The RISKS Digest
Volume 24 Issue 63

Sunday, 15th April 2007

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Please try the URL privacy information feature enabled by clicking the flashlight icon above. This will reveal two icons after each link the body of the digest. The shield takes you to a breakdown of Terms of Service for the site - however only a small number of sites are covered at the moment. The flashlight take you to an analysis of the various trackers etc. that the linked site delivers. Please let the website maintainer know if you find this useful or not. As a RISKS reader, you will probably not be surprised by what is revealed…


Mars Global Surveyor review panel
Boy falsely jailed because of DST changeover
Ron Garret
Caltrain *Double* Daylight Time
Computerized Voting machines
Arthur J. Byrnes
Washington DC Metro replacing software that causes fires
Jeremy Epstein
When banking real time isn't really real time
John Pettitt
Surely it can't be this easy?
Ted M Lee
On "proving NON copyright infringement"
Ferdinand J. Reinke
A Botted Fortune 500 a Day
Gadi Evron
Airline Online Payment Requires Citizenship No.
Chris Brady
Re: Insured car wrongly crushed?
David W. Brunberg
Reminder - Computers, Freedom & Privacy 2007
Stephanie Perrin
Steve Goddard
Info on RISKS (comp.risks)

Mars Global Surveyor review panel

<"Peter G. Neumann" <>>
Sat, 14 Apr 2007 11:54:05 PDT

The review board has concluded that an errant computer command five months
earlier had been placed in the wrong memory location, which acted as a time
bomb that effectively disabled a safety feature intended to keep the solar
panels from rotating too far, ultimately hindering communications.  In its
final 13 minutes, Global Surveyor reported various alarms.  In attempting to
recover, the sun-oriented battery overheated, the resulting signal was
misinterpreted by the software, which stopped charging the OTHER battery.
Because of the earlier error, controllers could no longer control the
spacecraft.  Launched in 1996, and taking 10 months to reach Mars, Global
Surveyor sent back 240,000 images, lsating much longer than originally
intended.  [Source: Kenneth Chang, *The New York Times*, 14 Apr 2007;

Boy falsely jailed because of DST changeover

<Ron Garret>
Sat, 7 Apr 2007 10:44:57 -0700

In a nutshell: on 11 Mar 2007, a school received a bomb threat and through
their phone logs traced the call back to a 15-year-old boy, who was arrested
and incarcerated for twelve days despite the fact that the boy's voice
sounded nothing like the voice on the tape.

Of course the authorities had forgotten about the early onset of daylight
savings time, and the boy had actually called the school *an hour before*
the bomb threat.

Aside from the scary fact that it took twelve days for the authorities to
sort this out, the account contains this precious little burn-the-witch

"After he protested his innocence, ... the principal said: 'Well, why should
we believe you? You're a [terrorist]. [Terrorist]s lie all the time.' "

All this would be more amusing if we hadn't been doing more or less the same
thing on an epic scale for over five years now.

Caltrain *Double* Daylight Time

<"Peter G. Neumann" <>>
Thu, 5 Apr 2007 11:26:41 PDT

During the week beginning with April Fools' Day, the Caltrain time display
has been one hour *ahead* of PDT.  I presume that a manual change was
inserted at the time of the US cutover to DST, and that the subsequent
preprogrammed change was not disabled.  It is utterly amazing how
complicated clock arithmetic management seems to be for developers and

Computerized Voting machines

<"Arthur J. Byrnes" <>>
Thu, 05 Apr 2007 14:43:53 -0400

Here in Florida, the voting screw-up capital of the world, our legislatures
are being bombarded by both "sides" of the voting machine debate.

Amazingly, there is a well funded and vocal group that doesn't care about
voting integrity, and are working to convince the legislature that the lack
of touch screen machines is an infringement on the rights of the disabled.
[*] Their logic is that since the disabled (usually blind or physically
impaired) folks cannot enter the polling place and cast their vote without
some extra help, that their voting rights are being denied.  Their quote is
at the end of this article;

The folks looking for a paper trail are considered the enemy of the disabled
since there is not yet a certified touch screen machine with a paper trail,
in Florida.

Worse yet, there is a subset of folks who have latched onto the paper trail
fight who erroneously believe that the voter will get a copy of the
submitted paper, so that they can verify that the vote they cast, was
properly recorded.  In my communications with these folks, I have found that
the vote buying that could occur, never crossed their mind.

