The Risks Digest

The RISKS Digest

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Volume 24 Issue 2

Sunday 28 August 2005

Contents

The Time Has Come: Taking Our Issues to the Public
PGN
Customs Computers Fail
Chuck Weinstock
10th "planet" discoverer shares a secret a bit earlier than planned
George Swan
Hospital struck by computer virus
Andrew Brydon
USAF personnel database compromised
Ross Stapleton-Gray via Dave Farber
Students face punishment for computer tampering
Thom Kuhn
Cellphone carriers can listen in through your phone
Ryan Block via Dave Farber
No inspection record, lack of human contact, or something else?
Mythdraug
Risks of First UTC Leap Second in 7 Years
Dave Glicksberg
Teacher concerns over L.A. school computerization project
Lauren Weinstein
Re: Navy jet has severe brake failure
Carl F
Bad password practices
Jeremy Epstein
Risks of Bluetooth pirates?
Andre Kramer
Re: Risks of REAL ID: incorrect
Charles P. Lamb
Re: US Navy to drop paper charts
R A Lichtensteiger
Re: Slade's review of "File System Forensic Analysis", Brian Carrier
Simson Garfinkel
Info on RISKS (comp.risks)

The Time Has Come: Taking Our Issues to the Public

<"Peter G. Neumann" <neumann@csl.sri.com>>
Sun, 28 Aug 2005 19:29:42 PDT

My note in RISKS-23.96 on 20 years of putting out issues of the ACM
Risks Forum has led me to reflect further on what we have accomplished
in the way of progress and what remains to be done.

The basic problems considered here keep recurring.  Whatever progress
might be made in computer-related technologies and their applications
has not been reducing the threats, vulnerabilities, and risks related
to the systems upon which we individually and as a civilization depend
most.  Overall, this leads me to a sense of frustration that the Risks
Forum has been largely preaching to the choir, and that our message is
not getting through to those who really need it most.  All of you
regular RISKS readers are likely to be totally unsurprised by the
items that you read here --- they are just more of the same.
Occasionally we might gain a new convert in the understanding of the
depth of problems of what is wrong and what is needed to meaningfully
address those problems.

Somehow we need to be able to reach out professionally and effectively
beyond the RISKS audience.  I have testified at least a dozen times
for governmental bodies on RISKS-related issues, but always have a
gnawing feeling that these efforts fall on deaf ears or are largely
ignored by brains that are preoccupied with other concerns.

There are quite a few of you in the academic community who have
consistently represented the best principles that might be gleaned
from the RISKS experiences, such as Peter Denning, Rebecca Mercuri,
Dave Parnas, and Jerry Saltzer, to name just a few.  There are also
quite a few of you working for commercial companies who have done the
same, such as Jim Horning.

There are also a few organizations that are able to gather dedicated
people and financial resources to keep pressures up on certain aspects
of the RISKS problems -- for example, EPIC, EFF, and CDT on the legal
issues relating to privacy and human rights.

Beyond that, there are just a few of our RISKS readers who operate
essentially on a pro-bono basis with effectively no funding at all.
Notable among these is Lauren Weinstein, who as many of you know has
been a very long-time contributor to RISKS and a wide variety of other
venues, and the most prolific guest columnist for my CACM Inside Risks
series.  Because he has no ongoing institutional support, his
continuing time spent and efforts in these areas have been decidedly
to his own financial detriment, to the extent that merely keeping the
lights on is literally an issue for him these days.

Despite this circumstance, he has been strongly advocating a new
outreach project that I believe could be very important not only
toward making genuine progress in RISKS-related matters but in other
areas of concern as well.

He believes -- and I do too -- that those of us who worry about risks,
hype, propaganda, distortions, and the general demise of scientific
and realistic thinking have been outflanked by well-funded, vested
interests who have everything to gain from maintaining the status quo.
Further, making real progress against such entrenched forces means
moving outside of the confines of preaching-to-the-choir Internet
mailing lists and Web sites.

When we can occasionally create sensible public discussions of
hype-free facts about technological risks, effects of technology on
society, privacy, security, and many other related topics, the
response is generally enthusiastic and usually not politically biased.
Most often we hear, "Why has nobody told us about this before!"

We both agree that a significant nonpolitical, media-based outreach
may represent the best hope of making some real progress, by directly
reaching the vast audiences who all too often have been misled about
what's really going on.

Few of these persons can be expected to subscribe to RISKS or other
such forums, especially because they are unlikely to even realize that
many of these problems exist.  Thus, it is necessary to go to the
commercial broadcast media from which most people get their
information and misinformation.  Commercial radio is clearly a key
medium to this end, whereas public broadcasters such as National
Public Radio generally have very limited program schedules and do not
reach the full spectrum of listeners of concern.

