The RISKS Digest
Volume 24 Issue 82

Wednesday, 12th September 2007

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Please try the URL privacy information feature enabled by clicking the flashlight icon above. This will reveal two icons after each link the body of the digest. The shield takes you to a breakdown of Terms of Service for the site - however only a small number of sites are covered at the moment. The flashlight take you to an analysis of the various trackers etc. that the linked site delivers. Please let the website maintainer know if you find this useful or not. As a RISKS reader, you will probably not be surprised by what is revealed…


Amtrak ticketing system outage
Steven M. Bellovin
New Zealand: Telecom's NGN will make old phones obsolete
Henry Baker
German rubbish piles up due to due to toll-system problems
Peter B. Ladkin
Aircraft safety and software reliability
Phil Colbourn
Risks of a flying society
Nick Brown
Groklaw reports 'The Incredible "Lawyers as Hackers" Case'
Kelly Bert Manning
EZ-pass evidence and the law
On-line property assessment databases a bit too accessible
Jonathan Kamens
Police mail sensitive information to the press
Debora Weber-Wulff
iTunes sharing
Henry Baker
Security: an example from Pakistan
Dan Jacobson
Monster data capture also includes "USAJobs"
Jeremy Epstein
Redacted account numbers
Tom Watson
Re: Save your transaction numbers!
Diomidis Spinellis
Re: Chinese Village Name Change Sparks Chaos
Julian Bradfield
Info on RISKS (comp.risks)

Amtrak ticketing system outage

<"Steven M. Bellovin" <>>
Thu, 30 Aug 2007 16:03:25 -0400

On Saturday morning, 25 Aug 2007, the nationwide Amtrak ticketing system
failed.  It wasn't restored to service until early Sunday afternoon.  During
that time, passengers couldn't buy tickets except (sometimes) at a ticket
window, query or change reservations, or retrieve previously-purchased
tickets.  Some other web functions were also unavailable.

The cause of the problem is unclear.  More precisely, there have been two
different, contradictory, explanations in the press.  One version has it
that they upgraded their software; the new version didn't work, and it took
a long time to diagnose the problem and back out the changes.  The other
story is that a circuit breaker panel failed, and it took a day to obtain a

There were good and bad aspects to how Amtrak handled.  The most glaring
failure was one of communications.  Apart from the different stories about
the cause, there was *no* mention on their web site about the problem.  If
you tried to buy tickets, you just received a "come back later" message.

The bright side is that Amtrak did have a contingency plan for this
situation, even though it had never happened before.  Passengers with
reservations were supposed to board the train the conductor came around
collecting reservation numbers.  (It remains to be seen if I will encounter
any residual billing or accounting difficulties from this happening to
me. ...  When I got to the station for my return trip, the automated kiosks
were unable to handle the situation (and gave a poor error messages); the
clerk, though, had no trouble when I explained the situation.)  On the other
hand, because this was such a rare situation, passengers at some stations
were told they had to purchase new, hand-written tickets.  Presumably,
they'll receive refunds.

More details and press links in my blog entries:

Steve Bellovin,

New Zealand: Telecom's NGN will make old phones obsolete

<Henry Baker <>>
Fri, 07 Sep 2007 10:54:28 -0700

FYI — You've heard of the demise of analogue TV's; now New Zealand is
getting rid of analogue telephones.  Aside from the issues of emergency
access when electrical power is down, note the fact that the old dial-up
"analog" modems will no longer work.  While no one uses them much these days
due to low bandwidth, they often provide the cheapest bit transmission
around for email, and may be the last refuge of bit transmission still "net

  Hundreds of thousands of conventional telephones that do not require mains
  power and are instead powered off the phone network will not work once
  Telecom switches to its Next-Generation Network, Telecom has confirmed.
  Dial-up Internet access will also be withdrawn and analogue modems in
  personal computers may not work, Telecom says.  The switch-over from the
  Public Switched Telephone Network (PSTN) to the NGN has been planned for
  several years and is scheduled to be finished by 2012, though there is
  growing speculation the completion date will be pushed back to 2015.  From
  then, customers will require a "residential gateway" device in their home
  that will need mains power. ... []

    [Backup?  We don't need no steenking backup when power is out --
    especially in areas where cell phones don't work.  PGN]

German rubbish piles up due to due to toll-system problems

<"Peter B. Ladkin" <>>
Mon, 10 Sep 2007 16:25:21 +0200

After a shaky and expensive start, it seems as if the automatic
toll-collection system for trucks on the German Autobahn (freeway or
turnpike, depending on if you are a car or a truck) is more or less working.

