The Risks Digest

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Volume 23 Issue 51

Tuesday 31 August 2004

Contents

NASA Spirit nearly done in by DOS
Hank Nussbacher
Sum of a Glitch
Bev Harris via David Chessler and Dave Farber's IP
The case of the screaming telephone
Debora Weber-Wulff
The toll collection hassle in Germany
Debora Weber-Wulff
Website offers CNID falsification service
Kevin Poulsen via Monty Solomon
Rick Broadhead's Dear Valued Customer
Amit Asaravala via Monty Solomon
Canvas expiration 'bug': *not* a Mac OS issue
Matt Gough via Bob Grant
Accounting software number issues
Darryl Smith
Another animal-caused power interruption
Geoffrey Brent
Privacy concern over Australian e-mail law
NewsScan
Lack of sanity checking in Web shopping cart software
Richard Kaszeta
Correction to New Mexico, Florida, Bush & Gore
Jeremy Epstein
REVIEW: "Know Your Enemy", Honeynet Project
Rob Slade
Info on RISKS (comp.risks)

NASA Spirit nearly done in by DOS

<Hank Nussbacher <hank@mail.iucc.ac.il>>
Mon, 30 Aug 2004 11:44:22 +0300

 From Wired -
http://www.wired.com/news/space/0,2697,64752,00.html?tw=wn_tophead_3

Ctrl-alt-del: The communications failure that nearly brought NASA's Spirit
mission to Mars to an early end in January was caused by an unforeseen
aspect of the DOS file system, a Jet Propulsion Laboratory scientist said
Monday.  During a presentation at Stanford University's Hot Chips
conference, JPL software developer Robert Denise said his team did not
anticipate that a DOS file system containing directory information would
continue to grow after other files had been deleted from the Spirit rover's
flash memory.  This oversight, coupled with an instruction to copy the
contents of Spirit's flash memory into its limited random access memory
launched the rover into a nearly disastrous cycle of errors and reboots.
Fortunately for NASA, the JPL team was able to upload a software upgrade
and disable the copy instruction before the rebooting completely drained
the rover's batteries.

Spirit has performed well ever since, according to NASA. In April, the
agency extended the rover's mission -- along with that of its twin,
opportunity -- for an additional five months. Both rovers have already
detected evidence of the water that is thought to have once existed on Mars.


FWD: Sum of a Glitch (Bev Harris via Dave Farber's IP)

<David Chessler <chessler@usa.net>>
August 27, 2004 11:54:39 PM EDT

Sum of a Glitch, by Bev Harris

In the Alabama 2002 general election, machines made by Election Systems and
Software (ES&S) flipped the governor's race. Six thousand three hundred
Baldwin County electronic votes mysteriously disappeared after the polls had
closed and everyone had gone home. Democrat Don Siegelman's victory was
handed to Republican Bob Riley, and the recount Siegelman requested was
denied.  Three months after the election, the vendor shrugged. "Something
happened. I don't have enough intelligence to say exactly what," said Mark
Kelley of ES&S.

When I began researching this story in October 2002, the media was reporting
that electronic voting machines are fun and speedy, but I looked in vain for
articles reporting that they are accurate. I discovered four magic words, "
voting machines and glitch," which, when entered into a search engine,
yielded a shocking result: A staggering pile of miscounts was
accumulating. These were reported locally but had never been compiled in a
single place, so reporters were missing a disturbing pattern.

I published a compendium of 56 documented cases in which voting machines got
it wrong.

How do voting-machine makers respond to these reports? With shrugs. They
indicate that their miscounts are nothing to be concerned about. One of
their favorite phrases is: "It didn't change the result."

Except, of course, when it did:

In the 2002 general election, a computer miscount overturned the House
District 11 result in Wayne County, North Carolina. Incorrect programming
caused machines to skip several thousand party-line votes, both Republican
and Democratic. Fixing the error turned up 5,500 more votes and reversed the
election for state representative.