The essence of Lauren's project idea is to achieve a significant
outreach push into commercial radio, with the aim being to provide
various forms of programming that would ``tell it like it is'' but not
be politically biased yell-fests.  Lauren has the necessary on-air
broadcasting and production experience (many of you have heard his
various commentaries and other works over the years), and the required
technical abilities.

I feel that this is an excellent approach and would be very valuable,
but Lauren simply cannot move forward along these lines unless there
is some source of significant funding -- advertisers, underwriters,
"angels", or other interested parties -- to seed and keep the project
going long enough to build a following among stations and listeners.

Lauren takes pains to point out that this would be a significant
effort that would require a considerable period of time, and that
there's no guarantee of success.  I feel that it would be well worth
the effort for him to forge ahead with this (or related efforts that
would usefully move these issues forward), if suitable funding can be
found.

Please let Lauren (lauren@vortex.com) and me (neumann@csl.sri.com)
know if you, or other organizations or entities, might be interested
in helping to make this happen.  Thank you.  PGN


Customs Computers Fail

<Chuck Weinstock <weinstock@conjelco.com>>
Fri, 19 Aug 2005 15:47:23 -0400

A U.S. Customs database system in Virginia shut down for about 5.5 hours
beginning around 6pm on 18 August.  The system is used to process incoming
international air passengers, but its absence caused havoc at Miami
International Airport, where up to 2000 people were waiting to clear
immigration.  Airports in the NYC area were able to use backup systems.
[The cause was subsequently blamed on a virus, according to lisa Orkin
Emmanuel, Associated Press/AP Online, 22 Aug 2005; PGN-ed]


10th "planet" discoverer shares a secret a bit earlier than planned

<George Swan <geoswan@primus.ca>>
Tue, 23 Aug 2005 17:52:06 -0400

Planetary Astronomer Michael Brown, one of the co-discoverers of various
Kuiper Belt Objects, including Sedna, the really distant one, recently
announced the discovery of a Kuiper Belt Object even larger than Pluto.
His web-page indicates why he released the information about the
discovery earlier than planned:
  http://www.gps.caltech.edu/~mbrown/planetlila/#discovery

He became concerned late in July, after he had learned that the computers
that controlled the telescopes his team used for their observations kept
publicly searchable logs of where the telescopes had been pointed.  (From
his description it sounds to me as if these logs must also contain a code
for what they were looking at.)  Brown also realized that they had used some
of their codenames in the publicly available abstracts for some upcoming
talks.  A call to the Minor Planet Centre revealed that someone had recently
used a tool the MPC provides to plot the location of his team's tenth planet
for that very night!  A hurried press conference followed.


Hospital struck by computer virus

<Andrew Brydon <andrew@isbjorn.demon.co.uk>>
Mon, 22 Aug 2005 19:44:18 +0100

Up to 300 radiotherapy patients were turned away from a hospital in
Bebington, Merseyside, UK, after a computer virus infected equipment.

  http://news.bbc.co.uk/1/hi/england/merseyside/4174204.stm


USAF personnel database compromised (From Dave Farber's IP list)

<Ross Stapleton-Gray <ross@stapleton-gray.com>>
August 22, 2005 2:22:34 AM EDT

Using an airman's log-in information to access the online Assignment
Management System (AMS) and download data from it, someone gained access
into an Air Force personnel system and accessed individual information on
about half of its officers and "a handful" of its noncommissioned officers.
The Air Force has started notifying more than 33,000 service personnel of
the security breach, according to a statement. ...  Air Force officers can
log in at www.afpc.randolph.af.mil/vs to see if their information was
compromised. The service will call the enlisted members whose information
the hackers viewed.  [Source: Hacker nabs Air Force personnel data, Frank
Tiboni, *Federal Computer Week*, 19 Aug 2005]
  http://www.fcw.com/article90229-08-19-05-Web


Students face punishment for computer tampering

<"Thom Kuhn" <tkuhn@mail.acponline.org>>
Wed, 10 Aug 2005 20:08:32 -0400

Thirteen high-school students in the Kutztown Area School District
(Pennsylvania) face felony charges of tampering with computers after
defeating security measures on laptops issued to them by the school
district.  They used administrator passwords (taped to the backs of the
computers) to override Internet filters and download software such as iChat
that the district policy forbids.  The laptops included an application that
allowed district administrators to see what students did with the computers.
However, the students modified the monitoring program so that they could see
what the administrators did with their computers.  The students and their
parents argued that the felony charges are unwarranted, but, according to
the district, students and parents signed acceptable use policies that
clearly state what activities are not allowed and that warn of legal
consequences if the policy is violated. The students continued to violate
district policies for use of the computers even after detentions,
suspensions, and other punishments, according to the district. Only then did
school officials contact the police.  [*Wired News*, 9 August 2005; PGN-ed]
http://www.wired.com/news/technology/0,1282,68480,00.html


