The RISKS Digest
Volume 24 Issue 60

Friday, 16th March 2007

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Please try the URL privacy information feature enabled by clicking the flashlight icon above. This will reveal two icons after each link the body of the digest. The shield takes you to a breakdown of Terms of Service for the site - however only a small number of sites are covered at the moment. The flashlight take you to an analysis of the various trackers etc. that the linked site delivers. Please let the website maintainer know if you find this useful or not. As a RISKS reader, you will probably not be surprised by what is revealed…


'Embarrassed' Man Sues Microsoft After FBI Finds Sex Videos On His PC
Yet more privacy risks from copiers
Arthur T.
Thoughts On New $1B Viacom Suit Against Google/YouTube
Lauren Weinstein
Comments on Google's Privacy Announcement
Lauren Weinstein
Yet another risk of voting computers
Erling Kristiansen
When security software goes bad...
Jeremy Epstein
Wireless bingo in UK for smokers
C R Ritson
CBC: Vancouver bus info signs 'duds'
Andrew Gray
Biometric ID at airports
Peter Mellor
'Tamperproof' autopilot for passenger jets to avoid hijacks
George Michaelson
USAirways Merged Reservation Systems Fubar
Chuck Weinstock
Re: PG&E sidesteps $38 million bill for daylight-saving patch
Tom Watson
Re: US DST date changes
Robert Graves
Re: Date arithmetic before 1900
Ken Hagan
Re: Putting the SSN genie back in the bottle?
Ketrick McMillin
Announcement: the Ninth Bieleschweig Workshop
Peter B. Ladkin
Info on RISKS (comp.risks)

'Embarrassed' Man Sues Microsoft After FBI Finds Sex Videos On His PC

March 4, 2007 1:59:35 PM EST

  [Via Dave Farber's IP distribution]

"Michael Alan Crooker, currently in jail in Connecticut, says security
features advertised by Microsoft and its business partners should have kept
federal agents from accessing the files on his PC.  In court papers filed
this week in Massachusetts Superior Court, Crooker says he "suffered great
embarrassment" as a result of Microsoft's failure to keep the FBI's prying
eyes off his computer."

"In the court papers, Crooker says he already has reached settlements with
Hewlett-Packard, which owns the Compaq brand, and Circuit City."

Yet more privacy risks from copiers

<"Arthur T." <>>
Tue, 13 Mar 2007 16:43:24 -0500

We all know not to leave documents in a shared copier.

A few years ago I found another problem.  Someone had tried to copy a page,
but the copier didn't have the correct paper.  Some time later, when I put
in the correct paper, the copier printed out that page that it had
remembered.  It happened to have been an employee evaluation.

Now, someone has pointed out that most new copiers have hard disks.  Even
after you've gotten your copy, someone could come along and read what you

Ed McLaughlin, president of Sharp Document Solutions, said about shared
copiers: "You actually have a better chance at winning 10 straight rolls of
roulette than getting those hard drives on copiers rewritten."

Above abstracted from:

  [See also May Wong, Photocopies with disk drives may hang on to
  sensitive data, *San Francisco Chronicle*, 14 Mar 2007, C2]

Thoughts On New $1B Viacom Suit Against Google/YouTube

<Lauren Weinstein <>>
Wed, 14 Mar 2007 20:15:07 -0700

Greetings.  As reported by Reuters:

Viacom has filed a $1B copyright infringement lawsuit against

While this may be viewed (accurately, I believe) in some circles as largely
a negotiating ploy, the deeper issues go far beyond that.

My "you can't effectively censor the Internet" postulate suggests that it
will always be possible to post virtually any materials, even if this
requires "underground" or otherwise obscured communications channels.

However, this is not to say that serious legal and financial risks don't
exist related to the YouTube and similar models.

I see two biggies:

First, the obvious one — regardless of the ability of users to post
"offending" materials in other venues, the large services that are most
associated in the public mind with the availability of such items (in this
case Google/YouTube) run the greatest risk.  This is true both by virtue of
their high profile — they are the natural targets — but also due to the
availability of "deep pockets" for financial settlements or court-ordered

The second risk is actually even more onerous.  I sense an increasing
discomfort in the courts regarding the concept of retroactive rather than
proactive controls over posted Internet information — the former is the key
basis of DMCA enforcement, of course.  This issue doesn't apply only to
entertainment-oriented materials, but also to the rising chorus of stories
from people who claim (sometimes with validity) that their reputations and
lives have been disrupted or damaged by posted online campaigns or false
information that they are unable to control or successfully expunge.  Over
the years, I've head many such stories myself that were sent to me
personally, but this issue is rising rapidly in the mainstream media.

