suddenly asks for a response, a simple CAPTCHA.
When it gets a wrong answer, it stops and demands the full pass-phrase.
[Another approach would be to immediately demand same when a new device
is found by the OS.]

11) We are seeing more laptops & phones being searched and/or confiscated by
DHS at US borders. I suspect many multinational corporations will sacrifice
an encrypted laptop rather than reveal its contents.

100) Will shortcoming of COFEE et.al. push the legal system into a major
test case of coerced passphrase release? ["Give up your password or rot
in jail?"]

May you live in interesting times.

------------------------------

Date: Mon, 28 Apr 2008 14:16:42 -0700 (PDT)
From: William Nico <nico@private>
Subject: "Default Password" exploits still work

An article in the Contra Costa Times 26 April under the headline
"1,500 gallons of gas swiped"
[http://www.contracostatimes.com/lafayette/ci_9057588?nclick_check=1]
implies that the thief/thieves used an access code on the pumps, which
had not been changed from the manufacturer's default, to keep the
volume of pumped gas from being reported. Here are a couple of
paragraphs excerpted from the article:

"... Between March 31 and April 7, he [the proprietor] noticed large
disparities between what his fuel counters were showing and what was
actually sloshing around in his station's underground storage tanks. ...
"He contacted police and soon figured out that someone had unlocked a panel
on one of the pumps and punched in a code on an internal key pad. The code
disables the pump from requiring remote authorization to activate. The
authorization system is legitimately used to cut off gas flow and allow
maintenance workers to clean valves. ... "... someone versed in fuel pump
maintenance was a likely culprit, since a lay person or even a station owner
like himself lacks the technical knowledge to pull off such a feat. ...
"[The proprietor] installed reinforced locks in his underground storage
tanks and entered a new authorization code inside the fuel pumps -- changing
it from a default code entered by the pump manufacturer, which is why he
suspects the thief had trade knowledge."

William R. Nico, California State University East Bay Hayward, CA 94542-3092
www.mcs.csueastbay.edu/~nico (510)885-3386 Math. and Comp. Science Emeritus

------------------------------

Date: Tue, 29 Apr 2008 14:45:26 +0100
From: <kearton.rees@private>
Subject: Protecting credit card holders

A BBC consumer programme "Watchdog" reported recently (28 Apr 2008) on cases
where credit card companies' computer based fraud detection systems were
disabling users cards when they detected unusual, and possibly fraudulent,
spending patterns. However, all the users concerned were on holiday abroad
(New York, South Africa & Rome ) and left stranded with little or no money
it then took four or five days and a lot of effort to get the cards
re-enabled. In some case this caused the users to have to cancel significant
chunks of a 'holiday of a life-time'. In one case the bank *had* tried to
contact the user by sending an e-mail to his home address, whilst he was
stuck in New York with no money.

The bank's responses were essentially that these systems were there to
protect their users from fraud and that users should let their banks know
when they are likely to be going somewhere different so that such situations
can be avoided. However, the cancellations had happened to some users
despite doing this. It seems the decisions were made solely by the computers
with no recourse to the users' branch manager (for example) or to any
information provided by the user on their whereabouts.

The banks mentioned seemed to only be prepared to pay a small amount of
compensation (100 pounds max for the situations in the programme), nothing
near what it cost some users to call their bank's customer services from
South Africa. (Being able to contact the banks' customer services
departments easily from abroad was another sore point.)

The main learning point is that you should always take several different
means of paying when you go abroad.

British Telecommunications plc Adastral Park, Martlesham, Ipswich, UK, IP5 3RE
Kearton.Rees@private | www.btbrand.bt.com

------------------------------

Date: Mon, 28 Apr 2008
From: [Identity withheld by request]
Subject: Police officer uses real witness statement as template document

I was recently the victim of a (very minor) assault. This was reported to
the police, and in due course I went to the police station to provide a
formal witness statement. The officer charged with making the statement said
that,to save time, he would type up the statement as I gave it rather than
writing it down by hand and then typing it up later. He then led me into a
computer room, much as one would find in a school or university for use by
the students (indeed, some of the notices on the wall seemed to imply that
the room was often used for training courses but happened to be vacant at
that time) and logged in to Windows. He then opened up a folder with a large
number of MS Word documents and clicked on one to open it. Initially I
assumed that this was a template file, but when it appeared on the screen it
didn't appear to have the blank spaces and "WRITE WITNESS' NAME HERE"
phrases that one would expect. Intrigued, I looked closer and saw that the
text appeared to be a witness statement about another assault that had
happened about a week before mine. This was confirmed when the officer asked
me not to look at the text at the bottom of the screen, because it was a
private witness statement about another crime.

The officer then set about typing up my witness statement thus: he added
several blank lines at the beginning of the document and then began cutting
and pasting sentences or sometimes whole paragraphs from the bottom half<