The Risks Digest

The RISKS Digest

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Volume 23 Issue 72

Thursday 17 February 2005


Missile interceptor doesn't even leave its silo -- again
Jeremy Epstein
Report on Patriot missile friendly fire over Iraq
TCAS RA incident
Martyn Thomas
Scammers access ChoicePoint data on 35,000
Matt Hines via Monty Solomon
Trees with concealed GSM antennas
Dan Jacobson
German TollCollect charges double
Debora Weber-Wulff
Wife broke law in using spyware
Gas stations lose money due inadvertent low pricing
Arthur T.
'Smart' driver's licenses a Trojan horse?
"The Mother is Back!" Announcing "DayThink" Audio Features
Lauren Weinstein
Limits of search-and-replace
Mike Albaugh
I may know who handles Personal Certs at thawte
Ed Bruce
Malware and Auto Electronics
Peter B. Ladkin
Re: More uses of satnav/GPS
Paul E. Bennett
New copy-proof DVDs on the way?
John Borland via Monty Solomon
Re: The risk of high-speed CD/DVD-rom drives in PCs
Eben King
Jonathan Smith
Info on RISKS (comp.risks)

Missile interceptor doesn't even leave its silo -- again

<Jeremy Epstein <>>
Mon, 14 Feb 2005 21:06:17 -0500

As reported in RISKS 23.65 and 23.66, the Dec 15 test of the missile
interceptor system failed when it didn't lift off from the launchpad due to
a timing problem.

The 14 Feb test didn't do any better.  CNN reports that "a spokesman for the
[Missile Defense] agency, Rick Lehner, said the early indications was that
there was a malfunction with the ground support equipment at the test range
on Kwajalein Island in the Marshall Islands, not with the missile
interceptor itself.  If verified, that would be a relief for program
officials because it would mean no new problems had been discovered with the

That's good news?

In case you're keeping score, that's 6 failures out of 9 attempts since the
program started.  And the three "successes" have been highly scripted.

Your tax dollars at work (at least for Americans).

Report on Patriot missile friendly fire over Iraq

<"Peter G. Neumann" <>>
Mon, 14 Feb 2005 11:39:40 PST

Nathan White was piloting a Navy plane at 33,000 feet over Iraq on 2 Apr
2003.  He was shot down by a US Patriot missile.  The summary of a report
released on 10 Dec 2004 concludes that White's plane was mistaken for a
nonexistent hostile missile, and that the Patriot's proper launch procedures
were violated.  However, a redacted version of the report notes the Army's
difficulties in using the Patriot system, including gaps in crew training
and frequent appearance of false tracks (which in past RISKS items are
referred to as ghosts).  "The issues show the unintended dangers that
computerized weapons systems can pose, and the need for better human
oversight."  [Source: Palo Alto *Daily News*, 9 Feb 2005, p. 25; PGN-ed]

TCAS RA incident

<"Martyn Thomas" <>>
Sun, 13 Feb 2005 16:41:09 -0000

The latest CHIRP Feedback contains an interesting report. Two aircraft
crossed with 1000 feet vertical separation in UK airspace. The higher
aircraft had a (known) faulty transponder that was reporting 500 ft lower
than actual, so the crossing caused a TCAS resolution advisory to descend in
the lower aircraft. The crew of the lower aircraft point out that if the
faulty transponder had read 1500 feet low, the Advisory would have said
"Climb" and they would have climbed into the other aircraft.

Scammers access ChoicePoint data on 35,000 (Matt Hines)

<Monty Solomon <>>
Tue, 15 Feb 2005 11:20:34 -0500

[Source: Matt Hines,, 15 Feb 2005]

ChoicePoint confirmed on 15 Feb that criminals recently accessed its
database of consumer records, potentially viewing the personal data of about
35,000 Californians and resulting in at least one case of identity fraud.
The unidentified individuals posed as legitimate businesspeople in order to
breech its defenses.  Chuck Jones, a company spokesman, said that roughly 50
fraudulent accounts were set up by the schemers, through which they could
view the data of California residents.

News of the crime first surfaced when ChoicePoint sent an e-mail to
individuals potentially affected by the attack last week.  Among the data
available through the company's services, and possibly accessed by the
criminals, are consumers' names, addresses, Social Security numbers and
credit reports.

