The RISKS Digest
Volume 23 Issue 9

Tuesday, 23rd December 2003

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Please try the URL privacy information feature enabled by clicking the flashlight icon above. This will reveal two icons after each link the body of the digest. The shield takes you to a breakdown of Terms of Service for the site - however only a small number of sites are covered at the moment. The flashlight take you to an analysis of the various trackers etc. that the linked site delivers. Please let the website maintainer know if you find this useful or not. As a RISKS reader, you will probably not be surprised by what is revealed…

Contents

Rotorouted New Year's greeting?
PGN
Loss of bus braking due to nearby illegally modified transceivers
Chiaki Ishikawa
"Openness" in Government
Identity withheld by request
GuineTel seeks ways of clamping down on scam fraud
Patrick O'Beirne
AOL now filtering based on whether they like embedded URLs
Stever Robbins
Guilt by technology
Dawn Cohen
Murphy's Law
Mark Brader
Important article on origins of Murphy's Law
Doug Mink
Re: Railroad accident results from deactivated crossing gates
Geoff Kuenning
Re: Proper understanding of "The Human Factor"
Merlyn Kline
Poor writing is the problem, not PowerPoint
Paul A.S. Ward
Re: Diebold ATMs & Nachi worm; you ain't seen nuttin' yet!
Richard I Cook
Re: Diebold ATMs hit by Nachi worm
Tim Panton
Re: Voter information up for grabs
David E. Ross
Re: Online issue of civil claims
Robin Crorie
Info on RISKS (comp.risks)

Rotorouted New Year's greeting?

<"Peter G. Neumann" <neumann@csl.sri.com>>
Tue, 23 Dec 2003 14:07:42 PST

Yesterday I decided to schedule in advance our annual home sewer cleanout
derootification for 8 Jan 2004, to get the first call in the morning on the
day that our yearly guarantee expires.  The dispatcher assured me that would
be fine and that they would call the day before to confirm.  An hour later I
received a call from the plumber saying that he would arrive in 10 minutes,
and apologizing for taking so long!

You probably guessed what happened.  The dispatcher put the order in for 8
Jan assuming that their scheduling system would infer 2004.  But the system
coerced the year to 2003, and it was treated as an urgent request (that had
not been filled in 11.5 months).

Happy New Year!


Loss of bus braking due to nearby illegally modified transceivers

<Chiaki <ishikawa@yk.rim.or.jp>>
Sun, 21 Dec 2003 09:51:41 +0900

It has been reported widely in the Japanese press that electromagnetic
interference caused by illegally modified transceivers on trucks is
suspected of causing two accidents by disabling the braking system of
commuter buses.

Mitsubishi Fuso Truck & Bus Corporation announced that two models of its
buses are adversely affected by high-powered EMI from short distance and its
braking system may not function properly under such conditions.
Specifically, its breaking system that detects the wheel-locking condition
falsely triggers due to the EMI and thus the brake doesn't work as intended.

Two accidents were reported last year where the bus drivers reported that
the brake suddenly stopped working. However, after the police investigation,
no visible malfunction was found.

The manufacturer continued investigation and found that high-powered radio
signals emitted by a nearby transceiver (illegally modified and thus
1,000-10,000 as strong as permitted by law for such transceivers) can
interfere with its braking control unit, resulting in false information that
the wheels locked due to braking.  Upon this false information, it seems (my
interpretation from what I read various reports) that the control unit
decided to release the brakes, and thus caused unintended loss of braking.

It is not known whether such illegally modified transceivers were present
nearby in two accident cases.  But in other two instances where loss of
braking was observed, the bus drivers saw suspicious trucks nearby.

The company could reproduce the condition in live experiments, and it will
refit the 2200+ cars by replacing the control unit, sensors, pipes, circuit
harness, etc.  I think the company should be commended for its continued
investigation after the accidents.

I have personally noticed voices of presumably truck drivers whose
transceiver must have been modified to generate enormous amount of power
from my audio equipment over the years. (Remember the CB radio craze of
1970's?)  But this is the first time such strong emission is linked to
real-world accidents.  [I don't think so.  We had CB interference knocking
out cruise controls long ago.  PGN]

The warning that I see and hear on airplanes during landing and take off is
no longer a remote worry.  I should be glad that most air runways seem to
have enough distance from the nearby highway.

As we depend on computers and sensors for better control of *everything*
such as cars, home appliances, the malfunctions due to external EMI must be
considered carefully, but I suspect that only the military agencies who have
tried to harden the fighter planes and such against the EMI caused by
nuclear blasts have the technical knowhow or mentality to cope with such
problems caused by unusually and possibly illegally high-powered EMI.

