The RISKS Digest
Volume 23 Issue 61

Wednesday, 8th December 2004

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Please try the URL privacy information feature enabled by clicking the flashlight icon above. This will reveal two icons after each link the body of the digest. The shield takes you to a breakdown of Terms of Service for the site - however only a small number of sites are covered at the moment. The flashlight take you to an analysis of the various trackers etc. that the linked site delivers. Please let the website maintainer know if you find this useful or not. As a RISKS reader, you will probably not be surprised by what is revealed…

Contents

Group urges Government to focus on cybersecurity
NewsScan
UK "Government department wiped out by IT upgrade disaster"
Bob Heuman
Cyberspace activism
NewsScan
"Midway scare is blamed on glitch"
D. McKirahan
Defibrillator maker issues recall, goes out of business
Caleb Hess
Exploding cell phones
PGN
Air Traffic Control blacked out by rodent
D. Joseph Creighton
'Virus-throttle' software from HP
NewsScan
E-mail notification
Drew Dean
When e-commerce and poor translation meet... terrorism?
Harry Neumann
Job posting follies
Stephen Cohoon
Re: New Standards for Elections
Atom 'Smasher'
Re: new standards for elections; voting anomalies
J.E. Cripps
More on the electoral process
J.E. Cripps
Voter touch-screen no good? Here's a pen!
Joel Garry
Re: Is Windows up to snuff for running our world?
Sander Tekelenburg
Deworming the Internet: addressing computer security market failure
Douglas Barnes
Info on RISKS (comp.risks)

Group urges Government to focus on cybersecurity

<"NewsScan" <newsscan@newsscan.com>>
Wed, 08 Dec 2004 10:22:59 -0700

The Cyber Security Industry Alliance is calling on the Bush administration
to beef up its cybersecurity operations, starting with elevating the
position of national cybersecurity director to assistant secretary
level. "There is not enough attention on cybersecurity within the
administration. The executive branch must exert more leadership," says
Alliance director Paul B. Kurtz, who's a former senior cybersecurity
official in the Bush administration. Kurtz was joined by Amit Yoran, the
former director of Homeland Security's National Cyber Security Division who
resigned in September. Meanwhile, a provision in the recently passed
intelligence overhaul bill that would have raised cybersecurity's profile in
the Homeland Security Department was stripped out before passage. The
Alliance's recommendations mirror those outlined in a report issued Monday
by the House subcommittee on cybersecurity, which also calls for the
administration to consider tax breaks and other incentives for businesses
that make computer security a top priority. In addition, both groups are
urging the Homeland Security Department to take the lead in creating a
disaster recovery and response plan, should the U.S. suffer debilitating
digital sabotage.  [*The Washington Post*, 8 Dec 2004; NewsScan Daily,
8 Dec 2004]
  http://www.washingtonpost.com/wp-dyn/articles/A45622-2004Dec7.html>


Report says "Government department wiped out by IT upgrade disaster"

<"R.S. (Bob) Heuman" <rsh@idirect.com>>
Fri, 26 Nov 2004 10:23:00 -0500

This is from the United Kingdom, and I really have to wonder how anyone can
download an 'incompatible system' to 80,000 computers in this day and age.
It boggles the mind!  Recovery in a day is not shabby, either, if true.

The Department of Work and Pensions (DWP) has suffered what has been
described as the biggest computer crash in government history after a
software upgrade that is believed to have downloaded an incompatible system
throughout the entire DWP network.  The government department lost 80 per
cent of its roughly 100,000 PCs following a "routine software upgrade", a
DWP spokeswoman confirmed today.  The problem lasted all of yesterday but
the "majority of our system is up and running now", she said.  Microsoft and
EDS run the DWP's network as part of a 2-billion pound IT contract.  The
situation had apparently been largely rectified by the next day.
  [Source: Government department wiped out by IT upgrade disaster;
  Another massive computer cock-up, this time at Work and Pensions.
  http://www.techworld.com/opsys/news/index.cfm?NewsID=2695&Page=1&pagePos=2
  By Laura Rohde, IDG News Service, 26 Nov 2004; PGN-ed]