Trees with concealed GSM antennas

<Dan Jacobson <>>
Wed, 16 Feb 2005 00:47:06 +0800

"The product used in Palm antennas is formed by the tree itself and the

  GSM base stations are camouflaged in specially preserved palm trees, with
  antennas that look like palm fronds with internal steel-bar reinforcements
  for structural rigidity, and with cable works inside the trunk.  [PGN-ed]

I suppose the risk here is assuming the plants aren't doing anything

  [They won't be doing much by themselves after they've been eviscerated.
  But they could serve other purposes as well.  This is another variation on
  an old theme, so we'll add it to our Fronds List.  PGN]

German TollCollect charges double

<Debora Weber-Wulff <>>
Thu, 17 Feb 2005 18:22:23 +0100

The Berlin daily Newspaper "Berliner Zeitung" keeps beating
up on the German TollCollect system.
[Note, the author is Peter Neumann, but not PGN!]

On Feb. 16, 2005 they report on a trucking company who was charged for the
same truck at the same time for two different pieces of Autobahn, while a
short time later they were charged for driving on some street that is not a
toll road. The winning charge is for going from Kurt-Schumacher-Damm to
Saatwinkler Damm (about 1.5 km as the crow flies) to the tune of 49
kilometers.  According to the booking list the truck drove around town twice
and used the Avus, apparently turning on the autobahn to continue
.... [Maybe these are the same folks that programmed the MSN map from
Haugesund to Trondheim in Norway, via the continent - dww]

On Feb. 17, 2005 they have a nice report about how easy it is to jump paying
for the toll.

It seems that there are just 300 of these bridges that are controlling
bridges, the rest are just for calculating the fare. And the specifications
say that a 10% check is done, so there are only ever 30 of them on at a time
because the machines do the checking but human intervention is necessary to
flag down a toll jumper. In addition to which, the mobile checkers only work
day shifts, while a lot of trucking takes place at night. A federal trucking
organization took some test drives at night in the East to see if they got
hooked - negative. So here we have all this expensive technology and these
ugly bridges, and it still doesn't really work.

Prof. Dr. Debora Weber-Wulff  FHTW Berlin, Internationale Medieninformatik
10313 Berlin  +49-30-5019-2320

Wife broke law in using spyware

<"NewsScan" <>>
Wed, 16 Feb 2005 09:42:15 -0700

A Florida appeals court has ruled that a suspicious wife, who installed
spyware on her husband's computer to secretly monitor and record his
electronic interactions with another woman, violated Florida's wiretapping
law. The law says anyone who "intentionally intercepts" any "electronic
communication" commits a criminal act. The wife had argued that her use of
Spector spyware should be viewed as similar to reading a stored file on her
husband's computer. But Judge Donald Grincewicz wrote that "because the
spyware installed by the wife intercepted the electronic communication
contemporaneously with transmission, copied it and routed the copy to a file
in the computer's hard drive, the electronic communications were intercepted
in violation of the Florida Act."  [CNet 15 Feb 2005; NewsScan
Daily, 16 Feb 2005]

Gas stations lose money due inadvertent low pricing

<"Arthur T." <>>
Sun, 13 Feb 2005 18:59:06 -0500

A (presumably self-service) gas station went all night with gas priced at
$.19/gallon instead of $1.83/gallon.  The owner didn't know about it until
reporters asked him about the low price.  He corrected the price only after
1200 gallons had been pumped.

It was blamed on a "computer glitch", but could easily have been a
data-entry error.  The article mentions another case of a misplaced decimal
point in gas pricing.

The Risks are more human than computer.  If you're going to leave the gas
station unattended, double-check your prices.  (Although, I admit, it would
be nice to have the computer sanity-check your price.)  Note: The article
doesn't say the station was unattended during the time the low price was in
effect, but I don't want to believe that any attendant could have let this

URL of story (beware of line-wrap):

'Smart' driver's licenses a Trojan horse?

