The RISKS Digest

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Volume 22 Issue 96

Saturday 18 October 2003


Building cleared after computers blow
    Graham Smith
Car navigation system led tourist into supermarket
    Michael Borek
The Joy of Good Design
Top 10 data disasters
Billboard slip adds to humiliation for Chicago Cubs
    Bill Higgins
The Future of Surveillance
    Bruce Schneier
Hacker charged with securities fraud
More on the California recall election
    Rebecca Mercuri
Re: Something Fishy about Diebold
    Doug Sojourner
Re: Continental taking back mistaken transactions
    Phil Reed
Re: Satellite photo of Eastern North America during blackout
    Mark Brader
Deadlock in Licensing Agreement, Dell Dumped
    Mark Brader
'Lover Spy' software
    Geoffrey Brent
Re: Unencrypted credit-card submission forms
    Bill McGonigle
Re: Benjamin Franklin
    Jay R. Ashworth
Re: W32/Swen: And I thought I had it bad...
    Jon Seymour
Info on RISKS (comp.risks)

Building cleared after computers blow

< (Kildwick Smith Ltd)>
Thu, 16 Oct 2003 11:32 +0100 (BST)

I bet your company's business risk list doesn't include computers blowing
up! <grin>

submitted by Graham Smith from

Building cleared after computers blow
*Lincolnshire Echo*, 16 Oct 2003

An office building was evacuated on 15 Oct 2003 after 30 computers exploded.
Around 400 members of staff at HBS Business Services, in Brayford Wharf
North, Lincoln, left the building just after 12.15pm.  Computers in one
block of the building had blown up, producing smoke and setting off the fire
alarms.  Workers had to wait for more than 90 minutes before they could
return to their desks.  The cause was an electrical.  All the computers have
to be replaced.

Car navigation system led tourist into supermarket

< (Michael Borek)>
Thu, 16 Oct 2003 12:15:46 -0400

A US tourist's trip through Bavaria ended with an unexpected visit to a
supermarket when his car's navigation system led him straight through the
store's doors.  He depended entirely on the navigation system and did not
notice approaching the supermarket until entering it.  [Source: Ananova News]

There are details neither on the navigation system in use nor the reason why
it "thought" there was a carriageway there.  I could see the cause being
either inaccurate maps (data) or a failure in the resolution of the code
(assuming that the algorithms work, of course!).  In any case, the
inattention (or misplaced attention) of the driver, who had been
celebrating, is a significant factor.

The Joy of Good Design

<"NewsScan" <>>
Tue, 14 Oct 2003 09:05:00 -0700

Design guru Don Norman says the way a device looks, feels and gives pleasure
is just as important as how it works, and that good design can make up for
some — though not all — shortcomings. "How attractive something is will
mean people will overlook some of the bad functionality, but not
completely." His new book, "Emotional Design: Why We Love (or Hate) Everyday
Things," — due out in 2004 — focuses on the way design works at different
levels of brain perception. "The visceral level is the low biological level
and that's where beauty comes in and appearances matter.  On the surface
something looks attractive and feels good. That is very important and that
makes the brain function differently," says Norman. The behavioral level,
which controls muscles, perception and language, perceives an object's
usability and how it feels. But Norman says the most important aspect of
design is its ability to invoke the deeper level of reflection, the level
that dictates how we feel about things. "That is where having a good brand
name matters. Having a good brand name has to be earned because they stand
for trust." Good emotional design must incorporate all three levels, and
Norman cites Apple and Sony as two companies that have managed to do that
well.  [BBC News 14 Oct 2003; NewsScan Daily, 14 October 2003]

Top 10 data disasters

<"NewsScan" <>>
Thu, 16 Oct 2003 09:09:05 -0700

Although machine failure is at fault for the majority of lost data
disasters, humans are increasingly culpable as well, according to recovery
experts at Kroll Ontrack. "Despite being the easiest problem to prevent, we
are seeing more cases where human error is to blame. Interestingly, we see a
15 to 20% increase in calls to recover lost data on Mondays. This could be a
result of the rush to complete work and leave early for the weekend on
Friday afternoons, as well as a lack of staff concentration on Monday
mornings," says a Kroll spokesman. The Top 10 list of unusual data loss
stories includes laptops being shot or thrown against the wall in a fit of
e-rage; laptops suffering spills of red wine or latte because users were
"drinking on the job," laptops falling off mopeds or car roofs, then being
crushed by oncoming traffic; and PCs being thrown out a window or into a
river to destroy evidence of theft or fraud. Our favorite? The laptop that
slipped into the bathtub with its owner while he was working on accounts.
Amazingly, Kroll Ontrack says in all these cases, it was able to rescue and
restore computer files.  [BBC News 16 Oct 2003; NewsScan Daily, 16 Oct 2003]

Billboard slip adds to humiliation for Chicago Cubs

<Bill Higgins <>>
Wed, 15 Oct 2003 11:20:04 -0500

Last night's baseball game was a difficult and disappointing one for the
Chicago Cubs.  For most of the game, they were ahead of the Florida Marlins
in the struggle for the National League championship, entering the eighth
inning with a score of 3-0.  A fourth victory in the present series of
playoff games would send them to the World Series -- which the Cubs have not
reached since 1945 -- so excitement was high.

During the eighth inning, a Cubs fan at the edge of the stands reached out
and deflected an incoming ball, causing a player to miss catching it. Even
worse, the Marlins began a fantastic rally that ended the eighth inning, and
ultimately the ballgame, with a score of 3-8.

So, as I write this, the playoff series is 3-3, and tonight's game will
decide the contest.

This morning I heard WXRT radio report that "somebody at Budweiser hit SEND
instead of DELETE," causing an animated highway billboard to spell out

Obviously Budweiser's advertising people had the message ready for the
contingency of a Cubs victory.

You don't suppose that the same fumble-fingered guy who knocked the ball
away from the Cubs' outfielder works at Budweiser as a billboard operator?

I hope that the appearance of the mistaken congratulations doesn't jinx the
Cubs, and that Budweiser will be able to re-use the message tomorrow.

Bill Higgins      Fermi National Accelerator Laboratory

  [Unfortunately for the Cubs, that did not work out.  But it was a great
  year for them anyway, and we are once again reminded that baseball is a
  game of inches.  Same thing for the Red Sox (and Giants and Athletics).
  Wait Till Next Year is always the operative slogan for all but the
  eventual winner.  PGN]

The Future of Surveillance

<Bruce Schneier <>>
Tue, 14 Oct 2003 22:58:28 -0500

  [From CRYPTO-GRAM, October 15, 2003]

At a gas station in Coquitlam, British Columbia, two employees installed a
camera in the ceiling in front of an ATM machine.  They recorded thousands
of people as they typed in their PIN numbers.  Combined with a false front
on the ATM that recorded account numbers from the cards, the pair was able
to steal millions before they were caught.

In at least 14 Kinko's copy shops in New York City, Juju Jiang installed
keystroke loggers on the rentable computers.  For over a year he
eavesdropped on people, capturing more than 450 user names and passwords,
and using them to access and open bank accounts online.

A lot has been written about the dangers of increased government
surveillance, but we also need to be aware of the potential for more
pedestrian forms of surveillance.  A combination of forces — the
miniaturization of surveillance technologies, the falling price of digital
storage, the increased power of computer programs to sort through all of
this data — means that surveillance abilities that used to be limited to
governments are now, or soon will be, in the hands of everyone.

Some uses of surveillance are benign.  Fine restaurants sometimes have
cameras in their dining rooms so the chef can watch diners as they eat their
creations.  Telephone help desks sometimes record customer conversations in
order to help train their employees.

Other uses are less benign.  Some employers monitor the computer use of
their employees, including use of company machines on personal time.  A
company is selling an e-mail greeting card that surreptitiously installs
spyware on the recipient's computer.  Some libraries keep records of what
books people check out, and Amazon keeps records of what books people browse
on their website.

And, as we've seen, some uses are criminal.

This trend will continue in the years ahead, because technology will
continue to improve.  Cameras will become even smaller and more
inconspicuous.  Imaging technology will be able to pick up even smaller
details, and will be increasingly able to "see" through walls and other
barriers.  And computers will be able to process this information better.
Today, cameras are just mindlessly watching and recording, but eventually
sensors will be able to identify people.  Photo IDs are just temporary;
eventually no one will have to ask you for an ID because they'll already
know who you are.  Walk into a store, and you'll be identified.  Sit down at
a computer, and you'll be identified.  I don't know if the technology will
be face recognition, DNA sniffing, or something else entirely.  I don't know
if this future is ten or twenty years out — but eventually it will work
often enough and be cheap enough for mass-market use.  (Remember, in
marketing, even a technology with a high error rate can be good enough.)

The upshot of this is that you should consider the possibility, albeit
remote, that you are being observed whenever you're out in public.  Assume
that all public Internet terminals are being eavesdropped on; either don't
use them or don't care.  Assume that cameras are watching and recording you
as you walk down the street.  (In some cities, they probably are.)  Assume
that surveillance technologies that were science fiction ten years ago are
now mass-market.

This loss of privacy is an important change to society.  It means that we
will leave an even wider audit trail through our lives than we do now.  And
it's not only a matter of making sure this audit trail is accessed only by
"legitimate" parties: an employer, the government, etc.  Once data is
collected, it can be compiled, cross-indexed, and sold; it can be used for
all sorts of purposes.  (In the U.S., data about you is not owned by you.
It is owned by the person or company that collected it.)  It can be accessed
both legitimately and illegitimately.  And it can persist for your entire
life.  David Brin got a lot of things wrong in his book The Transparent
Society.  But this part he got right.

Hacker charged with securities fraud

<"NewsScan" <>>
Fri, 10 Oct 2003 08:42:05 -0700

A 19-year-old student at Drexel University in Pennsylvania is being charged
by the Securities & Exchange Commission (SEC) with fraud and identity theft
for hacking into someone's investment account and making a complex and
illegal trade. The student is accused of using a program called the Beast to
monitor every keystroke typed on the target machine, and by doing so was
able to obtain the log-in and password for the investor's online brokerage
account with TD Waterhouse.  [*The New York Times*, 10 Oct 2003; NewsScan
Daily, 10 October 2003]

More on the California recall election

<"Rebecca Mercuri" <>>
Mon, 13 Oct 2003 17:31:08 -0400

The following Web site contains some useful information pertaining to the
California recall election and the resulting residual vote totals:

It provides polling data on questions that specifically asked "did you have
problems using the voting machines" (yes 2%) and also "did you not vote for
question xyz".  The latter result was off by 2% from the semi-official vote
totals indicating either that (a) the 2% of people that had problems using
the machine weren't able to cast their vote properly, or (b) there are 2% of
the votes being lost by the machines, or (c) the polling data is 2% low.  (I
am trying to find out how close they were on the totals for "what did you
vote for" to see if (c) is really the case rather than (a) or (b).)  Also,
please note the caveat that everything is unofficial until the SoS posts the
certified results, which will not occur until mid-November.

Re: Something Fishy about Diebold

<Doug Sojourner <>>
Thu, 16 Oct 2003 13:28:56 -0700

Actually, all these numbers are so small that I don't think there is much
here. The most significant case (Palmier) has the Diebold counties giving
3700 votes out of a total (in those counties) of 1300000, and outside
Diebold counties 1500 votes out of a total of 6500000. I believe this means
that in Diebold counties Palmier got 0.19% of the vote, with a sigma of
0.086%, and outside of Diebold counties 0.023% of the vote with sigma of
0.039%. With a null hypothesis that these both correspond to the same
underlying probability of being voted for, I believe that the likelihood of
this (the null hypothesis) happening is greater than f(0.19/0.86)*f(0),
which is about 3%. That leaves this on the edge of statistical significance.
The most dramatic case (Kunzman) actually has more than 8% chance that the
null hypothesis is true. I didn't compute any others, but I doubt they could
do better than Kunzman.

So even though I distrust Diebold, I'm not sure this is strong evidence of

  [On the other hand there are various alternative scenarios...  With all of
  the different ballot faces, the mapping of vote positions to vote tallies
  is always a potential problem, either accidentally or intentionally (and
  in the latter case, not necessarily deterministic).  Butterfly ballots add
  difficulties for the voters.  If there are many more bad programmers
  than malicious ones, the election folks who insist that nothing can go
  wrong are seriously suspect.  PGN]

Re: Continental taking back mistaken transactions (RISKS-22.94)

<phil reed <>>
Fri, 10 Oct 2003 06:24:29 -0700 (PDT)

Reading the tale of Continental Airlines taking back free miles reminded me
of a tale of woe from a few years ago.

A former employer (now defunct) was implementing a direct-deposit function
for their payroll. The actual payroll processing had been outsourced for
some time to a large company that does this sort of thing routinely (name
left out because they are still in business). As part of setting up the
direct deposit, the payroll group collected bank account numbers and passed
them along to the outsourcing company, who entered them in their various
databases. Everything normal, nothing exceptional.

As part of the checking process that looked for routine data entry errors,
the outsourcing company's strategy was to run a complete end-to-end sequence
that would perform an actual deposit of $0.00 into everybody's account. This
would cause all the invalid bank account numbers to show up on the normal
error report, so they could be corrected before running an actual payroll
and accidentally not paying somebody on payday.

You can probably guess what happened next: the test deposit was run, but
with actual payroll amounts, not with a zero dollar deposit. The error was
discovered after about an hour, and it took another couple of hours to
prepare a "reverse deposit" transaction to get the money back out of the
accounts. During that 3 hour window, a handful of people (almost all of them
spouses of factory workers) discovered the extra money and withdrew it from
their checking account. Some of them immediately spent it.

I don't know who it was that had to tell those workers that they had to
return the money, but I cannot imagine that it was a very pleasant job.

Re: Satellite photo of Eastern North America during blackout (R-22.88)

< (Mark Brader)>
Fri, 10 Oct 2003 01:28:51 -0400 (EDT)

  [Originally submitted 29 Aug 2003, lost in the shuffle.  Sorry.  PGN]

In addition, if the UTC timestamps on the two photos are correct, then the
labeling as "20 hours before" and "7 hours after", seen both in the images
and their URLs, is wrong — as is obvious because the two times are about 24
hours apart!  The blackout was actually at 4:10 pm EDT (give or take a couple of
minutes, depending on location): that's 20:10 UTC, so the pictures are 19
hours before and 5 hours after.  The first error looks like someone forgot
about daylight saving time, but the second is harder to guess an explanation

> However, there is a surprising amount of light still on, ...

I don't see why John is surprised at this, since the article Andrew quoted
says that "in the New York region .. nearly 20 percent of the available
electricity remained on..."  It seems natural that at the scale of a
satellite photo we would not be able to tell which areas of the city were
darkened and which were not.

(Toronto, as noted, is pretty much gone in the second photo — and that's
correct.  During the blackout I was listening to local radio stations that
invited people to phone in with information about their neighborhood, and
there sure weren't any calls that said "we never lost power".)

Deadlock in Licensing Agreement, Dell Dumped

< (Mark Brader)>
Fri, 10 Oct 2003 01:30:22 -0400 (EDT)

  [Also originally submitted 29 Aug 2003]

Ian Goldberg writes at <> about his
recent experience buying a Dell computer in Canada.  In brief, the startup
screen required him to declare that he had first read and then agreed to the
relevant license agreements — but the agreements themselves were
shrink-wrapped and could not be read without first agreeing to them.

Deadlock, and nobody he could reach at Dell even saw it as a problem.

'Lover Spy' software

<Geoffrey Brent <>>
Tue, 14 Oct 2003 09:57:18 +1000

As reported in various news outlets recently, 'Lover Spy' offer a
service for jealous lovers looking to spy on their partners:

"Using this very web site, you can very easily send Lover Spy as an
e-greeting card. The e-card looks just like a normal e-greeting card sent
via e-mail. When opened, it will display a graphic of your choice, whether
it be romantic flowers, a funny e-joke, or kittens. But silently, this
e-card will secretly install our award-winning spy software on their PC!"

The spyware then reports back to Lover Spy's customer with a record of
websites visited, chat sessions logged, passwords captured, etc etc.  Site
is currently down (hopefully for good), but can be viewed in Google's cache: (full Google link at the end of this message, for
those who don't like tinyurl).

There are several very obvious reasons why this is a Bad Thing (not to
mention illegal), and I doubt anybody on RISKS needs to be told the risks
this poses to the unwitting recipient of the greeting card.  However, at
least one message-board poster (see link below) has suggested a more subtle
angle: presumably this service also requires the customer to install some
form of software on their own computer to receive the data collected from
their unsuspecting partner.

What are the chances that the customer-end software is *also* spyware?  As
any con-man knows, the easiest way to hoodwink your mark is to let him think
he's hoodwinking somebody else. And when the scheme they sign up for is
illegal - as this one most certainly is - then they're much less likely to
squeal when they find out who the real target is. You're already giving
Lover Spy your credit card number just by signing up for your service - and
captured bank account details etc. could be the icing on the cake.

Re: Unencrypted credit-card submission forms

<Bill McGonigle <>>
Fri, 10 Oct 2003 11:48:42 -0400

One of the criticisms of the HTTPS/SSL/TLS protocol is that it provides both
encryption and authentication without the option to forgo either.  In this
case, the host has used a default certificate name generated by, probably,
the OpenSSL toolkit.  Note, it's not a sample certificate, it's randomly
generated at install time, so the user needn't fret a man-in-the-middle
attack.  So, in this case, you have encryption but not authentication.  If
you're confident of the host name and can somehow verify that a DNS spoof
isn't being employed (known IP, DNSSEC), you're good to go.  Of course, it's
not reasonable for the general population to make this verification.

For the princely sum of up to $900 per year per hostname, SSL vendors like
Verisign will sign a certificate for you saying that you are who you claim
to be.  Your web browser will trust the certificate and not display a
warning because, e.g. Verisign's certificate is built into your web browser.
The trouble is, the amount of verification many certificate vendors go
through is minimal (some require only a faxed letter on company letterhead),
you have to trust the signer, and your certificates can be stolen (only some
browsers support certificate revocation).  So, critics charge that all you
have is a false sense of security, which can be a greater risk.  Some people
fail to buy a 'real' certificate for cost reasons and some for philosophical
reasons. Most just go ahead and pony up the cash to make the warning go away
for the users.
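
The post above distinguishes encryption from authentication for a host using a self-generated certificate. As an added example (not part of the original post), the sketch below closes that gap with a certificate fingerprint obtained out of band, which is a different check from the known-IP and DNSSEC ones the post names. The byte strings are constructed stand-ins for DER certificates, and `connect_pinned` and the pin value are hypothetical names.

```python
import hashlib
import hmac
import socket
import ssl


def fingerprint(der_cert: bytes) -> str:
    """SHA-256 fingerprint of a DER-encoded certificate, lowercase hex."""
    return hashlib.sha256(der_cert).hexdigest()


def pin_matches(der_cert: bytes, pinned_hex: str) -> bool:
    """True only if the presented certificate is exactly the pinned one.

    Accepts pins written as plain hex or as colon-separated upper-case hex.
    """
    normalized = pinned_hex.replace(":", "").strip().lower()
    return hmac.compare_digest(fingerprint(der_cert), normalized)


def connect_pinned(host: str, port: int, pinned_hex: str,
                   timeout: float = 5.0) -> ssl.SSLSocket:
    """Open a TLS connection that skips CA validation (as a self-signed
    host requires) and authenticates the server by fingerprint instead."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False       # must be disabled before CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE  # encryption only, no CA-based identity
    raw = socket.create_connection((host, port), timeout=timeout)
    try:
        tls = ctx.wrap_socket(raw, server_hostname=host)
    except Exception:
        raw.close()
        raise
    # The peer certificate is available in binary form even though no
    # chain validation was performed.
    der = tls.getpeercert(binary_form=True)
    if der is None or not pin_matches(der, pinned_hex):
        tls.close()
        raise ssl.SSLError("certificate fingerprint does not match pin")
    return tls


# Constructed stand-ins for DER certificates (not real X.509). Both carry
# the same default subject name, so the name alone cannot tell them apart.
SERVER_CERT = b"constructed-der:CN=localhost.localdomain:install-time-key-A"
IMPOSTOR_CERT = b"constructed-der:CN=localhost.localdomain:other-key-B"

# The pin is recorded once over a trusted channel (assumption).
PIN = fingerprint(SERVER_CERT)


def colon_form(hex_pin: str) -> str:
    """Render a pin the way certificate tools usually print fingerprints."""
    pairs = [hex_pin[i:i + 2] for i in range(0, len(hex_pin), 2)]
    return ":".join(pairs).upper()


if __name__ == "__main__":
    print("genuine cert accepted: ", pin_matches(SERVER_CERT, PIN))
    print("impostor cert accepted:", pin_matches(IMPOSTOR_CERT, PIN))
```
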

Re: Benjamin Franklin (RISKS-22.93-94)

<"Jay R. Ashworth" <>>
Mon, 13 Oct 2003 14:06:05 -0400

> Ben's original quote also gives the Patriot Act guys plenty of wiggle room,
> by using the phrases "essential liberty" and "temporary safety."  Who's to
> judge "essential" and "temporary"?

Franklin himself, I think.  He wasn't providing interpretative wiggle room
there, IMHO, he was making *another* value judgment: that liberty *is*
essential, and security often only temporary.  Remember the environment
*they* lived in... it was, likely, much closer to today's America than 3
years ago's America... and yet they did what they did.

Why can't *we* (, Mr Ashcroft)?

Jay R. Ashworth, Baylink, The Suncoast Freenet, Tampa Bay, Florida   +1 727 647 1274

Re: W32/Swen: And I thought I had it bad...

<Jon Seymour <>>
Fri, 17 Oct 2003 09:27:59 +1000

Admittedly I was quickly disavowed of that notion by a few private
responses to my last RISKS post - mine was but a mild dose of W32/Swen

And then this, from

  The Swen virus has been blamed for delaying e-mails to BigPond customers
  by up to several days.  On 14 Oct 2003, BigPond reported its customers
  were receiving e-mails late due to a rapid rise in messages being sent and
  received through the network.  E-mail messages had increased on average
  from about eight million to 13 million daily.

  Spokeswoman Kerrina Lawrence today said the Swen virus was responsible for
  the sudden surge in traffic.  "Telstra's technical staff has been working
  around the clock to establish additional network capacity to cater for the
  unexpected ... increase in e-mail traffic," she said in a statement.  Ms
  Lawrence said the additional capacity will help cater for the rise in
  messages.  "Telstra understands that the virus/worm has been taking over
  customers' computers and using them to send large amounts of junk e-mails
  (spam)," Ms Lawrence said.

So, if only 1/2 of this 5 million per day increase is due to the e-mail
containing the Swen worm (being generous and allowing for bounce messages),
then Telstra is busily working to add an extra 2.5 *1,000,000 * 145kB /
(24*3600) * 8 =~ 32Mbps capacity to their e-mail network.

One presumes that they are also doing something about filtering so that
all that extra capacity does not get eaten up by the worm, but then
perhaps I presume too much.