Cellphone carriers can listen in through your phone, Ryan Block

<David Farber <dave@farber.net>>
Fri, 5 Aug 2005 11:09:55 -0400

Ryan Block, Cellphone carriers can listen in through your phone, Aug 5, 2005,
  http://cellphones.engadget.com/entry/1234000563053276/

We're always a little wary of that very blurry line between protection of
the general public and infringements on basic civil liberties, but it would
appear that according to the Financial Times by way of the Guardian, at
least one UK cellphone carrier not only has the power (and mandate) to
remotely install software over the air to users' handsets that would allow
for the kind of monitoring we thought only perverts and paranoiacs had
access to: picking up audio from the phone's mic when the device isn't on a
call. While don't think the backlash on this one has really gotten underway
yet, and though we do hate to rock a cliche', we can't help but be reminded
of that classic Benjamin Franklin quote, ``They that can give up essential
liberty to obtain a little temporary safety deserve neither liberty nor
safety.''  What's worse, a cellphone carrier and The Man are gonna take it
from us without our permission on the sly?


No inspection record, lack of human contact, or something else?

<"Mythdraug ." <mythdraug@gmail.com>>
Thu, 11 Aug 2005 12:05:49 -0500

First some background.

I have signed up with my local gas company (Peoples Gas) for online
payment and billing.  As part of the process they, of course, require
my e-mail address.  In late May I received a postal letter informing
me of their need to perform an inspection of my inside lines under
threat of being disconnected if we failed to comply.  Naturally, I
scheduled an appointment.  A technician came and mechanically sniffed
the joints in the line said thanks and walked out the door.

Fast forward to a much more recent day.  Via the e-mail address which
I signed up for online service with them, I receive a letter
admonishing me for failing to allow the mandatory inspection.  I was
again threatened with disconnection for failure to comply.

Knowing that I had previously had the inspection completed, I replied
to the message stating exactly that. The e-mail bounced from their
system as undeliverable. I called the phone number provided in the
message, only to be connected to an automated system for setting an
appointment with no obvious way to reach an operator.

At this point, you may think that my complaint is in not being
presented with an audit record at the time of inspection.  Or perhaps,
I am frustrated  that there was no clearly defined way to break out of
the process or way for me to indicate that my inspection had already
been performed.

You would be incorrect.  You see, what I haven't yet mentioned is that
they had addressed that message to me by placing my e-mail address on
the CC line. But it wasn't just my e-mail address there, it was the
e-mail address of everyone (well I guess only half of them actually as
the list began with purplerose3637@*********.net;
PWOODWARD1966@*****.com and ended with zedwards@***.com;
zoldowski@********.net) receiving the notification.  Yes, that is
correct, I now have the e-mail address for ~240 people who are in risk
of having their gas disconnected.

The privacy policy on their web site (http://pecorp.com) states "We
will never willfully sell, trade, rent, disclose, or make available
personally identifiable information to any third party without first
receiving your permission, except when we believe in good faith that
the law requires it, or to protect the rights or property of Peoples
Energy."

The risks?  I'll let you decide....


Risks of First UTC Leap Second in 7 Years

<Dave Glicksberg <davidg@bourbaki.jpl.nasa.gov>>
Mon, 22 Aug 2005 18:58:22 -0700 (PDT)

  [Originally submitted 2005-07-07, but lost in the shuffle.  PGN]

The International Earth Rotation Service (IERS, http://www.iers.org) just
announced a UTC leap second for the end of 2005, specifically at
2005-12-31T23:59:60Z (see http://hpiers.obspm.fr/eoppc/bul/bulc/bulletinc.dat).
The previous leap second was 7 years before, at 1998-12-31T23:59:60Z, which was
before Y2K!  In contrast, from UTC's inception in 1972 through 1998, leap
seconds were fairly common, occurring every 0.5 to 2.5 years.

UTC is the basis for civil and military timekeeping worldwide.  It is
transmitted in coded radio time signals like WWV, and it is used by Russia's
navigation satellites GLONASS (http://www.glonass-center.ru/stime.html), which
therefore must accommodate leap seconds.  However, GPS satellites use a
continuous timescale that does NOT have leap seconds.

THE RISKS?