(Yes, I know that the FCC regulations and similar usually protect the
ordinary home appliances against the run-of-the-mill EMI from computers,
etc.  However, I doubt that electronic home appliance makers are ready to
tackle the above the normal, high-powered emission caused by illegally
modified transceivers. And they are a real threat along busy traffic route
today.  I hate to see various home appliances behave erratically every time
a truck with such a transceiver passes by.  Or for that matter, a whole
field filled with tiny sensors blown by a strong zap of an illegally
modified transmitter.  Illegal or not, such dangers are going to be real and
may have wide-spread consequences in the future.)

cf. The company web page:
  http://www.mitsubishi-fuso.com

I found the reference to this topic in the Japanese web pages at above URL
by following links, but am not sure if English pages have the reference.
The Japanese report appears dated 15 Dec 2003, so the translation may have
to wait for a few more days.


"Openness" in Government

<[Identity withheld by request]>
Tue, 23 Dec 2003 12:09:00 -0500

A while ago California, with the help of MCI, implemented an Internet based
system, DROS, by which gun dealers verify that purchasers are eligible to
own a gun.

While searching for information on this system, I happened across the
following message
  http://caag.state.ca.us/firearms/mbw.htm
which I found somewhat disturbing.  However, looking further, I found the
DROS users manual
  https://dros.vansis.wcom.com/wpsd/manual.pdf
which tells the users to configure their Internet Explorer security settings
as follows:

  The ActiveX controls and plug-ins to Enable are
    Download signed ActiveX controls
    Download unsigned ActiveX controls
    Initialize and script ActiveX controls not marked as safe
    Run ActiveX controls and plug-ins

  If these radio buttons are set to Prompt, you will be prompted each time
  you log into the application.  Setting them to Enable is a time saving
  measure.

Although it is only the gun dealers' machines that are at risk, and the DoJ
system is hopefully secure, I'm not sure that I like the idea that their
machines are so insecure.


GuineTel seeks ways of clamping down on scam fraud

<"Patrick O'Beirne" <mail2@sysmod.com>>
Sun, 21 Dec 2003 19:37:31 +0000

By Brian King, Balancing Act's News Update 188 (21 Dec 2003)
http://www.balancingact-africa.com

Phantom Calls

In 2003, Terri Lockwood of Indianapolis, Indiana received a phone bill with
hefty charges for calls to Guinea-Bissau, a West African country she had
never heard of, and much less had reason to call.  When she disputed the
charges, the American operator AT&T told her that the calls were genuine,
and that she or someone in her house must have called, or accessed an adult
entertainment site on the Internet. The intruder was a program that had
slipped unnoticed onto the family computer, and reconfigured the connection
to dial a number in Guinea-Bissau (code 245).

The number, however, does not officially exist. The national operator, the
regulatory body, and the International Telecommunications Union all agree
that the number dialed from Terri Lockwood¹s computer is not programmed
within the territory of Guinea-Bissau. Communications infrastructure of the
country, furthermore, could not conceivably support the graphic-intensive
content production and broadcast of many adult entertainment sites.  For the
last few years the national operator Guine Telecom has been concerned with
repairing basic telephony infrastructure damaged in a devastating civil war.
At the beginning of this year Guine Telecom had no new cables to repair its
network, no wires to install phones for clients, and approximately 50,000
people on waiting lists.  This is not a company receiving revenue from a
brisk adult entertainment business, legitimate or not, apparently conducted
in its name.

The History

In 1989 the Government of Guinea-Bissau cemented a strategic partnership
with Marconi (now part of the Portugal Telecom group) All international
traffic to and from Guinea-Bissau would run through Marconi in Portugal.
Marconi was also given the right to open and maintain bank accounts abroad
in the name of Guine Telecom.

Critics of the company say that management of the company became
increasingly chaotic and untransparent.  Around 1996 Portugal Telecom
managers set up a bank of computers at the earth station to receive
pornographic calls from abroad. The calls were received at Guine Telecom and
were immediately transmitted back without entering the national network.
The practice reportedly generated significant new traffic to Guinea-Bissau,
and the added revenue funded new investments in infrastructure.

On June 7, 1998 a failed coup d¹etat tipped the country into civil war; key
infrastructure (such as the earth station) was destroyed and in the midst of
it the bank of audiotext (read 'phone sex') computers.

After their departure in 1998 Portugal Telecom began withholding settlement
payments for international calls terminating in Guinea-Bissau, and has
continued to do so.

