The RISKS Digest
Volume 24 Issue 69

Thursday, 14th June 2007

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Please try the URL privacy information feature enabled by clicking the flashlight icon above. This will reveal two icons after each link the body of the digest. The shield takes you to a breakdown of Terms of Service for the site - however only a small number of sites are covered at the moment. The flashlight take you to an analysis of the various trackers etc. that the linked site delivers. Please let the website maintainer know if you find this useful or not. As a RISKS reader, you will probably not be surprised by what is revealed…


Hurricane forecasting uncertainty
Jessica Gresko PGN-ed
Glitch Blamed for Fire Alarm on Orbiter
John Schwartz PGN-ed
Casting Ballot From Abroad Is No Sure Bet
Ian Urbina PGN-ed
Lawsuits mounting over massive customer data breach at TJX
Mark Jewell via Monty Solomon
Hotel wake-up calls and daylight savings deja vu
Kevin Fu
Council builds database of burglary targets
Adam Laurie
Man risks five years jail time for using open WiFi connection
Nick Brown
Urgent Call For a Google At-Large Public Ombudsman
Lauren Weinstein
AT&T's Internet Monitoring Plans
Lauren Weinstein
Just a few clicks sends all pupils NSFW pictures
Debora Weber-Wulff
Risks of secure e-mail access
Nick Brown
Bloat: 1986 personal computer outperforms 2007 personal computer
Daniel P. B. Smith
Info on RISKS (comp.risks)

Hurricane forecasting uncertainty

<"Peter G. Neumann" <>>
Thu, 14 Jun 2007 10:07:17 PDT

The National Oceanic and Atmospheric Administration chief has said written
that the anticipated failure of QuikScat ("an aging weather satellite
crucial to accurate predictions on the intensity and path of hurricanes",
launched in 1999 and designed to last only a few years) could add
uncertainty to forecasts and broaden the areas over which hurricane warnings
and watches would have to be invoked.  (The estimated cost of evacuations is
about $1 million per mile of coastline.)  Accuracy of predictions has
doubled in the past 15 years, but would be set back by delays and lack of
funding for the desired replacement — which might require four years and
$400 million.  (QuikScat suffered a transmitter failure in 2006, and has
been using a backup transmitter.)  Source: Jessica Gresko, AP item, seen in
the *San Francisco Chronicle*, 14 Jun 2007, A17; PGN-ed]

Glitch Blamed for Fire Alarm on Orbiter

<"Peter G. Neumann" <>>
Wed, 13 Jun 2007 14:17:11 PDT

After the failure of the computer control systems in the Russian part of the
International Space Station and the subsequent inability of the Russian
computers to work with the American computers, control was reportedly passed
to maneuvering jets on the Atlantis shuttle.  The Space Station solar panel
configuration was unable to generate enough power, and certain functions had
to be shut down manually — which caused the software to trigger a fire
alarm in the Russian part of the Space Station.  It took twenty minutes to
diagnose that it was a false alarm, and that there was no fire.  [Source:
John Schwartz, *The New York Times*, 13 Jun 2007; PGN-ed]

Casting Ballot From Abroad Is No Sure Bet

<"Peter G. Neumann" <>>
Wed, 13 Jun 2007 14:03:48 PDT

Voting over the Internet is a topic that has often appeared in RISKS: in
general (RISKS-21.15 and many more issues), and particularly relating to the
U.S. (SERVE), the Netherlands, the Philippines, Switzerland, and so on.

Today's NYTimes article notes that the U.S. DoD has expended over $30
million seeking to enable U.S. military and civilians to vote dependably,
with no viable solution yet in hand.  The article notes that the existing
Web-based system is slow and confusing, with many security and privacy
problems.  It was used by only 63 military voters in the November 2006
election.  Civilians are not able to use it.  Absence of standards among
different states is problematic.  Many overseas voters have been unable to
cast votes.  [Source: Ian Urbina, New York Times, 13 Jun 2007; PGN-ed]

  [As noted in previous RISKS issues, voting by Internet is inherently
  riskful, particularly with respect to voter coercion, vote selling,
  tampering, denials of service, and other problems.  PGN]

Lawsuits mounting over massive customer data breach at TJX

<Monty Solomon <>>
Wed, 13 Jun 2007 20:48:13 -0400

Since the 28 Mar 2007 filing that listed over a dozen lawsuits, the TJX
Cos. Inc. now faces nine more federal lawsuits in five additional states
over the data theft that exposed at least 45 million credit and debit cards
to potential fraud.  Fifth Third Bancorp is also named.  [Source: Mark
Jewell, Associated Press, 8 Jun 2007; PGN-ed]