The sad part about all this is that the lobby for the disabled has stated
that they don't care about the integrity of the system, and that their only
goal is to make sure that there members can vote.  During the time that this
debate was at its peak, they had many of their members from out of state,
call Florida radio talk shows, using pre-scripted speeches, stating that
they felt that their voting rights were being limited.  Luckily, there
members were honest, (even if their lobbyists are not) and when asked where
they were located, and if they ever voted in Florida, would answer
truthfully.  (Radio talk shows are the grass roots leaders in many parts of

Almost no one in politics has enough understanding of the technology to see
the pit falls of a virtual voting system.  And almost no politician has the
backbone to stand up against a lobby claiming to be helping disabled folks.

It is hard to understand, especially in a state that is forever tainted by
the largest election upset in recent US history, why any resident would even
consider a system that has questionable output, that is not recountable.
(The paper votes from the 2000 election were each recounted, by an
independent group of Newspapers, and the results were correct, but that was
not front page news...)

Greetings from Flori-duh, Arthur

  [* Actually, there are also some very articulate statements from within
  the visually impaired community that counter this argument, for example,
  Noel Runyan's report, "Improving Access to Voting"; see and .  Noel is exceptionally well qualified in this
  regard: "Noel Runyan became a critic of voting machines after his own
  experience with the Sequoia Edge II and subsequently became an expert
  witness in three separate lawsuits brought by Voter Action alleging that
  the machines were inadequate and therefore unlawful.  He has worked with
  advocates to promote accessibility and security in voting systems as
  mutually attainable goals."  PGN]

Washington DC Metro replacing software that causes fires

<Jeremy Epstein <>>
Sat, 14 Apr 2007 07:35:47 -0400

This is certainly not the only case of software causing a physical problem,
but it's one of the more unusual ones I've run across.

Metro (Washington DC's subway system) is one of the more automated subway
systems around.  The key to the problem seems to be as follows: "The fire
[on Easter Sunday] started after a sensor underneath the rail car failed,
causing the voltage in the car to rise. At the same time, the software
designed to monitor the flow of electricity also failed, causing overheating
in the resistor grid, an electrical component under the car that absorbs
excess energy, officials said.  A Metro official said the software was not
designed to take into account the failure of the voltage sensor. A check of
all affected rail cars found no other bad sensors, officials said."

As I've been spending a lot of time working on electronic voting issues, I
thought about how a few simple word changes might explain some of the voting
system failures we've seen - perhaps failures of sensors on touch screens
are causing unexpected interactions.  This is just an hypothesis - but shows
that just as Metro undoubtedly spent millions of dollars testing the rail
cars without finding this problem (until a serious fire brought it to their
attention), so too might similar problems occur in voting systems.  The
difference is that in today's paperless voting systems, the fire is
smoldering quietly and unseen - but still doing damage.

When banking real time isn't really real time

<John Pettitt <>>
Thu, 05 Apr 2007 01:07:42 -0700

A friend of mine had an interesting banking experience with Citibank this
weekend.  She wrote a check for $990 on Friday expecting it to take at least
two days to clear.  On Saturday she was surprised to see a negative $300
balance.  No problem, she transfered $1500 from another account at the same
bank via an ATM.  A subsequent check on line later that day showed the new
money in her account, a positive balance and the universe back in harmony.
Then things got weird.  On Monday Citibank credited back the $990 check as a
returned check and debited a $30 fee for doing it.  The end of day balance
for Monday was over $2200.

We both went into the branch today, and the manager couldn't give a rational
explanation as to how a check that appeared to have cleared in real time and
caused an overdraft (for which they charged interest) had in fact not
cleared and how a $1500 transfer that was available in real time (she took
some of it out at an ATM which also showed the check as cleared) was now
only showing as credited on Monday.  As best I can figure out the system
only appears to effect transfers and clear checks in real time when, in fact
it's still happening on an end of business day basis.

The result is what you see on the screen is not really what you get.  The
manager credited the $30 and my friend smoothed things over with the
recipient of the bounced check but I will now be much more skeptical of what
Citibank's computer is saying to me.

John Pettitt (who in another life wrote credit card processing software)

Surely it can't be this easy?

