The Risks Digest

The RISKS Digest

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Volume 24 Issue 67

Saturday 19 May 2007

Contents

E-stonia e-stoned
PGN
Colorado State Government Computer Project Failures
Peter Shriner
Alcatel-Lucent, lost disk
Ken Knowlton
UK judge: "What's a website?"
Ken Knowlton
BSoD forces students to retake standardized test
Jeremy Epstein
Risks of combining too many cards
Jay R. Ashworth
Information leak in combined systems
Paul E. Black
Re: Touch typing
Jim Horning
Tim Howe
Martin Ward
Re: Satellite navigation system
Ken Knowlton
Re: Another sat-nav accident: car destroyed, driver escapes
Alan J. Wylie
Re: Daylight savings time and Microsoft
Bruce Dawson
Re: Time zones and MS Exchange and Outlook
Tony Finch
Re: Microsoft sets the wrong time in the PC's real time clock chip
Dag-Erling Smørgrav
Re: Felten, You Can Own an Integer Too - Get Yours Here
Mark Brader
Top 5 Reasons to Attend USENIX '07
Lionel Garth Jones
Info on RISKS (comp.risks)

E-stonia e-stoned

<"Peter G. Neumann" <neumann@csl.sri.com>>
Sat, 19 May 2007 12:38:39 PDT

In a demonstration of how a distributed denial of service attack can affect
an entire nation, Estonian governmental computer systems have been under
sporadic attacks this month, which later extended to newspapers, TV
stations, schools, and banks in Estonia.  Although many zombie systems
appeared to have (presumably unsuspectingly) contributed to the attacks,
Russian servers were involved, leading the Estonian government to suspect
Russian complicity.  The attacks intensified on 3 May (which coincided with
protests in Moscow against the Estonian removal of a Soviet-era war
monument) and again on 8-9 May (when Europe commemorates the end of World
War II).  Russia denies complicity.  [Source: Steven Lee Myers, Estonia
Computers Blitzed, Possibly by the Russians, *The New York Times*, 19 May
2007; PGN-ed.  The *NYTimes* article notes that Estonia is "a wired country
that touts its paperless government and likes to call itself E-stonia."]

  [Various comments I have seen suggest that this may have been intended as
  an exploratory effort to see how effective such attacks could be, or
  perhaps a warning shot across the bow, rather than as an attack per se.
  The lack of ability for any definitive traceback on the Internet of course
  complicates analysis.  The entire incident of course is illustrative of
  the potential for widespread disruption, and is therefore a case deserving
  serious study.]


Colorado State Government Computer Project Failures

<Peter Shriner <petershriner@yahoo.com>>
Wed, 16 May 2007 12:46:54 -0700 (PDT)

After spending six years in development and $8 million dollars of state
taxpayers' money, the new CSTARS registration system for Colorado's
Department of Motor Vehicles apparently doesn't work.  And it's just one of
five major state computer projects worth $325 million that have failed to
meet expectations.  CSTARS was contracted at $10.3M.

There was ample warning.  State and DMV staff said that their efforts were
basically ignored by state officials and the contractor, Avanade.  The state
fired the subcontractor in charge of seeking their advice.  Code was written
before any detailed specifications.  The state even suspended the
development contract for a while in 2004.

[Source: Ann Imse, Doesn't compute: 'It's like you were having a baby, and
it turned out ugly' New system to register motor vehicles just the latest to
misfire for state, *Rocky Mountain News*, 16 May 2007; Long article starkly
PGN-ed, but it is the full text should be no surprise to RISKS readers.]
http://www.rockymountainnews.com/drmn/local/article/0,1299,DRMN_15_5538977,00.html


Alcatel-Lucent, lost disk

<Ken Knowlton <KCKnowlton@aol.com>>
Sat, 19 May 2007 09:27:58 EDT

AP reports that Alcatel-Lucent has lost a disk containing names, addresses,
SSN's, birthdates and salary data of thousands (on TV I heard 200,000) of
employees, retirees and dependents [presumably including PGN and myself*].
  http://www.physorg.com/news98775487.html
    [And numerous other RISKS readers as well!  PGN]


UK judge: "What's a website?"