This crushing defeat never happened: Voting machines failed to tally "yes"
votes on the 2002 school bond issue in Gretna, Nebraska. This error gave the
false impression that the measure had failed miserably, but it actually
passed by a 2-to-1 margin. Responsibility for the errors was attributed to
ES&S, the Omaha company that had provided the ballots and the machines.

According to the Chicago Tribune, "It was like being queen for a day--but
only for 12 hours," said Richard Miholic, a losing Republican candidate for
alderman in 2003 who was told that he had won a Lake County, Illinois,
primary election. He was among 15 people in four races affected by an ES&S
vote-counting foul-up.

An Orange County, California, election computer made a 100 percent error
during the April 1998 school bond referendum. The Registrar of Voters Office
initially announced that the bond issue had lost by a wide margin; in fact,
it was supported by a majority of the ballots cast. The error was attributed
to a programmer's reversing the "yes" and "no" answers in the software used
to count the votes.

A computer program that was specially enhanced to speed the November 1993
Kane County, Illinois, election results to a waiting public did just that--
unfortunately, it sped the wrong data. Voting totals for a dozen Illinois
races were incomplete, and in one case they suggested that a local
referendum proposal had lost when it actually had been approved. For some
reason, software that had worked earlier without a hitch had waited until
election night to omit eight precincts in the tally.

A squeaker -- no, a landslide--oops, we reversed the totals -- and about
those absentee votes, make that 72-19, not 44-47. Software programming
errors, sorry.  Oh, and reverse that election, we announced the wrong
winner. In the 2002 Clay County, Kansas, commissioner primary, voting
machines said Jerry Mayo ran a close race but lost, garnering 48 percent of
the vote, but a hand recount revealed Mayo had won by a landslide, receiving
76 percent of the vote.

http://www.progressivetrail.org/articles/040825Harris.shtml

IP Archives at: http://www.interesting-people.org/archives/interesting-people/


The case of the screaming telephone

<Debora Weber-Wulff <weberwu@fhtw-berlin.de>>
Sat, 28 Aug 2004 21:27:47 +0200

The German IT giant, Siemens, has had to recall the entire production of its
fancy new x65 mobile phone family because of a software error. This phone,
which was filled to the brim with fancy stuff and on offer from most of the
mobile operators, has an unfortunate mis-feature. The telephone has a
default melody that it plays just before it dies on account of the battery
being too low,sort of a swan song.

The problem is that this melody is turned on by default and when it plays,
it plays at an ear-splitting noise level that is loud enough to possibly
cause hearing damage. Of course this only would happen in the case of
someone having it in their ear when it plays, which Siemens says is rare
[but has happened to me with my hands-free a few times in the past years -
dww]

No one had been reported hurt by the phone yet, but Siemens was able to
reproduce this in the lab, so the company decided to withdraw the phone and
caution customers to turn the feature off until they can get a software
update.  They do get extra points for being proactive about the problem [1]

This will surely wreak havoc in the balance sheet, and as my newspaper (the
Berliner Zeitung [2]) nastily notes, it chalks up one more disaster for
Siemens in the area of quality management. Just to mention three recent
problems, the Combino street car had to be recalled from all over the world
because the body was wrongly constructed, the diesel ICE trains have many
problems and the airport Skytrain in Düsseldorf has an annoying tendency
to stop for a reboot between stations. Risks readers will remember tales of
software controlled rail switches ...

Oh yes, glad you asked, many Siemens divisions seem to be ISO 900x
certified...

[1] Siemens press release
http://www.siemens.com/index.jsp?sdc_sectionid=4&sdc_langid=0&sdc_contentid=1207000

[2] http://www.berlinonline.de/berliner-zeitung/wirtschaft/371491.html
(but will probably get a new address in the archive, this is
called "Qualitätsproblem Siemens" and is written by Thomas H. Wendel.