Unless you happen to be the Ferdinand Münnich Waste Disposal company in
Lippstadt. Our local newspaper, the Neue Westfalische Zeitung, reported on
the 10 July 2007 that their truck fleet was immobilised, pretty much from
one second to the next, as the newspaper put it, at about 10 am on 19 March.

At that point, the company received phone calls from six of its drivers who
were somewhere in Germany on the Autobahn. Their on-board toll machines were
turned off, because the company's credit limit was exceeded. The company
performs its toll transactions using the "Log-Pay-System", as do many
companies which are continuously underway. This system extends credit for
tolls automatically through a bank called the DVD-Bank until specific
payment dates. DVD-Bank works with a collection agency, Creditreform, to
protect itself from insolvent companies.

Apparently at Creditreform there was suddenly an "arrears advisory"
concerning the firm. That was automatically forwarded to DVB-Bank, which
shut off credit immediately and that in turn led Toll Collect to shut off
the on-board systems so that the trucks could not roll further. It took a
day to clear up the problem; meanwhile the truckers had to wait in Autobahn
rest areas.

Apparently it was a mistake. However, Creditreform apparently doesn't (want
to) take responsibility for the information it distributes. The bank is
apparently saying that credit is a privilege, not a right, and trust in the
customer (Münnich) was temporarily lost through the information from
Creditreform until the problem was sorted out.

The company Münnich is trying to recover costs. As the paper put it in its
subtitle "the involved (organisations) are washing their hands in their

Peter B. Ladkin Causalis Limited and the University of Bielefeld

Aircraft safety and software reliability

<"phil colbourn" <>>
Sat, 1 Sep 2007 13:33:29 +1000

I have been reading "*Worst Case Reliability Prediction Based on a Prior
Estimate of Residual Defects" by *P.G. Bishop and R.E. Bloomfield from the
*Thirteenth International Symposium on Software Reliability Engineering
(ISSRE '02)*, November 12-15, Annapolis, Maryland, USA, 2002(c) IEEE

This paper and earlier work suggest that a software system failure rate can
be bounded by N/et where N is the number of (residual) faults at T=0, e is e
and t is the total usage time.  The theory predicts (If I read it correctly)
reliability growth where a system can be assumed to have a finite number of
faults each with a constant failure rate.

I then happened upon this report from Boeing regarding air craft accidents.

It contains a graph of accidents from 1959 to 2006. The graph looked similar
to what would be predicted from a software system according to the theory.

I wonder... The aircraft industry (any industry that is focused on safety)
produces complex, multi-functional systems. The industry is based on
standards, engineering methods, maintenance procedures, failure
investigation and corrective action.  This seems very like the software
industry: requirements, coding standards, fault analysis and rectification.
Software is, after all, a set of procedures - ordered instructions to
perform some function.

Could it be that industry failure rates are like software bugs? The industry
has faulty standards, faulty engineering methods, faulty maintenance
procedures, imperfect root cause analysis and incomplete corrective action.
Over time these faults are exposed, identified and changes made to
standards, designs or maintenance processes to eliminate or reduce the
failure rate?

The paper goes on to note that failure rates level out but can never be
zero.  Is this the situation the aircraft industry is presently in? Where
failures are now so unbelievable that the number of possibilities are too
large to predict or manage? An example is the El Al cargo crash on 4/10/1992
where one engine broke loose from the wing, accelerated ahead of the
aircraft, turned and collided with another engine knocking it off the wing.

Risks of a flying society

<Nick Brown <>>
Thu, 30 Aug 2007 14:30:50 +0200

I read with interest at that
a company in Davis, California called Moller International is planning to
sell, very soon, a personal flying machine, capable of hovering 10 feet off
the ground, for about US$90,000.