<"NewsScan" <>>
Mon, 14 Feb 2005 10:42:11 -0700

A move by Congress to endorse a Republican-backed measure that would compel
states to redesign their driver's licenses by 2008 to comply with standards
for making them electronically readable has critics questioning government's
motives, saying it gives the Department of Homeland Security carte blanche
to do nearly anything "to protect the national security interests of the
United States." Rep. Ron Paul (R-Texas) says, "Supporters claim it is not a
national ID because it is voluntary. However, any state that opts out will
automatically make nonpersons out of its citizens. They will not be able to
fly or to take a train." Proponents of the Real ID Act say it reflects the
recommendations of the 9/11 Commission and will help in the battle against
terrorism and efforts to identify illegal immigrants.  But Paul says, "In
reality, this bill is a Trojan horse. It pretends to offer desperately
needed border control in order to stampede Americans into sacrificing what
is uniquely American: our constitutionally protected liberty."  [CNet 14 Feb 2005; NewsScan Daily, 14 Feb 2005]

"The Mother is Back!" Announcing "DayThink" Audio Features

<Lauren Weinstein <>>
Tue, 15 Feb 2005 22:49:47 -0800 (PST)

Greetings.  I'm pleased to announce "DayThink" -- a new series of very brief
(one-minute) MP3 audio features illuminating a wide range of relevant and
important topics.  Each day's feature will focus on one specific issue
affecting our lives -- issues definitely worth thinking about.  Many of
these segments will deal directly with the impacts of technology on
individuals and society.

DayThink features can be accessed via the DayThink main page at:

The debut segment is titled:
  "The Mother is Back!"

and looks at the current round of telecom mergers and what they may mean for
us all.

A notification mailing list has been established that will send out a brief
message to subscribers as each new feature becomes available (never more
than one per day), including the segment title, a brief description, and a
link to the feature audio itself that can be played at one's leisure.

Subscriptions to that list can be established via:

or by simply sending a note (no subject or body necessary) to:

I hope that these features will be of some value in helping folks wade
through the maze of many important issues.

Thanks very much.

Lauren Weinstein
1 818-225-2800 Fact Squad -

Limits of search-and-replace

<Mike Albaugh <>>
Mon, 14 Feb 2005 14:33:40 -0700

I dug a few nifty Alphanumeric displays out of the scrap bin, and wanted to
use them in a sculpture.  A few minutes searching on the web produced a
datasheet and application-notes for a plausibly similar device, but were I
too literal, I'd be perplexed.

The application-note claims that the sample code scrolls "AGILENT
TECHNOLOGIES" across the display, but the 8741 sample source code does not
include a general-pupose character generator and literal string. Rather,
there is a table of hexadecimal values, each row encoding the pixels of one
character.  The end-of-line comments confirm the suspicion that a glance at
the table raises. Had I actually copied this code, I would see "HEWLETT

The RISK here is only one of embarrassment, but imagine this sort of thing
happening in code for a device (e.g. many PC graphics cards) which uses
manufacturer's name or model number as a "key" to enable operation.

I may know who handles Personal Certs at thawte

<Ed Bruce <>>
Wed, 16 Feb 2005 10:46:01 -0500

My personal e-mail cert from thawte is expiring soon.  Thawte sent me an
e-mail informing me of this containing "links" to their web page on how to
extend it.  Problem is I forgot my password and clicked on a link provided
to help me recover my password.  It didn't work.  I'm using Mozilla
Thunderbird, which displays the actually link at the bottom of the display.
This is what I saw:

  file:///C:\Documents and Settings\jwolvaardt\Local Settings\Temporary
  Internet Files\Local Settings\Temporary Internet Files\OLK3C\Expiring
  personal Certs March.doc

I guess you don't need to just post Word documents to reveal information.

Malware and Auto Electronics (Klashinsky, Risks 23.370)

<"Peter B. Ladkin" <>>
Sun, 13 Feb 2005 08:14:49 +0100

Karl Klashinsky reported in Risks 23.70 about:

  a case where the on-vehicle software is corrupted by a virus, inserted
  into the automobile's computing systems, via a blue-tooth enabled

and suggested the scenario:

  As this vulnerability becomes known in the cracker community, how long
  before someone tailors a virus specific to a vehicular target -- perhaps
  creating runaway-vehicle scenarios similar to the "faulty cruise control"
  incidents reported here in RISKS.

Interestingly, a day before I had been pointed to an article in a South
African newspaper about just such a migration, and there was also something
about viruses spreading from cell phones to cars in an article in the
*International Herald Tribune*, which I read daily.

There is a wonderful cartoon from the German computer magazine *c't* pinned
to my group's noticeboard. A passenger is sitting in an airliner using his
laptop, and on the screen appears:

  Bluetooth: new device found: Airbus A310

In one journal it's a cartoon, and in the other journal it's news.  What's
going on? I made some inquiries.