Prof. Dr. Debora Weber-Wulff, FHTW Berlin, FB 4, Internationale
Medieninformatik Treskowallee 8, 10313 Berlin Tel: +49-30-5019-2320


The toll collection hassle in Germany

<Debora Weber-Wulff <weberwu@fhtw-berlin.de>>
Sat, 28 Aug 2004 21:30:17 +0200

The Berlin newpaper "Tagesspiegel" reports [1] that there is a real danger
of the new attempt to get the toll collection scheme up and running by the
beginning of the year failing. Only 37 000 updated so-called "on-board
units" have been built into trucks, there need to be at least 400 000 by
January 1 in order for the system to work. The truck owners are being
offered 50 € if they have one of the first 200.000 new OBUs built in by
the end of the year. Of course, many already paid to have a previous version
of the OBU installed, so they are understandably reluctant to run out and
have this radio-sized box installed in their cabs.

This is the third attempt to get it to work, the system was originally
supposed to begin in the summer of 2003 so that the German government can
reap in money to pay for roads projects for the world soccer championships
in 2006.

A speaker for Toll Collect, the consortium responsible for the mess, says
that they can actually start with less OBUs, although this will make long
lines at rest stops and gas stations as drivers purchase tickets. A
government spokeperson is quoted as being unaware of any problems that might
delay the third start.

Toll Collect is run by DaimlerChrysler Services AG (45%), Deutschen Telekom
AG (45%) and the French company Cofiroute S.A. (10%).

[1] http://archiv.tagesspiegel.de/archiv/27.08.2004/1324184.asp

[I played with one of the terminals at a rest stop and actually managed to
print a toll ticket for myself. I was able to enter a completely stupid
route, the system had no problems with this. The usability of the menu
system leaves a bit to be desired, this will surely contribute to nice long
lines if they ever get this going -dww]

Prof. Dr. Debora Weber-Wulff, FHTW Berlin, FB 4, Treskowallee 8, 10313 Berlin
Tel: +49-30-5019-2320  http://www.f4.fhtw-berlin.de/people/weberwu/


Website offers CNID falsification service (Kevin Poulsen)

<Monty Solomon <monty@roscom.com>>
Tue, 31 Aug 2004 08:50:55 -0400

By Kevin Poulsen, SecurityFocus, 27 Aug 2004

Overdue debtors beware: You may not be able to rely on CNID [Calling Number
Identification] to screen out those annoying bill collectors much longer. A
California entrepreneur has a plan to bring the hacker technique of CNID
spoofing to the business world, beginning with collection agencies and
private investigators.  Slated for launch next week, Star38.com would offer
subscribers a simple Web interface to a CNID spoofing system that lets them
appear to be calling from any number they choose. "It creates an extra
avenue for them to have someone pick up the phone," says founder Jason
Jepson.

CNID spoofing has for years been within the reach of businesses with certain
types of digital connections to their local phone company, and more recently
has become the plaything of hackers and pranksters exploiting permissive
voice over IP systems. But Star38.com appears to be the first stab at
turning CNID spoofing into a commercial venture. Jepson claims the service
will charge a twenty-five cent connection fee for each call, and seven to
fourteen cents per minute.  ...
  http://securityfocus.com/news/9419
    [Lightly PGN-ed for RISKS]


Rick Broadhead's Dear Valued Customer (Amit Asaravala)

<Monty Solomon <monty@roscom.com>>
Fri, 27 Aug 2004 14:40:55 -0400

Amit Asaravala, Loser Delivers Laughs, Wired.com, 27 Aug 2004

In the struggle between humanity and technology, humanity is clearly getting
its ass kicked.  That is the conclusion one comes to after reading Rick
Broadhead's Dear Valued Customer, You Are a Loser ($10, Andrews McMeel
Publishing), a hilarious look at the maddening tendency for technology to
create as many problems as it solves.  Published in May with little fanfare,
the 315-page paperback is a compilation of more than 100 true stories of
technological blunder and misfortune. Some of the stories are bizarre, some
are pathetic -- but all are highly entertaining.

Take, for instance, the case of the Ukrainian businessman who put 50 new
pagers -- a gift for his employees -- in the back seat of his car and then
promptly crashed into a lamppost when they all began beeping at the same
time. The culprit? A welcome message sent by the pager company to each of
the pagers.