<Ted M Lee <>>
Thu, 5 Apr 2007 14:30:52 -0500

I just returned home from staying at hotel, part of a major chain I won't
embarrass by naming.  It uses one of the now almost ubiquitous mag-stripe
room keys.  I returned to my room the second day and discovered the key
wasn't working.  I walked over to a nearby house phone and called the front
desk to report my trouble.  The clerk apologized for whatever trouble I was
having and promised to send a new key right up.  She then started to say
something about my cell phone and I thought maybe she wanted to be able to
call me back and then I realized she'd been asking if I'd carried the key
next to my phone.  (yes, I had been — I gather now that's an easy way to
erase them.)  Apart from that useful piece of information which I'd probably
read before but never noticed (since I only recently joined the 21st century
and got a cellphone) that's not the point.  I waited awhile and somebody did
show up and handed me a new key — I did give him my old one, although he
didn't ask for it.  Nowhere in any of this process did anyone ask for any
identification — I'm not even sure I identified myself when I called the
front desk.  Need I say any more?

On "proving NON copyright infringement" (Re: Dellinger, RISKS-24.61)

<"r @ reinke" <>>
Sun, 1 Apr 2007 09:50:17 -0400

This sounds like a case for "watermarking", "stenography", or a good old
fashioned notary?

I am surprised that the concept of a "digital notary" has not taken off for
just such situations. (Maybe there's a web20 application for me make into
the next google? I could be rich! And, get a life, instead of reading
ezines, blogging, and commenting.) Maybe it has and I just haven't heard of

While the Internet Archive is a good idea, one has to wonder if push came to
shove (i.e., think RIAA as the model for a Pyrrhic victory) if that would be
acceptable evidence in a legal proceeding.

I'd envision the digital notary as a website that:

CASE#1 — takes an url, "photographs" it, computers a digital signature,
saves and encrypted copy, sends you a receipt, and publishes the checksums.
The disadvantage is that you have exposed your content on the web.

CASE#2 — takes anything you send it and do the same. The disadvantage is
you've shown it to a nosy notary like me.

CASE#3 — takes a file from you that you want to keep secret and "seals" it
as well in a similar fashion.

[NOTE: I need two key pairs. Call them FERDINAND and REINKE. I'd envision
that I'd take my secret treasure map (MAP) to the Lost Treasure of the
Sierra Madre and encrypt it with my REINKE private key.
WORK1=ENCRYPT(MAP,REINKEPRIVATE) Anyone who had that file could read the map
using REINKEPUBLIC. Then, I'd encrypt it with my FERDINAND private key.
WORK2=(WORK1,FERDINANDPRIVATE) Anyone who had this file would know there was
a file and it was mine by using FERDINANDPUBLIC. Then, WORK2 goes to the
notary. The notary decrypts WORK2 with FERDINANDPUBLIC, and ENCRYPTS with
NOTARYPRIVATE and returns it to me. Then, since I am getting old I promptly
forget all my passwords, lose the keys, and the LOST TREASURE stays lost.]

The digital notary would seem to be a useful service for such disputes.

Now all I need is a PowerPoint deck and some VCs. And a spare checkbook to
put all the money in.

Ferdinand J. Reinke, Kendall Park, NJ 08824

A Botted Fortune 500 a Day

<Gadi Evron <>>
Thu, 12 Apr 2007 05:45:01 -0500 (CDT)

Support Intelligence releases daily reports on different fortune 500
companies which are heavily affected by the botnet problem, with many
compromised machines on their networks.

You can find more information on their blog:

They are good people, and they know botnets.

Airline Online Payment Requires Citizenship No.

<"CJB" <>>
10 Apr 2007 06:18:38 -0700

Recently I was trying to book an internal flight on Brazilian airline TAM, I
made my ebooking OK, and then went on to the VISA payment stage (not via
PayPal). I typed in my country address as UK. It also wanted my date of
birth. All OK so far. But then it also wanted a CPF number.  I phoned VISA
(on a premium rate phone no.) and after being on hold for a long while, a
call agent then admitted that she hadn't a clue what a CPF no. was. A search
of the newgroups elicited that this was a Brazilian citizenship no. for tax
and social security purposes. I obviously did not have such a no. And so TAM
lost its online booking.  Time wasted - one hour.

The TAM web site was stupid enough to think that just because I wanted to
book a flight online that I was a Brazilian citizen not a tourist from the

The risk? Due to the poor design of its booking and payment system TAM lost
an online booking for the want of an 11-digit no. which I did not have. I
wonder how many other online bookings it has lost because of this?

Re: Insured car wrongly crushed? (Drewe, RISKS-24.59)

<David W. Brunberg <>>
Thu, 5 Apr 2007 07:41:29 -0400

I apologize in advance for the (perhaps overly, but not completely for this
situation) detailed nature of this submission.  I've tried to edit it as
best I can to keep the content strictly relevant.