A journalist from the major Spanish newspaper El País confirmed a so-called
³epidemic² of calls to Guinea-Bissau from Spain, appearing on the bills of
people who had no relationship with the country. In all these instances the
Spanish operator Telefonica responded that the calls were genuine.

Around the same time, a dissatisfied Spanish pornography consumer actually
called Guine Telecom to complain about the service. Technical Director Malam
Fati was alerted, and so discovered for himself the existence of a number of
web pages advertising live pornographic video. The pages appear to be
designed to target particular countries; all are linked to a home page at
www.sexhotel.com.  The pages offer 'free' access to live pornographic video
without requiring credit card information. Interested viewers need only to
call a number on the screen (dialing instructions from each country are
included), to receive a password. These access numbers bear the (245)
international code, but the regional codes are not assigned within the
territory of Guinea-Bissau.

For the rest of this story, go to:
  http://www.balancingact-africa.com

Patrick O'Beirne, Systems Modelling Ltd., Gorey, Co. Wexford, Ireland.
+353 55 22294


AOL now filtering based on whether they like embedded URLs

<Stever Robbins <stever@private.verstek.com>>
Fri, 19 Dec 2003 12:02:41 -0500

I just got this bounce message. I was mailing a friend of mine the URL of a
MOVEON.ORG Web site that's asking people to rate TV ads on effectiveness,
etc., at conveying the downside of GW Bush's policies. AOL won't even
deliver the message. Apparently, since the URL has generated complaints
(presumably from Bush supporters or current Govt. employees), I'm not even
allowed to tell AOL users about it.

RISKS: AOL can decide they don't like a particular URL, for instance, of a
topic or candidate or public opinion poll that they disapprove of, and voila
-- several million people now can't even be told about that page! In this
particular case, it's hard to imagine who would complain about it other than
people trying to get the page banned because it doesn't agree with their
political views.

The offending URL (which I highly recommend) is double-u, double-u,
double-u, bush in 30 seconds dot org.

>   ----- The following addresses had permanent fatal errors -----
><....@aol.com>
>     (reason: 554 TRANSACTION FAILED:  (HVU:B1) The URL contained in your
> email to AOL members has generated a high volume of complaints.?? Per our
> Unsolic)


Guilt by technology

<"Dawn Cohen" <COHEND@wyeth.com>>
Tue, 23 Dec 2003 09:28:47 -0500

A friend was inspired by his sister, who just got an MP3 player installed in
her car.  He wanted to do the same.

He called the Mercedes dealer that he normally goes to, and asked if they
could fit his car up with an MP3 player.  He was politely informed that they
could not.  Undaunted, he asked whether an MP3 player could be installed if
he was willing to put in a whole new stereo system.  The gentleman on the
line patiently explained that No, Mercedes does not make MP3 players
available in any of their cars, new or old.  As he put it, "MP3s are for
people who download music.  People who buy Mercedes cars can afford to buy
their music."


Murphy's Law (Re: ...the Human Factor, Ladkin, RISKS-23.08)

<msb@vex.net (Mark Brader)>
Tue, 23 Dec 2003 00:51:11 -0000

> The classic statement of the "Bubba factor" position is a comment made
> in 1949 by Edsel Murphy ...

Um, the Edsel was a *different* classic failure.

Edward Murphy's exact words have been forgotten, and credit for the
term "Murphy's Law" is now disputed.  For a full investigation, or at
least as good a one as we're likely to see after so many years, see:

  http://www.improb.com/airchives/paperair/volume9/v9i5/murphy/murphy0.html

and the four pages linked from it (or substitute 1 through 4 for the 0).

Mark Brader, Toronto, msb@vex.net


Important article on origins of Murphy's Law (Re: Ladkin, R-23.08)

<Doug Mink <dmink@cfa.harvard.edu>>
Tue, 23 Dec 2003 14:22:49 -0500

> The classic statement of the "Bubba factor" position is a
> comment made in 1949 by Edsel Murphy, ...

I have seen numerous references to Edsel Murphy as the originator of the
famous law, but this was the first reference with more details.  "Edsel"
seemed to me to be too uncommon to be associated with both a humorous
failure of an automobile (and the scion of major manufacturing family) and a
humorously successful law, so I looked into the matter on the Web.  After
several unsuccessful searches, I hit the jackpot with Nick Spark's article,
"The Fastest Man on Earth", on the September/October Annals of Improbable
Research, and available on their web site, HOT A.I.R.
  http://www.improb.com/airchives/paperair/volume9/v9i5/murphy/murphy0.html

It gives a very good history of the relationship between Colonel John Paul
Stapp (once the Fastest Man of the title), Project MX981, Captain *Edward*
Murphy, and the famous Law, and is must reading for RISKS readers who daily
do battle with the consequences of Murphy's Law.