* In the 7 years since the last leap second, maintainers of systems and
  software that are UTC-aware may have forgotten how to properly handle a
  leap second, whether it is done manually or automatically (e.g. by
  synchronization with WWV, or with time servers that properly handle the
  leap second).

* Newer systems and software have never encountered a leap second, unless
  via thorough testing.  Some systems may have omitted consideration of leap
  seconds altogether!

* Potential downtime or errors due to the need to do a manual update, or due
  to incorrect automatic updating.

* Consequences of forgetting that the leap second occurs simultaneously
  around the world, regardless of local time zone.  In New York, the leap
  second will occur at 7PM (actually, 18:59:60) on New Year's eve, and in
  Moscow, it will occur at 3AM (02:59:60) New Year's Day.

Dave Glicksberg -- glicksbergd AT eh see em DOT oh are gee -- MY OPINIONS ONLY


Teacher concerns over L.A. school computerization project

<Lauren Weinstein <lauren@vortex.com>>
Sat, 27 Aug 2005 10:14:32 -0700

A friend of mine here in L.A. -- a middle school teacher in the Los Angeles
Unified School District for around 30 years -- sent me the note below.
LAUSD is the second largest school district in the country, and is embarking
on a computerization project that has many teachers concerned.  The driving
force appears to be the desire to obtain every last possible attendance
dollar per student, despite the risks that appear obvious even to persons
who are not computer experts.

  - - - -

Thought you would want to hear about the latest L.A. school district new
program for attendance taking and report card grades.  It rolled out earlier
this year at some schools already and should be debuting soon at many
secondary schools by October. Every teacher has been mandated to set up an
LAUSD e-pal account so that we can now do on-line attendance taking and
grades. We were promised to have an additional brand new computer installed
in our classrooms over the summer. All rooms were wired prior to summer
vacation. Next semester we are being asked to take and report by computer
attendance for every single class in real time, period by period, by logging
into our e-mail account and using our issued password. Many teachers are a
bit nervous about adjusting to the new requirement and the time away from
focusing on instruction.  We were warned to protect our password as if our
career depended on it, keeping in mind what an evil-minded child could do on
the system if our password got into their hands.

The whole program originally named ISIS (after an Egyptian goddess) was just
changed to LAUSDMAX.  Their hope is that time and paper will be saved. I am
a bit nervous about having to run to my attendance computer multiple times a
day, especially when my school like most others can have multiple tardy
students during a typical period which would require attendance adjustments
for accuracy. I hope the district knows what it is doing and is not backing
itself into another financial disaster. Can you imagine the problems
substitute teachers will face? You would think they would be smart and just
ask us to do the attendance in just one sitting at the end of the school
day. Teachers are waiting to see if they make us maintain a paper rollbook
as well. Will we be doing more or less work?


Re: Navy jet has severe brake failure (RISKS-24.01)

<<carlf@panix.com>>
Wed, 10 Aug 2005 17:10:52 -0400 (EDT)

> The F/A-18 Hornet has had a series of recent accidents many of which are
> being attributed to a very thin $535 electrical cable that controls the
> antiskid brakes ...

Where "recent" dates back to 1990?  There may well be a problem, but 24
accidents in 15 years is hardly "a series of recent accidents".

As the Navy spokesperson said, every significant accident involved failures
by the pilots to follow procedure (notably one pilot not knowing how to use
the emergency brakes!).

I don't know that this is a Risk In Computing.

  [REMINDER: Risks in the Use of Computers are often interface problems,
  educational problems, training, experience, etc.  PGN]


Bad password practices

<Jeremy Epstein <jeremy.epstein@cox.net>>
Wed, 10 Aug 2005 14:12:18 -0400

I recently applied for and got an account on a moderately sensitive
government computer system that's accessed over the Net.  You apply by
sending various information (such as name & address, but not SSN) to them by
e-mail.  A person then reviews the request, and sends you back the account
information.

Two interesting things:

1. When my account was issued, the username and password were sent in two
   separate e-mail messages.  That's a good practice (certainly not
   foolproof, but better than sending in one message).  However, they were
   sent just seconds apart from the same address and to the same recipient
   address, which dramatically reduces the value of separating them.
   Doubtless, someone said "it's dangerous to send them together", but
   didn't consider that sending the impact of sending them at the same time.

2. The password is a fairly high quality value (seven random-looking letters
   and numbers, but no special characters).  However, it's not changeable.

So, my sensitive password came via e-mail, most likely will get written down,
and can't be changed.  Now *that's* a secure system!


Risks of Bluetooth pirates?