R.S.(Bob) Heuman, Toronto, ON, Canada  Independent Computer Security Consulting
Web Site Auditing for Compliance with Standards  rheuman@rogers.com


Cyberspace activism

<"NewsScan" <newsscan@newsscan.com>>
Wed, 01 Dec 2004 09:07:27 -0700

The German-based Web portal Lycos Europe is offering a screensaver program
that chokes spam servers by flooding them with junk traffic. The company
argues that what it's doing is perfectly legal, but former FCC chief
technologist David Farber comments: "You don't stop a bad thing by being bad
yourself. The idea of somebody coming and hitting you and you hitting back,
you both end up very hurt. It just aggravates an already serious problem."
And noted computer security expert Dorothy Denning, a professor of defense
analysis at the Navy Postgraduate School, points out that cyberspace
activism of the kind offered by Lycos Europe is likely to have only minimal
impact on spam because "the cost of adding extra bandwidth may be worth the
reward" that spammers get from their activities. She adds: "The interesting
question is whether or not that company [an anti-spam activist company]
might be liable under some law, and would probably be liable, certainly, at
least under a lawsuit by the spammers."  [AP 30 Nov 2004; NewsScan Daily, 1
Dec 2004]
http://www.usatoday.com/tech/products/2004-11-30-lycos-attack-spam_x.htm?csp=34


"Midway scare is blamed on glitch"

<"D. McKirahan" <dmckirahan@comcast.net>>
Tue, 23 Nov 2004 05:39:43 -0600

Errors by screeners--not random computer glitches that the federal
government previously blamed--were responsible for false alarms over weapons
that sparked the recent evacuation of Midway Airport and two other U.S.
airports, according to the Transportation Security Administration.

The confusion that led to the terminal evacuation on 15 Nov was prompted by
a hand grenade appearing on an X-ray scanner. The image of the grenade, part
of an exercise used to test screeners, should have been stored in a computer
file by a security agency staff member as part of standard procedure before
an employee shift change at the screening checkpoint, said Amy von Walter,
spokeswoman for the security agency.

Federal security officials initially said a malfunction in a software
program used to test screener performance prompted a computer-generated
image of the grenade to appear randomly on the X-ray screen. A screener
operating the X-ray scanner thought the grenade, artificially projected
inside a carry-on bag, was real.

If the screener were being tested, the grenade image would have disappeared
when the screener tapped a button on the device's console to acknowledge
seeing the item. In this case, the grenade did not vanish.
But the passenger was able to leave the security checkpoint with the suspect
bag before screeners could search its contents, leading to the evacuation
order.

[DMcK submitted two items, a week apart.  This is PGN-ed from the more
recent and more accurate.  Source: Jon Hilkevitch, Screeners blamed for
bomb scare, *Chicago Tribune*, 23 Nov 2004]
  http://www.chicagotribune.com/news/local/chi-0411230350nov23,1,4870091.story
  ?coll=chi-newslocal-hed


Defibrillator maker issues recall, goes out of business

<Caleb Hess <hess@cs.indiana.edu>>
Fri, 12 Nov 2004 13:29:55 -0500

A manufacturer of Automated External Defibrillators (AED) recently announced
a recall due to failure modes in which AEDs failed to deliver a shock when
needed, or "turned themselves on" and subsequently failed to function
(presumably due to drained batteries?). The maker claimed a failure rate of
less than one percent, although it is not clear how that figure was obtained
(many of these units are deployed in public buildings or other settings where
few of them will actually be called upon to operate).

Aside from the risk of shipping an inadequately tested product, the article
below raises some other interesting points:

The manufacturer says that no patient has died because of either failure
mode - which should be obvious, since an AED is only to be applied to a
patient who is already technically dead (pulseless).

A fire chief cites the obvious concern of carrying a piece of equipment
that may not work when needed.

An EMS director notes that, where units cannot be immediately replaced,
their removal turns a 1% probability of not defibrillating into a 100%
probability.

