The RISKS Digest

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Volume 24 Issue 47

Weds 22 November 2006

Contents

More on the European power outage
PGN
Phone service cut to the St. John's region for 5 hours
Theodore S. Norvell
Scottish radiation therapy accident report available
Richard I Cook
Flat train wheels in NY/NJ
PGN
Melbourne's computerised train brakes fail
Boyd Adamson
Yet another canceled public sector IT project
Martyn Thomas
All your eggs... Aegis-class cruiser crippled
David Lesher
Bo Lipari's weblog on election problems: an excerpt
PGN
Some recent election results unresolved -- or unresolvable?
PGN
New Google Service Will Manipulate Caller-ID
Lauren Weinstein
Proposed Solution For Google's "Click-to-Call" Caller-ID Problem
Lauren Weinstein
Hospitals Urged to Ease Mobile Phone Rules
Paul Czyzewski
REVIEW: "Preventing Web Attacks with Apache", Ryan C. Barnett
Rob Slade
Info on RISKS (comp.risks)

More on the European power outage

<"Peter G. Neumann" <neumann@csl.sri.com>>
Mon, 13 Nov 2006 13:11:24 PST

German national electricity network officials issued a formal statement on
Sunday morning announcing that a massive power outage that occurred at about
9.30 p.m. on Saturday in the northwestern part of the country created a
domino-like effect in other Western countries as well, such as France, Italy,
Austria, some parts of Spain, Portugal, the Netherlands, Belgium and Morocco,
immediately after it occurred in Germany.

Officials stated that no less than 82 million German citizens were left
without power for almost an hour, while electricity cuts affected around
five million French inhabitants as well as the entire northern part of
Italy. "We weren't very far from a European blackout," one of the managers of
a French power company called RTE highlighted, adding that the failure of
two German high-voltage lines, stretched over a river in north-western
Germany - which had been shut down by German utility company E.O.N. in order
to let a ship pass through - bears the entire responsibility for the
house-of-cards-style European blackouts. In addition to this, the Deutsche
Bahn, the national rail company in Germany, announced that 100 regional
trains were disrupted by the blackout.

"In the past, these operations were often performed with no problems,"
E.O.N. officials declared in great surprise, while Michael Glos, the German
Economy Minister, announced that a thorough investigation into the
circumstances of this terrible incident is already being conducted: "We will
examine this report quickly so that together with the companies we can
ensure that, if at all possible, such events are not repeated," he stated.

Apart from blaming the Germans for the outage, Italian Prime Minister Romano
Prodi stressed a more important fact, the need for a stronger electricity
policy in Europe legitimated by a powerful authority: "It's a rich
contradiction that we depend on each other, but we can't help each other
without a common authority."

Source: Ruxandra Adam, Softpedia News, 12 Nov 2006
http://news.softpedia.com/news/Power-Outage-in-Germany-Sparks-Electricity-Collapses-in-Other-Countries-39426.shtml


Phone service cut to the St. John's region for 5 hours

<"Theodore S. Norvell" <theo@engr.mun.ca>>
Mon, 23 Oct 2006 12:31:49 -0230

A small fire led to a power outage at a telephone exchange in St. John's,
Newfoundland, Canada on October 20. This led to all phone service in the
St. John's region being lost for 5 hours Friday night and Saturday morning.
The outage included: 911 service, land lines, Internet, cellular, automated
tellers, and point of sale by bank cards and credit cards.  Ambulances were
dispatched to George St. (the drinking district), "just in case". The loss
of 911 service meant that a small child who had stopped breathing had to be
transported to the hospital at high speed by her caregivers rather than
receiving paramedical attention.  Air traffic control at YYT continued to
land planes, but could not communicate with ATC elsewhere.  Phone service
and Internet service is said to have been restored, but my own home phone is
no longer working properly.

Those of us who are not familiar with the phone system (and perhaps some who
are) are left wondering why a power failure at a single exchange leads to a
communications blackout in an entire metropolitan region, and also why all
back-up systems failed.  Phone service in St. John's is usually quite
reliable, even though power failures are quite common in the region, where
we get a fair bit of ice, snow, and wind, often all at once. However, this
power cut was inside the phone company's building, where it was presumably
downstream of the back-up generators, but upstream of the back-up
computers.

http://www.cbc.ca/canada/newfoundland-labrador/story/2006/10/23/aliant-fire.html

Dr. Theodore Norvell, Memorial University of Newfoundland St. John's, NL,
Canada, A1B 3X5 +1 709 737-8962 http://www.engr.mun.ca/~theo


Scottish radiation therapy accident report available

<Richard I Cook <ri-cook@uchicago.edu>>
Tue, 31 Oct 2006 09:44:04 -0600

[ Plus ça change, plus c'est la même chose. (The more things change, the
more they stay the same.) ]

'Critical error' led to radiation overdoses, scotsman.com
http://news.scotsman.com/scotland.cfm?id=1596402006

"...Dr Arthur Johnston, who outlined the devastating chain of events that
led to the overdose. His 100-page report pointed out that the Beatson unit
had upgraded the computer system it used to calculate radiation doses in May
2005. For the most complex treatment plans, data from the system were
transferred to paper forms, as happened in Lisa's case. The report said that
the "critical error" occurred when the treatment planner - referred to as
Planner B - transcribed the data from the computer to paper, but was unaware
of the changes to the system which meant the data were incorrectly written
down. 'The outcome was that the figure entered on the planning form for one
of the critical treatment delivery parameters was significantly higher than
the figure that should have been used,' the report said. However, the error
was not spotted during the checking process and the incorrect dosing
information was passed to the radiographer who gave Lisa her treatment. The
error came to light only because the same planner made the same mistake in
the next plan for a different patient, and this time it was identified by a
colleague. An investigation was launched which found that, apart from Lisa,
no other patient had been affected. Dr Johnston said Planner B had 'limited
experience' and had been under the supervision of an experienced colleague -
Principal Planner A - who failed to pick up the error."

Full report available at:
http://www.scotland.gov.uk/Publications/2006/10/27084909/22

Dr. Richard I. Cook, Associate Professor, Department of Anesthesia and
Critical Care, University of Chicago, Chicago, IL, 60637 1-773-702-4890


Flat train wheels in NY/NJ

<"Peter G. Neumann" <neumann@csl.sri.com>>
Wed, 22 Nov 2006 11:03:16 PST

124 railroad passenger cars of the Metro-North Railroad Harlem and Hudson
lines are out of service for at least two weeks.  Each fall, oily leaf
residue on the tracks tends to cause wheel slippage.  Perhaps a la Rube
Goldberg, this is interpreted by the circuitry as excessive speed, which
causes the brakes to be applied, which causes the wheels to skid, which
flattens them out, which affects performance, which causes the cars to be
sidelined for wheel truing.  The rail yards in New Haven and Harmon can
re-true only 9 cars per day, so it is going to take a while to catch up.
The newest cars (M-7s) are the ones with the most flat wheels, and operate
in pairs, so that one bad wheel takes down both cars.  NJ Transit and the
LIRR are having similar problems, with the LIRR having to fix 20% of its
cars.  [This might inspire a step-kick slip-slide in Chorus Line?]
[Source: Caren Halbfinger, 'Flat wheels' deflate train commuters, *The Journal
News*, 21 Nov 2006; PGN-ed]
http://www.thejournalnews.com/apps/pbcs.dll/article?AID=20061121063

  [See RISKS-7.22 and 7.23 for flat wheels at Colwich Junction in 1986,
  and RISKS-12.62,66,67,73 for the effects of leaves on train tracks
  in 1991.  PGN]


Melbourne's computerised train brakes fail

<Boyd Adamson <boyd-adamson@usa.net>>
Thu, 16 Nov 2006 09:13:50 +1100

Some of Melbourne's newest passenger trains have had to be withdrawn from
service after a spate of braking failures.  Connex, the operator of the
suburban rail network, has reported 15 incidents involving trains
overshooting platforms since 13 Nov 2006 and is at a loss to explain the
problem.  The most serious incident occurred on Tuesday night when a train
failed to stop at Brighton Beach station and traveled into the level
crossing at South Road.  The boom gates still had not been lowered as the
train came to rest in the middle of the intersection. A rail system source
said cars were forced to brake to avoid colliding with the train.

The problems involve a fleet of 72 German-built trains that were introduced
to the suburban network in 2003.  Fourteen three-carriage trains have been
removed from service following emergency talks between Connex and the trains'
manufacturer, Siemens.  The withdrawal of the trains is expected to cause
some disruption to services, particularly on the Pakenham and Cranbourne
lines, until the problems can be fixed.

The source said the problems were connected to the trains' computerised
braking system. In several incidents, drivers were forced to apply emergency
brakes, push emergency stop buttons and activate handbrakes to bring the
trains to a halt.  But even after activation of all manual braking systems,
some trains continued moving. One incident occurred while a driver was
undergoing assessment by a transport official.  [...]

Since its introduction in April 2003, the Siemens fleet has been plagued
with controversy. The trains were initially too wide for suburban tracks and
have recently been repaired to fix faulty wiring. They have also been
criticised for having only two sets of doors on each side of each carriage,
causing bottlenecks for passengers.

http://www.theage.com.au/news/national/brake-woes-sideline-trains/2006/11/15/1163266640138.html


Yet another canceled public sector IT project

<"Martyn Thomas" <martyn@thomas-associates.co.uk>>
Fri, 27 Oct 2006 12:55:04 +0100

The BBC reports (http://news.bbc.co.uk/1/hi/business/6084454.stm) that after
four years of development, the UK government has suspended its plans for an
Internet retirement planner. No date has been set to restart work on the
proposed service, which was aimed at people on low to middle incomes.

The online planner was intended to give help to those without easy access to
financial advice. It would have provided them with individualised state and
private pension forecasts, and offered advice on how to boost their
pensions.

Although 11m pounds had been spent on the website, halting the work will
save the government an estimated 14m pounds.  According to the Minister for
Pensions Reform, James Purnell, the work on the site was halted when the
Department for Work and Pensions realised that "delivering accurate online
information about state pensions would become increasingly difficult, given
the uncertainty about the exact shape of future pension provision".

11m pounds wasted because no-one did a decent requirements analysis?


All your eggs... Aegis-class cruiser crippled

<"David Lesher" <wb8foz@panix.com>>
Sun, 19 Nov 2006 19:31:47 -0500 (EST)

A Usenet poster related that several years ago, for 10 days, an Aegis-class
cruiser in the Gulf was crippled by the failure of both its INS system and
its GPS.

But navigation was not the only issue. It seems virtually all the weapons
systems on board require the INS to provide them data on the ship's
[roll/pitch] attitude to aim/fire. Without such, they are no longer
weapons....

Eggs several, baskets one...

Source: Teacher Adam Hilliker gives kid detention for being right
http://groups.google.com/group/alt.folklore.urban/msg/d8d6c50ef2037625?hl=en
FoG7h.29214$nG1.23093@tornado.southeast.rr.com


Bo Lipari's weblog on election problems: an excerpt

<"Peter G. Neumann" <neumann@csl.sri.com>>
Fri, 10 Nov 2006 13:54:26 PST

    Election Problems, What Election Problems?
    Bo Lipari <bolipari@nyvv.org>
    Friday, November 10, 2006

The Media Narrative and Public Perception

If you watched the cable news coverage on Election Night, it was easy to
come away with the impression that few problems were experienced with
electronic voting - the predicted "train wreck" had not materialized.  But
out in the real world, the HAVA mandated changeover of voting systems
resulted in real failures <http://www.votersunite.org/electionproblems.asp>
that resulted in long lines and lost votes. Just like the fancy new high
tech voting machines, the mainstream media has failed us yet again.

That there were widespread problems with electronic voting equipment all
around the country is well documented. Thousands of citizens took part in a
first time nation-wide effort monitoring polling sites and reporting
problems. The reports are still coming in, but it's clear that hundreds and
hundreds of problems occurred. But the mainstream media has thus far barely
mentioned this, leading one to ask what vast scale of voting disaster would
it actually take for the media to report on it?
http://www.votetrustusa.org/index.php?option=com_content&task=view&id=2017&Itemid=26

The Election Night Narrative

News organizations used to report the news, but nowadays they're more
concerned with telling their viewers a story. This story, the theme of the
day as it were, is called the "narrative". On Election Night 2006, the
media narrative was "The Great Tsunami".  The story was about the
Democratic tide as it moved from East to West, sweeping away Congress in its
path. As soon as the first totals started coming in from the East Coast the
news networks started framing everything solely in the context of this
narrative. There was no room here for voting machine failures, long lines
of voters, or anything else. The story was about the horse race, about
devastating loss, about the great wave sweeping across the nation. Voting
machine problems had no place here as they would distract from the
narrative, even worse, maybe even undermine it. Raising the possibility that
votes were lost? How are you going to sell soap with that?

The Unspoken Narrative

Underlying the Great Tsunami story was a subtler narrative, one that the
media has consistently fed us on Election Nights for years. This narrative
is expressed by the often repeated mantra "Even if there were problems, it
wasn't enough to affect the outcome of the election."  It seems vitally
important to the media that the public believe that no matter what, no
matter how bad the problems, no matter how many lost votes and machine
breakdowns, the results are still basically correct, your vote still counts,
or at least close enough.

We've been told this story before, in 2000, in 2004, and now again in
2006. Nothing to worry about folks, just a little glitch, pay no attention
to the man behind the curtain. This seems to be an essential narrative for
the media, one that we must be told and reminded of each and every Election
Day. Because imagine what would happen if the media told the public the real
story, and showed the real impact on real voters. Why, you might not have
just thousands of activists around the country demanding change, you might
have hundreds of thousands. If the real story about broken voting machines
and lost votes got out, you might even have millions. Imagine, millions of
citizens demanding that their right to vote is sacred and not for sale to
voting machine vendors, demanding real accountability, demanding accurate
elections with results that we can have real confidence in.

Now that would be a tsunami.

<http://nyvv.org/blog/2006/11/election-problems-what-election.html>


Some recent election results unresolved -- or unresolvable?

<"Peter G. Neumann" <neumann@csl.sri.com>>
Wed, 22 Nov 2006 14:04:19 PST

At least five U.S. House races are apparently still unresolved or in
question two weeks after the election.  I have been waiting for someone else
to come up with a retrospective summary and objective analysis of the voting
machine problems.  Not having found one, I mention just a few of the close
races of interest in which the investigation of any of various
irregularities could reverse the results.

* Florida 3rd Congressional district, with the peculiarly large (18,300)
  undervote for the Sarasota Congressional race in touch-screen machines
  that do not permit a meaningful recount (without a new election), with
  a computer-reported spread of just a few hundred votes.
  This is receiving significant media coverage.  Also, see David Dill,
  "Is Florida Ready for Democracy?"
http://www.huffingtonpost.com/david-dill/is-florida-ready-for-demo_b_34458.html
  [This reminds us of the 210,000 undervotes in the four punch-card counties
  in the 1988 Florida Senate race.]

* New Mexico 1st Congressional district, with a .5% difference

* North Carolina 8th Congressional district, with a .025% difference

* North Carolina Court of Appeals, with a .24% difference
  [Three other NC elections had very small margins as well.]

* Williamson County, Texas, the votes cast and counted electronically were
  each recorded THREE times.  (This was detected primarily because the total
  number of votes cast exceeded the number of voters.)
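The check that exposed the Williamson County triple recording (more ballots than voters) generalises to a routine tally reconciliation. The following is an added example, not code from any county system or from RISKS; the record layout, precinct names and counts are constructed for illustration.

```python
from collections import Counter

# Constructed sample records, one tuple per stored ballot:
# (precinct, ballot_id, choice).  Precinct P1 mimics the Williamson County
# pattern: every ballot is stored three times.  Precinct P2 is clean.
SAMPLE_RECORDS = [
    ("P1", 101, "A"), ("P1", 102, "A"), ("P1", 103, "A"), ("P1", 104, "B"),
    ("P1", 101, "A"), ("P1", 102, "A"), ("P1", 103, "A"), ("P1", 104, "B"),
    ("P1", 101, "A"), ("P1", 102, "A"), ("P1", 103, "A"), ("P1", 104, "B"),
    ("P2", 201, "A"), ("P2", 202, "B"), ("P2", 203, "B"),
]

# Constructed poll-book counts: how many voters signed in per precinct.
VOTERS_CHECKED_IN = {"P1": 4, "P2": 3}


def reconcile(records, voters_checked_in):
    """Return {precinct: [finding, ...]}; an empty list means the precinct passed.

    Two independent checks per precinct:
      1. stored ballot records must not exceed voters who signed in;
      2. each ballot_id should appear exactly once; a uniform multiplicity
         (every id stored k times) points at a systemic upload or tabulation
         fault rather than a one-off duplicate.
    """
    by_precinct = {}
    for precinct, ballot_id, choice in records:
        by_precinct.setdefault(precinct, []).append((ballot_id, choice))

    findings = {}
    for precinct, ballots in by_precinct.items():
        notes = []
        voters = voters_checked_in.get(precinct, 0)
        if len(ballots) > voters:
            notes.append(f"{len(ballots)} ballots recorded, {voters} voters signed in")
        multiplicity = Counter(ballot_id for ballot_id, _ in ballots)
        distinct_counts = set(multiplicity.values())
        if distinct_counts == {1}:
            pass  # every ballot stored exactly once
        elif len(distinct_counts) == 1:
            k = next(iter(distinct_counts))
            notes.append(f"every ballot recorded {k} times (systemic duplication)")
        else:
            dupes = sorted(b for b, n in multiplicity.items() if n > 1)
            notes.append(f"ballots recorded more than once: {dupes}")
        findings[precinct] = notes
    return findings


def tally(records, precinct, dedupe=True):
    """Count choices for one precinct, optionally collapsing repeated ballot ids.

    Comparing dedupe=False with dedupe=True shows how far the raw count inflated.
    """
    seen = {}
    raw = Counter()
    for p, ballot_id, choice in records:
        if p != precinct:
            continue
        raw[choice] += 1
        seen.setdefault(ballot_id, choice)
    return Counter(seen.values()) if dedupe else raw


if __name__ == "__main__":
    for precinct, notes in reconcile(SAMPLE_RECORDS, VOTERS_CHECKED_IN).items():
        print(precinct, "OK" if not notes else "; ".join(notes))
    print("P1 raw:", dict(tally(SAMPLE_RECORDS, "P1", dedupe=False)))
    print("P1 deduplicated:", dict(tally(SAMPLE_RECORDS, "P1")))
```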


New Google Service Will Manipulate Caller-ID

<Lauren Weinstein <lauren@vortex.com>>
Wed, 22 Nov 2006 15:27:23 -0800

17 Nov 2006, http://lauren.vortex.com/archive/000200.html

Greetings.  Google has made available a new "Click-to-Call" service that
will automatically connect users to business phone listings found via Google
search results.

In order for this feature to function, the user must provide their telephone
number so that Google can bridge the free call between the business and the
user (including long distance calls).

An obvious issue with such a service is that there is no reasonable
way to validate the user phone number that is provided.  Google says
that they have mechanisms in place to try to avoid repeated prank
calls, but the potential for abuse is obvious.

Of even greater concern is that Google says that it will manipulate
the caller-ID on the calls made to the user-provided number, to
match that of the business being called.  This is extremely
problematic, since it could be used to try to convince a prank
target that they were being called directly by the business in
question, and so cause that target to direct their anger at the
innocent business.  In the case of targets who are on do-not-call
lists, it is possible to imagine legal action being taken by callers
upset that the business in question called them "illegally," though
in fact the call had been made by the Google system.

Google's explanation for this caller-ID manipulation is that it
would be handy to have the called business number in your caller-ID
for future calls.  That may be true, but the abuse potential is way
too high.  Caller-ID should never be falsified.

I've written many times about how caller-ID can be manipulated to
display false or misleading information, why this should be
prevented, and how the telcos have shown little interest in fixing
caller-ID or informing their customers about the problem (caller-ID
is a cash cow for the telcos whether it is accurate or not).

Up to now, the typical available avenue for manipulating caller-ID
has been pay services that tended to limit the potential for
large-scale abuse since users are charged for access.  Google, by
providing a free service that will place calls and manipulate
caller-ID, vastly increases the scope of the problem.  Scale matters.

Google has not vetted this caller-ID feature sufficiently, and I
urge its immediate reconsideration.


Proposed Solution For Google's "Click-to-Call" Caller-ID Problem

<Lauren Weinstein <lauren@vortex.com>>
Wed, 22 Nov 2006 15:27:23 -0800

Proposed Solution For Google's "Click-to-Call" Caller-ID Problem, 19 Nov 2006
http://lauren.vortex.com/archive/000201.html

Greetings.  In a recent blog entry, I discussed my concerns about Google's
new "Click-to-Call" service, especially key issues regarding Google's
handling of caller-ID in this service.

Now I'd like to propose a specific solution.

I completely understand why Google likes their caller-ID feature.  It's a
cute hack (hack in the positive sense), and in the context of non-abusive
use brings some value-added.  But I really believe that this is one of those
cases where somebody needed to get beyond the "gee-whiz isn't this nifty"
factor and consider more carefully how it will be abused, particularly on
the large free-access scale that Google provides.  Even if the vast majority
of the calls are legit, the absolute number of abuses is bound to be high,
and it seems certain that innocents will be hurt in significant numbers --
there are a lot of jerks in the world who are going to take advantage of
this service to get their jollies or take revenge on businesses that they
have a gripe with, etc.

However, there is indeed a simple solution in this case.  If the caller-ID
delivered to both sides of the bridged calls is set to indicate the true
source of the calls (i.e., Google) the problem goes away.  In fact,
caller-ID could be used to further enhance the service by providing a true
full point of contact.

What I would do is set the caller-ID to display a Google phone number
(ideally toll-free) that played a recorded announcement explaining that the
call originated from Google Click-to-Call, and noting how to proceed (via a
Web page, e-mail address, and/or specific phone number) if you felt that you
were being targeted for abuse by a user of that system and wanted to file an
associated report.  This would be a win-win all around.  Google would more
rapidly get a handle on abusive users, and the service would be even more
consumer friendly.

Sometimes there can be a happy ending!

Lauren Weinstein +1(818)225-2800 http://www.pfir.org/lauren
PRIVACY Forum - http://www.vortex.com Lauren's Blog: http://lauren.vortex.com


Hospitals Urged to Ease Mobile Phone Rules

<"Paul Czyzewski" <tallpaul@gmail.com>>
Wed, 25 Oct 2006 22:46:16 -0700

"The biggest concern is that mobiles interfere with sensitive medical
equipment.  But a 1997 study from the UK's Medical Devices Agency showed
that phones affected just 4% of devices at a distance of one metre, the
researchers said."

Who wouldn't want to allow something that affects *only* 4% of sensitive
medical devices?  The lack of common sense exhibited in the above sentences
is mind-boggling.  Also, apparently, the phones are classified as only
"annoying" as long as they don't actually kill the patient (at least, not
directly).

The "sensible caution" paragraph is mildly reassuring, though somewhat
contradictory to the parts quoted above:

"Sensible caution regarding the proximity of mobile phones to medical
equipment is thus warranted, but concerns about patient safety alone
do not justify zealously enforced no-phone areas, which can cause
arguments between staff, patients and visitors."

[Source: Hospitals Urged to Ease Mobile Phone Rules, Reuters, 13 Oct 2006]
http://www.medscape.com/viewarticle/546041


REVIEW: "Preventing Web Attacks with Apache", Ryan C. Barnett

<Rob Slade <rMslade@shaw.ca>>
Fri, 03 Nov 2006 11:33:38 -0800

BKPRWAWA.RVW   20060913

"Preventing Web Attacks with Apache", Ryan C. Barnett, 2006,
0-321-32128-6, U$49.99/C$66.99
%A   Ryan C. Barnett
%C   P.O. Box 520, 26 Prince Andrew Place, Don Mills, Ontario  M3C 2T8
%D   2006
%G   0-321-32128-6
%I   Addison-Wesley Publishing Co.
%O   U$49.99/C$66.99 416-447-5101 fax: 416-443-0948
%O  http://www.amazon.com/exec/obidos/ASIN/0321321286/robsladesinterne
  http://www.amazon.co.uk/exec/obidos/ASIN/0321321286/robsladesinte-21
%O   http://www.amazon.ca/exec/obidos/ASIN/0321321286/robsladesin03-20
%O   Audience a- Tech 2 Writing 2 (see revfaq.htm for explanation)
%P   582 p.
%T   "Preventing Web Attacks with Apache"

Chapter one notes that there have been many attacks against Web servers and
the applications running on them.  It also lists the common excuses
presented for a lack of security preparation (and assesses the weakness of
those arguments).  Hardening of the (UNIX) operating system, and network
operating system, in order to establish a trusted computing base for the Web
server application, are dealt with in chapter two.  Initial installation of
the Apache software is covered in chapter three.  Chapter four reviews the
configuration file, and properly secure settings and options.  Security
related modules in the Apache suite are discussed in chapter five.  Chapter
six reviews the Center for Internet Security Apache security benchmark tool.
The Web Application Security Consortium (WASC) threat classification system
is described, in chapter seven, with specific reference to Apache
countermeasures against these attacks.  (The material provides nice
explanations and examples of a variety of exploits.)  Buggy Bank, an
intentionally flawed e-commerce application that provides practice in
hardening a Web server, is outlined in chapter eight.  Chapter nine looks at
various countermeasures and controls that can be applied to Web servers and
sites, noting strengths and weaknesses, and also noting which work most
effectively, as well as which can be implemented via Apache functions.  If
you'd like to do primary research and gather information on attacks and the
level of threat to Web servers, chapter ten details the settings and
requirements for using Apache to set up a honeypot server.  Chapter eleven
finishes off with basic advice on issues such as patch management, and also
broadens the discussion to some fundamental concerns in Internet security
measures.

A helpful guide for those using Apache.

copyright Robert M. Slade, 2006   BKPRWAWA.RVW   20060913
rslade@vcn.bc.ca     slade@victoria.tc.ca     rslade@computercrime.org
http://victoria.tc.ca/techrev/rms.htm
