The Risks Digest

The RISKS Digest

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Volume 21 Issue 48

Monday 18 June 2001

Contents

Unexpected network congestion: remote consequences of Seti@Home
Steve Loughran
Site puts private cell calls on Web
Bruce Hamilton
European Commission "Net-security" site invaded by hackers
Declan McCullagh
Formula 1's string of control-system failures
Stellios Keskinidis
A320 Incident
Peter B. Ladkin
Re: Computer train trauma
Philip Nasadowski
Lincolnshire University offers first course on rail disasters
Tom Van Vleck
NYSE: "Throw up your hands and reboot"
Chris Norloff
Re: Billboard error messages
David M Chess
Response to LWN's statement about Linux security costs
Kevin Postlewaite via Gerrit Muller
Windows XP adds its own links
George C. Kaplan
Re: Office XP modifies what you type
Andy Newman
Gerard A. Joseph
Re: Steve Gibson's and Windows XP
Chris Dodd
Re: The risks of clueless marketing
Tony Martin-Jones
Re: And you thought Keith Lynch was kidding!
Phil Carmody
Paul Ward
Ken Knowlton
On the deceptiveness of pop-under ads
ocschwar
Info on RISKS (comp.risks)

Unexpected network congestion: remote consequences of Seti@Home

<"Steve Loughran" <slo4@iseran.com>>
Tue, 12 Jun 2001 17:10:24 -0700

I came across an interesting little article on Sun's best practices site,
titled, "Network Wedged by Little Green Men"
  http://dcb.sun.com/practices/devtales/network_wedged.jsp

It covers how a small firm's network kept on slowing down to a halt. The
problem was tracked down to Seti@home screen savers repeatedly trying to
connect to the Seti servers, which were inaccessible due to attempted cable
theft (as noted in past RISKS).  The local firm's Internet access used NAT
address translation, and each screen saver made multiple attempts to
connect.  Each connection attempt used a NAT assignment, an assignment which
took a while to be cleaned up. Before long the company had exhausted their
pool of 128 NAT addresses, even though only six people were present. Only
through router interrogation was the problem identified.

The article closes by saying the problem was "solved" by increasing the
number of available NAT addresses, although of course that didn't fix the
problem, merely caused it to 'go away'. A real solution would be to have the
screen-saver software implement incremental backoff and other mechanisms
designed to gracefully handle a complete loss of remote server access.

One would hope that the authors of the next generation of distributed
computation applications take heed of the lessons of the current batch.

-Steve


Site puts private cell calls on Web

<bruce_hamilton@agilent.com>
Thu, 7 Jun 2001 10:57:01 -0700

Citizens in Ottawa were probably not aware that they were providing content
for a new Web site that streams live audio onto the Net. The site uses
conversations pulled from a radio that scans cellphone frequencies in the
city.  *CTIA Daily News* <http://www.canoe.ca/OttawaNews/OS.OS-06-07-0003.html>

Bruce Hamilton bruce_hamilton@agilent.com  Tel: 650-485-2818  Fax: 650-485-8092
Agilent Technologies MS 24M-A, 3500 Deer Creek Road, Palo Alto CA 94303


European Commission "Net-security" site invaded by hackers

<Declan McCullagh <declan@well.com>>
Wed, 13 Jun 2001 09:58:18 -0400

European 'safer Internet' site hit by hackers, By Joris Evers (IDG)
http://www.cnn.com/2001/TECH/internet/06/11/safer.net.hack.idg/index.html

Hackers embarrassed the European Commission last week by identifying and
exploiting two security holes on a new commission-sponsored Web site that
promotes safer use of the Internet. One of the holes allowed the hackers to
get administrator privileges on the server that powers the Safer Internet
Exchange site [...]


Formula 1's string of control-system failures

<Stellios Keskinidis <stelliosk@optushome.com.au>>
Fri, 8 Jun 2001 18:35:48 +1000 (EST)

If you've been watching F1 over the past month or so you would of very
likely heard about making launch control and traction control systems
legal and how nearly all teams are using them. Unfortunately, not all
things have been going to plan for team I am the most a fan of -

"Since the electronic device was legalised by the FIA at the Spanish Grand
Prix, Mika Hakkinen has fallen foul of it once and Coulthard twice.
Software programming has been stated as being the main cause of its
malfunction."