On visiting their site at can discover Moller's
attitude to safety at  I didn't spend much
time on this page; I'm sure that the safety of the pilot has been well
thought-out.  There's lots of redundant engine power, it can "land almost
anywhere", the software is presumably highly reliable (!), and anyway,
there's only 10 feet to fall, at least with the M200X model.

I found the most interesting aspect of the safety page to be the complete
absence of any consideration of the 6-billion plus people who do not own or
operate a "Skycar".  Given that a large number of the initial owners will be
rich people with bored teenagers in search of thrills and who may, on
occasion, have access to mind-altering substances, I'll leave that as an
exercise for the readers of RISKs.

To get the ball rolling: how many commercial premises currently consider
that an eight-foot high chain link fence topped with a foot of razor wire,
provides them with adequate security against intrusion?

Nick Brown, Strasbourg, France.

Groklaw reports 'The Incredible "Lawyers as Hackers" Case'

< (Kelly Bert Manning)>
Fri, 24 Aug 2007 13:45:53 -0400 (EDT)

Many have commented that the Internet is like a shared long-term memory.
For practical purposes, it is impossible to retrieve or suppress anything
once it has been posted on a webpage or in a news group. Individuals have
been cautioned to assume that anything they post will be reviewed by future

Enterprises should be aware that anything they post on a webpage can appear
as evidence against them in court, and that measures they take to block
archival of their webpages may fail and may not prevent use of the webpages
as evidence.

This may seem obvious, but at least 1 USA enterprise went to some lengths to
attack a legal firm which used printouts of archived copies of enterprise
public webpages as evidence in court.

It seems bizarre that an enterprise could imagine that publicly accessible
webpages could not be used as evidence in court cases, but Groklaw recently
reported a decision where "Healthcare Advocates" did exactly that, claiming
that accessing a webpage archive was "hacking" under the USA Digital
Millennium Copyright Act, and that failing to preserve the content of a
browser cache was "spoliating evidence".

The judge quoted their own expert witness as saying that automatic purging of
expired cache data was normal browser behaviour, and was not evidence of any
deliberate act by the defendant law firm.

EZ-pass evidence and the law

<"Peter G. Neumann" <>>
Mon, 3 Sep 2007 11:03:17 PDT

E-ZPass records make way into criminal and civil trials;
They show where a vehicle traveled at a specific time
[Source: Madison Park, *Baltimore Sun*, 2 Sep 2007]

A woman accused of killing her husband was convicted after New Jersey
prosecutors reconstructed her movements.  Examining E-ZPass records,
investigators pieced together the driving route of a missing Baltimore
federal prosecutor who later turned up dead.  Prosecutors in a New York City
murder trial discredited a suspect's alibi.

  [See also RISKS-24.79.]

On-line property assessment databases a bit too accessible

<Jonathan Kamens <>>
Sun, 09 Sep 2007 02:10:02 -0400

While engaged recently in a discussion with a parent at our children's
school whom I felt was being overly paranoid about sharing her home address
with other parents, I googled her name, suspecting that I would be able to
illustrate to her that the information she was trying to protect was already
available on-line.

I succeeded far more than I'd expected to.  One of the first matches
returned by google was her home's property listing in the on-line property
assessment database for the town of Arlington, Massachusetts, where she
lives.  Her name, her husband's name, their address, a picture of the house,
a floor-plan sketch, the date they bought the house, their purchase price,
and all of the information used by the town to calculate the assessed value
of the house were instantly available.

Arlington's webmaster is guilty of two offenses: (1) providing an interface
for searching the assessment database by name (i.e., if you go to
<>, you can search not only
by address, but also by the owner's name); and (2) allowing its assessment
database to be fully indexed by public search engines.

This is not a small thing.  Consider a domestic abuse victim who moves to a
new house in a new town to get away from her abuser.  She takes precautions
to avoid being tracked down, e.g., ordering telephone service in a fake name
and paying the telephone company extra for an unlisted number.
Unfortunately, however, the town she has moved to is Arlington, which
proceeds to publish her name and address on its Web site for the world to
see and search.

