The RISKS Digest
Volume 24 Issue 81

Thursday, 30th August 2007

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Please try the URL privacy information feature enabled by clicking the flashlight icon above. This will reveal two icons after each link the body of the digest. The shield takes you to a breakdown of Terms of Service for the site - however only a small number of sites are covered at the moment. The flashlight take you to an analysis of the various trackers etc. that the linked site delivers. Please let the website maintainer know if you find this useful or not. As a RISKS reader, you will probably not be surprised by what is revealed…


Wells Fargo bank computer problem
Ted Lee
MS WGA Servers down; XP & Vista installs marked "counterfeit"
David Lesher
Tokyo subway train misses a station
Paul Saffo
Free rides on the Boston T
Ryan Haggerty via Monty Solomon
Skype outage resulted from flood of restarts after updates
Problem that knocked out Skype has happened many times in the PSTN
Matt Holdrege
"No trucks using satellite navigation"
Mark Brader
Risks of randomly evaporating letters
Mark Brader
Data thieves hit site
Hiawatha Bray via Monty Solomon
Even the Navy Can't Censor the Internet
Lauren Weinstein
Chinese Village Name Change Sparks Chaos
Mark Brader
With Software and Soldering, a Non-AT&T iPhone
Ken Knowlton
Cell phones swamping 911 systems
Cable Industry Responds Regarding HD TiVo Incompatibilities
Lauren Weinstein
E-voting predicament: Not-so-secret ballots, Declan McCullagh
The Risk Factor weblog
David Magda
Risks of a protocol mismatch
Dave Horsfall
More Wikipedia "Gotcha" Silliness
Lauren Weinstein
Suspect named in TJX credit card probe
Ross Kerber via Monty Solomon
Don't make the normal into the unusual - leap seconds vs hours
Guy Dawson
Amusing Lack of Software Support
Gene Wirchenko
Re: Risks of trusting your fonts?
REVIEW: "Security Metrics", Andrew Jaquith
Rob Slade
Info on RISKS (comp.risks)

Wells Fargo bank computer problem

<"Ted Lee, Minnetonka, MN" <>>
Tue, 21 Aug 2007 14:07:18 -0500

I'm sure there will be several submissions on this.  The associated press
story on it contains the following "... Avid Modjtabai, head of technology
for the nation's fifth largest bank, said today that problems with the
company's online banking services lasted less than two hours, and customers
never lost the ability to make basic ATM transactions, including withdrawing
cash and making deposits at Wells Fargo-branded ATMs."  While I haven't been
able to verify that is the reason, on Sunday I had my Wells Fargo credit
("check") card refused by a merchant's POS terminal with the code "card
blocked."  My account has plenty of money in it and there are no untoward
transactions in it.  (That I was able to check.  Go figure).  I tried
calling calling WF off and on all day yesterday to see if they knew why the
card was blocked and they couldn't find out — because their computers were
down.  Today I can't get through, presumably because of heavy call volume.

MS WGA Servers down; XP & Vista installs marked "counterfeit"

<"David Lesher" <>>
Sat, 25 Aug 2007 19:58:22 -0400 (EDT)

The Windows Genuine Disadvantage servers all went down.

Result: All attempted OS installations were labeled as counterfeit.
THAT means you get 'limp home' mode for the box..


The recovery procedure, once you know their server is again working,
involves deleting some special files, and revisiting the WGA server.

{Sigh; haven't we had this conversation before?}


  Creating an artificial single-point-of-failure.

  Not making that single point robust/redundant enough to defend again all
  enemies, foreign and domestic [i.e. outsiders vs the more likely "we have
  met the enemy, and he is us..." errors.]

  Not having good recovery procedure when the Can't Happen Does
  Happen... [Can your mother find her data.dat file?]

I wonder if the server farm has both geographic and network diversity.
(There was a Jan 2001 failure of all Microsoft nameservice; then, they were
in one place, on one segment.)

I also worry about what happens if somehow, sometime, the MS database gets
trashed, and it decides ALL copies of XP/VISTA/Win2009/whatever are
pirated. So when every machine does its obligatory check-in, and gets

  [Will Debian be VERY popular overnight?]

