The Risks Digest

The RISKS Digest

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Volume 24 Issue 33

Tuesday 20 June 2006


Backward switches: Genesis slammed to Earth after parachutes failed
Howard Israel
Sunken Ferry Crew didn't know how to use ECS display software
Kelly Bert Manning
Possible Loss of Space Shuttle: 'I think, at that point, we're done'
Harry Crowther
More BART woes: automated train-control system mothballed
German Federal Civil Court ruling on Robodoc cases
Juergen Fenn
NZ IRD Numbers about to run out
M. Hackett
Fortune cookie bet made Powerball lottery players rich
Howard Israel
Wily crows disconnect wired Tokyo
Another risk of electromagnetic interference
Tom Philp
Volvo's self braking car
David Magda
Risks of Ajax and Javascript
Charlie Wertz
Ironic risk of using a 'free' mail service
Mike Scott
DoE Discloses Data Theft
Ari Ollikainen
Testing stolen credit card numbers
Walt Daniels
RFID "Best Practices"
CDT via Monty Solomon
Bank's redirector helps phishing
Fred Bone
Microsoft Patches crash IBM Midrange Consoles
Al Macintyre
Re: Man Gets $218 Trillion Phone Bill
Nancy Bogart
Re: Hospitals have dramatically reduced unnecessary deaths
Peter R Cook
REVIEW: "Information Security and Employee Behaviour", McIlwraith
Rob Slade
Info on RISKS (comp.risks)

Backward switches: Genesis slammed to Earth after parachutes failed

<"H Israel" <>>
Wed, 14 Jun 2006 21:27:19 -0400

Select relevant quotes from

The 231-page document prepared by independent investigators found that
gravity switches on the Genesis probe designed to trigger the deployment of
its parachutes were installed backward.

Investigators found that the probe's builder, Lockheed Martin, skipped a
critical pre-launch test that would have uncovered the fatal flaw because of
time constraints. Instead, engineers decided to do a simpler test by
comparing Genesis' design to drawings of another spacecraft, Stardust, which
was built earlier and had passed rigorous testing.

The report also said lack of oversight by NASA's Jet Propulsion Laboratory,
which managed the $264 million mission, caused the error to remain
undetected from the design phase to the review stage.  Investigators also
faulted the space agency's "faster, better, cheaper" philosophy for creating
an environment where cost issues were put ahead of a successful mission.
That philosophy "created an ever-present threat of cancellation if overruns
occurred on cost-capped missions," investigators wrote. ...

And this quote, which appear to be conflicting 'requirements': "Clearly, we
want missions to be cost-effective, but we don't want to cut corners just to
make them cheaper," Jones said.

They probably meant to say something like this: "We want the missions to be
successful, at the least cost possible."  A laudable goal, not quite
achievable with current technology, in my opinion.

Howard Israel, CEO, Secure Systems Consulting, LLC (732) 613-9464

Sunken Ferry Crew didn't know how to use ECS display software

< (Kelly Bert Manning)>
Thu, 15 Jun 2006 11:47:51 -0400 (EDT)

Preliminary reports from the Canadian Transportation Safety board
investigation into the "Queen of The North" running into Mount Gil and
sinking say that the bridge crew had the Electronic Chart System Display
turned off because they didn't know how to use the software control to
reduce the illumination for night use.

The preliminary reports also say that bridge crew claim to not be fully
aware of how to use the various steering modes, or even to know what
steering mode they were in.

Digital controls should help, not hinder.

  "The screen from the ECS produced too much ambient light, so the crew
  would often turn it off at night, Ayeko wrote. The monitor would be
  turned on momentarily only when it was required."

This must have been an expensive system. Would it have been too much trouble
to add a rotating dial or rocker button which would reduce or increase the
brightness on the display? It wouldn't even have to be integrated with the
monitor, just mounted somewhere close to it and clearly labeled. These don't
even need to be rheostatic controls, just something that generates an input
specifying the type of change requested.

Software control is bad if it makes essential functions too complex or

Some reports describe Mt. Gil as Gil Island. It is a relatively tall and
steep mountain whose base is underwater. There should have been a good radar
return from it. It will be interesting to see what other electronic or
computer integrated safety systems also failed to make the officer and
helmsman aware that their failure to change heading at the scheduled time
had left them on a collision course with a mountain.