Hotel wake-up calls and daylight savings deja vu

<Kevin Fu <>>
Fri, 1 Jun 2007 12:39:05 -0400

Daylight savings time produced some annoyances earlier this year, but on
1 Apr 2007 it produced some unexpected personal inconveniences.  My hotel's
wake-up call system malfunctioned because it "double counted" daylight
savings time.  I suspect that the hotel manually pushed time forward earlier
in the year, but forgot to disable the automated daylight savings time event
that previously took place on the first Sunday in April at 2AM.  That would
be April Fool's Day 2007.  My wake-up call was set to 4:30AM, but actually
rang at 3:30AM.  After attempting to re-set the wake-up call for 4:30AM
(which, of course, was futile since it would ring the next day), I slept
through my flight home and had to buy a new ticket.  The daylight savings
deja vu added a redeye to my travel, and my lecture the next morning was
probably quite loopy.

Anyhow, I'm surprised there was not much discussion on what would happen on
the historical day of daylight savings.  Most discussion focused on what
would happen on the new day of daylight savings.  That's simple: People
manually set their clocks trying to outsmart software.  There will probably
be similar "double daylight" problems in the Fall on the historical dates
for daylight savings for years to come.

The "smart" wall clocks in the hotel's fitness center also set themselves
forward twice, now an hour ahead of correct time.  Pictures on  Can you guess the hotel?

Kevin Fu, Assistant Professor, Computer Science Department, University of
Massachusetts Amherst  1-413-545-4006

  [Ah, yes, recall Caltrain's double daylight time (RISKS-24.63).  PGN]

Council builds database of burglary targets

<Adam Laurie <>>
Wed, 06 Jun 2007 12:39:22 +0100

Yesterday, while working at home, I received a visit from someone purporting
to be from my local council, and he had an ID badge to prove it. He also had
a copy of a letter which I should have received, and a fairly comprehensive
survey form for the activity he wished me to participate in. In brief, it
was a survey of "Housing Conditions", based on a randomly selected number of
houses, and intended to allow the council to extrapolate the overall
condition of the houses in their area for grant funding planning
purposes. All fine so far, but now onto the questionnaire that goes with the

As well as the obvious stuff about the condition of the property, there was
also an extensive "Socio-Economic" section. This attempted to determine the
net worth of the individuals in the property, as well as original cost,
value of contents etc. This was worrying enough in itself, but the final
straw was in a section they called "Health and Safety", which included an
item called "3rd Party Intrusion Risk". This was basically a breakdown of
how easy (and therefore likely) it was to break in to the building, and
details of any specific weaknesses. At this point alarm bells were ringing
loudly and I started to question who would have access to this data.

I was given the usual platitudes:

  "The data won't be linked to any specific building."
(So why is the address written on the front of the form?)

  "Only this department will use the data and only for a specific planning
(At this point it turned out he doesn't work for the council at all, but is
working for a firm sub-contracted to do this work nationwide. Who've just
been bought.)

  "All staff are vetted."
(Don't get me started on local government vetting. Oh, but wait, he now
works for company B, who bought company A, who does the work for the
council, so couldn't even tell me who the staff were or where the data entry
team were based).

  "Nobody but us would understand it."
(Errr... Yeah, right.)

  "The intrusion risk questions are to do with mental health."
(??? Apart from being utterly confusing, that's also utterly irrelevant.
Mr. Burglar is not going to care *why* you collated this useful tidbit for
him, only that you did!)


I think the risks of collating a database of houses, the wealth of the
owner, the value of the contents and a handy scale of difficulty of entry
complete with tips on where to look are manifest, particularly given the
ongoing revelations about "data loss" from similar organisations...