Tokyo subway train misses a station

<Paul Saffo <>>
Mon, 20 Aug 2007 21:53:36 -0700

  [This looks like a RISKS story — not to mention being a reminder of how
  quaintly peaceful a place Tokyo is that allows them to treat this as news.]

Subway train passes station after line switched to wrong track

A subway train was forced to pass a station it was supposed to stop at on
Monday evening because the line was switched to a track exclusively for
trains passing the station, the subway operator said.

At about 6:40 p.m., the driver of a local train on the Tokyo Metro Tozai
Line slowed down his train to stop at Baraki-Nakayama Station in Funabashi,
Chiba Prefecture, but noticed the train had gone onto the passing track,
Tokyo Metro officials said.

The train was forced to continue on to the following Nishi-Funabashi
Station. About 840 passengers were aboard the train but the incident did not
cause major confusion.

Tokyo Metro officials pointed to the possibility that a computerized system
controlling the line's railway switches had developed trouble.  (Mainichi)

21 Aug 2007

Free rides on the Boston T

<Monty Solomon <>>
Thu, 23 Aug 2007 09:06:02 -0400

When the Boston Massachusetts Bay Transportation Authority updated its
software to shut off about 13,000 lost, stolen, or expired cards, it also
detected and disabled an unknown number of monthly passes that had been
automatically reloaded without payment for up to the past seven months.
[Source: Ryan Haggerty, Glitch allowed free rides with T passes; Audit to
check scope of flaw; firm blamed, *The Boston Globe*, 23 Aug 2007; PGN-ed]

Skype outage resulted from flood of restarts after updates

<"Peter G. Neumann" <>>
Thu, 22 Aug 2007 18:42:09 PDT

For two days beginning on 16 Aug 2007, Skype's peer-to-peer network was
critically unstable.  This evidently resulted after Skype users all around
the world rebooted their systems subsequent to getting a set of Microsoft
patches via Windows Update.  The flood of attempted Skype logins together
with a lack of adequate Skype network resources at that time prompted a
chain reaction.  Although this had never happened before, it revealed a flaw
in Skype's self-healing mechanism — which has now been fixed through
retuning of the algorithms.  This apparently had nothing to do with any
particular MS patches.  (Skype has something like 200 million users in
total, although only 5 or 6 million are generally online at once.  The peak
usage reported was 9 million in January 2007.)

  [Thanks to Lauren Weinstein for pointing out the Skype source with
  commentary by Villu Arak, 20 Aug 2007 and clarification on 21 Aug:,
  The site also includes current Skype status along with a note yesterday on
  a presumably temporary problem that involves payments using either of two
  banks in Estonia.  PGN-ed]

Problem that knocked out Skype has happened many times in the PSTN

<Matt Holdrege <>>
Tue, 21 Aug 2007 16:37:23 +0200

It is funny to see all the articles in Telecom magazines and blogs about how
Skype is unreliable as proven by last week's outage.  These people seem to
forget that the vaunted PSTN has had many such outages. I posted here in
RISKS back in 1993 about a Pacific Bell DACS software upgrade that went bad
and knocked out most of Orange County, California for a day. How often has
the PSTN been killed by radio contests and natural disasters? Any large
scale system can and will suffered from such problems as it is growing. This
is nothing new to most RISKS readers.

"No trucks using satellite navigation"

< (Mark Brader)>
Tue, 28 Aug 2007 17:28:35 -0400 (EDT)

In the Welsh country borough known as Vale of Glamorgan, there have been
several instances of foreign truck drivers following routings given by
satellite navigation and apparently unable to understand signs reading
"Unsuitable for heavy goods vehicles - Anaddas i gerbydau nwyddau trwm".

They are now experimenting with a pictographic sign instead — showing a
truck with a red slash through it, and a satellite overhead.  To me this
sign looks if heavy trucks whose drivers don't use satnav are now welcome...