It will also be interesting to see whether the ECS brightness control issue
is a "reasonable doubt" red herring raised as a defense for the criminal
trial which will take place. Two passengers are missing and presumed

Possible Loss of Space Shuttle: 'I think, at that point, we're done'

<"Harry Crowther" <>>
Mon, 19 Jun 2006 06:42:22 -0400

After a "spirited discussion"', space shuttle mission Discovery (STS-121) is
scheduled to launch 'despite the reservations of two senior officials': the
lead safety official & the chief engineer, over issues that "remained about
debris from the shuttle's external fuel tank that could damage the vehicle
during launching.'

"If a shuttle is critically damaged during launching, (NASA administrator
Michael) Griffin said, the crew could make it to the space station to await
rescue by another shuttle or a Russian spacecraft. Such an accident would
not unduly threaten crew safety, he said, but it probably would end the
shuttle program.  I would be moving to shut the program down," he said of
the loss of another shuttle. "I think, at that point, we're done."

'rescue by another shuttle' would be the (then) sole remaining shuttle.
Why bother to ground it, under the circumstances?

[Source: Warren E. Leary, NASA to Launch Discovery on July 1 for 13-Day
Mission, *The New York Times*, 18 Jun 2006]

More BART woes: automated train-control system mothballed

<"Peter G. Neumann" <>>
Sun, 18 Jun 2006 12:36:17 PDT

RISKS has long documented problems with the San Francisco Bay Area Rapid
Transit system.  The latest is that $80 million have been spent on a
long-planned automated train-control system that would enable a 25% increase
in the number of trains that could go through the Transbay Tube.  $40M for
equipment, $40M for staff time.  The effort is now on "indefinite hold".
Involved in a contract that began in 1998, Harmon Industries was acquired by
GE Transportation Systems Global Signaling, a GE subsidiary, which BART
officials claim has refused to honor the contract and GE claims is false.
The system was originally scheduled to be fully operational in 2004.
[Source: Rachel Gordon, BART: Transbay speedup on hold, *San Francisco
Chronicle*, 17 Jun 2006, B1,B7; PGN-ed]

German Federal Civil Court ruling on Robodoc cases

<Juergen Fenn <juergen.fenn@GMX.DE>>
Thu, 15 Jun 2006 02:28:02 +0200

In September 2003, I reported on "The benefits and risks of robot surgery"
using "Robodoc", a computer-controlled robot for hip and knee joint
implants, in use at a rather well-reputed German clinic at Frankfurt/Main.
The new method of medical treatment which was used since the mid-1990s in
Germany promised to be more precise than surgery done manually.

Operations with Robodoc were suspended in this country since 2004 and the
senior surgeon using the robot had left the said clinic in 2005 already.

The first of the lawsuits pending ever since has now been decided, resulting
in the German Federal Civil Court, or Bundesgerichtshof, at Karlsruhe
declining any legal claims raised by a former patient against either the
clinic or the physicians using the robot for the operations at the time. The
court thus upheld the earlier decisions by other German courts.

The court said in the ruling that patients must be told by physicians about
the risks of new operating methods before undergoing surgery so that they
can themselves decide whether they are willing to take risks hitherto
unknown due to the small number of cases the all-new method was used in or
whether he wants to be treated in a conventional way, i.e., in this case, by
a surgeon without the help of a robot. However, in the case decided on June
13, 2006 the risk of damage to the patients' nerves about 11 years ago was
the same as with conventional methods of operation she _was_ told about
before undergoing treatment. This is why the plaintiff who is now 49 years
old was not eligible to compensation damages in this case which is the first
in a series of rulings.

The press release on the decision (in German) can be found at:

NZ IRD Numbers about to run out

<"M. Hackett" <>>
Mon, 19 Jun 2006 03:35:25 -0700

It seems as if NZ is taking a Canadian-style solution to its tax number
length.  However, the risks of going to the longer format are (really) not
known at this time.  NZ has done a lot of background work with respect to
modernizing its government computer systems -- but IRD numbers span the
public and private sector.  Australian, British, Canadian and Irish IT
systems relating to taxation and benefits that explicitly use the NZ IRD
number may also be affected.
[Source: Inland Revenue and GST number range is to be extended]
Max Power, CEO, Power Broadcasting (PTY)

Fortune cookie bet made Powerball lottery players rich

Thu, 15 Jun 2006 21:46:30 +0000

Powerball lottery officials suspected fraud: how could 110 players in the
March 30 drawing get five of the six numbers right? That made them all
second-prize winners, and considering the number of tickets sold in the 29
states where the game is played, there should have been only four or five.
Answer: They all chose their numbers from fortune cookies from the same
factory in Long Island City, Queens.  (The unexpected payout totaled $19
million for the second-place winners.)