The punch-line first. Ross Anderson pointed me to
which reports on someone asking Eugene Kaspersky of Kaspersky Labs about how
to cure a virus that ``infected the onboard computers of automobiles Lexus
LX470, LS430, Landcruiser 100 via a cell phone.''  Apparently there are some
communicating systems on board those cars which use Symbian (one of the
mobile-phone OS's) and are bluetooth-enabled, and Kaspersky conjectured that
this could be a infection route. The article, from Donald Melanson, suggests
that it is not clear whether this has actually happened or not.  The South
African article, and the other articles besides the IHT mentioned Kaspersky
Labs, so this seems to be the source of the "news".

The IHT commented on a document issued Wednesday by IBM Security
Intelligence, the Security Threats and Attack Trends Report, which said:

  Beware viruses that spread to cellphones, hand-held computers, wireless
  networks and embedded computers that are increasingly used to run basic
  automobile functions

Nothing much there.

Ross also told me of a discussion at the Electronic Security in Cars
conference about a (different) major car company which used a T39 mobile
phone with a linux card running Apache for managing over-the-air software
upgrades in some high-end models.

So it seems as if two car companies use GSM communication over OTS
communicators for some on-board systems. Obviously those systems *could* be
infected by viruses targeted to those devices, and someone asked Kaspersky
about it. That it has actually happened is questionable; that it could
happen is not, for those systems, for those cars.

What is there to say about likelihoods? Let me restrict myself to critical
systems (chassis, especially brakes and steering; and engine control). Nav
systems and in-car entertainment are not critical.

First, the critical on-board systems people (chassis systems, engine
systems) build separate systems from others on-board. If they use common
busses, those busses (usually CAN, about to become FlexRay or TTP) are
hard-real-time and the architectures are explicitly designed to inhibit
inter-application interference. The critical systems themselves are
hand-designed, often hand-coded, running on small processors built for
hard-real-time systems use, although they may migrate to special-purpose
OS-based SW in the future. There are many such systems, they are all
different from each other at present, and they are proprietary. You can't
easily get a copy to play with, just as you can't easily get a copy of
Airbus critical-system code to play with. It may be even harder, since the
companies are all in heavy competition with each other for their continued
existence (see below) and they are aware of industrial theft and sabotage

I don't know of any such system which installs upgrades over standard mobile
phones. There may be some, but the people I deal with on critical systems
are all more or less aware of security issues.  Furthermore, at least in
Germany, such systems in the future will have to demonstrate that they have
been developed according to the precepts of the IEC 61508 standard on
functional safety in E/E/PE systems (roughly, systems which use programmable
electronic components). That standard explicitly covers maintenance, and it
does not condone upgrading critical systems using OTS communication channels
vulnerable to known security problems such as malware transmission.

Which doesn't mean that no one is going to try it. But it does suggest that
such an effort would not last long, would end in tears, and would preclude a

Why would it end in tears? Well, few people have remarked it so far, but
auto manufacturers are at the sharp end of progress in SW safety and
reliability (components of dependability). A model such as the Ford Focus
sells a million cars a year. Each of those cars can be expected to drive
300-500 hours a year, and the cars themselves are standardly taken to have a
3-5 year service lifetime. So one model-year alone can be expected to
accumulate between 9 x 10exp8 and 2.5 x 10exp9 hours of service. Add to that
that systems for such cars are often built by component manufacturers such
as Bosch, who install that system or closely similar systems in other cars
also, and you are looking at attempting to attain an actual dependability of
the order of one critical failure in 10exp10 hours of service.

In aerospace, taken by many to be the industrial pinnacle of critical
systems engineering, single-point-of-failure critical systems are built to a
nominal standard of one catastrophic failure (loss of the airplane) in
10exp9 operational hours. And that is notional; it is intended to be higher
than the cumulative service life of the entire model fleet. Whereas the
10exp9 to 10exp10 operational hours in automobile electronics is actual.