<Ken Knowlton <KCKnowlton@aol.com>>
Fri, 18 May 2007 12:19:54 EDT

A JUDGE stunned a court yesterday by admitting he did not know what a
WEBSITE was.  Judge Peter Openshaw brought a shuddering halt to the trial of
three men accused of internet terror offences as a witness was being quizzed
about an extremist web forum. He told shocked prosecutors at Woolwich Crown
Court, South East London: ``The trouble is I don't understand the
language. I don't really understand what a website is.''  [Source: Tom
Wells, *The Sun*, 17 May 2007]

http://www.thesun.co.uk/article/0,,2-2007220614,00.html


BSoD forces students to retake standardized test

<"Jeremy Epstein" <jepstein@webmethods.com>>
Wed, 16 May 2007 10:05:05 -0400

2900 Virginia students will have to re-take standardized tests because the
computer systems failed during the testing process.  There are two
descriptions of what went wrong: the testing vendor "reported that there was
a problem with a connection between two servers" and students' "computer
screens suddenly turned blue and displayed an error message" (i.e., a BSoD).
Whether this is one problem or two is unclear - but the RISKS of relying on
systems that may not have been fully tested are pretty obvious.  And in
addition to the stress for the kids (and the time taken away from
instruction when they redo the tests), there's another factor - presumably,
the retest date will have to use a different test, since the students have
already seen some of the questions on the first shot.  "State officials said
there was an unrelated computer problem with online testing last week
[where] 1,300 tests were interrupted and that the students will have to be
retested."

The Standards of Learning (SOL) tests are how Virginia meets No Child Left
Behind (NCLB).  When it comes to actual learning, a more common usage for
the acronym "SOL" is more appropriate, IMHO.

http://www.washingtonpost.com/wp-dyn/content/article/2007/05/15/AR200705
1502060.html
(free registration required)


Risks of combining too many cards

<"Jay R. Ashworth" <jra@baylink.com>>
Fri, 18 May 2007 11:46:29 -0400

A thread was posted to Slashdot this week, about a proposal that's been
floated to leverage the magstripe on some state driver licenses to make them
into a debit/credit card as well.

I'm sure you can come up with some good reasons why that's RISKy, but
you might be surprised to find out that quite a lot of the postings on
the thread are well thought-ought and quite cogent, by RISKS standards.

My two favorites:

1) It's illegal to give your driver license to anyone in many states, but
you might want to lend your wife or child your debit card.

and

2) It used to be obvious to a robber that you had nothing worth taking, if
all you were carrying was a DL.  Now, though, that DL *might* be a debit
card... and they'll have to take *you*, too, to have the PIN at an ATM.

That latter one, to me, is enough to *outlaw* this practice, whether the
vendor who's implementing it likes that or not.  But what do I know...?

	http://yro.slashdot.org/article.pl?sid=07/05/17/2345231

Jay R. Ashworth, Designer, Ashworth & Associates, St Petersburg FL USA
+1 727 647 1274  http://baylink.pitas.com  jra@baylink.com


Information leak in combined systems

<"Paul E. Black" <p.black@acm.org>>
Fri, 18 May 2007 12:53:29 -0400

A friend is getting married.  As many of you have, I went to the web site of
the store where they registered and selected some gifts.  When I checked
out, I got the following (identifying and unimportant details elided.)

SHIP TO
***** her ***** and ********* him ********

YES! We have their shipping address on file.

(... items, prices, shipping, taxes, and total ...)

CARRIER :	UPS		TRACKING NUMBER :	1Z1V0*************

Although once upon a time, stores did list shipping address, they don't now,
probably for privacy.  However, when I later looked up the tracking number,
UPS provided quite a few details about where the package went.

I got a chuckle to think I could "buy" addresses for only a two dollar
butter knife, plus shipping and handling.