The risk here is vast.  Courts may choose to upend the current free speech
and related DMCA and defamation models, in favor of a much more proactive
approach requiring prescreening and total responsibility for all
publicly-hosted materials.  The impact of such moves would be impossible to
overestimate, especially for the larger players in the so-called "Web 2.0"
environment.  As noted above, these are the very entities who are most
likely to be the targets in such situations.  Personally, I don't think that
I'd much like the Internet that would result if these sorts of broad
government-mandated crackdowns occurred.  But the problems are real and do
need to be addressed somehow.  The laissez-faire approach is reaching a
breaking point beyond which the powers-that-be are unlikely to allow it to
proceed unaltered.

I believe that there are possible routes to a better situation that could
avoid the "doomsday" scenarios.  Some of these I've outlined in the past,
others I have yet to publicly discuss, but an underlying principle is that
the major players need themselves to take more responsibility for the
effects of their creations beyond the technical necessities.  Better them
than the courts and governments I hope you'll agree.

The humorist Tom Lehrer sang: "'Once the rockets are up, who cares where
they come down?  That's not my department,' says Werner von Braun." --
referring to the German rocket pioneer who both enabled missile attacks on
London and was later the father of the U.S. space program.

If officials are able to successfully and publicly paint large Internet
corporations as having that sort of attitude, the results could be
devastating to the Net.  The only ones who can head off this possibility are
these firms themselves.

Lauren Weinstein +1 (818) 225-2800
Founder, CIFIP California Initiative For Internet Privacy

Comments on Google's Privacy Announcement

<Lauren Weinstein <>>
Thu, 15 Mar 2007 18:04:40 -0700

             Comments on Google's Privacy Announcement
         ( )

Greetings.  Google has announced significant changes to their data retention
policy.  Since I'm already being asked for my opinion regarding their
announcement, I'm sending this out now rather selfishly to avoid having to
generate a large number of individual responses (though I'll be glad to
discuss this in more depth upon request).

First, the "raw" material:

Google's Press Release:

Google's PDF with more details:

Michael Liedtke's AP piece:

The gist of the announcement is two changes: The obscuration of some IP
address bits (currently it appears that this would involve the
least-significant octet of IP addresses recorded in the Google user activity
logs), and changes to provide for some form of cookie anonymization.

Such an IP address change would allow for identification of any one computer
out of a group of 256, rather than the existing ability to identify each
computer individually.  The actual impact of this change from a privacy
standpoint would vary greatly depending on the type of addresses (dynamic
vs. static) and the total range of those IP addresses associated with any
given organization.  Cookie anonymization effectiveness is more difficult to
analyze until more information regarding the algorithms to be used becomes

Both of these changes would be applied to data after an 18-24 month period
-- during which time data would be retained intact — unless future
government data retention mandates require longer periods.  This is in
contrast to Google's policy up to this point of maintaining all log data
intact on an indefinite basis.

The AP piece referenced above notes that AOL apparently already goes farther
than Google plans to go in terms of IP address anonymization and some other
related issues.  In light of that, my many public statements over time that
have been critical of Google data retention policies, and my "Open Letter to
Google: Concepts for a Google Privacy Initiative" from last year
( ), what is my take right
now on this move by Google?

It's much simpler than you might expect.  I am not particularly concerned at
this point about the details of the policy.  I could (and at some point no
doubt will) critique the various aspects of Google's changes in detail
regarding both perceived strengths and shortcomings, but not today.

For now, let's view Google's announcement with the broadest possible scope
-- not so much for what it says but for what it might portend for the
future.  While these changes can be reasonably viewed as only a first step
on the road to the kinds of data retention privacy enhancements ultimately
needed, taking that first step at all is an immensely positive sea change to
Google's attitude toward this data.