	- http://www.formula1.com/news/headlines01/06/s5819.html

and further

"Coulthard stalled his car on the grid at the first traction control race
in Barcelona prompting team boss Ron Dennis (Team Boss), to accuse him of
'Brain fade'....  Dennis admitted that it was a software glitch and he was
wrong to have thought that it may have been down to driver error. "

	- http://www.formula1.com/news/headlines01/05/s5731.html

not to mention the four cars that stalled it on the grid in Austria

"Several teams have expressed their anxiety over the possibility of a
recurrence of the situation in Austria, where four cars failed to start.
With the narrowness of the makeshift pit straight on the Monte Carlo
street circuit there will be less room in which to manoeuvre cars and
avoid potential disaster."

	- http://www.formula1.com/news/headlines01/05/s5607.html

Are the cars becoming too computerised and resulting in more points of
failure? Are the teams throwing themselves out of the competition by not
testing properly, possibly due to the time constraints? The catch there is
that they think they are ready (in testing) when they are not in a live run
paying a costly price. Just another classic case of Software Engineering.

Cars can only go so fast around any track, I think within the next 5-10
years they will reach their limits in speed and the teams will focus more
than they are now, on the "computerisation" of the car where we will see
more failures/crashes and stalls on the grid.

This sounds all too familiar when the aviation industry embraced
technology. Are they repeating those mistakes?  It can now be said "Would
you hop into a car that travels over 300km/h that is controlled by
software you wrote".

One thing is for sure, this is soon to be race against technology and not
who was the better driver on the day and as if it wasn't already a 2-man
race anyway (Mclaren and Ferrari).

Stellios Keskinidis  http://members.optushome.com.au/stelliosk


A320 Incident

<"Peter B. Ladkin" <ladkin@rvs.uni-bielefeld.de>>
Mon, 18 Jun 2001 12:54:17 +0200

Tim van Beveren reported in *Flight International*, 22-28 May 2001, on a 20
Mar 2001 incident to a Lufthansa Airbus A320 on takeoff from Frankfurt.
This incident was reported at greater length and detail in *Air Safety Week*,
4 Jun 2001, by David Evans and Tim van Beveren.

The captain was Pilot Flying (PF). there was some degree of turbulence
during takeoff, shortly after rotation, which resulted in the left wing
moving down. The captain applied correction (right lateral roll control) but
the wing dipped further left, reaching 21 degrees bank, and the wingtip is
reported to have come within half a meter of the ground, and according to
computer modelling of the digital flight data recorder the airplane "came
within a few seconds of striking the ground".

The First Officer, the pilot not flying (PNF), realising there could be a
control problem, switched "priority" to his sidestick controller and
recovered the aircraft. The aircraft was flown up to 12,000ft on autopilot,
the crew confirmed the problem, that the CAP's sidestick was controlling for
roll in the reverse sense (normally, putting the sidestick to the left
commands left roll; to the right commands right roll.  Control-reversal here
means that CAP's sidestick gave right roll on a left movement and left roll
on a right movement).

The aircraft had just come out of maintenance. Maintenance is a known risk --
James Reason, an authority on human factors in aviation safety and Professor
of Psychology at the University of Manchester, amongst others, has detailed
how significant problems may arise through maintenance of complex systems.

It has happened many times that aircraft have come out of maintenance with
control systems reversed in one or more of the three axes (roll, pitch,
yaw). This has been the cause of a number of accidents with general aviation
aircraft, but my informal requests for information turned up no recent
accidents to commercial aircraft due to this cause. Evans and van Beveren
report that "reversed controls are deemed impossible on transport-category
aircraft" and that Boeing claims that the B737 aircraft cannot be
reverse-connected without it being discovered before flight, normally
through mandatory post-maintenance checks, but at the latest by the pilot's
preflight check, as the controls could not be moved.