The AP article is at
http://cms.firehouse.com/content/article/article.jsp?sectionId=17&id=36601


Exploding cell phones

<"Peter G. Neumann" <neumann@csl.sri.com>>
Wed, 24 Nov 2004 9:30:01 PST

Exploding Cell Phones a Growing Problem;
Injuries From Exploding Cell Phones Prompt Recalls;
Bad Batteries or Chargers Often the Culprit (ABC News, AP item, 24 Nov 2004)

Safety officials have received 83 reports of cell phones exploding or
catching fire in the past two years, usually because of bad batteries or
chargers.  Burns to the face, neck, leg and hip are among the dozens of
injury reports the Consumer Product Safety Commission has received. The
agency is providing tips for cell phone users to avoid such accidents and
has stepped up oversight of the wireless industry. There have been three
voluntary battery recalls, and the CPSC is working with companies to create
better battery standards.  U.S. phone makers and carriers say most fires and
explosions are caused by counterfeit batteries and note that in a country
with some 170 million cell phone users, the number of accidents is extremely
low.   [PGN-abst]


Air Traffic Control blacked out by rodent

<"D. Joseph Creighton" <djc@cc.umanitoba.ca>>
Fri, 19 Nov 2004 10:27:30 -0600

Some local wildlife decided to get warm and intimate with power lines,
blowing a transformer, and causing a cascade shutdown of substations across
much of the city of Winnipeg, Canada.
  http://winnipeg.cbc.ca/regionalnews/caches/mb_hydro20041118.html

This left every plane in central Canada (Saskatchewan, Manitoba, NW Ontario)
flying blind for some eight minutes as YWG Center went down.  Although power
was restored after one minute — backup power also failed — the radar and
communication systems took seven more minutes to restart.
  http://winnipeg.cbc.ca/regionalnews/caches/mb_powerout20041118.html

D. Joseph Creighton [ESTP] | Info. Technologist, Database Technologies, IST
Joe_Creighton@UManitoba.CA | University of Manitoba  Winnipeg, MB, Canada, eh?


'Virus-throttle' software from HP

<"NewsScan" <newsscan@newsscan.com>>
Wed, 01 Dec 2004 09:07:27 -0700

Software engineers at Hewlett-Packard are developing "virus-throttling"
software to slow the spread of viruses and worms on the Internet by
identifying suspicious behavior. HP chief technology officer Tony Redmond
says, "Any worm or virus that depends on its ability to spread itself will
be hurt by this technology." Alan Paller, director of research at the SANS
Institute, says the overall idea "makes sense," and adds, "It's an arms
race, not a simple war. I've been hearing people talk about the notion of
throttling for a long time, and it's a spectacular idea if HP can get it to
work."  [*The Washington Post*, 30 Nov 2004; NewsScan Daily, 1 Dec 2004]
  http://www.washingtonpost.com/wp-dyn/articles/A23527-2004Nov30.html


E-mail notification

<Drew Dean <drew.dean@sri.com>>
Fri, 3 Dec 2004 13:21:22 -0800

I recently received e-mail from Southwest airlines informing me of an
e-ticket.  The only problem is that I didn't make the reservation, and it's
not for me.

While there's a Reply-To: header in the message, with the same address
as the From: header, there's a note at the bottom saying please don't
reply to this address, and the message provides no way to reach
Southwest's customer service department.

I suppose I can dig around their website, or call their general
toll-free number to try and remedy this, but why on earth don't they
include a customer service contact in their e-mail?

  [To Southwest's credit, they did NOT include a credit card number in the
  e-mail.]

Drew Dean, Computer Science Laboratory, SRI International


When e-commerce and poor translation meet... terrorism?