Time will tell if the rest of that privacy road is traversed in due course.
It will be a challenging path indeed, especially in a political environment
where the pressure to retain data for extremely broad retroactive
investigatory purposes is growing at an alarming rate.  And as we've seen in
the recent revelations regarding the FBI's violations of the PATRIOT Act
( ),
the issues are all interrelated, and Google of course must obey these laws.

But those are issues for another day.  For now, I'll simply thank Google for
listening, and express the hope that we can move forward together into a
very uncertain future, where deeds will always speak more strongly than
words, and where the decisions we make now about these matters are likely to
have impacts for generations to come — as we all ideally try to live by the
"Don't be Evil" creed.

It won't be easy.  But we have no honorable choice but to try.

Lauren Weinstein  +1 (818) 225-2800  Lauren's Blog:

Yet another risk of voting computers

<Erling Kristiansen <>>
Thu, 08 Mar 2007 20:58:06 +0100

The election for regional governments (Provinciale staten) in the
Netherlands took place yesterday.  Many precincts use voting computers, I
believe from NEDAP, whose user interface consists of a rather large flat
panel with a push-button for each candidate (+ a display and a large
"confirm" button, but these are irrelevant here). The layout of the buttons
is the same as the layout of the printed candidate list distributed some
days before the election. So if you know which button was pushed, you know
the candidate voted for.

As is common in large elections, TV news showed a few prominent people
casting their vote. Mostly, this is a boring show of people depositing
folded pieces of paper in a box.  Not this time.

I suppose RISKS readers have already guessed what happened.  Yes, indeed:
The panel was in full view on TV news when the prime minister, the leader of
a main opposition party and one or two other high-ranking politicians cast
their votes.

The voting machines have a panel that obstructs the view from the voting
officials and the waiting public. But it is completely open towards the side
facing away from the public. No privacy cubicles, no curtains, nothing
obstructing the view from above.  So if one could get away with hiding a
camera above the machine, one could record the vote of everybody, and have a
picture of the voters as a bonus.

When security software goes bad...

<Jeremy Epstein <>>
Thu, 8 Mar 2007 10:28:42 -0500

A bug in Microsoft's new security product (Windows Live OneCare) wipes out
Outlook ".pst" and Outlook Express ".dbx" files when it finds malicious
email.  So it replaces one security problem (the malware) with another
(denial of service).  Leads to some interesting new forms of attack - send
emails to a victim that are just bad enough to trip up OneCare and cause it
to launch a DoS attack on its users.  Affects Outlook 97 & 2000, and Outlook
Express on WinXP.

Shouldn't we have a higher standard for security software in the "do no
harm" category?  Seems ironic, in particular, that it's a Microsoft product
damaging another Microsoft product!

Wireless bingo in UK for smokers

<"C R Ritson" <>>
Fri, 2 Mar 2007 10:12:30 -0000

I happened to catch a snippet on the radio this morning where two UK
bingo-hall operators (who will soon be forced to ban smoking inside) were
said to be considering providing customers who smoke with portable
bingo-playing handsets to take outside to a smokers' shelter.

I wonder how many risks will be discovered here before and/or after

Chris Ritson (Computing Officer and School Safety Officer)
Room 707, Claremont Tower,        EMAIL:
School of Computing Science,      PHONE: +44 191 222 8175
Newcastle University,             FAX  : +44 191 222 8232
Newcastle upon Tyne, UK NE1 7RU.  WEB  :

  [I presume those risks will not be smoked out until afterwards.  PGN]

CBC: Vancouver bus info signs 'duds'

<Andrew Gray <>>
Thu, 08 Mar 2007 12:11:34 -0800

"The signs at the bus stops have been duds," said TransLink spokesman
Ken Hardie, adding the company that installed the system said it cannot
be fixed.

"This system unfortunately just has never worked properly. Siemens has
basically thrown up its hands and say they can't make it work."

Biometric ID at airports

Tue, 13 Mar 2007 16:42:23 EDT

The following is from one of my "usually reliable" sources:

> By the way, I have seen the future of biometric identification and it's
> here at Quito Airport.

> Ecuadorians have an index fingerprint on their identity cards. Here at the
> airport, the biometric check involves the migration officer grasping the
> ID card in one hand and the subject's index finger in the other, bringing
> the two together and squinting at them. I shall leave it to you or others
> to speculate on the accuracy of the system.....