At Lufthansa's code-sharing partner, United Air Lines, certified inspectors
must be stationed both inside and outside the cockpit to conduct a
functional check after the flight control system has been worked on; a
flight test is also required before the aircraft is returned to service
after this kind of repair. It is believed that either of these measures
would have caught the control-reversal problem, and so general maintenance
procedures at Lufthansa Technik will be subject to detailed inquiry.

There have been a number of reports as to what fault caused the lateral
control reversal, including the two sources above. However, I have found
none of the explanations so far satisfactory, as they raise further puzzles
that they do not solve.

The following architectural description of the A320 primary flight control
system (PFCS) is drawn from Cary R. Spitzer, Digital Avionics Systems,
Second Edition, McGraw-Hill 1993. The A320 sidestick controller generates
input to five of the seven flight control computers which form part of the
primary flight control system (PFCS). These five are the two Elevator
Aileron Computers (ELACs) and the three Spoiler Elevator Computers (SECs).
Each wing has two outboard ailerons, and five inboard spoilers (overwing
surfaces which can be raised). Lateral (roll) control proceeds via four of
the five spoilers and the two ailerons. Each of the two ELACS and three SECs
control some combination of these 12 control surfaces. There is a
significant amount of control redundancy.

Initial reports said that Lufthansa Technik personnel had been repairing
one of the two ELACs, and had found a damaged pin on a connector. They
had replaced the connector and this had apparently caused the control
reversal. This explanation made no sense to me as it stood, because
(a) the connectors are standardised. Replacing one with another should
    give exactly the same connections as were there before;
(b) if one ELAC was receiving reversed signals, and the other was not,
    and the three SECs were not, then
  (i) the PFCS architecture would detect a discrepancy on the channels, and
  (ii) on each side, one aileron would operate counter to the other, but
       all spoilers would operate correctly-sensed, and it is hard to see
       how this could lead to the extreme control discrepancy reportedly
       experienced by the PF.

The Aviation Safety Week report on June 4 suggested that "Repair work
involving complete rewiring "upstream" of the connector pins was conducted
over several work shifts". The ELAC connector with the damaged pin has 140
pins and is one of four such for the ELAC, for a total of 560 pins.

It seems to me that to get control reversal without the phenomena in (b)
above, there must have been a reversed signal downstream of the sidestick
but upstream of where the sidestick movement is multiplexed into the five
input signals to the five PFCS computers which receive them. I do not yet
have, nor have I heard, a coherent suggestion as to how that could occur.

There has been considerable discussion of and speculation concerning:
maintenance procedures at Lufthansa Technik, which has one of the very
highest reputations for maintenance quality; wiring, wiring conventions and
connectors in the A320 series; why the pilots did not discover the
discrepancy during the usual preflight control checks (the A320 displays
control surface displacement on the cockpit display, the ECAM, when the
sidestick is intentionally moved and the airplane is on the ground, as
during a preflight control system check). I think it is fair to say that few
hard facts have emerged yet concerning any of these, and I find it hard to
make any useful inferences about what actually went on from the publicly
available information.

What emerges most clearly so far from this incident is that the simple
physical complexity of the control system has confused some. Amongst other
things, explanations have been proposed by presumably technically competent
people that do not fit the control system architecture. It is hard to see
how that phenomenon could have occurred with the simpler architectures of
mechanical control systems. On the other hand, the PNF was able to take over
normal control of the aircraft with one button push (the "control priority"
takeover on the sidestick), which could also not happen with the simpler
mechanical architectures.

We have very little information so far on the incident. It is certain that
the puzzles will be solved further along the investigative line, and very
likely that the results of the investigation will be highly significant for
the care and feeding of fly-by-wire architectures.