Then there's the story of the German couple who carefully followed the
driving directions given by their car's satellite navigation system -- right
up until it guided them into a river.  ...
  http://www.wired.com/news/culture/0,1284,64734,00.html


Canvas expiration 'bug': *not* a Mac OS issue (Matt Gough)

<Bob Grant>
Fri, 27 Aug 2004 18:35:29 -0500

Please see the recently expanded thread at Macintouch which reveals that the
problem stems from a deliberate decision by Deneba to have Canvas disabled
at a time of their choosing. It has nothing to do with the normal and
correct functioning of the Macintosh system clock.
  http://www.macintouch.com/canvas.html

Relevant excerpt by Matt Gough

With reference to the problem with Canvas expiring soon, the response
from Deneba (now ACD Systems) is utter nonsense.

The System clock on the Mac flipped over to a 'negative' value on Wednesday,
January 19, 1972 at 3:14:08 am, and so has been negative since long before
the Mac existed.

I have been debugging Canvas here using the venerable Macsbug and have
determined that it will deliberately expire at 12:30pm on 31st August 2004.

Thankfully this expiry date is stored in a resource within Canvas, and so
anyone with a copy of ResEdit can fix their Canvas to alter this expiry
date.

  = = = = = = =

There follows (at the above link) a ResEdit patching technique, provided by
Mr. Gough, to restore functionality until 31 August 2039.  Bob


Accounting software number issues

<"Darryl Smith" <Darryl@radio-active.net.au>>
Thu, 26 Aug 2004 11:51:00 +1000

Here in Australia, the MYOB (www.myob.com.au) Accounting software is very
popular. Like many other vendors they are also bundling services like credit
card merchant services, superannuation and the like.

When someone makes a payment you will be notified the next day by email with
a file that automatically updates your accounting file. For services like
paying my superannuation account (like a 401K), I need to send a message
authorizing the transaction from the accounting software connecting to their
server.

Today I got a notification informing me that this service will be our for
four hours on Saturday. Nothing wrong with that. Just that the footer of the
email had some of my data on in.

  Company: Radioactive Networks Pty Ltd
  Serial Number: 6.16054E+11

The serial number used to be a seven digit number until the beginning of
this year. They have now updated all numbers, increasing the number of
digits. As you can see they forgot to update their email system to handle
the long numbers correctly.

Not only have they converted to Scientific Notation, but they have also
rounded. I am just wondering where else they round their numbers.

Darryl Smith, VK2TDS POBox 169 Ingleburn NSW 2565 Australia
Mobile 0412 929 634 [+61 4 12 929 634 Intl]  www.radio-active.net.au\blog\


Another animal-caused power interruption

<Geoffrey Brent <g.brent@student.unsw.edu.au>>
Thu, 26 Aug 2004 08:59:33 +1000

This may be a new size record:

"A hydroelectric plant in Nova Scotia remained closed Tuesday after a
wayward humpback whale swam through the underwater gates connecting the
facility with the Atlantic Ocean...  The plant was shut down because
officials were concerned the whale could get trapped in its
turbine.  Canada's Fisheries Department spokesman Jerry Conway said the whale
did not appear to be in immediate danger."

http://story.news.yahoo.com/news?tmpl=story&cid=517&ncid=753&e=3&u=/ap/20040825/ap_on_re_ca/canada_whale_trapped


Privacy concern over Australian e-mail law

<"NewsScan" <newsscan@newsscan.com>>
Tue, 31 Aug 2004 07:25:20 -0700

Civil libertarians say that a proposed Australian law could allow
authorities easy access to private, stored e-mails without a warrant, giving
many new government bodies to access private e-mails, voicemail messages and
SMS messages. Under current laws, unopened e-mails can only be accessed if
they involve serious crime and only with a telecommunications intercept
warrant. If the bill is passed authorities would need only a search warrant,
or in some cases no warrant at all, according to online civil liberties
group Electronic Frontiers Australia (EFA).  [*The Australian* 30 Aug 2004;
NewsScan Daily, 31 Aug 2004, Rec'd from J. Lamp]

http://australianit.news.com.au/articles/0,7204,10613440%5E15306%5E%5Enbv%5E,00.html


Lack of sanity checking in Web shopping cart software

<Richard Kaszeta <rich@kaszeta.org>>
Fri, 27 Aug 2004 14:25:19 -0500

The Lack of Sanity Checking in Web Shopping Cart Software
or "The Story of the 1.1 Cocktail Shakers"

Recently, I was browsing the web site of a large Burlington,NJ-based
retailer, and decided to add a cocktail shaker to my shopping cart.