Now, nobody actually knows how to manufacture SW that is guaranteed to be
that dependable (that is, one may achieve it, but one cannot know or prove
that one has done it). Current limits (through exhaustive testing of the
final product) seem to be about 10exp5 operational hours.  That is the
theoretical limit of certainty through practical testing (Bayesian
calculations by Littlewood and Strigini). People are scratching their
heads. Heavily. And occasionally asking me and my colleagues to scratch

Serious problems are occurring. Each problem will lead to a recall, and I am
told that a minimal cost for a recall (SW upgrade, for example) is EUR 50
per auto (Mike Ellims, Pi Technology, personal communication).  Mercedes
recently had to recall 600K autos for a brake-system SW upgrade (a counter
that they thought would not run over between services did, in two instances,
and they had to recall all cars with that SW). We could thereby reckon that
that cost EUR 30 million, or thereabouts. Given that profit margins amongst
those manufacturers that actually do make a real profit are in the low USD
10exp8 region, if that high, a single recall cuts seriously into profit.

(According to the Economist's survey of 4 September 2004, at which cites a
study by Maxton and Wormald for Goldman Sacks entitled "Time for a Model
Change", there are only only 8 car companies above the curve of
cost-of-capital versus revenue per unit, namely Porsche, Nissan, Honda,
Toyota well above, and Mercedes, BMX, PSA and Hyundai barely making it

Recalls are not the only cost. There is also the cost of recompensing
the victims of accidents in which system malfunction was a causal factor.

So there is plenty of motivation to make auto critical electronics the most
dependable SW-based systems the world has ever seen. We are a long way from
it, but I don't think we are going to be seeing critical systems upgraded
through gratuitously insecure channels. Except for the exceptions, of

If I were to bet today, I'd bet on the cartoon staying a cartoon.

Peter B. Ladkin, University of Bielefeld, Germany

Re: More uses of satnav/GPS (Magda, RISKS-23.71)

<"Paul E. Bennett" <>>
Sun, 13 Feb 2005 11:20:16 +0000

It seems that some solutions have more "sex appeal" than others and hence
get considered for adoption over and above obviously saner solutions.

In respect of trains, as they run on rails, it should be very easy to use
the trackside equipment and links to the train to determine that the train
is where it should be at that moment in time.  It is not as though the
trains will be running off the tracks at any time during its journey (unless
derailed of course in which case it is definitely going to be late).

Paul E. Bennett
Forth based HIDECS Consultancy Mob: +44 (0)7811-639972

New copy-proof DVDs on the way? (John Borland)

<Monty Solomon <>>
Tue, 15 Feb 2005 11:23:55 -0500

Macrovision is expected to release a new DVD copy-protection technology
Tuesday in hopes of substantially broadening its role in Hollywood's
antipiracy effort.  The content-protection company is pointing to the
failure of the copy-proofing on today's DVDs, which was broken in 1999.
Courts have ordered that DVD-copying tools be taken off the market, but
variations of the software remain widely available online.
[Source: John Borland,, 14 Feb 2005]

Re: The risk of high-speed CD/DVD-rom drives in PCs (RISKS-23.71)

<Eben King <>>
Sun, 13 Feb 2005 11:29:31 -0500 (EST)

You quote Drew Dean as saying: "I believe programs such as Exact Audio Copy
(EAC) do slow down the drive, and most CD/DVD burning software can write at
slower speeds, but I'm not aware of any interface to tell an OS to always
slow down reading."

"Nero CD-DVD Speed" makes the maximum speed of the CD/DVD drive lower.  I
use it on my DVR to quiet down (and prevent the "spin up - fill up cache -
play from cache - spin down" cycle) to slow down my 52x drive to 8x or so.

  [Also noted by David DiGiacomo and by Serguei Patchkovskii (who also
  provided a URL
  and advice for Linux users: you already have the needed tool installed.
  At the command line, to get 4x CD-ROM speed,
    eject -x 4 /dev/cdrom

Re: The risk of high-speed CD/DVD-rom drives in PCs (RISKS-23.71)

<Jonathan Smith <>>
Tue, 15 Feb 2005 12:16:44 -0500 (EST)

I know that for years Plextor CD rom drives have come with a windows taskbar
utility that allows the user to force the drive to run at a lower speed
along with adjusting other settings.

I ended up needing to use this utility on occasion with the then extremely
high-speed 12x CD-Rom drive I owned.  CDs built for 1x or 2x drives,
including my copy of Windows 95 would vibrate so much in a 12x drive at full
speed that the computer case would also vibrate and no data could be read.

Forcing the drive down to 4x would fix the problem.

Please report problems with the web pages to the maintainer