Re: Touch typing (Horning, RISKS-24.66)

<"Jim Horning" <Jim.Horning@sparta.com>>
Thu, 17 May 2007 15:45:42 -0700

Thanks to several readers, some more pieces of the puzzle seem to be falling
into place.  I now think that the problem was probably not due to tabs, per
se, but to the cumulative amount of JavaScript executed during a window's
lifetime.  With tabs, everything gets concentrated into one window, and the
window tends to stay around longer.

Steve Weeks <sweeks@sweeks.com>:

  I've observed lossage with FireFox in the past.  The problem wasn't as bad
  as yours. I usually have about 5 tabs open, but I don't know if that is
  related. Browser JavaScript implementations are very slow, and I think
  that's part of the problem, since all these new Ajax sites are using lots
  of JavaScript.

Thomas ten Cate:

  I once was unable to type at all in Opera.  Turned out that my characters
  were sent to a Java applet in a background tab. Perhaps you could
  investigate whether it matters if you have any Java or Flash stuff open in
  your background tabs?

Skip La Fetra <skip.lafetra@hp.com>:

  This note of yours is consistent with other experience I have...  The
  specific pages that have been most problematic have been very
  JavaScript-intensive.

Robert Scheidt <scheidt@skynet.be>:

  I had a similar problem with IE7 and multiple tabs open. Not with typing
  but I noted that other applications would run very slowly when I had IE7
  open.  Looking at the task manager I found out that IE7 was using 100% of
  CPU.  This could also cause the typing problems.

  After running a registry cleaner it was fixed.  I used "regseeker" which
  can be downloaded for free at hoverdesk.net.  I am however not 100% sure
  it was the registry cleaning which fixed it. At the same time I had
  problems with Adobe's Flash player (used for more video's on the web). I
  had to remove the Flash player with a utility available at Adobe's site
  end reinstall Flash player. I ran the registry cleaner after that and I
  noticed that it had detected a number of invalid activeX controls related
  to previous versions of Flash player.

Keith Power <keith.power@gmail.com>:

  I've noticed similar odd behaviour lately too, but I've narrowed mine down
  to particular applications. So far, they're always "Web 2.0" apps, that
  is,applications involving AJAX.

  My biggest complaints are with Google's Gmail and Google's Code Hosting
  (GCH), in both Opera and IE, since these are two sites I use
  regularly. Most of the time when I press backspace in Code it takes off
  two characters instead of the one. And in Gmail, in the to field if Gmail
  automatically enters an address and I press backspace to remove the
  superfluous comma it always enters, it skips over the comma instead of
  deleting it.

Any JavaScript experts out there who could further clarify the situation?

P.S. The most common suggestion I received was "Switch to FireFox."


Re: Touch typing (Horning, RISKS-24.66)

<Tim Howe <vsync@quadium.net>>
Tue, 15 May 2007 01:18:38 -0400

With regard to Jim Horning's issues with Internet Explorer 7, may I point
out that Opera and Firefox have had tabbed browsing for quite some time,
seem to have worked most of the kinks out, and do at least allow typing at
more than 10words/min.


Re: Touch typing (Horning, RISKS-24.66)

<Martin Ward <martin@gkc.org.uk>>
Wed, 16 May 2007 09:50:44 +0100

The last time I encountered this problem was about 25 years ago with
an accounts package running on a Commodore PET where you had
to type the account code fairly slowly in order for the CPU to keep up.

The CPU in question was a 1MHz eight bit processor, the 6502,
with 96 KB of RAM: so your Pentium is around 3,400 times faster,
with over 10,000 times as much memory ... and four times as many bits!