Peter Mellor;   Mobile: 07914 045072;   +44 (0)20 8459 7669

'Tamperproof' autopilot for passenger jets to avoid hijacks

<George Michaelson <>>
Thu, 8 Mar 2007 12:16:53 +1000

I'm sure there are better references. It has potential to be a bottomless
pit of falsely raised expectations.  At least this is an industry which
understands the problem of software testing and things like FCC compliance.

USAirways Merged Reservation Systems Fubar

<Chuck Weinstock <>>
Wed, 14 Mar 2007 08:24:06 -0400

[USAirways is in the process of absorbing America West, and merging its
reservation systems into SHARES (Shared Reservations System).  The following
paragraphs have been excerpted by PGN from "Reservations Migration to
SHARES. The good, the bad and 'why move to this Reservations system?'"]

  We encountered "out of sync reservations," which means that when we
  migrated the seven million reservations from Sabre to SHARES,
  approximately 1.5 million of them didn't "sync up," meaning that
  passengers and agents can't do much easily — like check in for a flight.
  The result was that many systems that otherwise were ready to go became
  bogged down with lots of these reservations that couldn't be processed
  except by hand.  By now we've whittled down the number of "out of sync"
  reservations closer to a normal level, and continue to reduce them
  daily. ...

  The short version is this: Much of the technology that most airlines are
  built around is "legacy" mainframe systems from the 60's and 70's. These
  systems are deeply embedded in everything from reservations, to flight
  operations, to airport operations, to accounting. They are very reliable,
  but are very inflexible, so as our business changes, we often fight with
  one hand tied behind our back. ...

  You say: "So dummy, convert it to a 21st century system." We would like to
  do that and eventually we will. The biggest reasons we can't do it now are
  that there is currently no modern system in use to convert to, and the
  investment would be tremendous — that is, tremendously expensive. Several
  companies are building and preparing to implement more modern platforms
  for airlines to use and we are watching those closely and are in contact
  with those companies.  However, even when the opportunity presents itself,
  we will have to proceed with caution. In an industry where we lose money
  more often than we turn a profit, it's not always easy to justify
  replacing a system that works with a very expensive, untried system that
  carries additional risk. But stay tuned; we'll get there.

Re: PG&E sidesteps $38 million bill for daylight-saving patch (R-24:59)

<"Watson, Tom" <>>
Wed, 14 Mar 2007 15:45:57 -0700

The original article said:
"...For example, from 11 Mar through 31 Mar a peak usage period that would
ordinarily end at 6pm will instead end at 5pm to compensate for the meters
being off by an hour."

There is a problem here.  According to the PG&E blurb I got (I have a TOU
meter), the time period for the interval mentioned is actually 1 hour later
(spring forward...).  This means that the peak period is actually from 1pm
to 7pm (in my case), not 12 Noon to 6pm as it usually is.

The risks: Some people haven't gotten this daylight saving time thing right
yet.  If errors can be made in our discussions, they can be made EVERYWHERE.

Just to indicate that this has happened before: The clock chip used in the
PC/AT (when it was mostly discrete chips) in 1984 used the Motorola MC146818
clock chip.  It was HARD WIRED to change daylight saving time on the LAST
Sunday of April, and the LAST Sunday of October.  The law was changed to the
FIRST Sunday in April back in 1987 (as I recall, check your time zone
definitions), and rendered this circuit useless.  I don't think anyone
actually used it anyway.  If you are curious, see the datasheet at:
The description is on page 16, where the 'DSE' (Daylight saving time enable)
is described.

Legislative note:
The change in 1987 was supposedly at the behest of those who made barbeques
and the consumables (briquettes).  The recent change was made for "energy
conservation" reasons, but it was mentioned on the news that since we drive
more these days, it might cause more energy to be consumed.  Time will tell,
and we might go back to some previous "standard".  [*]

The political cartoon that went with the first attempt at changing DST (in
the oil "crisis" of 1973) showed the protagonist cutting a swath of his
blanket off one end of the blanket and attaching it to the other.  "We call
this daylight saving time...".