<bo025@freenet.carleton.ca (Harry Neumann)>
Sat, 04 Dec 2004 14:00:43 -0500 (EST)

I was recently looking to purchase some items from an online grocer
in Germany, www.lila-se.de , which offers service in both English and
German.  Everything seemed relatively straightforward until I examined
the section labelled "Shipping Cost Informations".  Zone 1 countries
and regions were listed as follows:

(from the English-language part of the site)

   Generally Shipping Costs for Delivery Zone 1 (EU)
   Zone 1 - EU(European union) Andorra, the Azores, Belgium, Denmark,
   Faeroeer (DK), Finland, France, Greece, Greenland, Great Britain
   (inclusive Isle OF one), Guernsey, Ireland, Italy, jersey, Korsika,
   Liechtenstein, Luxembourg, larva Irish Republican Army, Monaco, the
   Netherlands (Holland), Northern Ireland, Austria, Poland, Portugal,
   San Marino, Sweden, Switzerland, Slowakei, Spain (inclusive Balearen),
   Tschechien, Vatikanstadt.

vs. the German version (listed under "Versandkosten")

   Zone 1 - EU (Europäische Union) Andorra, Azoren, Belgien, Dänemark,
   Färöer (DK), Finnland, Frankreich, Griechenland, Grönland,
   Großbritannien (inklusive Isle of Man), Guernsey, Irland, Italien,
   Jersey, Korsika, Liechtenstein, Luxemburg, Madeira, Monaco,
   Niederlande (Holland), Nordirland, Österreich, Polen, Portugal, San
   Marino, Schweden, Schweiz, Slowakei, Spanien (inklusive Balearen),
   Tschechien, Vatikanstadt.

Note the entry in the English-language page: "larva Irish Republican Army",
between Luxembourg and Monaco. This is definitely a puzzle until one looks
at the corresponding entry on the German page: Madeira.  What presumably has
happened is that the word "Madeira" has beeb split in two for some reason,
becoming "Made" and "ira".  Then "Made" was translated, becoming "larva",
whereas "ira" was not translated but expanded to become "Irish Republican
Army.".  (Why other place names were not subjected to this treatment remains
a mystery).

Three risks (at least):

1) The usual hazards of doing a literal, contextless translation, magnified
   by an unexplained parse-split-translate procedure, leading to a result
   that, in this case, can be described without exaggeration as "weird" (not
   to mention inaccurate).

2) That a potential customer will see these idiosyncratic translations and
   assume that they're just the tip of the iceberg in terms of sloppiness,
   and take his or her business elsewhere.

3) While no reasonable person will see this site as "terrorist-related"
   there's a real risk that blocking software could spot the phrase "Irish
   Republican Army", and categorize this site as "Political
   Extremism-related", for no evident reason.  The RISKS to even cautious
   web-surfers living under authoritarian regimes, of accidentally viewing
   "Political Extremism" sites need no further explanation.


Job posting follies

<Stephen Cohoon <risks@cohoon-tx.com>>
Mon, 29 Nov 2004 17:15:25 -0600

While perusing some job posting web sites I found an interesting commentary.
I suspect the comments are intended for either in-house or external
recruiters who just posted it using select-all copy & paste resulting in
text that probably was not intended for public view.  Particularly the set
of competitors to raid.

  Required: C Plus Plus; Perl; Network Protocols; Linux; TCP/IP; Yes I will
  notify you guys in the case that anything else even gets warm. Right now I
  don't even have any other recruiters working on this but that may change
  by the end of the week. Companies to Pinpoint Recruit from include: <List
  of competing companies> (my former boss at <one of the competitors> is now
  the VP of Engineering here)


Re: New Standards for Elections (RISKS-23.59)

<"Atom 'Smasher'" <atom@suspicious.org>>
Wed, 10 Nov 2004 02:06:21 -0500 (EST)

> 7. Accurate and transparent voting roll purges.

or doing away with purges... if convicted felons are allowed to write the
proprietary software that the machines run and manage the company that
manufactures the machines
<http://www.blackboxvoting.com/modules.php?name=News&file=article&sid=132>,
then convicted felons should be allowed to use the machines.