Due to some slightly twitchy fingers resulting from my morning coffee, I
accidentally entered the number 1.1 (instead of 1) to the the "quantity
desired" box, and found myself with a shopping cart containing 1.1 cocktail
shakers at $9.99/each, for a grand total of $10.99 plus shipping of $5
(shipping is $5/item, for a total of $5.50 for 1.1 items).  At this point
curiosity got the best of me, and I decided to check out.  To my surprise,
the site's shopping cart software never did a sanity check on the data, and
simply confirmed my order for 1.1 cocktail shakers, and I also received an
email confirmation for "Qty: 1.1."  My credit card was charged for $16.49.

Due to the atomic nature of cocktail shakers, it's obvious that at some
point something was going to have to give, and this apparently happened in
the shipping department: my "Shipping Confirmation Notice" listed the
quantity shipped as "1", but confirmed that the total charges were still
those for 1.1 shakers ($16.49) instead of the appropriate charges for a
single shaker ($14.99).  Indeed, as expected, I received a single cocktail
shaker in the mail, with a receipt for "Cocktail Shaker, Qty 1", also
listing the inappropriate price.

It was relatively easy to square the charges away, but the company's
customer service representative had to get a supervisor involved, as they
apparently hadn't seen this before.

The RISK is obvious: a lack of sanity checking on input data resulted in a
spurious order being sent through the system, with additional lack of
double-checking resulting in a discrepancy between what was shipped and what
was billed.  Months later, the error remains uncorrected, and you can still
order fractional items, with the additional risk that a dishonest customer
may be able to able to get a discount by ordering slightly less than a
single item and hope for a "roundup" when it gets shipped.

Really, it's too bad, because I was really thinking that my cocktail shaker
is a bit small, and could use another 10% of volume. :) That, or perhaps I
should buy 0.9 shakers to go with my 1.1 shakers to make a matched pair.

Richard W Kaszeta <rich@kaszeta.org>  http://www.kaszeta.org/rich

  [On the other hand, a round-down would be more consistent: Suppose you
  had ordered .99 shakers.  You probably would have been billed for .99
  shakers and received none.  Shake-ri-la.  PGN]


Correction to New Mexico, Florida, Bush & Gore

<Jeremy Epstein <jeremy.epstein@cox.net>>
Mon, 30 Aug 2004 8:15:00 -0400

At the conclusion of my note in RISKS 23.50, I wrote "Had Gore won Florida,
New Mexico's five electoral votes...".

Steve Klein pointed out that regardless of the result in New Mexico, it
wouldn't have impacted the result, and whoever carried Florida won the
election.  Specifically:

> Bush won the electoral vote by 271-266; 270 votes are needed to win.
> (There are a total of 538 electors; one abstained.)
>
> In 2000, Florida had 25 electoral votes, and New Mexico had 5.
> (Due to apportionment, Florida will have 27 electoral votes in 2004.)
>
> If Gore won Florida and New Mexico, he'd have 291 electoral votes.
> If Gore won Florida but lost New Mexico, he'd have 286 electoral
> votes.
>
> Either way, Gore would have won, and New Mexico would not have made a
> difference.

Obviously losing votes is a very bad thing, but my conclusion was incorrect.
Thanks to Steve for pointing this out.


