The RISKS Digest

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Volume 24 Issue 30

Thursday 1 June 2006

Contents

EU blocks US access to flight data
  Duane Thompson
Computer outage hits Montana state government
  Paul Goble
Irish ATM pays double; ethical dilemma
  Gerard McCarry
$8 million for self-parking charge
  Geoff Kuenning
China fielding cyberattack units
  Peter Gregory
College Door Ajar for Online Criminals
  Lynn Doan via PGN
Computer c*ck-up finds e-r-e-c-t-i-o-n hard to handle
  Nick Rothwell
Why the Democratic Ethic of the World Wide Web May Be About to End
  Adam Cohen via Monty Solomon
Risks of Dishonest Hosting Providers
  Roger Strong
Nationwide's Website Refuses Customer Feedback
  Chris Brady
Black Frog: next generation botnet. No generation spam fighting
  Gadi Evron
Symantec Denies 'Highly Severe' Antivirus Flaw
  Ed Sutherland via PGN
Re: NASA's DART spacecraft smashes into satellite
  Robert P Schaefer
Re: National Weather Center ... Bad Data
  Amos Shapir
Re: Comcast outage and backup
  Craig Partridge
Re: Cellphones
  Les Denham
Re: Google Captcha
  Thomas Insel
Re: Over-reliance on satellite navigation
  Matt Roberds
Re: Man Gets $218 Trillion Phone Bill
  Marc Auslander
  Andrew Klossner
  Scott Peterson
Info on RISKS (comp.risks)

EU blocks US access to flight data

<Duane Thompson <dst@rmhcn.org>>
Tue, 30 May 2006 06:08:51 -0700 (PDT)

Good for the EU!  It seems that the EU will protect my privacy better than
the U.S. will.

"The EU's highest court today blocked an agreement to give the US
information about transatlantic air passengers. The European court of
justice ruling said the US did not provide adequate protection for air
passengers' privacy. ..."

Guardian Unlimited, more at:
http://www.guardian.co.uk/eu/story/0,,1786002,00.html


Computer outage hits Montana state government

<"Paul Goble" <pg@pgcommunication.com>>
Wed, 31 May 2006 08:30:38 -0600

A hardware failure immobilized Montana state government from 1:30am on 22
May 2006 until 2:00am the next day.  The hardware failure affected the "vast
majority of services and computers" including things such as the state
Justice Department, drivers licences and wildlife permits. Apparently key
services such as law enforcement were affected at first but were "rerouted."

Dawn Pizzini of the Information Technology Services Division is quoted as
saying, "We would have never assumed that that many components in that piece
of equipment would fail."

http://edition.cnn.com/2006/TECH/05/23/computer.outage.ap/
http://www.helenair.com/articles/2006/05/24/montana/a08052406_01.txt

Paul Goble <pg@pgcommunication.com>


Irish ATM pays double; ethical dilemma

<"Gerard McCarry" <gmccarry@insightbb.com>>
Tue, 30 May 2006 21:57:25 -0400

The risk of taking advantage of a glitch
  http://news.bbc.co.uk/2/hi/uk_news/northern_ireland/5019012.stm


$8 million for self-parking charge

<Geoff Kuenning <geoff@cs.hmc.edu>>
23 May 2006 14:29:53 -0700

A humor column in today's *LA Times* featured a photograph of a self-pay
parking kiosk with a mis-set date of 16 May 1943, showing an amount due of
$8,082,022.84.

Sanity checking, you ask?  Not bloody likely.  An auxiliary display shows
the fee in larger characters; it reads 8.1E+6.  When you have a programmer
so clueless as to calculate money values in floating point, there is little
hope for subtleties like sanity checking.

As a side point, I'm fascinated that things like parking kiosks now use
chips powerful enough to have floating-point support, at least as a library.
A 4-bitter would be adequate for the task, though it's not clear to me that
this particular programmer could have written the code needed to compute the
fee on a 4-bit machine.

Geoff Kuenning   geoff@cs.hmc.edu   http://www.cs.hmc.edu/~geoff/


China fielding cyberattack units

<Peter Gregory <petergregory@yahoo.com>>
Tue, 30 May 2006 15:07:24 -0700 (PDT)

From the nation that enjoys U.S. Most Favored Nation trade status, and a
permanent member of the WTO...

China is stepping up its information warfare and computer network attack
capabilities, according to a Department of Defense (DoD) report released
last week. The Chinese People's Liberation Army (PLA) is developing
information warfare reserve and militia units and has begun incorporating
them into broader exercises and training. Also, China is developing the
ability to launch preemptive attacks against enemy computer networks in a
crisis, according to the document, ``Annual Report to Congress: Military
Power of the People's Republic of China 2006.''  The Chinese approach
centers on using civilian computer expertise and equipment to enhance PLA
operations, the DoD report states.

Report: http://www.defenselink.mil/pubs/china.html

[Source: *Federal Computer Week*, 25 May 2006]
http://www.fcw.com/article94650-05-25-06-Web


College Door Ajar for Online Criminals

<"Peter G. Neumann" <neumann@csl.sri.com>>
Tue, 30 May 2006 10:55:33 PDT

Hackers discover that universities are rich in personal data and easier prey
than banks.  Since January, at least 845,000 people have had sensitive
information jeopardized in 29 security failures at colleges nationwide. ...
[Source: Lynn Doan, *Los Angeles Times*, 30 May 2006]
http://www.latimes.com/technology/la-me-hacks30may30,0,1085392.story?coll=la-home-headlines


Computer c*ck-up finds e-r-e-c-t-i-o-n hard to handle

<Nick Rothwell <nick@cassiel.com>>
Tue, 30 May 2006 17:40:52 +0100

Two e-mail messages objecting to a home extension failed to reach a council
planning department because their computer system blocked the word
"e-r-e-c-t-i-o-n".  Commercial lawyer Ray Kennedy, from Middleton, Greater
Manchester, claims he sent three e-mails to Rochdale council complaining
about his neighbour's plans.  But the first two messages failed to reach the
planning department because the software on the town hall's computer system
deemed them offensive.  When his third e-mail, containing the same word,
somehow squeezed through, it was too late.  A planning officer told Mr
Kennedy that his next-door neighbour's proposals had already been given the
go ahead.  [Source: *The Guardian* online, 30 May 2006; slightly PGN-ed
to avoid filtering]
  http://society.guardian.co.uk/localgovt/story/0,,1786189,00.html


Why the Democratic Ethic of the World Wide Web May Be About to End

<Monty Solomon <monty@roscom.com>>
Tue, 30 May 2006 00:21:10 -0400
  (Adam Cohen)

Editorial Observer
Why the Democratic Ethic of the World Wide Web May Be About to End

The World Wide Web is the most democratic mass medium there has ever
been. Freedom of the press, as the saying goes, belongs only to those who
own one. Radio and television are controlled by those rich enough to buy a
broadcast license. But anyone with an Internet-connected computer can reach
out to a potential audience of billions.

This democratic Web did not just happen. Sir Tim Berners-Lee, the British
computer scientist who invented the Web in 1989, envisioned a platform on
which everyone in the world could communicate on an equal basis. But his
vision is being threatened by telecommunications and cable companies, and
other Internet service providers, that want to impose a new system of fees
that could create a hierarchy of Web sites. Major corporate sites would be
able to pay the new fees, while little-guy sites could be shut out.  ...
[Source: Adam Cohen, *The New York Times*, 28 May 2006]
http://www.nytimes.com/2006/05/28/opinion/28sun3.html?ex=1306468800&en=cd83b09b58c721a6&ei=5090


Risks of Dishonest Hosting Providers

<"Roger Strong (Computers)" <rogers@yetmans.mb.ca>>
Fri, 26 May 2006 15:52:38 -0500

Slashdot has a thread on Identifying and Avoiding Dishonest Hosting Providers:
  http://ask.slashdot.org/askslashdot/06/05/26/0034248.shtml

One story that stood out:

"One place I looked at promised backup power. Then when I asked to see it,
they explained that they only had the fittings and a contract for a backup
generator that would be delivered in a couple of hours. Given that they are
in San Francisco, that's a stupid plan, my-nurse-only-lets-me-use-a-spoon
stupid; in an earthquake, their provider wouldn't have enough generators and
probably wouldn't be able to deliver them anyhow."

Lesson learned: If your business depends on it being available, go tour the
facilities.  Verify that the generators, switching and back systems and
redundant data pipes exist, and occasionally get tested.


Nationwide's Website Refuses Customer Feedback

<Chris Brady <chrisjbrady@yahoo.com>>
Wed, 31 May 2006 10:51:48 +0100 (BST)

Wishing to report a number of different phishing emails sent to Nationwide
Building Society (UK) customers, including myself, I searched their website
for a) an email address, &/or b) a feedback form. The urgency was to alert
the technical team to get the false websites closed down. BUT there was NO
contact email address on their website - not one. However, I found a customer
information request form and a website feedback form. I duly completed
both of these, including a cut & paste of the text of the offending emails,
but with both when I clicked 'Submit query' I got the response 'Page Not
Found.' I wonder how Nationwide stays in business when it can't even get a
couple of feedback forms working. This is not the first company I've had
similar problems with. It seems that few companies with a website presence
actually want feedback from customers. CJB.


Black Frog: next generation botnet. No generation spam fighting

<Gadi Evron <ge@linuxbox.org>>
Thu, 25 May 2006 03:42:41 -0500 (CDT)

Black Frog - a new effort to continue the SO-CALLED Blue Security fight
against spammers. A botnet, a crime, a stupid idea that I wish would have
worked.

http://news.google.com/news?q=black+frog

Blue Frog by Blue Security was a good effort. Why? Because they wanted to
"get spammers back".

They withstood tremendous Distributed Denial of Service (DDoS) attacks and
abuse reports, getting kicked from ISP after ISP.  They withstood the entire
antispam and security community and industry saying they are bad.

The road to heaven is filled with good intentions. Theirs was golden, but
they got to hell, quite literally, nonetheless.

They did not hurt any spammer (okay, maybe one), as their attacks reached
servers spammers already moved from, domains spammers already dumped for
the sake of thousands of other bulk-registered throw-away domains and so
on.

Their attacks did reach hacked machines which hosted other sites. Their
attacks reached ISPs with other users and their attacks hurt the Internet
as well as these other legitimate targets.

Blue Security also got a lot of PR, good and bad, but they were not here
first. Lycos Europe with their "make love not spam" effort was. ISPs
globally null-routed that service, as it was indeed, much like Blue
Security's, a DDoS tool by the use of a botnet. A botnet in this case being
numerous computers controlled from a centralized point to launch, say, an
attack.

Lycos Europe soon realized their mistake and took their service off the
air. Blue Security had 5 million USD of VC money to burn, so they stayed.

Even if they did reach spammers with their attacks (which they didn't), they
would still hurt so many others with the attacks, and the Internet
itself. When Blue Security came under attack they themselves said how DDoS
attacks are bad, and their fallout hurts so much more than just their
designated target.

That said, who is to determine said target?

When Blue Security went down, some of us made a bet as to when two bored
guys sitting and planning their millions in some cafe would show up, with
Blue Security's business plan minus the DDoS factor. Well - they just did.

Thing is, a P2P network is just as easy to DDoS. It has centralized
points.

It is, indeed, a botnet.

I want to kick spammer behind too, but all I would accomplish by helping
these guys is performing illegal attacks and hurting the Internet as well as
innocent bystanders.

This business model will not last. It will get PR, but it will not be
alone. 10 other efforts just such as this will follow. Now that Black Frog
made their appearance - sooner rather than later.

How long is this journey of folly going to continue? Any service provider
which hosts them is as guilty of the illegal DDoS attacks as anyone who
signs up with them.

The way to kick spammer behinds is to, plain and simple, put them in
jail. I.e., change the economics. Make it more risky and less cost-effective
for them Bad Guys to spam.

I will keep updating about this latest useless harmful project on the blog
where this is written, http://blogs.securiteam.com.

Stop Black Frog Now.


Symantec Denies 'Highly Severe' Antivirus Flaw

<"Peter G. Neumann" <neumann@csl.sri.com>>
Sat, 27 May 2006 10:52:50 PDT

Could Symantec's antivirus software guarding company as well as government
computers include a backdoor allowing hackers access to corporate data?  The
flaw could impact users of Symantec AntiVirus Corporate Edition 10.0 and
Symantec Client Security 3, according to eEye: the security vulnerability
can "compromise affected systems, allowing for the execution of malicious
code with system level access" and requires no user interaction.  [Source:
Ed Sutherland, *Internet News*, 26 May 2006; PGN-ed]
  http://www.internetnews.com/security/article.php/3609501

  [A subsequent report on 31 May indicates that Symantec has fixed the
  problem.  PGN]


Re: NASA's DART spacecraft smashes into satellite (RISKS-24.29)

<"Schaefer, Robert P (US SSA)" <robert.p.schaefer@baesystems.com>>
Tue, 30 May 2006 11:25:48 -0400

An article titled "Multiple Errors Cause DART Rendezvous Mission Mishap",
*Space News*, 22 May 2006, states that the 70-page NASA report on this
mishap will not be released because it contains sensitive material protected
by ITAR.  ITAR restrictions may also have been a contributing cause, i.e.,
people who should have talked to each other about technical
issues/misunderstandings were prevented from talking to each other by law.


Re: National Weather Center ... Bad Data (Kamen, RISKS-24.29)

<"Amos Shapir" <amos083@hotmail.com>>
Mon, 29 May 2006 18:01:20 +0300

Ever since the day weather observations were fed by phone or telex (5 bits
per character, no parity bits or CRC) to weather centers where maps were
drawn by hand, professional weather people have developed an almost
instinctive ability to spot weird data, and ignore it when analyzing weather
maps.  Based on their experience, they could even make an educated guess
about the possible correct values of bad data.

But letting some AI algorithm smooth out such data blips may be Risky.  What
if weather conditions did change abruptly?  While stationed in a desert
observation post in a previous life, I sometimes had to explain to a
bewildered Air Force colonel that yes, the temperature here did rise by 10 C
over the past half hour, and yes, the wind is 60 knots with zero visibility
due to a sandstorm.  Now try to explain that to a data-bot!

Nowadays there are many more situations in which professional people are
taken "out of the loop", and data untouched by humans ends up being
presented to lay people, including decision makers, who use it without being
aware of its origin and quality.  This is a known Risk, and seems to be
unavoidable.  In that case, it's better that these people be presented with
raw data and be able to spot errors (like Ben Kamen did), than automatically
processed data which might hide irregularities.  When analyzing weather
data, such irregularities are exactly what you don't want to miss!


Re: Comcast outage and backup (Duncan, RISKS-24.29)

<Craig Partridge <craig@aland.bbn.com>>
Tue, 30 May 2006 16:39:05 -0400

> The Risk for Comcast?  Never assume your backup generator will be there
> when you need it.  Test, test, test for power outages before they happen.

I just wanted to point out that testing the backup system regularly does not
ensure it works.  When we did the NRC study on the Internet's performance on
9/11, I was surprised to learn that ISPs find that their backup power
systems fail about 1 time in 10.  (ref: "The Internet Under Crisis
Conditions", p. 24, note 2).  This is from ISPs that test regularly (e.g.
once a month) and the number comes from their experiences with the tests
(that is, in one test in ten, the backup system doesn't pick up
cleanly).

So the challenges are more subtle.  How should an ISP invest in and plan for
the recovery process for that 1 time in 10 outage?  Designing that process
right is hard.  Example, one ISP I know had a policy of *NOT* allowing
systems personnel into their facility immediately after the rare case of
power loss and then being restored to key systems.  Because power loss was
such a rare event, the ISP used this experience as a chance to audit
installation procedures that were supposed to ensure that every system
"just came up" when power was restored -- they'd often find a system did not
just come up.

craig@aland.bbn.com or craig@bbn.com


Re: Cellphones (RISKS-24.27)

<Les Denham <les@iiandt.com>>
Thu, 04 May 2006 00:42:18 GMT

> The results: Inattentiveness caused by drivers using a
> cell phone, applying makeup, and being distracted from the
> road -- all caught on videotape -- cause nearly 80 percent
> of crashes and 65 percent of near-crashes ...

That's an interesting conclusion.

Cellphones have gone from a rare luxury to ubiquitous in the last ten years.
Yet over the same time period, automobile accidents have declined steadily:
from 1994 to 2004 the fatality rate per 100 million miles has gone from 1.73
to 1.44, and the injury rate from 139 to 94.  For cars (which are the most
common vehicles) the numbers for fatal crashes went from 2.07 to 1.57,
injury crashes from 191 to 123, and property-only crashes from 351 to 260
over the same period.  (all statistics from
http://www-nrd.nhtsa.dot.gov/pdf/nrd-30/NCSA/TSFAnn/TSF2004.pdf )

I'd say the claim that cellphones are one of the major causes of traffic
accidents fails the basic test of common sense.

My guess -- based on personal observation -- is that the same idiots who
cause accidents by being distracted in other ways are the ones who cause
accidents involving cellphone use.

If, for example, a study finds 50% of accidents involve cellphones, that
statistic is meaningless without a measurement of the proportion of drivers
using cellphones.  In Houston, where I live, informal observation suggests
about 50% of drivers in rush hour traffic are using cellphones, and that
doesn't count the ones using hands-free devices, or the ones with tinted
windows.


Re: Google Captcha (Johnson, RISKS-24.28)

<Thomas Insel <tinsel@tinsel.org>>
Thu, 11 May 2006 15:39:10 -0700 (PDT)

> It would be interesting to find out the back story on this problem and why
> the "solution" is so broken for users of the search service.

It's not generally deployed -- Google does this defensively when they see
excessive traffic from a particular source address or network.  Causes could
include a virus such as MyDoom or an aggressive script.

I suspect that it's "broken" because they want to annoy you into fixing
whatever's triggering the message.


Re: Over-reliance on satellite navigation (Schwarz, RISKS-24.29)

<mroberds@att.net>
Sat, 27 May 2006 02:48:56 +0000

>The North East Ambulance Service is equipped with satellite navigation
>[which] isn't fully informed on roads too narrow for the ambulance model.

It is probably more cost-effective to modify the navigation software, but
perhaps they should buy some narrower ambulances, especially if they are
already aware of streets that are too narrow for their current vehicles.

http://www.neambulance.nhs.uk/CommercialServices/Index/Index.htm shows a
technician working on an ambulance that appears to be based on a
Mercedes-Benz van that is sold as a Dodge or Freightliner "Sprinter" in the
US.  It appears that the cab is stock, but the ambulance box is wider than
the stock van body.
  http://www.cornermotors.com/images/sprinter_dimensions.jpg
shows that the width of a US-model Sprinter, excluding the external mirrors,
is either 76.2" (1935 mm) or 78.6" (1996 mm) depending on load capacity.  By
contrast, ambulances based on a stock Volkswagen Transporter, with a stock
body width of 68.9" (1750 mm), have been successfully used in Europe.

Matt Roberds <mroberds@worldnet.att.net>

  [For those of you who relish the risks of overly long vehicles, as
  opposed to overly wide vehicles, this one is quite amusing.
    http://www.travelingtiger.com/tiensblog/2006/05/beached-suv-limo.html
  PGN]


Re: Man Gets $218 Trillion Phone Bill (Gold, RISKS-24.29)

<Marc Auslander <marcslists@optonline.net>>
Sat, 27 May 2006 10:33:16 -0400

  "... I'm not impressed with the proposed representation.  There is *no*
  advantage to representing things in decimal. ..."

In fact, there are serious practical programming advantages to decimal
arithmetic in commercial programming.  This is because the laws and customs
related to rounding are stated in decimal terms.  You can of course always
get the right answer in binary, but it involves carefully scaling each
number to the correct decimal precision so the rounding is correct.  For
example, many procedures need to be correctly rounded to the nearest mil,
that is 1/1000 of a dollar.  In binary, you need to represent amounts in
mils to get the rounding right, then convert back to dollars and cents or
dollars and mils for other purposes.  In decimal, it all just works, of
course.

  [Some similar comments from Dik Winter.  PGN]
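
The scaling described in the post above, written out as an added example (not part of the original post or the digest): one product rounded to the nearest mil with binary floating point, with binary integers scaled to mils, and with decimal arithmetic. The function names, the $4.002 amount and the 25% rate are constructed for illustration.

```python
from decimal import Decimal, ROUND_HALF_UP

MIL = Decimal("0.001")   # 1/1000 of a dollar
PPM = 1_000_000          # rates are held as integer parts per million


def charge_float(amount: float, rate: float) -> float:
    """Naive binary floating point: multiply, then round to 3 places."""
    return round(amount * rate, 3)


def charge_scaled_int(amount_mils: int, rate_ppm: int) -> int:
    """Binary integers scaled to decimal units; returns mils, rounded half-up.

    The product amount_mils * rate_ppm is exact. The only rounding is the
    final division by PPM, and it is done explicitly.
    """
    if amount_mils < 0 or rate_ppm < 0:
        raise ValueError("this sketch handles non-negative values only")
    product = amount_mils * rate_ppm
    # floor(product / PPM + 1/2), computed without leaving integers
    return (2 * product + PPM) // (2 * PPM)


def charge_decimal(amount: str, rate: str) -> Decimal:
    """Decimal arithmetic: the exact product, then half-up to the mil."""
    product = Decimal(amount) * Decimal(rate)
    return product.quantize(MIL, rounding=ROUND_HALF_UP)


def stored_value(amount: float) -> Decimal:
    """The exact value the binary double holds for a decimal literal."""
    return Decimal(amount)


def compare() -> dict:
    """25% of $4.002 is exactly $1.0005, a tie at the mil boundary."""
    return {
        "float_dollars": charge_float(4.002, 0.25),
        "scaled_int_mils": charge_scaled_int(4002, 250_000),
        "decimal_dollars": charge_decimal("4.002", "0.25"),
    }


if __name__ == "__main__":
    print("double holds:", stored_value(4.002))
    for name, value in compare().items():
        print(f"{name:>16}: {value}")
```

The double nearest to 4.002 lies slightly below it, so the floating-point product is just under the tie and rounds down, while the scaled-integer and decimal versions both round the exact 1.0005 up.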


Re: Man Gets $218 Trillion Phone Bill (Gold, RISKS-24.29)

<Andrew Klossner <andrew@cesa.opbu.xerox.com>>
Sun, 28 May 2006 21:26:38 -0700

 > There is *no* advantage to representing things in decimal.

The advantage is that, when the system rounds or truncates values, it will
do so in the way that customers expect.  Rounding 0.142 dollars to 0.14 will
surprise nobody.

 > Say you advertise a rate of, say 2.75%, compounded daily.  That means you
 > need to divide .0275 by 365.

Never.  Such accounts are compounded daily but credited monthly, when the
calculation is (balance * 0.257) / 12, rounded to the nearest cent.

The rules of financial arithmetic have been codified for hundreds of years.
They cannot be implemented using fixed binary notation.  Arbitrary-precision
arithmetic is completely impractical in data processing.


Re: Man Gets $218 Trillion Phone Bill (Gold, RISKS-24.29)

<Scott Peterson <scottp4@mindspring.com>>
Fri, 26 May 2006 14:08:21 -0700

At 11:30 AM 5/26/2006,  Barry Gold <barrydgold@comcast.net> wrote

I think you're expressing opinions without nearly enough information
about the environment. For example, if this happened in a COBOL program
running on an IBM mainframe your comments would be completely wrong because
of the way data is typically stored and because of the way that these
computers most efficiently perform arithmetic.

> In *any* fixed representation, there will be limits -- a largest (and
> smallest) possible exponent, the maximum number of fractional bits/digits
> that can be represented.

And that's the job of a competent programmer.  To make sure that the fields
involved are large enough to hold any possible data.

> The result is an infinitely long repeating fraction, regardless whether
> you express it in decimal or in binary.

So?  Pi is an infinite number but I can do calculations involving it with
sufficient accuracy for my needs when I round it to 3 or 4 decimal places.
I could care less what the rest is.

> Decimal only provides an advantage if you are dividing by 5 or 10, which
> produces a finite fraction in decimal notation but an infinite one in
> binary.

To me, this is so much gibberish.  I think this simply shows unfamiliarity
with how various computers work.  Using IBM mainframes as an example, they
do very efficient arithmetic in what's called packed decimal and that's a
very common format for storing numbers.  It's not as fast as binary, but
when you add in the conversion factors it's generally faster.  Floating
point arithmetic is slower by orders of magnitude when you include the
conversion overhead.

> If you want to represent numbers without loss of either significance
> (overflow) or precision (rounding error), you can use any of several
> package, you can write in Franz Lisp, which allows arbitrary-sized numbers
> as a built-in type.

So your solution is to rewrite the program in an obscure language on a
different platform.  I think there would be easier, less expensive
solutions.