Doug Mink, Smithsonian Astrophysical Observatory


Re: Railroad accident results from deactivated crossing gates

<Geoff Kuenning <geoff@cs.hmc.edu>>
Tue, 23 Dec 2003 00:15:36 -0800 (PST)

A friend once told me that in the Great Plains there are many accidents of
this sort each year.  Most crossings are completely unguarded, and at night
a train on an unlit level crossing is almost completely invisible.

The friend pointed out that the cure is both trivial and cheap: all railroad
cars should be required to have reflectors (or reflective paint) on the
sides.  But it would cost a lot of money (in aggregate, though very little
per $100K car) and thus the railroads have steadfastly resisted the passage
of any such regulation.  Meanwhile, people continue to die.

The funny thing is, that reflective paint could be used for some very
valuable advertising...

Geoff Kuenning   geoff@cs.hmc.edu   http://www.cs.hmc.edu/~geoff/

  [Ah, another nice low-tech solution.  PGN]


Re: Proper understanding of "The Human Factor" (Norman, R-23.07)

<"Merlyn Kline" <merlyn@zyweb.com>>
Fri, 19 Dec 2003 10:28:27 -0000

> No wonder we continue to have problems. It is this attitude of developers
> that cause the very problems they complain about.

Isn't this a bit reversed? Yes, developers complain that they must devote
more effort than they would like to ensuring that their software works in
the face of operator-generated adversity. But in making that complaint they
are recognising the requirement. And it *is* a requirement.

As if to underline all this, what is the very next story in the digest I am
responding to?...

> A homeland officer who read the first prank e-mail but did not note the
> April Fools reference, and did not read the second e-mail, processed
> paperwork that authorized the detainee's release from a county jail on 2
> Apr.

Could a system have been devised that would have prevented that? Could such
a system have been embodied in the administrative software that is
(presumably) used to run these processes?


Poor writing is the problem, not PowerPoint (Garfinkel, Re: R-23.08)

<pasward@tolstoy.uwaterloo.ca (Paul A.S. Ward)>
Tue, 23 Dec 2003 05:13:55 +0000 (UTC)

> the problem is that many engineers are simply poor verbal communicators.

Without disagreeing with the above statement (Heaven knows, I've read enough
poorly-worded documents by students to be firmly convinced of this point), I
would argue that PowerPoint, and moreso WYSIWYG systems, are a contributing
factor.  Specifically, WYSIWYG systems lead to a focus by the user on
appearance, not on structure or content.


Re: Diebold ATMs & Nachi worm; you ain't seen nuttin' yet! (R-23.04)

<Richard I Cook <ri-cook@uchicago.edu>>
Tue, 23 Dec 2003 06:04:56 -0600

Steve Summit wrote in RISKS-23.04 about "several Diebold Automatic Teller
machines...built atop Windows XP Embedded...infected by the "Nachi" worm
last August and his concern about "critical functions [being]implemented
using less-than-rugged components such as "consumer grade" operating
systems."

It is interesting that, even at this rather advanced stage, we have so
little 'feel' for the ways in which creating large, dependent
socio-technical systems creates new — and often startlingly large --
vulnerabilities. To describe an operating system as "consumer grade" implies
that there are real alternatives available. But there are few such
alternatives. New applications depend on the rich feature sets found in
large operating systems and the problems with security and reliability of
these are well known, albeit not well understood. A good deal of this seems
to me to be related to version control and maintenance activities and the
corrosive nature of the cost equation — we have these systems, after all,
because they are cheaper, not because they are more reliable!

ATMs are IMHO small potatoes. The U.S. Institute of Medicine has just
released "Patient Safety: Achieving a New Standard for Care"
(http://www.iom.edu/report.asp?id=16663) which continues the IOM's theme of
making safety through the creation of higher orders of computing systems --
basically an everything-is-connected-to-everything sort of model in which
the entire process of healthcare delivery is mediated using computers in
networks — by outlining the needs for standards for data communications
between systems. The rosy future is a world where your physician (or some
robotic analog) 'writes' a prescription into a computer and there is nothing
human in the way until the pill pops into your open mouth. Comparatively
little attention has been paid to what the actual operating characteristics
of a system composed of 106 Windows machines of 10^3 or 10^4 configurations
running 10^8 to 10^9 lines of code might be.