<"Andre Kramer" <andre.kramer@eu.citrix.com>>
Thu, 18 Aug 2005 11:31:28 +0100

The Cambridge Evening News reported yesterday ("Phone Pirates in seek
and steal mission" 17th August 2005) that several laptop computers have
been stolen from car boots (automobile trunks for US readers) in
Cambridge (UK). The article claimed that "Bluetooth" was used to detect
the laptops presence. While the thefts appear related, the claimed modus
operanti seems unlikely as short range wireless would be inactive unless
the laptops were powered on (to be fair, the article also mentioned
"other electronics"). The risk: thinking your devices are safe in the
car boot when they don't have wireless.


Re: Risks of REAL ID: incorrect (Re: RISKS-23.95)

<"Charles P. Lamb" <clamb@acm.org>>
Wed, 10 Aug 2005 16:58:42 -0400

The article from RISKS-23.95 with subject Risks of REAL ID and the linked
*The Boston Globe*/Associated Press article are incorrect.  The REAL ID Act
doesn't require states to do anything.  The law states only requirements for
use of a state-issued driver's license, or any other identification card, as
a Federal ID.  In the words of the law itself:

  "(1) IN GENERAL.  Beginning 3 years after the date of the enactment of
  this division, a Federal agency may not accept, for any official purpose,
  a driver's license or identification card issued by a State to any person
  unless the State is meeting the requirements of this section."

If a state intends its driver's licenses to be used *only* as driver's
licenses, it need do nothing.

  [This could lead to some curious results.  If every state were to claim
  that its licenses are to be used only as licenses, then all state elected
  officials could not use their drivers' licenses to board commercial
  aircraft.  Or the Feds might just say that those state licenses must be
  considered as de facto Federal IDs (whether or not they actually satisfy
  the requirements).  PGN]


Re: US Navy to drop paper charts (Scott Peterson, PGN, Scott Peterson)

<R A Lichtensteiger <rali@Tifosi.com>>
Sun, 14 Aug 2005 00:44:36 -0400

Scott Peterson <scottp4@mindspring.com> wrote (in Risks 24.01)

<> Given some of the stories that have been posted here about the problems with
<> electronic navigation systems, the mind boggles at the potential for
<> disaster in this decision.  [SP]

The biggest problem is the same one that applies to paper charts and
modern navigation technologies.  GPS shows you where you are on the
planet's surface, not where you are on the chart. Cross up your datums
and things are just as apt to go "bump" in the night ...

Once again, the mediation is the same melody: "Never place all of your
trust in a single system" whether that system is GPS, ECDIS or a
lightning detector.

So long as running into things continues to be a "career limiting move"
for the commanding officer, I suspect the Navy will continue to be very
good about cross checking what different navigation inputs claim for the
ship's position.

For commercial shipping, with it's much smaller crews, and civilian
sailors, the level of faith placed in a GPS and chartplotter scares me.

Peter G. Neumann <neumann@csl.sri.com> added (in the same Risks digest):

<> Risks might occur when their Net connection is down and they cannot get
<> their updated maps online!  Remember the sub that ran into a rock.  I wonder
<> whether that rock has ever shown up on an online map since then?

Charts are updated with a system of "Notices to Mariners" and "Local
Notices To Mariners."  They are published on a weekly or monthly basis,
available electronically, or by snail mail. With paper charts, the
information then needs to be (accurately!) transcribed onto the chart.
Given this time lag, one's net connection would have to be pretty solidly
down for ECDIS-N to not be an improvement on the older system. (Not that
I put that beyond the USN's capability, mind ...[1])

[1] Snotty remark from a former USCG navigator!

  [Later note:

     You might find the USCG's E-Nav website interesting (or some of
     your readers may):
        http://www.navcen.uscg.gov/enav/default.htm
  ]


Re: Slade's review of "File System Forensic Analysis", Brian Carrier

<Simson Garfinkel <simsong@eecs.harvard.edu>>
Fri, 12 Aug 2005 21:20:31 +1200

I need to take issue with Rob Slade's review of Brian Carrier's new book.

File System Forensic Analysis is really an excellent book. It not only is
the first to go into the topic, but it has so much detail that it is likely
to be of invaluable assistance to both practitioners and researchers for
many years to come.

I am completely baffled by Slade's criticism of the book taking a while to
get to technical details, and his complaint that the book is uneven. Brian's
book is specifically designed to be approachable to both a person who is new
to the field and a seasoned expert.  it does a great job with this goal.

Indeed, if there was no introductory material, I image that Slade would have
criticized File System Forensic Analysis for being impenetrable or unusable
for people new to the field.

Please report problems with the web pages to the maintainer

Top