I, for one, declined to participate. :)

Adam Laurie, The Bunker Secure Hosting Ltd., Ash Radar Station, Marshborough
Road, Sandwich, Kent CT13 0PL, UNITED KINGDOM +44 (0) 1304 814800

  [This may sound familiar, but is certainly worth a RISKS warning.  I am
  reminded of a would-be burglar-alarm company that operated for a while in
  Watchung NJ (near Bell Labs), giving free detailed house security
  assessments and alarm-system estimates.  Somewhat later, the most
  opportune of those homes that did NOT subscribe to the alarm system were
  burgled, within a short period of time, after which the perpetrators
  vanished.  PGN]

Man risks five years jail time for using open WiFi connection

<"Nick Brown" <>>
Fri, 25 May 2007 10:54:58 +0200

A Michigan man who was caught using a coffee shop's unsecured WiFi
connection while sitting in the car park was fined $400 and ordered to do 40
hours community service.  But he could have received a 5-year jail term, as
the state law which covers this is part of a 1979 anti-hacking bill which
makes this a felony.

I suspect he needs a better lawyer.  If the coffee shop wants to limit
access to customers, it can do so easily by issuing (free) username/password
tickets and having the proxy server require a valid logon to connect.
Indeed, in many cases where multiple WiFi networks are available, it is not
possible to know where each is situated and which don't mind if you use them
without any other form of purchase.

In this case, the coffee shop owner did not complain; the man was spotted by
a law enforcement officer who asked him what he was doing and then had to
check that it was actually illegal.  Again, I wonder what a better lawyer
would have made of this, which seems - at first sight to this non-lawyer -
to constitute self-incrimination.

Urgent Call For a Google At-Large Public Ombudsman

<Lauren Weinstein <>>
Mon, 11 Jun 2007 08:17:57 -0700 (PDT)

           Urgent Call For a Google At-Large Public Ombudsman
                            June 11, 2007

In both public and government circles, concerns are rising regarding
important aspects of Google's ongoing operations.  Some of these concerns
are very real, and some are more a matter of perception than reality --
often magnified simply because Google is involved.  In either case, the
situation is exacerbated by the extremely limited opportunities for the
public to interact directly with Google in a meaningful way regarding
increasingly sensitive matters that can have highly personal and very
widespread impacts.

A dedicated, at-large, public ombudsman to deal with these issues is
urgently needed at Google, to interact directly and routinely with the
public regarding Google, YouTube, and other affiliated operations.

The privacy, content-related, and many other concerns of ordinary users and
organizations, expressed to Google through currently available feedback
channels, appear to routinely vanish into what is effectively a "black hole"
-- with a lack of substantive responses in most cases.  If you don't have a
court order or a DMCA "take down" notice, Google can appear impenetrable to
expressed concerns.

Privacy International's reported inability to receive a response to their
queries prior to the release of a new report regarding Google privacy is but
one example of a seemingly pervasive situation at Google
( ).
I won't present here a critique of that report itself, but it's clear that
both individuals and organizations commonly feel impotent when attempting to
resolve many important issues with Google directly.

In general, both politicians and government agencies appear increasingly
unsatisfied with this status quo, and their reactions could be extremely
damaging to Google and the broader Internet.

I'm not suggesting another Google counsel.  The ombudsman would have a role
wholly different from that of Peter Fleischer's Global Privacy Counsel
position, or Nicole Wong's Deputy General Counsel role.  In fact, this would
likely not primarily be a policy "development" role per se, though policy
evolution over time would of course be significantly involved.

The ombudsman would be a non-lawyer who would be assigned full-time to act
as an easily approachable and highly available front-line interface between
the public and Google operational/R&D teams.  This individual would be the
primary initial contact for most queries from individuals and organizations
who have specific problems related to Google content, privacy, or a range of
other related policy matters.  This technically knowledgeable individual
would be well-versed regarding the relevant issues and ideally already
possess a high degree of trust within the larger Internet community.

Such an ombudsman, by fostering open lines of communications, could
immediately interact with members of the public and push relevant matters
quickly up the chain of command inside Google for action as appropriate.

There's simply no legitimate excuse for a public communications void of such
a magnitude at this stage of Google's development, especially with an
organization of Google's size, market share, influence, and immense
technical competence.  At a minimum, ordinary Google users should be able to
get quick, reliable, and substantive responses and resolving dialogue for
their Google-related concerns, even irrespective of any final dispositions.

Communication is incredibly important in this sphere.  The current situation
is seriously and increasingly dangerous to Google.  Backlash and reactive,
knee-jerk legislation by ambitious politicians could easily unreasonably
constrain and seriously damage Google, the broader Internet, and Net users
around the world.

A Google at-large ombudsman along the lines that I've outlined could be the
best and most practical way to help avoid such negative outcomes, while not
disrupting Google's operations and growth.  It would most decidedly not be
an easy job for anyone, but would be an important position that definitely
needs to exist.