I foresee an era when this trend is reversed and we deliberately uncouple
systems into smaller, isolated subsystems; where software change is
deliberately retarded in the hope of achieving stability; where end-to-end
automated processes are broken apart and human intermediaries inserted in an
effort to produce robust behavior of the larger entity; and where security
and privacy issues drive large parts of the healthcare system completely
'off-line' so as to make them 'invisible'. Because healthcare reimbursement
from Federal and insurance sources will be tied directly into on-line record
keeping and so-called "quality measurement" computing, portions of
healthcare delivery will be paid for out-of-pocket, essentially dividing the
system into the "white" (visible, regulated, tabulated, on-line) system and
the "black" (off-line, cash-and-carry, AMFYOYO) system. In addition, you may
find springing up a cottage industry of configurators, people capable of
making your small, independent, unconnected, archaic, but quite useful
computer nets working without connecting them to the larger world.

"Burning chrome" here we come!


Re: Diebold ATMs hit by Nachi worm (Dean, RISKS-23.07)

<Tim Panton <tpanton@attglobal.net>>
Fri, 19 Dec 2003 9:00:00 0000

Drew Dean describes the tendency of 'security professionals' to focus on
their specialty and not on the what might be called the "bigger picture".
It seems to me that there are two ways to fix this problem.  The first is to
spread the awareness of security in the programming community,
de-specializing it and making it a core competence expected from
designers. (we have made a small step here in this direction by making risks
compulsory reading for all software engineers)

The second way is for managers to incorporate computer security into their
analysis of business risks when developing or adopting a new product (again
de-mystifying it).

As an aside, I don't quite buy Drew Dean's analysis of the ATM situation.
ATMs require frequent human intervention, to fill them with cash. This puts
them in a different category from fully autonomous systems, like weather
stations or unmanned space craft, where being able to force an upload of
patches without onsite intervention is clearly "a good thing".

I think the thing that shocks me about the ATM story is the reliance on
stock protocols with apparently no more security than I apply to my desktop
systems. I mean, why not configure it to only accept signed updates, or only
updates from a shortlist of ip addresses?

Yes, the world is a messy place, but I think I like the emerging computing
monoculture even less.


Re: Voter information up for grabs

<"David E. Ross" <david@rossde.com>>
Fri, 19 Dec 2003 07:52:32 -0800

Selling voter information to candidates is a very old situation.  And it's
not necessarily bad.  (The lists are sold and not given away only because of
the cost of printing them; the same is true of lists sold in electronic
form.)

Early on, the lists were available to anyone.  With the increased concern
about privacy, they are now available only to legitimate candidates and
campaign committees.

When I ran for local school board in the late 1970s and through the 1980s, I
bought voter lists from the Registrar of Voters for 25c a page.  That
allowed me to focus my door-to-door campaign on homes where actual voters
lived.

In a neighboring city, a city council candidate used her list to challenge
illegally registered voters, individuals who registered from their business
addresses (inside the city) instead of their residential addresses (outside
the city, some in a different county) as required by California election
law.  Only persons who registered within the city were eligible to vote in
the city council election.  Some business owners perceived her as
anti-business and wanted to vote against her.  (She won anyway, served
several terms, and is now in the State Legislature.)

At each election, the lists are posted outside the polling places for public
inspection.  Anyone can review these lists and write down (or photograph)
their contents.

I can drive to the county recorder's office.  There, I can review the lists
of property owners and the assessed values of their homes.  I can browse
through all the recordings of liens, quit-claims, and title changes.  Some of
those recordings also include wills and other declaratory statements.

The point is: Some records of personal information are indeed public. They
have been public in paper form for over a century.  The fact that they are
now public in electronic form is not necessarily bad.  Bad uses of these
data occurred before computers, and bad uses occur now.  Laws against those
bad uses may be older than the computer.  While I am very concerned about
privacy (and upset about the new federal law that invalidates the stronger
California privacy law), I feel that privacy concerns should not eliminate
the public availability of what have traditionally been public records.

David E. Ross <http://www.rossde.com/>


Re: Online issue of civil claims (RISKS-23.06)

<Robin.Crorie at cheshire.pnn.police.uk>
Fri, 19 Dec 2003 16:33:46 +0000

You are still referring to this service as new...??

Actually, "Money Claim Online" is not at all a new service - I've used it
twice in the last couple of years, first issuing a summons with it on 22 Feb
2002.

Whilst the potential risks are worthy of examination, those relating to
potential use of the service whilst masquerading as a third party need to
take into account the fact that there are *no identity checks whatsoever*
when using the existing paper-based system.  To my knowledge, there haven't
been any related high-profile issues regarding this service yet, over this
two-year period.

I won't even *dare* mention ID cards... oops I just did...   :-)

Please report problems with the web pages to the maintainer

x
Top