  They stopped someone because the computer said the car was untaxed and
  uninsured and the driver tried to show them an insurance certificate. ...

Looks as if the (rather familiar) risks here are (a) ambiguity as to what is
regarded as the definitive record — in this case, computer database or
paper insurance certificate? — and (b) how individuals can find themselves
in trouble for others' errors and omissions, e.g. if your insurance company
makes a mistake in updating the database.  Presumably you could prove in
court that you have a valid policy, but that's not much good if you're
detained by police at the side of the road a long way from home.

I can think of an analog situation in the U.S. that, while it admittedly
affects a much smaller group of people, is far scarier in terms of its
potential consequences.  Under U.S. law (and few other than a rarefied group
of collectors know this), it is legal to own certain rare and exotic small
arms such as machine guns and firearm sound suppressors if properly
registered.  The Bureau of Alcohol, Tobacco, Firearms, and Explosives (ATFE)
is charged by the National Firearms Act of 1934, as amended (NFA), with
maintaining the National Firearms Registry and Transaction Record (NFRTR).
In short, all transfers of such firearms (to and between licensed
dealers/manufacturers, individuals, law enforcement agencies, and
corporations) are subject to a tax (waived in the case of government
agencies and licensees), recording in the NFRTR, and in the case of
individuals, very stringent background checks.  Military organizations are
the only entities exempt from these recording requirements.  As an
aside--and the reason for this will soon be demonstrated--collectors of NFA
items are typically very detail-oriented when it comes to strict adherence
to the law.

When an individual transfer is initiated, the transferor and transferee fill
out a paper document known as a Form 5320.4 (there are other forms and
situations but I'm trying to keep this simple--the law sure doesn't) and
submit it in duplicate , along with payment of the transfer tax, to the
ATFE's NFA Branch, which investigates the item's history, if any, in the
NFRTR.  Upon successful completion of the necessary background checks, the
ATFE approves the Form 4, updates the electronic NFRTR, and affixes and
cancels a Tax Stamp bearing the item's serial number to each original paper
document.  ATF then keeps one original for government records and sends the
other to the transferor, who gives it to the transferee, along with the
firearm in question.

As has been reported elsewhere,
the NFRTR has been in deplorable condition for some time.  Many registration
documents have been lost by ATFE, and some were even willfully destroyed by
ATFE contract employees in a well documented case.  Furthermore, the
electronic database that serves as the authoritative Registry is known to
have serious flaws and inconsistencies.  Due to various political and
financial issues, the ATFE has been slow to rectify these problems with the
NFRTR (although the pace seems to have picked up since a recent wholesale
relocation and restaffing of the NFA Branch).  Thomas Busey, who was the
Chief of the NFA Branch for a period in the 1990s, admitted in a videotaped
training session in 1995 that the NFRTR had a 49-50% error rate.  Mr. Busey
also stated in this session,
  "Let me say when we testify in court, we testify that the data base is 100
  percent accurate. That's what we testify to, and we will always testify to
  that.  As you probably well know, that may not be 100 percent true."

In a 1998 letter to Chairman Dan Burton of the House Committee on Government
Reform and Oversight
pursuant to a conviction based on flawed NFRTR information, David Montague,
an attorney for the defendant (whose convictions were previously overturned)

  "To make matters worse, Mr. Busey was summarily fired and the transcript
  of his remarks hushed up. His remarks did not become known to the world
  until obtained on an FOIA request from attorney James Jeffries, III, of
  Greensboro, N.C."

Given the steep penalties for mere possession of an unregistered firearm
regulated under the NFA (minimum sentence: up to 10 years' imprisonment
and/or a fine of $10,000 for each violation), there is a high RISK to lawful
transferees associated with the poor condition of the NFRTR brought about by
neglect and/or willful violation of the law by the government agency charged
with upholding this law.

Thankfully, it is considered an affirmative defense for a person found in
posession of an NFA-regulated item to produce their original approved
registration document, complete with canceled tax stamp.  This typically is
enough to prevent any further legal action against the individual, presuming
no other laws have been violated.  However, it's no excuse for an agency not
maintaining a correct record.

Otherwise, as James Bardwell, a documentor of firearms law, and keeper of
the NFA FAQ states:

  "If you don't have the paperwork, and it isn't in ATF's computer, (it is
  likely they will check, even though they don't have to prove
  non-registration, they don't want someone to wave a registration form in
  their face during a trial) you can have a serious problem."