REVIEW: "Know Your Enemy", Honeynet Project

<Rob Slade <rslade@sprint.ca>>
Tue, 3 Aug 2004 07:59:29 -0800

BKKNYREN.RVW   20040618

"Know Your Enemy", Honeynet Project, 2004, 0-321-16646-9,
U$49.99/C$71.99
%A   Honeynet Project project@honeynet.org www.honeynet.orb/book/
%C   P.O. Box 520, 26 Prince Andrew Place, Don Mills, Ontario  M3C 2T8
%D   2002
%G   0-321-16646-9
%I   Addison-Wesley Publishing Co.
%O   U$49.99/C$71.99 416-447-5101 fax: 416-443-0948
%O  http://www.amazon.com/exec/obidos/ASIN/0321166469/robsladesinterne
  http://www.amazon.co.uk/exec/obidos/ASIN/0321166469/robsladesinte-21
%O   http://www.amazon.ca/exec/obidos/ASIN/0321166469/robsladesin03-20
%P   768 p. + CD-ROM
%T   "Know Your Enemy, Second Edition: Learning About Security
      Threats"

The first edition of "Know Your Enemy" was a lot of fun, and it also
contained some valuable advice if you were brand new to the idea of a
honeypot, and wanted to get started quickly.  This second edition has taken
advantage of another couple of years in the development of honeypots and
honeynets, and provides guidance on a new generation of the technology.
More than that, it promises, and mostly provides, more detailed information
on the analytical aspects of honeynet operation, including the all-too-often
neglected topic of network forensics.  The page count has more than doubled.

I have frequently said that any book with "hack," or any variant thereof, in
the title is automatically suspect.  This work helps prove my point, first,
because the Honeynet Project members have not used the term (they refer to
attackers as blackhats), and the text also notes the problems with "exploit"
type books: they list old and known attacks, most of which are protected
against, and say nothing about the attackers and how they work.

Part one describes the honeynet.  Chapter one points out the value of
"knowing the enemy" and the history of the Honeynet Project.  Chapter two
explains what a honeypot is, leading to details on how a honeynet works, in
terms of architecture, policies, and the risks and responsibilities of
operating one, in chapter three.  Building a first generation honeynet, in
chapter four, presents specific details, although a number of concepts have
already been given.  The lessons from the early years of the project have
led to a second generation of design, which is outlined in chapter five.
Using a single machine to create a virtual network of simulated machines is
described in chapter six.  Chapter seven extends all of this into
distributed networks of machines.  A number of legal issues are discussed in
chapter eight: specific citations are primarily from US laws, but general
concepts are also examined.

Part two concerns the analysis of data collected from the Honeynet.  Chapter
nine looks at the various sources of evidence.  Network forensic ideas and
tools are reviewed in chapter ten, although the material does tend to jump
abruptly from Networking 101 to an assumption that the reader can parse
Snort captures.  Fundamentals of the data recovery aspects of computer
forensics are given in chapter eleven, leading to the specifics of UNIX
recovery in chapter twelve, and Windows in thirteen.  (These chapters
contain details of up to date tools not available in most of the standard
computer forensic texts.)  I was delighted to see that chapter fourteen
addresses reverse engineering, although only in a limited subset of the full
range of software forensics.  Chapter fifteen reiterates the sources from
chapter nine, and suggests centralized collection and management of data.

Part three explains what the project has determined about "the enemy" by the
types of attacks that have been launched and detected.  Chapter sixteen
takes a random crack at several topics related to the blackhat community: a
number of points are interesting, but few are very helpful.  A general
overview of attacks in given in chapter seventeen.  Specific attacks, and
analyses, on Windows, Linux, and Solaris are detailed in chapters eighteen
to twenty.  Future trends are projected in chapter twenty one.

The repetition of material that plagued the first edition has been cleaned
up to a great extent, although the text would still benefit from a
tightening up of the material in some chapters.  In addition, the early
examples are not thoroughly explained, making the reader initially feel that
only a firewall audit log specialist would be able to understand what is
being said.  However, as with the first edition, most of the book is written
clearly and well, and it is certainly worth reading.  In addition, the new
material definitely makes this not merely an interesting read, but something
that has the potential to be a serious reference in the forensic field.

copyright Robert M. Slade, 2004   BKKNYREN.RVW   20040618
rslade@vcn.bc.ca      slade@victoria.tc.ca      rslade@sun.soci.niu.edu
http://victoria.tc.ca/techrev    or    http://sun.soci.niu.edu/~rslade

Please report problems with the web pages to the maintainer