I make this recommendation with what I believe are the best interests of
both Google and the Net's users in mind.  I want to see Google continue in
its success.  But a regulatory and public relations train wreck — with
major collateral damage across the Internet — is increasingly likely unless
serious and comprehensive improvements in Google's handling of this area are
forthcoming in the extremely near future.

The appointment of a qualified and dedicated ombudsman, with the sincere
support and confidence of Google high-level management, could go a long way
toward making Google an acknowledged leader in responsive operations, to the
benefit of us all.

Of course, it's not impossible that this call for a Google ombudsman will
itself be ignored by Google.  But in the final analysis, we can all hope
that Google management will realize that creating this position is very
simply the right thing to do.

Lauren Weinstein +1(818) 225-2800
Co-Founder, PFIR: People For Internet Responsibility -
PRIVACY Forum - Lauren's Blog:

AT&T's Internet Monitoring Plans

<Lauren Weinstein <>>
Thu, 14 Jun 2007 07:50:54 -0700

                    AT&T's Internet Monitoring Plans

News stories are now appearing widely about an AT&T plan to try block
pirated content *at the network level*.  See this example from the Los
Angeles Times:,1,2155771.story

The implications of this sort of network snooping are immense.  One might
assume that a primary target will be file sharing technologies.  But to
actually pick out particular content from those streams would imply the need
to actually examine and characterize the payload of files to locate and
block potentially offending music and/or video content.

AT&T will no doubt suggest that this activity is akin to virus and spam
filtering of e-mail for their customers.  This would be a specious analogy.
Spam filtering can usually be controlled by the user, and virtually all AT&T
mail processing can be avoided by their customers if AT&T servers are not

However, it sounds as if AT&T is planning a network monitoring regime that
would not be dependent on the use of AT&T servers.  What's more, the
"benefits" of this monitoring would not be directed to the customers whose
traffic is being monitored, but rather for the benefit of unrelated third

"Fingerprinting" of content for anti-piracy purposes is not always
unacceptable.  For example, Google/YouTube is reportedly starting tests of a
copyrighted material characterization blocking system.  Since users
submitting videos to YouTube are doing so with the expectation of that
content being hosted there, it is not unreasonable for YouTube to avoid
hosting pirated materials whenever practicable.

However, AT&T's proper role in this context (among an ever smaller number of
ISP choices) is simply to move customer data traffic between points, not to
be a content policing agent for third-party commercial interests, or a mass
data conduit for government interests without appropriate legal authority,
for that matter.  The traffic under discussion, based on news reports about
the AT&T plans so far, would typically not be directed to AT&T servers, and
should not be subject to content inspection by AT&T, in the absence of
specific targeted court orders or the like.

We can get into a discussion of if and how common carrier considerations
play into any of this anymore, and how encryption (and attempts to control
and suppress encryption) will enter the mix, but the very fact that these
AT&T plans have gotten this far is extremely disturbing.

Finally, perhaps the most illuminating aspect of this situation is a
statement by James W. Cicconi, an AT&T senior vice president, who is quoted
as saying that AT&T wouldn't look at the privacy and other legal issues
involved until *after* a monitoring technology has been chosen.

That pretty much says it all.

Lauren Weinstein +1(818) 225-2800
PRIVACY Forum - Lauren's Blog:

Just a few clicks sends all pupils NSFW pictures

<Debora Weber-Wulff <>>
Sun, 10 Jun 2007 16:25:32 +0200

The Swedish newspaper Sydsvenskan reports (June 6, 2007) on a problem
that affected some 10.000 pupils in the Lund school district:

It seems that whoever set up the mailing lists thought it would be a nice
idea if one could send an e-mail to every pupil at once, perhaps to announce
snow days or whatever. However, this function was open to everyone.

A pupil obtained some NSFW material and decided to send it on to all of
his fellow pupils. An administrator is quoted describing the material:

  "Det är så grovt att det inte kan uttryckas i ord. Jag har aldrig sett
  något vidrigare." (I cannot describe the brutality in words. I have
  never seen anything this disgusting before.)

It took a number of days to remove the material from the servers after the
incident came to light. The server was rented in another country (Norway)
and it apparently took some convincing for them to go in and remove all
copies of this e-mail, as there were so very many accounts affected. [Each
account probably had to be looked at by a human. -dww]

The school administration is debating whether to file charges against the
pupil [I would instead file the charges against the person setting up this
nonsense - dww], and has disabled the mass mailing functionality.