The RISKS?  Having a government registry of items (cars, guns, whatever)
that is inadequately maintained, poorly transcribed from paper to electronic
database, and considered to be authoritative, without adequate assurance of
accuracy.  Potentially forcing, due to political realities, government
agents to perjure themselves in court when questioned about the accuracy of
the records in question.  Endangering, by rendering government records
unworthy of trust in court, legitimate cases against truly guilty
defendants.  In the special case of the UK's auto registry, the lack of
recourse "at the curb" to paper documentation by the defendant is
unnecessary and injurious.  In any event, regardless of the stakes or
whether the individual is innocent of wrongdoing, it can be prohibitively
expensive (in time, money, reputation, and opportunity cost) to defend
oneself when the big wheels start turning.  And it seems especially unjust
when the situation is initiated by "others' errors and omissions"--much less
their willful violation of the law.

Reminder - Computers, Freedom & Privacy 2007

14 Apr 2007 23:17:03 -0400

Debate the Future at the 17th annual Computers Freedom and Privacy
Conference, 1-4 May 2007 at the Hilton Bonaventure Hotel in
Montreal, Quebec.  WWW.CFP2007.ORG

CFP is the conference where the inventors and innovators on the Internet
met the industry, the regulators, and the creative community to talk about
the new freedoms the net brought. Free speech, censorship, filtering
spam, crypto controls, business security, dataveillance, were all meat
for the all-night debates that took place at this annual gathering.

There has never been a greater need to talk about these issues. This
year's agenda is packed with plenaries and breakout sessions, and Birds
of a Feather sessions that look at all aspects of the growing threats
and opportunities for autonomy in cyberspace.

Featured Speakers

* Whitfield Diffie Sun Microsystems
* Ron Rivest MIT
* Simon Davies Privacy International
* Michael Geist University of Ottawa
* Bruce Schneier BT Counterpane
* Kim Cameron Microsoft

* 1 full day workshop * 8 half day tutorials * Topics include: * ID
Management * Digital Divide * Surveillance * Stalking * Wiretap * War
on drugs * Digital Millennium Copyright Act * Charter rights * RFIDs *
Spyware * No Fly lists * Traffic analysis * Airline Passenger Data *
Health Information * Censorship * Data Retention * Forensics * Security
Information Management

All this and lots more! Watch the program at
Simultaneous Translation throughout plenary sessions
*Discounts for Students and ACM Members*

Stephanie Perrin, Chair CFP2007,


<Steve Goddard <>>
Tue, 10 Apr 2007 13:19:43 -0500

            Program Update and Call for Extended Abstracts
                          Joint Workshop On
    High Confidence Medical Devices, Software, and Systems (HCMDSS)
       and Medical Device Plug-and-Play (MD PnP) Interoperability
                         June 25-27, 2007
                            Boston, MA

The program for the Joint Workshop on High Confidence Medical Devices,
Software, and Systems (HCMDSS) and Medical Device Plug-and-Play (MD PnP)
Interoperability will feature 2-3 keynote speakers, presentations of
selected technical papers, interactive panels of 3-4 speakers on
important topics that require invited experts, demonstrations, and
poster presentations. Papers for presentation are being selected that
outline current and future directions for the development of the HCMDSS
and MD PnP fields, as well as recent advances in the state of the art,
with perspectives from government, industry, and academia.

A competitive Call for Papers was issued in late December and early
January, and more than 30 submitted papers were received by the February
20th deadline. These were a mix of technical papers and position papers
or summaries of work-in-progress. The Program Committee has reviewed
these papers, and is contacting the submitters to either (1) accept the
paper for a full presentation (estimated at 20 minutes plus 5 minutes
for Q&A) or (2) request submission of an extended abstract (2-3 pages)
on the work, which will be presented more briefly through a poster
session, as a demonstration, or as part of a panel, as decided by the
workshop organizers. Submitters whose paper is accepted for a full
presentation may also elect to provide a poster or a demonstration.

Extended abstracts should not exceed 3 pages (750 words). PDF format is
preferred, but MS Word and PostScript are also acceptable.* The deadline
for extended abstracts for all submitters is April 20th .* Extended
abstracts should be submitted by e-mail to .
Further information about the workshop can be found at the HCMDSS/MD PnP
workshop web site, _

Julian M. Goldman, Insup Lee, Oleg Sokolsky, and Sue Whitehead
HCMDSS and MD PnP Workshop Organizers

Please report problems with the web pages to the maintainer