Peter Ladkin, University of Bielefeld, http://www.rvs.uni-bielefeld.de


Re: Computer train trauma (RISKS-21.47)

<Philip Nasadowski <nasadowsk@mail.hartford.edu>>
Sat, 16 Jun 2001 21:45:17 -0400

  [PGN notes: Lord Wodehouse forwarded Philip's reply to his message
  in RISKS-21.47, with this comment:
    As we make systems more complex and clever, they become when they fail,
    less reliable and more stupid. The present efforts to overcomplicate
    engineering solutions in the name of progress and efficiency thus
    continues the themes explored in Edward Tenner's book Why Things Bite
    Back published 1996, which although I do not like his term "revenge
    effect", because it is too emotive, is a good description of various
    well intentioned(?) ideas and efforts that have had surprising(?)
    results, which were not what was intended. Pharmaceutical companies not
    excepted either!  John]

I'm in the US, and we have the same stupidity over here too.  The new GE
locomotives for Amtrak (our national joke of a railroad) are excessively
computerized, and grind to a halt on occasion - requiring a lengthy (10
minutes!) reboot.  This is especially bad when one dies on approach to NY
city!

The recent Long Island Rail Road cars have had numerous problems too: The
automated announcements are always not working (to the extent of announcing
stations in an order that cannot exist), worse, the computerized door
systems were an early nightmare - they would sometimes open the doors
enroute (imagine a standing room only train going 60 - 80 mph over rough
track), or refuse to open the doors when stopped.  The latter was caused
because the system will "lock out" any door panel where the conductor
(guard) presses a door open/close button repeatedly (which was needed with
the old pneumatic system on the old cars).

Most disturbing was the early brake failures.  The computer-controlled
braking systems would on occasion react very slowly to braking commands.
This caused a number of trains to be removed from service, enroute.

Oddly enough, the 30 year old electric units the LIRR has, which have been
battered and poorly maintained, seem to run just fine without all this
computer stuff in them.


Lincolnshire University offers first course on rail disasters

<Tom Van Vleck <thvv@multicians.org>>
Mon, 18 Jun 2001 12:03:50 -0400

  http://dailynews.yahoo.com/h/nm/20010618/od/college_dc_1.html


NYSE: "Throw up your hands and reboot"

<"Chris Norloff" <cnorloff@norloff.com>>
Thu, 14 Jun 2001 08:11:00 -0400

When the New York Stock Exchange computer systems crashed for 85 minutes (8
Jun 2001), Andrew Brooks, chief of equity trading at Baltimore mutual fund
giant T. Rowe Price, was quoted as saying "Hey, we're all subject to the
vagaries of technology. It happens on your own PC at home. You just throw up
your hands and reboot."

The RISKS?

Thinking that a world trading center needs no more reliability than a
desktop PC.

A certain company (who's "not a monopoly") is training legions of users to
expect computer systems to be unreliable.

source:
http://www.washingtonpost.com/ac3/ContentServer?articleid=A42885-2001Jun8&pagename=article

Chris Norloff


Re: Billboard error messages (RISKS-21.45,46)

<"David M Chess" <chess@us.ibm.com>>
Wed, 13 Jun 2001 16:53:44 -0400

The most notable example I've seen was one of those portable highway-side
signs that was declaring in foot-high letters "BATTERIES NEED RECHARGING".
I suffered momentary brain-lock trying to figure out how it could know that
some car going by had a battery problem.

The general risk, of course, is in piping STDERR to STDOUT.  Web sites that
send complex error dumps to visitors' browsers are doing the same pointless
thing...


Response to LWN's statement about Linux security costs

<"Kevin Postlewaite" <kevin.postlewaite@tumbleweed.com>>
Date:  Thu, 31 May 2001 12:25:25 -0700

  [From Linux Weekly News, courtesy of Gerrit Muller, Re:
    http://www.extra.research.philips.com/natlab/sysarch/]

In LWN's front page article about the relative security costs of Linux
versus Windows, you wrote:
  "While it is nice to see a (hopefully) objective result that favors Linux,
  it is also a little disappointing. 5-15% is a fairly small margin; we
  should really be able to do better than that. It's a start, anyway. "

I used to work for PricewaterhouseCoopers auditing computer security of our
clients.  We would go in and try to penetrate our clients' systems (with
their permission, of course).  The main flaws that existed did not have to
do with the particular OS but depended on the skill and conscientiousness of
the system administrators, as well as the computer-security education of the
company's employees.  The most successful penetrations were obtained when
some sysadmin would set the root password to root (or better yet, none at
all) or have the Windows Administrator password be Administrator.  Also, a
surprisingly high number of employees would gladly give out useful
information (including accounts and passwords) to people that they didn't
know over the phone.  People were the weakest link, not the OSes.  Thus, I
wouldn't expect that the underlying OS would affect the expected damages by
much.  Far more important than installing Linux is educating the users(not
that they shouldn't install Linux anyway :-) ).