"The most amazing achievement of the computer software industry is its
continuing cancellation of the steady and staggering gains made by the
computer hardware industry..."-- Henry Petroski

martin@gkc.org.uk http://www.cse.dmu.ac.uk/~mward/
G.K.Chesterton web site: http://www.cse.dmu.ac.uk/~mward/gkc/


Re: Satellite navigation system (RISKS-24.66)

<Ken Knowlton <KCKnowlton@aol.com>>
Mon, 14 May 2007 17:25:14 EDT

Just recently, as a passenger, I was introduced to the wonders of a
satellite navigation system. I was quite delighted with the delicacy and
precision of its micro-management as we exited a residential neighborhood,
and eventually got out into the the bustling world. I could so easily have
been lulled into "leaving the driving" to that gentle but assertive guarding
angle.  But ...
  "stay in the left lane" (just do it)
  "turn left in 500 yards" (slow down a bit  now)
  "turn left in 200 yards" (really slow down  now)
  "turn left"  ( this is it, TURN LEFT!)
Whoops! It's heavy traffic both ways, and NO-TURNS here except by a jug
handle. No, we didn't turn and, perhaps fortunately, hadn't even slowed
down. The disembodied voice immediately noticed, forgave our disobedience
and, thinking aloud but clearly unperturbed, intoned "course re-computation"
...  I cannot begin to enumerate the RISKS.


Re: Another sat-nav accident: car destroyed, driver escapes

<"Alan J. Wylie" <alan@wylie.me.uk>>
Mon, 14 May 2007 22:30:02 +0100

This has nothing to do with sat-navs, and everything to do with driver
stupidity.

*The Western Telegraph* has an article on the incident, with a high
resolution photograph showing all the road signs on the approach to the
crossing:

http://www.westerntelegraph.co.uk/display.var.1224413.0.0.php
http://www.westerntelegraph.co.uk/_images/db/42/91/LEVELCROSSING1.429125.full.jpg

Not quite fully visible in the photograph is a sign that reads:

* Check that green light shows
* Open *both* gates
* Check that green light *still* shows
* Cross *quickly*
* Close both gates

http://www.rail-reg.gov.uk/upload/pdf/rspg-2e-levxngs.pdf
Page 66

Here is the section of the Highway Code dealing with level crossings:

http://www.highwaycode.gov.uk/26.htm#265

  Some crossings have 'Stop' signs and small red and green lights. You MUST
  NOT cross when the red light is showing, only cross if the green light is
  on. If crossing with a vehicle, you should
    * open the gates or barriers on both sides of the crossing
    * check that the green light is still on and cross quickly
    * close the gates or barriers when you are clear of the crossing.

Note the explicit mention of "both sides of the crossing"

Here is the sign for a level crossing, clearly visible in the picture in the
Western Telegraph report.
  http://www.highwaycode.gov.uk/signs05.htm
  http://www.highwaycode.gov.uk/sign117.htm

The upper sign is "risk of grounding":
  http://www.highwaycode.gov.uk/sign115.htm

Knowledge of the highway code is required of all drivers, and a
written examination on it is part of the UK driving test.

Alan J. Wylie  http://www.wylie.me.uk/

 * * * * Note added Wed, 16 May 2007 18:23:40 +0100

A discussion in the newsgroup uk.railway has revealed further interesting
information.

See the thread following on from the posting

Message-ID: <SOETzQo61GSGFAAb@perry.co.uk>
<http://groups.google.co.uk/group/uk.railway/msg/ec4b544a942994a0>

1) The picture in the Western Telegraph is not the view that the driver saw
- she was heading north. Images of this are at
http://www.wjm.clara.net/ffynnongain/

The separation between the level crossing sign and the crossing itself is
much more than it appears in the long focal length shot in the Western
Telegraph.

2) The official UK government document
<http://www.rail-reg.gov.uk/upload/pdf/rspg-2e-levxngs.pdf>
describes this type of crossing as a "User Worked Crossing" and states
"129. This type of crossing is only applicable where the railway crosses a
private road".

The crossing is at the centre of this map:
<http://getamap.ordnancesurvey.co.uk/getamap/frames.htm?mapAction=gaz&gazName=g&gazString=SN264175>

On the map the road does not appear to be private, and posters to the
newsgroup who have visited the area state that they think it is a normal
public highway.

3) Heading west along the A40, and then at St. Clears turning off it to head
north-west to Hebron, there is a complicated limited access junction, which
requires a driver to go almost 360 degrees round a roundabout and head back
the way they had come to join the "B" road which is the obvious route,
rather than the unclassified road on which the incident occurred.