Howard Israel, CEO, Secure Systems Consulting, LLC  (732) 613-9464

Wily crows disconnect wired Tokyo

<"Peter G. Neumann" <>>
Sat, 17 Jun 2006 14:10:39 PDT

"Tokyo's futuristic image as the world's most technologically advanced
broadband Internet-enabled city is under attack from a vicious but decidedly
low-tech foe: the crow."  During the spring mating season, the crows have
discovered that fiber-optic cable makes great nesting material, and have
seriously disrupted Internet service.  [Source: Leo Lewis, Australian IT
News, 16 Jun 2006; PGN-ed; thanks to Dan Farmer for pecking out that one.]

Another risk of electromagnetic interference

<Tom Philp <>>
Sat, 17 Jun 2006 10:54:04 -0700 (PDT)

I have a Toshiba satellite P30 laptop and a Treo 650 cell phone. Recently I
was working on the laptop and had occasion to take a phone call on my
cell. I needed some information for the phone call, so I looked it up on my
computer. To do so, I had to put my cell phone down. I placed it on the
table right next to the laptop.

Right in the middle of my Internet query, the laptop just completely shut
down... no warning, just dead.  When I thought about it, it seemed almost
obvious that the electromagnetic radiation from the phone caused some
problem and shut the system. down. I was able to reproduce this effect
simply by laying the phone within a few centimetres from the computer.

While I did not lose anything, even in my testing, it does point out a
problem with our computers and the ubiquity of cell phones. Surely computer
manufacturers could design some kind of shielding for computers to keep them
from this sort of risk.

Volvo's self braking car

<David Magda <>>
Mon, 12 Jun 2006 20:13:24 -0400

I ran across this video (via Gizmodo) demonstrating Volvo's new braking

It is currently in the lab, and NOT in production. Basically, if the system
determines that a collision is unavoidable it automatically applies the
brakes to try to prevent the collision.

Is driving safer when drivers are not involved?

RFID "Best Practices" (CDT via Monty Solomon)

Risks of Ajax and Javascript

<Charlie Wertz <>>
Tue, 20 Jun 2006 09:46:09 -0400

Here is an article on the potential evils of Ajax (the use of Javascript for
interactions with databases).

"Companies are quickly embracing Ajax and related techniques for Web
applications. Expect more security problems like the Yamanner worm along the
way.  The Yamanner worm that infested Yahoo Mail last week was quickly
squashed. In the 24-hour period it thrived, though, the worm provided a
glimpse of what's in store for Internet users unless companies apply strict
measures when building Web applications with techniques such as Ajax."

I've noticed that more and more web sites just flat out won't work if I have
Javascript turned off. We're not addressing sites that want to hurt us
here. The technology puts us at risk when the code is merely poorly written.

Ironic risk of using a 'free' mail service

<Mike Scott <>>
Tue, 20 Jun 2006 12:26:17 +0100

I was puzzled when I saw in the mail log that some mail accepted for my wife
had been flagged as spam by spamassassin, as the sender address was one of
her friends. "Obfuscated reference" to a certain drug, amongst other
things. I assumed the friend's machine had been hijacked, but not so. It
turned out simply that yahoo had tacked on an advert for /anti/-spam
software: "Tired of Vi@gr@! come-ons? Let our SpamGuard protect you". The
irony is quite delicious!

Interestingly, the ad had only been inserted into the html alternative text
- which we don't use anyway. A nice exercise in how to get your customers'
email binned for no obvious reason.

  [And that may be sufficient to cause this issue of RISKS to be blocked.

DoE Discloses Data Theft (From Dave Farber's IP)

<Ari Ollikainen <>>
June 10, 2006 1:37:31 PM EDT

Foot dragging on an incident which occurred in September 2005...