Mark Brader, Toronto,

Risks of randomly evaporating letters

< (Mark Brader)>
Tue, 28 Aug 2007 23:46:22 -0400 (EDT)

The Saskatchewan Party is outraged that as the words Privatization of the
Crowns fades out in one part of the ad, the letters P,O, R, and N stay up a
split second longer than the rest.

Data thieves hit site (Hiawatha Bray)

<Monty Solomon <>>
Thu, 23 Aug 2007 08:52:21 -0400

Thousands of names, phone numbers, and e-mail addresses stored by the
Internet job-search site have been stolen as part of a complex
online fraud scheme.  Symantec Corp., a security company, disclosed the
breach over the weekend after one of its researchers found that a server
computer in Ukraine held 1.6 million records stolen from Monster, a New York
company whose US operations are based in Maynard.  [Source: Hiawatha Bray,
*The Boston Globe*, 22 Aug 2007: PGN-ed]

Even the Navy Can't Censor the Internet

<Lauren Weinstein <lauren@VORTEX.COM>>
Thu, 30 Aug 2007 07:48:44 -0700

I frequently make the assertion that it's impossible to successfully censor
the Internet by trying to remove materials that have already been posted
publicly after they've attracted attention.  What's published is published,
what's done is done.  The genie won't just refuse to go back into the
bottle, he'll stick his tongue out at you as well — or worse.

You may recall the international brouhaha a couple of weeks ago over the
Navy pulling from YouTube all copies of an (originally relatively obscure --
now infamous) amateur music video posted by a user named "PUMPIT01" and
produced on the aircraft carrier Ronald Reagan (CVN76), as described in and many other stories.

The video in question ("Women of CVN76") has been variously described as
being removed due to security violations (brief shots of utterly innocuous
reactor-related areas), "inappropriate use of safety equipment," and other

The real reason for the Navy's "reaction" is clearly just plain old ordinary
embarrassment, especially since the ship's CO has a cameo role in the
amusing production.

But my point here isn't to post a video review, but rather to emphasize that
for all the noise about deleting the video, it of course remains easily
available with but a minimum amount of effort.

You may feel that the inability to effectively "recall" posted materials is
a blow for freedom, or to the contrary an information control disaster.  But
either way, it's a fact — a reality that we can't escape.  And perhaps the
sooner we come to terms with this truth, the less time we'll be wasting at
shadow boxing with useless Internet censorship attempts.  There are far
better ways that we can be spending our time.

Excuse me?  Oh, where's the video?  Like I said, finding a copy is actually
quite simple.

Example: For the sake of the argument, let's say that you did a Google
Search right now for the straightforward query of:

  cvn-76 women pumpit01 "click here"

No magic words.  No secret codes.  Just pretty obvious stuff from the news
stories about the video, plus a little common search sense.  And while any
given search results are often fairly ephemeral, and any particular copy of
material found at any given time may still be removed, well, the Internet is
a big place, and the Lords of Censorship remain essentially impotent, for
better or worse, indeed.

Lauren Weinstein +1 (818) 225-2800

Chinese Village Name Change Sparks Chaos

< (Mark Brader)>
Tue, 21 Aug 2007 20:33:46 -0400 (EDT)

The 50 residents of the Chinese village Tianmeidong decided to change its
name to one that would bring it better luck: Tianwei plus a third character
that is rare enough that computers could not represent it.  Even the Nanguo
newspaper was forced to describe that character in its article because its
computer could not write it.  As a result, anything that involves the
government is blocked, such as registering a marriage or the sale of
property.  [AP item, 21 Aug 2007, PGN-ed],,-6865184,00.html

Good luck with that character set!