> 11. An end to minority vote suppression, disenfranchisement, harassment,
> dirty tricks.

to a large extent, it can be argued that purging voters *is* a form is
suppression, disenfranchisement, harassment, and dirty tricks. purging
felons from voting roles was devised as a "jim crow" law, and it can be
argued that jim crow is still proud of it.

this article
<http://www.heraldtribune.com/apps/pbcs.dll/article?AID=/20040708/COLUMNIST36/407080376>
points out how the purge can be used as a precision weapon in the war
against democracy.


Re: new standards for elections; voting anomalies (RISKS-23.59)

<"J.E. Cripps" <cycmn@nyct.net>>
Wed, 10 Nov 2004 04:59:04 -0500 (EST)

Regarding the summary of the NYT editorial, I do not see any requirement
that voters be citizens of the U.S. or any identification requirement.
  [Citizens, yes.  That is understood.  Identification? It varies from
  place to place, and is seriously abused in some, one way or the other.
  PGN]

Appalled as I am at the allegations regarding the 2004 elections,
I do  not think that these .orgs address all the anomalies.  For example:

Laying the Groundwork: A Study Of Voter Registration In Missouri
http://cf.townhall.com/linkurl.cfm?http://www.centerforethics.org/VoterRegistrationStudy.htm

Moreover, a more fundamental threat was not addressed in the editorial at
all.  Both parties are at fault here, recalling the Bush amnesty:

Carrying out the Mandate: Get Borders and Illegal Immigration Under Control
http://cf.townhall.com/linkurl.cfm?http://www.humaneventsonline.com/article.php?id=5718

As PGN stated in an earlier issue of RISKS:

  [including] the actual casting of ballots and the creation, evaluation,
  certification, testing, and maintenance of voting equipment.  But it also
  includes the _registration of voters; identification, authentication, and
  challenging of voters_; creation of the actual appearance of ballots and
  setting up the voting machines; distribution and handling of ballot and
  polling-place information, absentee ballots, and especially provisional
  ballots; processing of ballots; tabulation and collection of results; and
  proper assurance that voters' ballots are treated with adequate respect
  for privacy — along with oversight of each of the steps in the entire
  process.  comp.risks 23.58, November 4, 2004, (emphasis added)

Many of these are not matters of technology (rushing a polling place in the
last minutes) but surely fall within the ambit of comp.risks.  But if either
major party has consistently addressed any of these, I've missed it.

I find  the Democratic inattention to the deficiencies of the 2004
technologies  before election very perplexing.

Appalling as the allegations which have appeared in sources quoted on this
list are (some of which find corroboration in the RISKS archives), I am
afraid that the proposals, laudable as many of them are, in the NYT
editorial insufficient.


More on the electoral process

<"J.E. Cripps" <cycmn@nyct.net>>
Wed, 10 Nov 2004 05:10:40 -0500 (EST)

Here's another longstanding anomaly:
Nearly 50,00 duplicate registrations: Florida Redux?
http://www.eagleforum.org/column/2004/oct04/04-10-27.html

Here's a Republican warning about technological deficiencies, in May:
Don't Let Judges Jimmy Elections
http://www.eagleforum.org/column/2004/may04/04-05-12.html

The most serious risk: The Scam of Voting by Noncitizens and Felons
http://www.eagleforum.org/column/2004/aug04/04-08-18.html
If this isn't fixed, the system will be broken.

More predictions of the current debacle, from someone with
first-hand experience as a local office candidate:
http://www.NewsWithViews/Devvy/kidd72.htm

Mark my words: We will never know the true vote count next month no matter
how many times the ballots are run through a machine or how many lawsuits
the Democrats file against the Republicans and visa versa. ...

As someone who has run for public office, put their whole heart into the
effort, along with all the volunteers and the financial generosity of so
many, I would rather have waited four or five days for a real vote count
than be cheated. I don't want election results at the speed of a button, I
want a true vote count. ...

A must is to get rid of the insidious Motor Voter Law of 1993. All states of
the Union must purge their voting rolls and start over from scratch. There
is a two year period between elections. That's more than enough time for
anyone who has a real desire to vote, to obtain a certified birth
certificate and personally get down to the county clerk's office to
register. If someone can't find those few minutes over a two year period,
then fine, keep them out of the voting booth.