A hacker stole a file containing the names and Social Security numbers of
1,500 people working for the Department of Energy's National Nuclear
Security Administration last September.  But this was not reported to senior
DoE officials until Jun 2006, and none of the victims was notified.
[Source: Energy Dept. Discloses Data Theft; Victims, Top Officials Were Not
Told About 2005 Hacking, Associated Press item in *The Washington Post*, 10
Jun 2006; PGN-ed]

Testing stolen credit card numbers

<Walt Daniels <>>
Wed, 14 Jun 2006 23:05:20 -0400

Our Verisign account on is being used to test
stolen credit cards. They are spoofing our IP address, so aren't even going
through our web pages which contain no authorize transactions, which is what
they are using to test cards. They hit us with about 20 new cards most
evenings between 2am and 3am. Some succeed and some fail. The names are
totally bogus, but the addresses look real. They have CVC codes and those
usually match as does AVS. I assume they make use of the cards on other
sites because our site has donations and memberships as well as very
specialized books and maps that would be hard to sell. Sorting through all
these bogus transaction, more then 50% of all our transactions, places a
large load on our bookkeeper. Verisign has been very unhelpful in stopping
the transactions. They claim it is the banks that are authorizing the
transactions and they are just a passthrough agency. We do not have access
to the full card numbers and cannot tell which banks are involved. In some
sense I am observing an ongoing crime that effects me very little. I don't
know the real victims at all and cannot contact them to warn them that their
card is in play.

Given enough zombies, this looks like a way of finding valid cards without
having to steal them. See Risks24-32 "Unsalted Credit cards" for some of the
key pieces of doing this.

There are many opportunities for either the banks or Verisign to have
noticed these sorts of problems, e.g. 20 transactions from a single IP
address in a few minutes should be suspect. A name like "Kkkky Dhgmop" is
not likely to be a real person (an actual example that was accepted).

Neither any bank nor Verisign has made any attempt to contact me to find out
what I know. From the data I see I could easily be the person entering those

RFID "Best Practices"

<Monty Solomon <>>
Fri, 9 Jun 2006 20:19:58 -0400

Policy Post 12.09: CDT-Led Working Group Releases RFID "Best Practices"
A Briefing On Public Policy Issues Affecting Civil Liberties Online from The
Center For Democracy and Technology

(1) CDT-Led Working Group Releases RFID "Best Practices"
(2) Best Practices Ideal for Evolving Technology
(3) Technology-Neutral Consumer Privacy Legislation Still Needed

Bank's redirector helps phishing

<fred bone <>>
Tue, 20 Jun 2006 12:05:27 +0100

I received a "phishing" email claiming to come from Barclays Bank. All the
usual stuff, except that the URL it gave appeared to be plausible:

The bit after "location=" translates to

An experiment shows that, yes, Barclays do have a redirector which will
happily redirect off-site. An absolute gift to phishers and suchlike.

  [Certainly suggests a fissure of security.  PGN]

Microsoft Patches crash IBM Midrange Consoles

<Al Mac <>>
Mon, 19 Jun 2006 13:20:56 -0500

Windows Patches break Operations Console of IBM midrange platform.

In the olden days of networks, a dumb terminal might have been used for IT
staff to manage large computer networks.  In recent years the move has been
to use a PC for that function, which of course needs Windows patches.  The
latest round of MS patches has busted the ability of IBM Consoles to do
their primary tasks.

V#R# is version of IBM operating system affected.

Re: Man Gets $218 Trillion Phone Bill (Gold, RISKS-24.29)

<"Nancy Bogart" <>>
Tue, 20 Jun 2006 13:29:56 -0400

This reminds me of one of my first assignments in my graduate numerical
analysis class: Invert a Hilbert matrix using pencil and paper and
fractional arithmetic, and, invert it using a computer program.  The Hilbert
matrix is ill-conditioned (
because the fractions cannot be precisely represented in binary format,
which introduces round-off error, so calculation of the inverse by computer
results in greater inaccuracies as the errors are multiplied by each
iteration of the algorithm.  The lesson learned was, know the limits of your
computer's architecture.  Five decimal places does not mean five decimal
places of accuracy.   [See]

Re: Hospitals have dramatically reduced unnecessary deaths (R-24.32)

<Peter R Cook <>>
Thu, 15 Jun 2006 11:07:04 +0100

Is it just me, or have "lies, damn lies and statistics " simply become the
norm in the media.

