The Risks Digest

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Volume 24 Issue 80

Monday 20 August 2007

Contents

Vista prevents users from playing high-def content
Jon Brodkin via Monty Solomon
Software bug took Skype out
Wolfgang Bruener via Mark J Bennison
Hacking The iPhone, Andy Greenberg on Black Hat
via Monty Solomon
Google mistakes own blog for spam, deletes it
Robert McMillan via Monty Solomon
Concern Over Wider Spying Under New Law
Risen-Lichtblau via Monty Solomon
Risks of trusting your fonts?
Boyd Adamson
Credit card headaches from TJX breach remain
Monty Solomon
Cost of data breach at TJX soars to $256m
Monty Solomon
Re: LAX airport delay cause
Olivier MJ Crepin-Leblond
Huge
Re: Source code at issue in drunk test
Steven M. Bellovin
Re: Toll data nabs unfaithful spouses
David Lesher
Re: U.S. legal time changing to UTC
David E. Ross
Randy Saunders
Rob Seaman
Overreliance on voting technology?
Joseph Brennan
Everyone is getting on the "secure voting" bandwagon
Ferdinand J. Reinke
Search engines: too many users for personal assistance
Dan Jacobson
Save your transaction numbers!
Andrew Koenig
Wendy's: In the Clear
Gene Wirchenko
Re: ... misuse of someone else's credit card
Adrian Cherry
Engaging Privacy and Information Technology in a Digital Age
Jim Horning
Info on RISKS (comp.risks)

Vista prevents users from playing high-def content

<Monty Solomon <monty@roscom.com>>
Sat, 11 Aug 2007 12:02:16 -0400

Content protection features in Windows Vista are preventing customers from
playing high-quality video and audio and harming system performance, even as
Microsoft neglects security programs that could protect users, computer
researcher Peter Gutmann argued at the USENIX Security Symposium in Boston
[on 8 Aug 2007].  [Source: Content protection rules said to harm system
performance, detract from security, Jon Brodkin, NetworkWorld.com, 9 Aug
2007]
  http://www.networkworld.com/news/2007/080907-vista-high-def.html


Software bug took Skype out

<"Bennison, Mark J" <mark.m.bennison@mbda.co.uk>>
Mon, 20 Aug 2007 08:06:20 +0100

[Source: Wolfgang Gruener, *TGDaily* 20 Aug 2007]
http://www.tgdaily.com/content/view/33452/103/

Skype today provided a few more information pieces about the reasons behind
its massive network outage last week.  According to the company, the network
outage was initially caused by a "massive restart of [its] user's computers
across the globe within a very short timeframe as they rebooted after
receiving a routine software update."  That high number of reboots was
followed by an equally high number of log-in requests, which resulted in
what Skype calls a "chain reaction."

On the Skype blog, a company representative wrote that this event revealed a
"previously unseen software bug within the network resource allocation
algorithm" which prevented Skype's "self-healing function from working
quickly. ... Skype has now identified and already introduced a number of
improvements to its software to ensure that our users will not be similarly
affected in the unlikely possibility of this combination of events
recurring."

The company said that there were no malicious activities that impacted Skype.

  [Also noted by Danny Burstein.  PGN]


Hacking The iPhone, Andy Greenberg on Black Hat

<Monty Solomon [mailto:monty@roscom.com]>
Monday, August 06, 2007 1:44 PM

The Black Hat Conference
Hacking The iPhone
Andy Greenberg, 08.04.07, 2:02 PM ET

Don't say you weren't warned, iPhone fans. Even when the prerelease fervor
surrounding Mac's mobile messiah-phone was at its highest, security
researchers were warning that it would be vulnerable to exploitations like
data theft and hijacking.

Last Thursday, Charlie Miller proved them right. In a presentation at the
Black Hat conference in Las Vegas, a gathering of cyber-security
researchers, Miller detailed how he had hacked and hijacked the iPhone by
exploiting a vulnerability in its Web browser.

For iPhone owners, the talk wasn't as foreboding as it might have
been. Apple had released a patch for Miller's exploit just days before. But
Miller, a researcher at Independent Security Evaluators, says Apple's patch
was only possible because he had informed the company of the vulnerability
weeks before he presented it to Black Hat's hacker audience. And, he says,
it would only be a matter of time and effort to find an equally powerful
backdoor into the phone.

Though there has yet to be any documented criminal hijacking of the iPhone
outside of a lab, Miller says his research shows the relative ease of
hacking smart phones, as well as Macs in general. He spoke with Forbes.com
about the iPhone's vulnerabilities, Apple's short-lived patch and the
company's undeserved reputation for building secure computers. ...

http://www.forbes.com/security/2007/08/04/iphone-apple-mac-tech-cx_ag_0804miller.html


Google mistakes own blog for spam, deletes it (Robert McMillan)

<Monty Solomon <monty@roscom.com>>
Sat, 11 Aug 2007 12:05:32 -0400

Robert McMillan, IDG News Service, 08/08/07

Readers of Google's Custom Search Blog were handed a bit of a surprise
Tuesday when the Web site was temporarily removed from the blogosphere and
hijacked by someone unaffiliated with the company.

The problem? Google had mistakenly identified its own blog as a
spammer's site and handed it over to another person. ...

http://www.networkworld.com/news/2007/080807-google-mistakes-own-blog-for.html


Concern Over Wider Spying Under New Law

<Monty Solomon <monty@roscom.com>>
Sat, 18 Aug 2007 22:11:14 -0400

Broad new surveillance powers approved by Congress this month could allow
the Bush administration to conduct spy operations that go well beyond
wiretapping to include -- without court approval -- certain types of
physical searches of American citizens and the collection of their business
records.  This offers a case study in how changing a few words in a
complex piece of legislation has the potential to fundamentally alter the
Foreign Intelligence Surveillance Act.  [Source: James Risen and Eric
Lichtblau, *The New York Times*, 19 Aug 2007; PGN-ed]
http://www.nytimes.com/2007/08/19/washington/19fisa.html?ex=1345176000&en=2e7a7948ff52f9fe&ei=5090


Risks of trusting your fonts?

<Boyd Adamson <boyd-adamson@usa.net>>
Mon, 20 Aug 2007 12:03:39 +1000

Jim Weirich, a prominent developer, noticed that on his machine
numbers were coming out incorrectly:

http://onestepback.org/index.cgi/Tech/Mac/MyMacCantCount.red

It seems that a corrupted "font cache" was causing all the "7" glyphs
in a single font (in all apps) to display as "9".

Jim was doing web development. What would have happened if he were
doing financial or life-critical systems work?

  [It's a real glyph-hanger!  PGN]


Credit card headaches from TJX breach remain

<Monty Solomon <monty@roscom.com>>
Thu, 9 Aug 2007 09:01:04 -0400

Almost seven months after TJX Cos. revealed that at least 45.7 million
credit and debit card numbers were compromised, some banks such as Citibank
are still reissuing cards for customers whose information may have been
exposed.  ...  [Source: Se Young Lee, *The Boston Globe*, 9 Aug 2007; PGN-ed]

http://www.boston.com/business/personalfinance/articles/2007/08/09/credit_card_headaches_from_tjx_breach_remain/


Cost of data breach at TJX soars to $256m

<Monty Solomon <monty@roscom.com>>
Fri, 17 Aug 2007 22:50:17 -0400

The figure is more than 10 times the roughly $25 million TJX estimated just
three months ago, though at the time it cautioned it didn't know the full
extent of its exposure from the breach.  The costs include fixing the
company's computer system and dealing with lawsuits, investigations, and
other claims stemming from the breach, which lasted more than a year before
the company discovered the problem in December 2006.  [Source: Ross Kerber,
*The Boston Globe*, 15 Aug 2007; PGN-ed]
http://www.boston.com/business/globe/articles/2007/08/15/cost_of_data_breach_at_tjx_soars_to_256m/


Re: LAX airport delay cause

<Olivier MJ Crépin-Leblond <ocl@gih.com>>
Thu, 16 Aug 2007 21:58:57 +0200

This is a classic NIC fault. Without being in the know about LAX's specific
failure, I suspect that all terminals are connected to large switches which
simply act as relays to the backbone.  On numerous occasions have I found
NICs failing simply by either repeating any received packets, thus flooding
the network, or worse still, not recognising potential collisions and
therefore transmitting whilst other computers are transmitting at the same
time. This results in a collision on each attempt. I've seen 100Mbit/s
networks grind to a halt (0.1Mbit/s). As opposed to expensive backbone
telecom equipment, computer NICs are often cheap and nasty $5 electronics.

The solution?

Don't put all your eggs in one basket.
Don't put all your computers on one sub-network.

Olivier Crepin-Leblond, PhD / Global Information Highway Ltd


Re: LAX airport delay cause (Magda, RISKS-24.79)

<Huge <huge@huge.org.uk>>
Fri, 17 Aug 2007 15:07:07 +0100

What's happening at my place of employ is that the business are starting
to query why we have duplicate systems "sat around doing nothing", so
they start running production work on the DR kit. Then, when one site
fails, the other can no longer cope with the workload.


Re: Source code at issue in drunk test (RISKS 24.79)

<"Steven M. Bellovin" <smb@cs.columbia.edu>>
Thu, 16 Aug 2007 21:10:02 -0400

The Minnesota case relies on a rather narrow foundation: the RFP
to which CMI responded gave title to at least some of the code to
the state, and required CMI's co-operation with defense attorney
requests.  In other words, the Minnesota Supreme Court's ruling is
not based on a recognition of a fundamental right as opposed to the
factual basis of this particular case.  I wonder, in fact, if
the prosecutors could secure a court order for the code under contract
law, and enforce it with large civil damages.

More details on this in my blog entry on the case:
http://www.cs.columbia.edu/~smb/blog/2007-08/2007-08-10.html


Re: Toll data nabs unfaithful spouses (RISKS-24.79)

<"David Lesher" <wb8foz@panix.com>>
Thu, 16 Aug 2007 15:21:54 -0400 (EDT)

> Seven of the 12 E-ZPass states in the U.S. Northeast and Midwest provide
> toll records to court orders in criminal and civil cases.  Four of those
> states (including NJ and PA) allow release only in criminal cases.

A) Do they require a court order? [Or just a request?]

B) How do those states that do block civil demands accomplish same?
[i.e. Do they have tested support in state law?]

C) What does this portend for other tracking records: NYC's new access
charge scheme, DC Metro {and others, inc NYC..} permanent fare cards, video
recordings, and cell phone tracking records? Does the alleged protection
mentioned extend to them?

The obvious Risk: Mission Creep abounds. Will folks be required to archive
all data just in case... How will the demand alter system design?  Staffing?


Re: U.S. legal time changing to UTC

<"David E. Ross" <david@rossde.com>>
Thu, 16 Aug 2007 13:58:53 -0700

The elimination of leap-seconds is being promoted by those who are too lazy
or too incompetent to code time conversions correctly.  This situation arose
because the long-term slowing of the earth's rotation (which creates the
need for leap-seconds) failed to occur for several years, eliminating the
need for leap-seconds for 7 years.  Previously, a leap-second had been
required every year or two.

From 1 January 1961 until 1 January 1972, UTC seconds varied in length
relative to TAI seconds, leap-seconds were fractions of a second, and UTC
clocks thus did not tick on the same instant as TAI clocks.  I was a
software test engineer on a project that handled this correctly.

UTC was redefined starting 1 January 1972 to have a second exactly the same
as the TAI second, to have leap-seconds exactly whole seconds, and thus UTC
clocks thereafter indeed did tick on the exact same instant as TAI clocks.
The old software did not need revision; it still handled this correctly.

This was for a large software system for the command and control of military
space satellites.  Internal time was kept in TAI minutes from some base time
because the mathematics required all minutes to be uniform in duration.
External time, however, was reported in UTC (day, month, year, hour, minute,
and seconds -- to the nearest millisecond).  UTC was also used as an
intermediate step to getting actual solar time (not mean solar time) for
determining the orientation of the surface of the earth relative to a fixed
coordinate system based on the stars.

When the software system was replaced in the mid-1980s, the developer (who
had not worked on the previous system) did not really understand the
difference between UTC and TAI.  I repeatedly -- and unsuccessfully --
warned both the developer and the US Air Force (the customer) that there
would be problems for not doing time conversions correctly.  In the end, the
Air Force was required to suspend mission operations a minute before a
leap-second and resume operations a minute after.  This suspension was
considered to be a cost-effective response to the lack of proper design
because correcting the design would impact both software and hardware with a
cost of several millions of dollars (partially a consequence of poor
modularization of the software).  A capability that existed in 1970 no
longer existed in 1992.

A historical tabulation of leap-seconds:
  http://hpiers.obspm.fr/eoppc/bul/bulc/UTC-TAI.history
A history of the proposal to eliminate leap-seconds oriented against the
proposal:
  http://www.ucolick.org/~sla/leapsecs/nc1985wp7a.html

David E. Ross <http://www.rossde.com/>
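Ross's point about keeping internal time in uniform TAI and converting to UTC only at the edges, as an added example that is not code from the post or from the satellite system it describes: a TAI/UTC converter driven by the post-1972 whole-second leap table (values from the IERS history linked above), which labels the inserted second 23:59:60 and shows why a naive subtraction of UTC calendar times across a leap-second is off by one. The 1972 epoch and the function names are my own choices.

```python
"""Added example, not code from the RISKS post nor from the satellite system
it describes.  TAI <-> UTC conversion with whole leap-seconds, as UTC has been
defined since 1 January 1972: internal time is a uniform count of TAI seconds,
external time is a UTC label that may legitimately read 23:59:60.  Assumes only
positive leap-seconds (every one so far); pre-1972 fractional steps are refused."""
import bisect
from datetime import datetime, timedelta

# (UTC date from which the new TAI-UTC offset applies, offset in whole seconds),
# from the IERS UTC-TAI.history bulletin linked in the post above.
LEAP_TABLE = [
    ("1972-01-01", 10), ("1972-07-01", 11), ("1973-01-01", 12), ("1974-01-01", 13),
    ("1975-01-01", 14), ("1976-01-01", 15), ("1977-01-01", 16), ("1978-01-01", 17),
    ("1979-01-01", 18), ("1980-01-01", 19), ("1981-07-01", 20), ("1982-07-01", 21),
    ("1983-07-01", 22), ("1985-07-01", 23), ("1988-01-01", 24), ("1990-01-01", 25),
    ("1991-01-01", 26), ("1992-07-01", 27), ("1993-07-01", 28), ("1994-07-01", 29),
    ("1996-01-01", 30), ("1997-07-01", 31), ("1999-01-01", 32), ("2006-01-01", 33),
    ("2009-01-01", 34), ("2012-07-01", 35), ("2015-07-01", 36), ("2017-01-01", 37),
]

EPOCH = datetime(1972, 1, 1)  # origin (my choice) for both counts below


def _naive(dt):
    """UTC calendar seconds since EPOCH, every day counted as 86400 s."""
    return int((dt - EPOCH).total_seconds())


# For each step: its UTC calendar count, and its TAI count (= calendar + new offset).
_STEP_UTC = [_naive(datetime.fromisoformat(d)) for d, _ in LEAP_TABLE]
_STEP_TAI = [u + off for u, (_, off) in zip(_STEP_UTC, LEAP_TABLE)]
_OFFSETS = [off for _, off in LEAP_TABLE]


def utc_to_tai(label):
    """'YYYY-MM-DDTHH:MM:SS' (SS may be 60 during a leap-second) -> TAI seconds
    since 1972-01-01T00:00:00 TAI.  A :60 that is not a real leap-second is an error."""
    base = datetime.fromisoformat(label[:17] + "00")   # the minute, seconds zeroed
    sec = int(label[17:19])
    # The offset in force is that of the last step at or before this second; a
    # 23:59:60 label lies just before the step, so look it up as 23:59:59.
    i = bisect.bisect_right(_STEP_UTC, _naive(base) + min(sec, 59)) - 1
    if i < 0:
        raise ValueError("before 1972 UTC used fractional steps: not handled")
    if sec >= 60 and (i + 1 == len(_STEP_UTC) or _STEP_UTC[i + 1] != _naive(base) + 60):
        raise ValueError("no leap-second at " + label)
    return _naive(base) + sec + _OFFSETS[i]


def tai_to_utc(tai):
    """TAI seconds since 1972-01-01T00:00:00 TAI -> UTC label, SS = 60 inside
    a positive leap-second."""
    i = bisect.bisect_right(_STEP_TAI, tai) - 1
    if i < 0:
        raise ValueError("before 1972: not handled")
    cal = tai - _OFFSETS[i]
    if i + 1 < len(_STEP_UTC) and cal >= _STEP_UTC[i + 1]:
        # Inside the inserted second: the old offset still applies, but the
        # calendar count has already reached the next day, so label it 23:59:60.
        minute = EPOCH + timedelta(seconds=_STEP_UTC[i + 1] - 60)
        return minute.strftime("%Y-%m-%dT%H:%M:") + "%02d" % (60 + cal - _STEP_UTC[i + 1])
    return (EPOCH + timedelta(seconds=cal)).isoformat(timespec="seconds")


def elapsed_seconds(start_label, end_label):
    """True elapsed seconds between two UTC labels.  Subtracting the calendar
    times directly loses one second for every leap-second crossed."""
    return utc_to_tai(end_label) - utc_to_tai(start_label)


if __name__ == "__main__":
    for tai in range(utc_to_tai("1972-06-30T23:59:58"), utc_to_tai("1972-07-01T00:00:01") + 1):
        print(tai, tai_to_utc(tai))        # the 23:59:60 label appears exactly once
    a, b = "2016-12-31T23:59:59", "2017-01-01T00:00:00"
    cal = int((datetime.fromisoformat(b) - datetime.fromisoformat(a)).total_seconds())
    print("calendar difference:", cal, " true elapsed:", elapsed_seconds(a, b))
```

Running the script walks through the 1972 leap-second second by second and then shows the 2016/2017 boundary, where the calendar difference is 1 s but the true elapsed time is 2 s.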


Re: U.S. legal time changing to UTC (Seaman, RISKS-24.79)

<Randy Saunders <R.Saunders@ieee.org>>
Thu, 16 Aug 2007 15:26:57 -0400

We need to check our math here.

We're adding leap-seconds at a rate of less than one second per year.  With
86400 seconds in a day, turning day to night takes more than 43,200 years.
That's not a few to me, that's five times recorded human history.

Perhaps the time community will decide to add a leap-minute every 100 years
or so.  That's the sort of Y2K planning even Congress should be able to
manage, and it only impacts folks who need to be within a minute of solar
time.  It would become the sort of once-in-a-lifetime event that century
changes have been in the past.  For a minute, about the time it took to read
this "sky is falling" post.

Randy Saunders, JHU Applied Physics Lab +1.240.228.3861 R.Saunders@IEEE.org


Re: U.S. legal time changing to UTC (Saunders, RISKS-24.80)

<Rob Seaman <seaman@noao.edu>>
Thu, 16 Aug 2007 13:46:48 -0700

"Day into night" was poetic license to grab people's attention - apparently
it worked.

Your calculation assumes a linear effect.  The first leap hour is estimated
to occur in about 600 years.  They accelerate quadratically after that -
remember, we have leap seconds due to the tidal slowing that has already
occurred.  Future slowing will make leap seconds occur more frequently.
There have been the equivalent of about 4 leap hours since Aristotle's time:
  http://www.ucolick.org/~sla/leapsecs/ancient.png

As I said, the expected cost to the astronomical community is large.  One
independent estimate was $3M to remediate a single midsize telescope.  The
cost to other communities, as with Y2K, is unknown until an inventory is
performed.  This legislation guarantees, however, that researchers,
government, and industry need to pay attention to UTC - now the law of the
land.  For instance, the impact of climate on our economy is ever more
critically appreciated.  Weather and tides, ocean currents and glaciers all
respond to diurnal effects.  The question isn't whether a static offset of a
minute matters - the question is whether a residual secular slope of that
magnitude matters.  For many purposes, no.  But is it prudent to assume that
no risks possibly pertain?

We're all the "time community", of course.

Interested parties will find detailed, often entertaining, and sometimes
repetitive discussion of these issues on the LEAPSECS mailing list:
  http://six.pairlist.net/mailman/listinfo/leapsecs

Rob Seaman, National Optical Astronomy Observatory


Overreliance on voting technology?

<Joseph Brennan <brennan@columbia.edu>>
Thu, 16 Aug 2007 21:46:56 -0400

Imagine paper ballots, with a separate slip for each office that is up for
election.  Voters coming into the polling place would be handed a set of
slips.  They could be color coded, but also marked by number.  The voters
would first check that they have a complete set of slips.

The voters would then mark their choice of candidates on each slip, or write
in any name wanted.  They would put the slips into boxes for each
color/number.  (If a slip happens to go into the wrong box, that can be
easily sorted out later by the poll counters.)

At the close of voting hours, poll counters would take each box in turn and
sort the slips into piles for each candidate.  In many cases the winner will
be immediately apparent when one pile is obviously larger than the others.
But of course exact counts would be made and reported.  Poll watchers would
watch the counting to be sure no one removes or adds slips.

After counting, the slips would be put into boxes and sealed.  If a recount
is called for later, the slips can simply be recounted.

Would an electronic system offer less opportunity for fraud, or more
reliable detection of fraud?  Would an electronic system be cheaper to
implement?  If no, why do we want electronic systems?

  [This is of course a very old idea (used in many places more or less as
  proposed), but it keeps looking better and better when observing the mad
  feeding frenzy for all-electronic machines that have rushed in where even
  fools might fear to tread.  PGN]


Everyone is getting on the "secure voting" bandwagon

<"r @ reinke" <reinke@reinke.cc>>
Thu, 16 Aug 2007 17:00:20 -0400

  Go low tech on the counting side of the equation. By manually counting
  paper ballots, integrity and trust is restored. The time savings and
  convenience don't outweigh the costs when you factor in the distrust a
  closed, unverifiable system creates. For almost 200 years, most elections
  in the U.S. were handled this way. No, this doesn't alleviate fraud. It
  does potentially save billions of dollars to the taxpayer by eliminating
  unnecessary technology purchases while restoring accountability in the
  electoral system. Without accountability and transparency in our electoral
  system, technology additions do not provide any value no matter how
  persuasive are their advocates.
    http://www.lewrockwell.com/fisk/fisk9.html

Even the political philosophy types understand that there's no confidence in
any technology-based solution.

So why should us technology types keep pounding our collective heads against
the walls?

Maybe the low tech solutions are really "the best" since they can be
verified by the great unwashed ... ... and I include myself in that. Since
the "kamikaze 1000", Dye boldly, or whatever isn't "my" platform of
expertise, then I too am part of the great unwashed that doesn't understand
its particular version of "voo doo".

Sometimes one can be too smart for one's own good. There's no doubt that
smart people can figure out a technological solution. And, there is equally
also no doubt that the people, who seek to rule over others, are just as
smart and cunning as well. Humans can always find a hole that they can
exploit.

The old programming canard is so true, "you never find the last bug".

At least, the manual "one - two - three" doesn't require detailed
examination. Just a counter and two or three watchers.

Ferdinand J. Reinke, Kendall Park, NJ 08824
http://www.reinke.cc/   blog => http://www.reinkefaceslife.com/


Search engines: too many users for personal assistance

<jidanni@jidanni.org>
Mon, 13 Aug 2007 00:31:08 +0800

> attempting to contact search engine personnel

Why aren't search engine companies responsive to little old you and me?
Simple. Take why I dare not get hooked on their "gmail" product: How can one
expect personal assistance when there are just too many users for the
company to provide personal assistance to?


Save your transaction numbers!

<"Andrew Koenig" <ark@acm.org>>
Sat, 11 Aug 2007 10:37:25 -0400

Between us, my wife and I have four credit cards, which you might think of
as "hers," "mine," "ours," and "business expenses."  All four of those cards
are with Citibank, three in the guise of AT&T Universal Cards, and the
fourth directly.

The fourth card has significantly different properties from the other three,
despite being with the same bank.  For one thing, it gives rebates on
various kinds of purchases, which can be spent (only) on buying or
maintaining an automobile.  For another, the due date for payments is a week
before the statement date; on the other three cards, the two dates are the
same.

Every month, a few days after statements become available, I go online and
schedule electronic payments for all four cards.  Although I am nervous
about the possibility that a payment might wind up being credited for much
more than I had requested, that is a possibility with paper checks also, and
now that we don't get original checks back anyway, all such transactions
come down to "he said, they said" anyway.

So...In the middle of last month, I scheduled payments for three credit
cards (the fourth had a zero balance).  A few days ago, I went back to check
that the payments were in the queue as requested.  To my surprise, (1) One
of them had vanished, and (2) Even though the next statements had not yet
been prepared, it was already past the due date.

I immediately scheduled another payment, which went through that day.
Nevertheless, when the next statement came out, it included both a $39 late
fee and finance charges for all outstanding charges--even those that were too
recent to appear on the statement.

I was able to get them to reverse those charges, based on their observation
that I had paid the other cards at the same time.  I still don't know what
happened to this payment.  Did I really forget one of the cards?  Did I
enter the transaction only to have it go awry somehow?  I doubt I will ever
know.

But I do know that this would not have happened if, after seeing the final
confirmation screen, I had simply saved the date and confirmation number.
Yes, it is always possible for them to deny that the confirmation number
exists, just as it is possible to deny that a canceled check exists.  But
it is much harder to do so, especially if they do not offer any alternative
means of proof.


Wendy's: In the Clear

<Gene Wirchenko <genew@ocis.net>>
Wed, 08 Aug 2007 16:10:09 -0700

Here is the text from a confirmation E-mail that I got from Wendy's
Restaurant:

  You are receiving this email because you (or someone pretending to be you)
  has entered the WENDY'S KICK FOR A MILLION CONTEST. If you did not enter
  this contest, please ignore this email.

  This email confirms we have received your WENDY'S KICK FOR A MILLION
  CONTEST entry information.

  For your records, here is the password you used to register: XXXXXXXXX

[I changed the password in paragraph three.  (sigh)]


Re: ... misuse of someone else's credit card (Robinson, RISKS-24.78)

<"Adrian Cherry (UK)" <Adrian.Cherry@baesystems.com>>
Thu, 9 Aug 2007 13:56:34 +0100

> I use Netscape version 7.2 "Mozilla/5.0 (Windows; U; Windows NT 5.1;
> en-US; rv:1.7.2) Gecko/20040804 Netscape/7.2 (ax)" on a Windows XP machine
> with Service Pack 2 for browsing because I do not trust Internet Explorer
>  and its security holes.

You could actually claim that Internet Explorer 7.x (IE7) is better than
Netscape 7.x (N7) for security. Like anything with statistics it is possible to
interpret the numbers several ways. For checking browser security I would
recommend http://secunia.com/

So N7 has 31 security issues against 15 with IE7. So N7 actually has more
security holes than IE7 however on the bright side they are better at
patching the security holes than Microsoft, N7 only has 4 outstanding
security issues against IE7 with 9 still to fix, one of which is considered
highly critical.

In fact if you want the most secure browsing then the latest version of
Opera, www.opera.com is my recommendation, all 8 security issues have been
patched by the vendor. From the website "There are no unpatched Secunia
advisories affecting this product".

IE7     : http://secunia.com/product/12366   Unpatched 60% (9 of 15 Secunia advisories)
N7      : http://secunia.com/product/85      Unpatched 13% (4 of 31 Secunia advisories)
Opera 9 : http://secunia.com/product/10615   Unpatched  0% (0 of 8 Secunia advisories)


Engaging Privacy and Information Technology in a Digital Age

<"Horning, Jim" <Jim.Horning@sparta.com>>
Mon, 20 Aug 2007 12:57:13 -0700
  (Re: Horning, RISKS-24.68)

The abstract of the report titled in the above Subject line was included in
RISKS-24.68, http://catless.ncl.ac.uk/Risks/24.68.html#subj15.

This report is now available from the National Academies Press,
in hardcover or pdf download:
  http://books.nap.edu/catalog.php?record_id=11896

  [This report was in the works for about five years.  Jim's blog entry on
  it is online:
    http://horning.blogspot.com/2007/08/privacy-is-not-simple.html
  PGN]