With Software and Soldering, a Non-AT&T iPhone

<Ken Knowlton <>>
Sat, 25 Aug 2007 11:07:41 EDT

A 17-year-old New Jersey resident has published instructions on how to
unlock Apple's iPhone so it will work on some competing cellular networks.
[Source: Brad Stone, *The New York Times*, 25 Aug 2007]

Cell phones swamping 911 systems (*LATimes*)

<"Peter G. Neumann" <>>
Sun, 26 Aug 2007 9:33:09 PDT

An explosion in calls from cellular phones has overwhelmed critical parts of
California's 911 system, resulting in hundreds of thousands of lost calls
and lengthy waits to reach dispatchers even as crimes or potentially deadly
emergencies unfold.  Wireless 911 calls statewide have jumped roughly
tenfold since 1990, to more than 8 million last year. Cell calls now make up
the majority of all 911 calls, and key emergency agencies are struggling to

The problems are aggravated by call surges — such as when multiple
motorists call in about the same accident — staffing shortages at 911
dispatch centers, and technological hurdles. Cell calls are more easily
interrupted or lost and take longer to handle, officials say, reducing the
number of calls each dispatcher can field.

[Source: Robert J. Lopez and Rich Connell, Users are experiencing lost calls
and lengthy waits; Officials say it's better to summon help on a land line.
*Los Angeles Times*, 20 Aug 2007; PGN-ed],0,3741158.story?page=1&coll=la-home-center and

Cable Industry Responds Regarding HD TiVo Incompatibilities

<Lauren Weinstein <>>
Sat, 25 Aug 2007 14:05:04 -0700 (PDT)

Lauren Weinstein's Blog Update:
Cable Industry Responds Regarding HD TiVo Incompatibilities
August 25, 2007

[...] a few days ago I reviewed the situation concerning incompatibilities
between the new High Definition TiVo ("TiVo HD") and the Switched Digital
Video (SDV) systems being rapidly deployed by cable systems.

That was last Wednesday.  The following day, that blog item appeared on
Slashdot and was as a result very widely referenced
and discussed.  So much for Thursday.

Now comes word that the next day (yesterday), the cable industry trade
association (NCTA - National Cable & Telecommunications Association)
made a filing with the FCC offering to develop a workaround for the problem.

As might be expected, NCTA is continuing to push the "OpenCable Application
Platform" (OCAP) system that the Consumer Electronics Association has found
to be unacceptable.

However, NCTA reportedly says in their new FCC filing that they are now
willing to develop a "tuning resolver" to work around the problem for
existing devices like the new TiVo.  This device would be a USB "dongle" to
handle SDV tuning (the second of the probable options that I mentioned in my
original blog item, as it happens).

While this is obviously a welcome development, two obvious questions are
"When?" and "How much will it cost?"

Obviously cost is important.  And if the device takes too long to appear,
the associated host devices might already be obsolete!

Still, a busy three days, and no doubt the timing of the NCTA filing vs. all
of the Slashdot attention to the issue was just an amusing coincidence.

E-voting predicament: Not-so-secret ballots, Declan McCullagh

<"Peter G. Neumann" <>>
Mon, 20 Aug 2007 16:37:46 PDT

Ohio's method of conducting elections with ES&S electronic voting machines
appears to have created a true privacy nightmare for state residents:
revealing who voted for which candidates.  Time-stamped paper trails permit
the reconstruction of an election's results — allowing voter names to be
matched to their actual votes.  [Source: Declan McCullagh, CNET, 20
Aug 2007; PGN-ed from an interesting long article.]

The Risk Factor weblog

<David Magda <>>
Thu, 23 Aug 2007 10:46:21 -0400 (EDT)

The IEEE has a blog called "The Risk Factor" with the by-line "Software
failures and successes dissected daily". Don't remember seeing it mentioned
in RISKS, so I thought people might be interested:

Risks of a protocol mismatch

<Dave Horsfall <>>
Wed, 22 Aug 2007 10:12:08 +1000 (EST)

When two similar protocols interoperate, the results can be drastic and at
other times humorous; fortunately, this falls into the latter category:
Looks like the response from the Kerberos server got mis-parsed by AD:

  If you log on to an MIT realm, press CTRL+ALT+DELETE, click Change
  Password, type your existing MIT password, and then type a new, simple
  password that does not pass the dictionary check in Kadmind, you may
  receive the following error message:

    Your password must be at least 18770 characters and cannot repeat any of
    your previous 30689 passwords. Please type a different password. Type a
    password that meets these requirements in both text boxes.  Note that
    the number of required characters changes from 17,145 to 18,770 with the
    installation of SP1.