<http://getamap.ordnancesurvey.co.uk/getamap/frames.htm?mapAction=gaz&gazName=g&gazString=SN274160>

This may have confused the Sat-Nav system.


Re: Daylight savings time and Microsoft

<"Bruce Dawson" <brucedawson@cygnus-software.com>>
Tue, 15 May 2007 22:21:29 +0100

There have been two recent letters to Risks
(http://catless.ncl.ac.uk/Risks/24.66.html#subj16.1 being the most recent)
complaining about how Microsoft implements DST and saying, as if it is
obvious, that Microsoft is wrong ("fundamentally broken" was one
quote). They don't, however, waste anytime exploring the alternatives and
their problems.

As Nick Bender says, when you change to daylight savings time then Windows
displays all of your file timestamps using daylight savings time, even those
that were created outside of daylight savings time.  This is a good thing,
for many reasons:

If you create a file, and then an hour later create another file then
Windows will show their time stamps as being an hour apart, always. If the
'current wall clock time when they were created' is used instead then these
two files might have times that are an hour apart, or they might have times
that are two hours apart (in the spring) or they might both have the same
time stamp (in the fall)! In order to display these times unambiguously you
would need to display the time-zone, so that instead of:
    readme.txt 5:00 pm
you would need:
    readme.txt 5:00 pm EDT

Even if Windows did this, all is not happy and consistent. If I am in
Seattle and I create a file at 5:00 pm then it will show a timestamp of 8:00
pm when I am in New York. According to the ambitious 'show creation time'
strategy this file should show 5:00 pm PST (or PDT) as its creation
time. That sounds nice, but not very likely, and without that the proposed
'solution' seems incomplete.

Another problem is that daylight savings time rules vary by year and by
location. The UK started daylight savings time two weeks after the US.  Some
states within the US don't use daylight savings time. Some countries (crazy
Australians) use daylight savings time during what we call winter! So how, I
want to know, is Windows supposed to know whether daylight savings time was
in effect when a file was created? Unless it records that fact at creation
time then it cannot display the 'local creation time'. Recording the local
time zone at creation time is not possible for a host of compatibility
reasons.

The Win32 rules are not perfect for all cases, but they make perfect sense
in many contexts. Changing this behavior, in addition to the backwards
compatibility implications, would just trade one set of problems for
another.

Raymond Chen covered this in his blog in October 2003, where he also points
out that .NET does it differently.
http://blogs.msdn.com/oldnewthing/archive/2003/10/24/55413.aspx


Re: Time zones and MS Exchange and Outlook

<Tony Finch <dot@dotat.at>>
Mon, 14 May 2007 21:57:19 +0100

Nick Bender <nbender@gmail.com> wrote:
>
> I cannot say for certain not having looked at the code but I can only assume
> that products such as Outlook/Exchange which do calendaring which must be
> correct across time changes have entire libraries of code to deal with this
> issue outside of the standard Windows system libraries. Maybe someone who
> knows can enlighten the rest of us....

The process that sysadmins managing Exchange servers had to go through
to deal with the US DST rule change was astonishing. It revealed a
catastrophically wrong-headed database design. All the data in the
Exchange database had to be scanned and re-written to fix incorrect
timezone offsets stored in appointments that were to happen in the
period between the new and old offset changes. Utterly brain-damaged.
	http://support.microsoft.com/?kbid=930879


Re: Microsoft sets the wrong time in the PC's real time clock chip

<des@des.no (Dag-Erling Smørgrav)>
Tue, 15 May 2007 11:31:28 +0200
  (Spyker, RISKS-24.66)

> ... as no doubt it would break a few thousand apps.

It would break absolutely nothing, since apps get their time from the
operating system, not from the BIOS RTC (which they cannot access anyway;
attempting to do so would trigger a general protection fault).  The only
issue would be having to set your clock when upgrading from a Windows
version that uses local time to one that uses UTC.