> A campaign to reduce lethal errors and unnecessary deaths in U.S.
> hospitals has saved an estimated 122,300 lives in the last 18 months. ...

With 6731 hospitals in total in the US [*], this implies that the measures,
if applied to all would have saved over 265,000 lives in the last 18 months,
or 177,000/year -- almost twice the upper estimate of those dying from
errors and low-quality care.  (I am presuming here that hospital acquired
infection low quality care.)

Either someone needs a quick course in basic numeracy, that or the quality
of care and error rates have soared in the US since 1999!


  [The report seemed rather overhyped to me.  PGN]


<"Peter G. Neumann" <>>
Mon, 19 Jun 2006 14:40:31 PDT

  Cyberwar, Netwar and the Revolution in Military Affairs
  Edited by Edward Halpin, Philippa Trevorrow, David Webb and Steve Wright
  Palgrave Macmillan, 2006

This book is based on a summer program of the International School of
Disarmament and Research on Conflicts (ISODARCO), with a preface by the
organizers, Gary Chapman, Diego Latella, and Carlo Schaerf, and contributed
chapters from the lecturers.  [Gary Chapman has contributed various items to
RISKS over the years, beginning with volume 1.  Disclaimer: PGN is one of a
very diverse set of the authors.]

REVIEW: "Information Security and Employee Behaviour", McIlwraith

<Rob Slade <>>
Thu, 15 Jun 2006 10:39:42 -0800

BKISEMBE.RVW   20060520

"Information Security and Employee Behaviour", Angus McIlwraith, 2006,
0-566-08647-6, U$99.95
%A   Angus McIlwraith
%C   Suite 420, 101 Cherry Street, Burlington, VT   05401-4405  USA
%D   2006
%G   0-566-08647-6
%I   Gower Publishing Limited
%O   U$99.95
%O   Audience i+ Tech 2 Writing 3 (see revfaq.htm for explanation)
%P   169 p.
%T   "Information Security and Employee Behaviour"

In the introduction, McIlwraith points out that security awareness training
properly consists of communication, raising of issues, and encouragement to
modify behaviour.  (This will come as no surprise to those who recall the
definition of training as the modification of attitudes and behaviour.)  He
also notes that security professionals frequently concentrate solely on
presentation of problems.  The remainder of the introduction looks at other
major security activities, and the part that awareness plays in ensuring
that they actually work.

Part one looks at a "framework for understanding."  Chapter one addresses
employee risk, and the fact that people assess risk very poorly.  Issues
such as whether the risk is controlled by the self or another, problems that
are diffuse or dispersed, and immediacy all reduce our perception of the
scale of the hazard.  Other psychological reasons for poor decision-making
are also examined.  (There is also some explanation as to why security
people get fixated on their field, and often over-emphasize minor problems.)
This material definitely provides an understanding of the problem for anyone
involved in security awareness, but unfortunately does not give equivalent
solutions.  The discussion of culture, in chapter two, describes a number of
diverse corporate styles, with suggestions for the type of approach most
likely to be effective in each.  The fact that security professionals are
frequently perceived as problem-creating, rather than problem-solving, is
hardly a surprise, and so neither is chapter three.  However, it does
outline various reasons for this perception, which may give us insight into
changes we could make.  (I'm finishing off the security dictionary
manuscript at the moment [], and
McIlwraith's comments on the jargon we use in security are definitely

Part two moves into solutions.  Chapter four outlines practical strategies
and techniques.  The author lists five major points: manage by facts and
reality (rather than vague desires), have specific objectives (instead of
just "we need training"), plan carefully, implement meticulously, and get
real feedback on the results.  Additional mechanisms for training success
are discussed.  Realistic assessment of the program (and the danger of
simple metrics) is reviewed in chapter five.  (I might take slight exception
to McIlwraith's recommendation on rating scales: any use of odd-numbered
scales tends to push responses into the middle.)  Design of the delivery
media for awareness materials is as important as the message, and chapter
six provides useful advice for those of us who are stylistically
challenged--which includes pretty much the entire technically-oriented clan.

McIlwraith's message is important.  His writing is interesting and clear.
His suggestions are useful.  His book is recommended for anyone with either
a specific obligation for awareness training, or overall responsibility for
security management.

copyright Robert M. Slade, 2006   BKISEMBE.RVW   20060520

Please report problems with the web pages to the maintainer