  NOTE: This is not a common case; it occurs only when you configure Windows
  2000 to authenticate against an MIT Kerberos domain.

More Wikipedia "Gotcha" Silliness

<Lauren Weinstein <>>
Sat, 18 Aug 2007 15:58:15 -0700 (PDT)

Lauren Weinstein's Blog Update: More Wikipedia "Gotcha" Silliness
                        August 18, 2007

My concerns regarding the Wikipedia operational model are fairly well known,
e.g., "Wikipedia and Responsibility"

So it was with considerable interest that I've noted the controversy
regarding a 24-year-old self-described "disruptive technologist," and his
tool to more easily track the origin of Wikipedia changes (*The New York
Times*, "Lifting Corporate Fingerprints From the Editing of Wikipedia").

But even the title of that article tends to belie the underlying nature of a
real problem — the lack of accountability for most of what's written or
edited in Wikipedia.  The "Corporate Fingerprints" bit is cute — but what
about all of the other fingerprints smeared through virtually every byte of
the Wikipedia database?

Apparently it's one thing to snicker about corporate folks who want to
correct what they perceive as errors (or, indeed, put their own positive
spin on "the facts.") But there seems to be little interest in figuring out
who purposely defaces pages, plants false or defaming information in the
first place, or for that matter is responsible for the more mundane,
probably factual minutiae, even just for the sake of establishing
authenticity or expertise.

Wikipedia seems to be turning into a gigantic "gotcha" machine --
increasingly contaminated like a chunk of "Silly Putty" that's been used
once too often to pick up comic strip images.

The single best thing that Wikipedia could do to lend itself genuine
credibility would be to require that contributers identify themselves — by
name, not by handles or childish aliases.  Or, as an alternative, at the
very least clearly indicate "in-line" when unauthenticated text dominates an

Ironically, our disruptive technologist's tracing mechanism will probably
have ever less value moving forward from today.  While it will continue to
be useful for retrospective analysis up to this point in time, we can be
sure that more and more of the primarily targeted corporate Wikipedia
editors will learn their lesson.

That lesson being, if you're going to edit your entry on Wikipedia, be sure
to do it through a proxy or generic ISP account, not through your corporate

So moving forward, we'll probably have even less meaningful transparency
concerning Wikipedia changes, and that Silly Putty Syndrome will likely
continue to escalate.

Given what Wikipedia could aspire to be, that's really a shame.

Suspect named in TJX credit card probe (Re: RISKS-24.62,69,78,80)

<Monty Solomon <>>
Wed, 22 Aug 2007 01:21:54 -0400

[Source: Ross Kerber, *The Boston Globe*, 21 Aug 2007; PGN-ed]

Authorities have arrested Maksym Yastremskiy, a Ukrainian man, whom they
suspect played a key role in the sale of many credit card numbers stolen
from TJX Cos., in what is considered the biggest corporate data breach to
date.  "Prices ranged from $20 to $100 per stolen card, and the cards were
sold in batches of up to 10,000, depending on factors like the credit limits
of the consumer accounts being traded."

Don't make the normal into the unusual - leap seconds vs hours

<Guy Dawson <>>
Tue, 21 Aug 2007 10:57:15 +0100

One of the risks of replacing frequent leap-seconds and thus the
frequent need to handle them with infrequent leap-hours is that handling
them becomes an unusual task.

We're never as good with unusual tasks as we are with the usual tasks.
Practice makes perfect!

With the requirement to add a leap second every few years systems have
to be designed to handle them as part of their normal operation.

If we have to add a leap hour every 100 years or so, we'll have Y2K date
problems every time. The same old excuses will be rolled out :

   We never expected this system to have to handle leap hours when we
   built it.

Since leap seconds come around every few years any system that is to
keep accurate time has to deal with them head on as part of the basic

Guy Dawson, I.T. Manager, Crossflight Ltd

Amusing Lack of Software Support

<Gene Wirchenko <>>
Sat, 25 Aug 2007 09:33:23 -0700

This story is hilarious:

The opening paragraph: "A Linux user who was jailed for uploading a film
onto a peer-to-peer service has been told he will have to switch to Windows
if he wants to use a computer again."