Why do we bother with this foolishness.  Just have "summer hours" and
"winter hours".  (*SIGH*)

  [* A U.C. Berkeley study of Australian energy consumption in 2000/2001
  (comparing New South Wales <which extended its DST by two months> and
  Vitoria <which did not>) concluded that energy savings in the evening
  were more than offset by increased energy consumptions in the morning. 16 Mar 2007
  For those of you who shave in the dark under DST, you might do it in the
  evening instead, and call it Daylight Shaving Time.  PGN]

Re: US DST date changes

<Robert Graves <>>
Fri, 16 Mar 2007 09:11:10 +1100

In the past (or on Unix machines - take your pick), DST dates were
configurable with a simple ruleset.  As such, you could define 2nd Sunday in
May or 12th February or whatever, the time amount and the designator (AEST,
DST etc).  A comprehensive default set came with the operating system.  This
allowed the various DST changes around the world to be *managed* by system
administrators, including local anomalies for specific events (such as the
Olympic Games in Sydney).  Now, we appear to have broken that model, and
left it all in the hands of the manufacturers.  For example, Microsoft have
to release a patch for its OS to cope with the change.  Shouldn't it be a
simple configuration change?  (There is a benefit to the patch - it is
simpler, but the patch is the only official way of changing it.)  I am very
wary of such dependence.

As for all those manufacturers who have embedded fixed rules, it is about
time they started reading RISKs and got their act together.

Re: Date arithmetic before 1900 (Gilliver, RISKS-24.59)

<"Ken Hagan" <>>
Fri, 16 Mar 2007 13:18:16 -0000

John Gilliver mentions genealogy software as something which regularly does
date calculations "as far back as" 1900.

Yes, and most packages that I've seen also claim to correctly handle the
switch from the Julian to the Gregorian calendar, although I suspect that
most are assuming the switch-over was 1752. However, I don't think genealogy
software counts, because nothing depends on the answers being correct. (My
program allows events to precede the birth of the participants. Yes it will
warn, but genealogy is not an exact science and good programs don't pretend
that it is.)

(Losing the thread somewhat, imagine the mess if there had been computers
around in 1752.)

Re: Putting the SSN genie back in the bottle? (RISKS-24.58)

<Ketrick McMillin <>>
Fri, 09 Mar 2007 20:36:29 -0600

Steve Summit has accurately observed that Social Security Numbers (SSNs) are
now so widely distributed that efforts by states and the federal government
to restrict SSN usage are irrelevant to the problem of ID theft.  What's
frustrating is that a simple, inexpensive, workable solution is possible but
Congress is apparently uninterested.

The solution is to 1) require businesses to report to the Social Security
Administration (SSA) the SSNs that have been presented to them, and 2)
require the SSA to report to the legitimate holders of those SSNs the
identity of those businesses, thus alerting SSN holders to any improper use
of their SSNs.

But the SSA can't implement this solution without Congressional action,
and members of Congress have shown no interest.

Announcement: the Ninth Bieleschweig Workshop

<"Peter B. Ladkin" <>>
Fri, 16 Mar 2007 11:06:50 +0100

The Ninth Bieleschweig Workshop on Systems Engineering will be held Mon-Tues
14-15 May in the headquarters of Germanischer Lloyd, on the bank of the
River Elbe in Hamburg (although I believe the windows in the conference room
look to the other side). Participation is free. Germanischer Lloyd has
kindly sponsored lunch on both days and dinner on Monday evening. Languages
are German and English. The workshops usually attract 30-40 participants
from academia and industry. The Ninth Workshop is organised by myself and
Karsten Loer of Germanischer Lloyd, and is, as usual, strongly oriented
towards safety-critical systems.

The Bieleschweig series is now in its fifth year, meeting twice a year, with
additional meetings (the "half" series) for CausalML and WBA users.  They
have "themes", and this time we ask for contributions especially in
model-based engineering and in incident analysis, although other topics in
critical-system engineering are also welcome. The call, timetable, venue
details, and some of the planned talks may be found on the Bieleschweig page
at the University of Bielefeld: -> Bieleschweig ->
Ninth Workshop.

We publish the slides from the talks, as well as other contributed written
material as wished, on the WWW, at the Bieleschweig page at the Technical
University of Braunschweig: and at the
Bieleschweig page at the University of Bielefeld ->

Peter B. Ladkin, Causalis Limited and University of Bielefeld

Please report problems with the web pages to the maintainer