Re: Felten, You Can Own an Integer Too - Get Yours Here (RISKS-24.66)

<msb@vex.net (Mark Brader)>
Tue, 15 May 2007 00:07:03 -0400 (EDT)

> Remember last week's kerfuffle over whether the movie industry could own
> random 128-bit numbers? (If not, here's some background: 1, 2, 3)

Yes, that certainly is some useful background there.  Just think, only
340,282,366,920,938,463,463,374,607,431,768,211,453 more terms in the
series, and we start getting to 128-bit numbers!

But what I really want to know is, which one is now claiming ownership of
1, 2, and 3 -- Ed Felten or Monty Solomon?

Mark Brader, Toronto, msb@vex.net

[Oh yeah: ROTFL!  Risks of copying from a web browser, I suppose.  Those were
actually supposed to be links, of course -- to these pages by the same author:
  http://www.freedom-to-tinker.com/?p=1152
  http://www.freedom-to-tinker.com/?p=1153
  http://www.freedom-to-tinker.com/?p=1154
MB]


Top 5 Reasons to Attend USENIX '07

<Lionel Garth Jones <lgj@usenix.org>>
Fri, 18 May 2007 13:49:53 -0700

Top 5 Reasons to Attend the 2007 USENIX Annual Technical Conference
June 17-22, 2007, Santa Clara, CA
http://www.usenix.org/usenix07/progb

USENIX '07 offers a cost-effective, one-stop shop for the latest in IT
training, break-throughs, and systems research. Check out the top 5 reasons
to join us in Santa Clara, CA, June 17-22, 2007:

1. Top-notch training: Highly respected experts provide you with new
information and skills you can take back to work tomorrow. Topics include:

-- Richard Bejtlich on TCP/IP Weapons School, Layers 2-3
-- Peter Baer Galvin on Solaris 10 Security Features
-- AEleen Frisch on Administering Linux in Production Environments
-- Steve VanDevender on High-Capacity Email System Design

To view the entire training program, see:
http://www.usenix.org/events/usenix07/training

2. Invited Talks that feature industry luminaries discussing timely
and important topics, such as:

-- Keynote Address by Mendel Rosenblum of Stanford University,
   "The Impact of Virtualization on Computing Systems,"
-- Plenary Closing by Mary Lou Jepsen, One Laptop per Child, "Crossing
   the Digital Divide: The Latest Efforts from One Laptop per Child"
-- Rob Lanphier, Linden Lab, "Second Life"

http://www.usenix.org/usenix07/ITs

3. You'll see it here first:

-- The latest developments in cutting-edge systems research in the
   Refereed Papers track.
http://www.usenix.org/events/usenix07/tech

-- An introduction to interesting new or ongoing work at the Poster Session.
http://www.usenix.org/events/usenix07/activities.html#poster

4. Answers to your toughest questions:

-- Guru Is In sessions feature experts who come prepared to respond to your
   most burning technical questions on hot topics. The full list of topics
   will be announced soon!
http://www.usenix.org/events/usenix07/tech

5. The chance to mingle with industry leaders:

-- Evening events such as the Birds-of-a-Feather (BoF) sessions offer
   additional opportunities to network with peers to gain that all-important
   "insider" IT knowledge.
http://www.usenix.org/events/usenix07/bofs.html

And that's just the beginning. Visit http://www.usenix.org/usenix06/progb to
see the full list of offerings.

Don't forget:

-- Register at the headquarters hotel by May 29, 2007, to receive the
discounted hotel room rate:

http://www.usenix.org/events/usenix07/hotel.html

-- Register by June 1 and save up to $300!

http://www.usenix.org/events/usenix07/registration

-- Take advantage of the multiple employee discount for groups sending 5
or more:

http://www.usenix.org/events/usenix07/registration/#multi

2007 USENIX Annual Technical Conference
June 17-22, 2007, Santa Clara, CA
http://www.usenix.org/usenix07/progb
Early Bird Registration Deadline: June 1, 2007

Please report problems with the web pages to the maintainer

Top