It seems that the monitoring software he is now required to have does not
run under Linux.  Also amusing is the closing remark about being *given* two

Re: Risks of trusting your fonts? (Adamson, RISKS-24.80)

<McGrude <>>
Mon, 20 Aug 2007 17:56:51 -0700

But wasn't the only issue the *display* of the underlying data?

From the linked post, "copying and pasting what looks to be '0123456989'
into a text editor will still give '0123456789'".  [Typo in original
linked post corrected.  PGN]

From that I'd assume that internal calculations would still be correct and
that only the displaying of results would be corrupt.  It is still a
problem, no doubt, but at least it wasn't as bad as it could have been.

Mike Hogsett

REVIEW: "Security Metrics", Andrew Jaquith

<Rob Slade <>>
Wed, 29 Aug 2007 10:53:24 -0800

BKSECMTR.RVW   20070612

"Security Metrics", Andrew Jaquith, 2007, 0-321-34998-9,
%A   Andrew Jaquith
%C   P.O. Box 520, 26 Prince Andrew Place, Don Mills, Ontario  M3C 2T8
%D   2007
%G   0-321-34998-9 978-0-321-34998-9
%I   Addison-Wesley Publishing Co.
%O   U$49.99/C$61.99 fax: 416-443-0948 800-822-6339
%O   Audience i- Tech 1 Writing 1 (see revfaq.htm for explanation)
%P   306 p.
%T   "Security Metrics: Replacing Fear, Uncertainty, and Doubt"

In the Foreword, Dan Geer states that the book is not about selling the idea
of metrics.  Which makes the initial chapters a bit problematic: if they
aren't about selling the idea of metrics, what are they about?  Chapter one
is supposed to be an introduction, but seems primarily focused on the idea
that metrics are not about risk management.  (There is also an assertion
that proper metrics are "well understood across industries, and consistently
measured," which is interesting because much of what follows appears to
contradict this statement.)  The definition of security metrics, in chapter
two, addresses metrics from fields other than security, and emphasizes the
position that metrics are important (and that the current "metrics," such as
checklist frameworks and annualized loss expectancy, are inadequate).
Chapter three divides metrics into four general areas, dealing with
perimeter security, control, availability, and applications development.
Brief examples of collections of metrics related to these fields are given
in the text, although the lists can't be expected to be comprehensive, due
to the huge scope of security as a whole.  The second of these topics,
control, is probably the subject of chapter four, although it is entitled
"Measuring Program Effectiveness."  Basic concepts from statistics, such as
the difference between mean (average) and median (midpoint of a set of
elements), are presented in chapter five.  Chapter six talks about
demonstrating data in a visual manner.  Most of the material consists of
suggestions for graphics and examples are given "redrawing" the displays of
commercial programs.  Aspects of automating the calculations of security
metrics are outlined in chapter seven.  In chapter eight, Jaquith recommends
the use of a security scorecard based on the Balanced Scorecard management
assessment model.

Security can be difficult to define, let alone measure, and, in general, too
little attention is paid to numeric assessments that can assist in
determining how well we are performing at the task.  This book does go
somewhat beyond a mere exhortation to create and use metrics for security,
but it still leaves an awful lot of work for the practitioner or manager.

copyright Robert M. Slade, 2007   BKSECMTR.RVW   20070612

  [The need for incisive security metrics has been with us for a long time.
  On the other hand, the metrics that have emerged tend to be local rather
  than system-wide, and these local metrics are not easily composed into
  system-wide metrics.  Even the metrics for algorithmic crypto strength are
  relatively unsatisfying when the crypto is poorly implemented or embedded
  in systems that are easily compromised — whether by insiders or outsiders.
  Thus, the quest for meaningful system-level security metrics that can be
  derived from lower-layer metrics remains an enormously difficult
  challenge.  PGN]

Please report problems with the web pages to the maintainer