Voter touch-screen no good? Here's a pen!

<"Joel Garry" <joelgarry@anabolicinc.com>>
Mon, 8 Nov 2004 17:26:09 -0800

As I write this, the extremely close vote for mayor of San Diego is still up
in the air.  From
  http://www.signonsandiego.com/uniontrib/20041107/news_1m7frye.html :

"But she clearly benefited from the unusual technical aspects of this
election.  Because of problems in the March primary with a touch-screen
voting system, the county shifted to optical-scan ballots, which required
voters to fill in bubbles next to their choices. That meant all voters were
handed a pen when they got their ballot, a remarkable turn of luck for
Frye."

This highlights a risk of computerized voting: More difficult to write in a
candidate, and conversely, if a fallback system is used, that can stimulate
a change in vote.  Also, the web page that shows the results
http://www.sdcounty.ca.gov/voters/Eng/Eindex.html is a bit difficult to
figure out the vote tally, whoever wrote it didn't seem to consider the
possibility of a write-in - so there is a separate link to see the slowly
increasing Frye vote, as opposed to the regular candidates and "write in."


Re: Is Windows up to snuff for running our world? (Bean, RISKS-23.59)

<Sander Tekelenburg <tekelenb@euronet.nl>>
Tue, 9 Nov 2004 22:29:56 +0100

> Apple is missing out on a huge market here by not allowing their OS to run
> on other vendors' hardware. Nobody's going to buy a Mac to run an ATM or a
> cash register, but they might buy the OS if they thought it would work
> better.

Apple being wrong about not letting their OS run on non-Apple hardware is an
age-old argument. The age-old counter argument is that part of the quality
of Apple's OS is the fact that Apple controls the hardware. That gives them
an enormous advantage when it comes to guaranteeing some level of quality to
customers. Without it, when Mac OS X would have to run on any (and *cheap*)
third-party hardware, Apple cannot guarantee the hardware quality, customers
with crappy hardware will blame Apple for problems, Apple loses its name of
offering quality products.

If you want quality, you need to be willing to pay for it. It's that simple.
It seems Apple understands that.

Of course that doesn't mean some enterprising bank could not try to get
Apple interested in working together on building ATM hardware running Mac OS
X.  Steve Jobs might like the challenge. But it seems to me that something
like Mac OS X is way overkill for an ATM machine... Possibly Darwin. But
then there's other BSDs too to choose from.

Sander Tekelenburg, <http://www.euronet.nl/~tekelenb/>


Deworming the Internet: addressing computer security market failure

<"Douglas Barnes" <salguod@mail.utexas.edu>>
Sat, 20 Nov 2004 10:38:15 -0600

I thought RISKS folks might be interested in a paper I've written which is
just now available on SSRN.  In part it's a response to the periodic calls
for "liability" (notably from Bruce Schneier) as a mechanism for solving
computer problems.  The upshot is that I think Bruce is right that there is
a need for a regulatory response, but that extending, say, tort liability to
software would be a disaster.  In addition to my more complicated law &
economics argument for why this is, I point out in passing that ordinary
tort liability could crush open source software, which has the potential to
act as a positive force in addressing the underlying market failure.

Douglas Barnes  http://www.salguod.com

Abstract:

Both law enforcement and markets for software standards have failed to solve
the problem of software that is vulnerable to infection by
network-transmitted worms. Consequently, regulatory attention should turn to
the publishers of worm-vulnerable software. Although ordinary tort liability
for software publishers may seem attractive, it would interact in
unpredictable ways with the winner-take-all nature of competition among
publishers of mass-market, internet-connected software. More tailored
solutions are called for, including mandatory "bug bounties" for those who
find potential vulnerabilities in software, minimum quality standards for
software, and, once the underlying market failure is remedied, liability for
end users who persist in using worm-vulnerable software.

http://papers.ssrn.com/abstract=622364

Please report problems with the web pages to the maintainer

x
Top