-Kevin


Windows XP adds its own links

<"George C. Kaplan" <gckaplan@ack.Berkeley.EDU>>
Thu, 07 Jun 2001 20:37:04 -0700

Walter S. Mossberg's "Personal Technology" (*Wall Street Journal*, 7 Jun
2001) describes a new "feature" of Internet Explorer under Windows XP: it
will turn some words on web pages you view into hyperlinks, pointing to
Microsoft web sites.

So, first we have Office XP changing your documents as you type them,
without telling you (Jonathan Arnold, RISKS-21.42).  Now Internet
Explorer will edit your documents for you at the other end:  when
people read them.

Mossberg discusses this feature and the associated risks in detail.
Microsoft's arrogance shines through brilliantly in one quote: the new
feature "will spare users from 'under-linked' sites".

Words fail me.

George C. Kaplan, Communication & Network Services
University of California at Berkeley 510-643-0496 gckaplan@ack.berkeley.edu


Re: Office XP modifies what you type (Deegan/Arnold, RISKS-21.42)

<Andy Newman <andy@silverbrook.com.au>>
Thu, 14 Jun 2001 08:42:32 +1000

Thanks to the many who pointed out my mis-reading of the RFC and the missing
of the empty path segment.  Therefore MS *are* wrong in modifying the path.
The interesting thing is I fell into the risk I pointed out - seeing a
collection of '/' separated tokens (empty or not) made me apply a file
system interpretation to a URL and stopped me even contemplating what use an
empty path component is and why it should be valid.

Andy Newman, Silverbrook Research, <andy@silverbrook.com.au>


Re: Office XP modifies what you type (Deegan/Arnold, RISKS-21.42)

<"Gerard A. Joseph" <gerard@ozemail.com.au>>
Wed, 13 Jun 2001 17:05:56 +1000

I am in total agreement with the people complaining about
automatically-enabled mechanisms that unilaterally correct textual input.

I have just migrated to Windows 2000 and am now in a state of euphoria that
I can actually enter a one-word folder name in upper case without the second
and subsequent letters being preemptively and irreversibly changed to lower
case.  Imagine, I can now name a folder NSA without it reappearing as Nsa.
(If it was possible to do this in Windows 95, no one was able to tell me
how.)

For years, I have had to put up with such aberrations as letters addressed
to "Mr Ga Joseph", a combination of an autocorrect feature that is enabled
by default (or by an administrator), and an imbecilic writer who (a) omits
periods between initials, (b) doesn't know how to either turn off the
feature or reverse its individual perpetrations, (c) accepts as gospel
anything the word processor dishes up from his input, and (d) lacks the
intelligence or good manners to care about any of the foregoing.  And then
all those well-known organizations Ibm, Cia, Hr, Po, Cert, Un, etc.

Of course, at the spiritual heart of all this nonsense is the bone-headed
spelling checker, one of the stupidest abominations ever unleashed on a
para-literate user community.

There's a universal truth, as true in textual composition as it is in
computer security: no piece of technology can substitute for appropriate
human practices.


Re: Steve Gibson's and Windows XP (Crooke, RISKS-21.46)

<chrisd@reservoir.com (Chris Dodd)>
Fri, 15 Jun 2001 06:19:25 -0000

> It is also time for backbone providers to introduce sensible firebreaks
> and reduce their trust in traffic passing through their systems.