Prof. Dr. Debora Weber-Wulff, FHTW Berlin, Treskowallee 8, 10313 Berlin

Risks of secure e-mail access

<"Nick Brown" <>>
Fri, 1 Jun 2007 12:51:56 +0200

At our site, we use a number of techniques to detect malware infestation on
our Windows XP-based PCs.  One of these is the monitoring of auto-run
locations in the Windows registry, because most malware installs itself to
run automatically at system startup or logon time.

The other day our system called out a piece of auto-running software in the
user account of a visitor to our site, who was on loan to us for a week from
a UK government institution.  I assumed it was yet another minor piece of
drive-by malware from a Web site, took our usual first-level action (remove
registry entry, delete software) and assumed that would be that.

Next day, the software was back.  I took a closer look.  It had installed a
directory called "Whale Communications" in the "Program Files" directory,
containing a .EXE file and numerous DLLs.  I carefully checked the registry
of the PC, re-deleted the software (this required killing Internet Explorer
on the PC), and waited.  Within an hour, it was back.

Now, when we get to this point, one of two things is usually going on;
either the user is hitting a particular porn/warez/game site very hard, or
the malware uses some fairly classy techniques to keep itself installed.  So
I disabled the user's account, rebooted the PC, and waited for the phone to

Well, it turns out that all he was doing was reading his home office e-mail.
His organisation uses a "key-ring" code generator gadget which requires code
to be running on the client PC.  So their remote e-mail portal detects
whether this code is present, and if not, the browser automagically
downloads it to the PC and installs it to auto-run.

Slightly shocked at the rudeness (not to mention unreliability) of this
approach, I called the organisation's IT department.  My suggestion that it
might not be a good idea to work this way was greeted with very little
comprehension.  Apparently, their in-house culture is that anyone is allowed
to download anything they like, and nobody had given much thought to whether
different rules might apply elsewhere (at our site, we can potentially have
people physically removed from the building in such cases).

I pointed out that there are plenty of challenge-response solutions out
there which are entirely Web-based and don't require what, in many
jurisdictions, would be regarded as vandalism or hacking of the PC being
used, but the response was "well, this is the first time we've heard about
this problem".  (Regular RISKS readers may have heard that one before.)

So the risks are multiple, ranging from being unable to get to your e-mail
from any Internet cafe' as promised, if said Internet cafe' runs an OS for
which the client software isn't available and/or has download blocking in
operation, through to potential expulsion from the country or imprisonment
(I don't like to think what might have happened had the person in question
been using a computer in a US federal government office or one in several
countries which I could name).

Bloat: 1986 personal computer outperforms 2007 personal computer

<"Daniel P. B. Smith" <>>
Sun, 03 Jun 2007 11:26:03 -0400

Re the thread on touch typing, and Martin Ward's quotation:

  "The most amazing achievement of the computer software industry is its
  continuing cancellation of the steady and staggering gains made by the
  computer hardware industry..."-- Henry Petroski

A recent discussion in Slashdot referenced an article by Hal Licino: Licino
compared a 1986 Mac Plus with 4 meg of RAM, and 8MHz 68000 and a 40MB hard
drive running Mac OS 6.0.8, to a 2007 AMD Athlon 64 X2 4800+ with 1GB of
RAM, two 2.4GHz processors, and a 120 GB hard drive running Windows XP
Professional SP2. He carefully details the test conditions and the rationale
for the system configurations he chose.

The tests basically tested only two applications, Microsoft Word and
Microsoft Excel, and it seems to me that the things he chose to measure were
very reasonable, and not unrepresentative of ordinary use.

The 1986 computer won 9 out of 17 of his tests.

RISKS readers can read his article and decide what quibbles they have with
the results.

But the point is made. It is as if someone were to find that it took a
roughly comparable time fly from Albany to Buffalo today as it took to
travel on the Erie Canal.

(For the record, the fastest and slowest itineraries Travelocity shows me
for this 289-mile trip, are 1 hr. 10 minutes for a nonstop flight, and 5 hrs
57 min for an itinerary changing planes in Detroit.  The average speed of 48
mph for that second option gives one pause, but it is still twenty-four
times as fast as the fastest packets on the Erie Canal, which took 6 days.)

Please report problems with the web pages to the maintainer