IMO this conclusion is completely wrong -- the whole point of the Internet
is that the component parts need not be trusted to be infallible.  Its never
been the case that the endpoints are entirely trustworthy, but as the
Internet grows, this problem becomes more noticeable.  As far as the
proposed solution is concerned, its already the case that potentially useful
features of the Internet (such as source routing) are mostly useless due to
the fact that many routers don't follow the protocol in the name of
security.  Source IP filtering (at least as proposed by RFC 2827) is even
worse, as it breaks things that are actually being used, such as Mobile IP
(RFC 2002).  What's more, it wouldn't even do anything to stop the attack
reported by Steve.

The real RISK here is in the rush to improve security (at least for some
people), we end up seriously impairing the functionality of the Internet for
everyone.

Chris Dodd <chrisd@reservoir.com>


Re: The risks of clueless marketing (J.McCarthy RISKS-21.46)

<tmj@enternet.com.au (Tony Martin-Jones)>
Thu, 14 Jun 2001 06:48:09 +1000 (EST)

On the contrary: as "XP" are the Greek letters of the chi-rho, the monogram
for the name of Christ, they obviously hope it will be Micros**t's saviour.


Re: And you thought Keith Lynch was kidding! (RISKS-21.47)

<Phil Carmody <fatphil_without_this_suffix@altavista.com>>
Thu, 14 Jun 2001 17:31:03 GMT

It's not really the 'HEX' that is the gz file, it's the 'binary', written in
LSB-last format (and the LSB is byte-aligned).  For reference, it is not the
whole of the source that has been zipped, as that was too large to
mathematically prove as prime -- it is just the descramble functions.  My
justification was that copyleft's 2 T-shirts did the same split, and they
were subpoenaed for them both. No attempt was made to be clever, I simply
wanted source code that had been already accused of being a circumvention
device to be propagated.

 [My favourite headline was "When Mathematicians Turn Bad", in *The Register*.]

Phil

    [Phil noted subsequently that Keith's posting was two months after
    Phil's earlier postings, and that RISKS is actually recycling a topic
    that has been beaten to death elsewhere.  Apologies to readers of
    elsewhere.  PGN]


Re: And you thought Keith Lynch was kidding! (PGN, RISKS-21.42)

<pasward@styx.uwaterloo.ca>
14 Jun 2001 10:28:43 -0400

One of the strangest consequences of copyright law is that it would seem to
outlaw possession of certain integers, as does trademark and trade secret
law.  In fact, any piece of intellectual property can be encoded as a single
integer, which would be protected.  Don't blame DMCA for what is an inherent
property of all intellectual property law.

paulward (DrGS)


Re: And you thought Keith Lynch was kidding!

<KCKnowlton@aol.com>
Wed, 13 Jun 2001 21:11:32 EDT

Illegal possession of certain integers (RISKS Vol 21 Issue 47) is not really
new.  Any 10-color, 200x200-pixel image of child pornography is simply a
40,000-digit integer that I think, for quite some time now, has been illegal
for you to possess.

Ken Knowlton


On the deceptiveness of pop-under ads (Re: RISKS-21.47)

<"The guy named after an Om Kalthoum song" <ocschwar@MIT.EDU>>
Thu, 14 Jun 2001 03:55:13 -0400

Nytimes.com and latimes.com do indeed use pop-unders, but if you look at the
script used to pop them, you will find that in the NY Times version, there
is a myDelay variable, but it is set to 0, and no such variable in the LA
Times version.

The folks in fastclick.net ought to kick themselves for even thinking of
delaying the pop-unders, without which their ethics would be less likely to
fall under criticism.  The folks in nytimes.com deserve both credit and
discredit for setting myDelay to 0. Of course, this still leaves them open
to reprobation if someone visits their site while his computer is under a
heavy load, and the pop-under takes a while to pop under.

Pop-unders, when their origin isn't concealed, are actually a smart idea.
One of the problems with web advertising for funding the Web is that under
that scheme writers attract viewers only to send them to who-knows-where.
This solves that problem by attracting the viewer to the ad after he is done
reading the article and thus more likely to have a look-see.

And the RISK? There is no need to compromise
your own reputation by writing the equivalent of this:
" $I_Am_Slimy = 0; if ($I_Am_Slimy) { ... }" when
you can just choose not to be slimy.

Please report problems with the web pages to the maintainer

Top