The discovery of Arlington's carelessness with its residents' privacy
prompted me to check on Boston, where I live.  Boston, too, allows its
assessment database to be searched by name, but at least its database isn't
indexed in Google.  Someone with nefarious intent trying to locate a Boston
resident must already know that s/he owns a house in Boston.  That's bad,
but not as bad as Arlington.

I decided to check some other towns and cities in Massachusetts to see how
they stack up.

I checked 61 towns and cities, of which only 9 had their data sufficiently
secured (i.e., not easy to view the entire assessment database, not
searchable by name, not searchable in Google).  I found one town besides
Arlington, Ashburnham, whose records were searchable in Google, and four
towns (including Ashburnham) where it was easy to view the entire assessment
database without needing to perform individual searches.  In addition, I
discovered that independent of town and city records, the registries of
deeds of most Massachusetts counties allow their land records to be searched
by name, most of them from a single, convenient Web site.  See below for the

When assessment and land records were kept only on paper, they were
organized by street name and number, not by owner name.  When Massachusetts
communities began to put these records on-line for public access, did they
stop to think of the privacy, security and safety implications of allowing
them to be searched by name?  Apparently, only 9 of the 62 communities I
looked at did, and most of them are probably in counties which didn't.

Is Massachusetts typical?

  Jonathan Kamens

For those who are curious, here are the details of what I found:

  * *Cambridge* - not searchable by name, not searchable in Google (PASS)
  * *Abington* -* searchable by name,* *entire database can be viewed
    by sending an empty search,* not searchable in Google (FAIL)
  * *Adams* - *spreadsheet containing town's entire assessment
    database (last updated FY03) available on Web site, *not
    searchable in Google (FAIL)
  * *Amesbury* - * searchable by name with free registration,* *entire
    database can be viewed by sending an empty search,* not searchable
    in Google (FAIL)
  * *Amherst* - not searchable by name ("Owner Names are purposely not
    a part of the search interface"), not searchable in Google (PASS)
  * *Andover* - owner names don't appear in database (PASS)
  * *Ashburnham* - database available as PDFs on Web site, *searchable
    in Google* (FAIL)
  * *Ashby* - *searchable by name,* not searchable in Google (FAIL)
  * *Avon* - no on-line assessment database on-line, but links to*
    Norfolk County Registry of Deeds whose database is searchable by
    name for free, via "BROWNtech Document Management Systems"* (FAIL)
  * *Acton, Acushnet, Agawam, Aquinnah, Ashfield, Auburn* - assessment
    database doesn't appear to be on-line (PASS)

The discovery of the link to the Norfolk County Registry of Deeds on Avon's
Web site prompted me to check whether other counties' registries are also
searchable by name.

  * *Barnstable *- yes, via BROWNtech (FAIL)
  * *Bristol-Fall River, Dukes, Franklin, Hampden, Hampshire, Middle
    Berkshire, Nantucket, North Berkshire, North Essex, North
    Middlesex, North Worcester, South Berkshire, South Essex, South
    Middlesex, South Worcester, Suffolk *- yes, via (FAIL)

Note that Abington and Amesbury both appear to use a third-party service
called Vision Appraisal Technology ( to host
their on-line assessment databases.

Ashby uses software hosted by the Community Software Consortium
(  This software also appears to be used by Alford,
Ashland, Ayer, Bedford, Berkley, Bernardston, Bolton, Brookfield,
Charlemont, Chester, Duxbury, East Brookfield, Egremont, Framingham, Gill,
Grafton, Great Barrington, Hardwick, Heath, Hingham, Holliston, Lancaster,
Lee, Lunenburg, Mattapoisett, Maynard, Monroe, Needham, New Braintree, North
Andover, North Brookfield, Northborough, North Reading, Oakham, Richmond,
Royalston, Saugus, Seekonk, Sheffield, Somerset, Southborough, Swansea,
Tolland, Uxbridge, West Brookfield, and Windsor, all of which therefore
FAIL, and furthermore, there's a single convenient interface that one could
use to easily search for a particular person by name in all of these

Police mail sensitive information to the press

<Debora Weber-Wulff <>>
Sun, 09 Sep 2007 00:34:52 +0200

The German radio and television station SWR reports on September 7, 2007
that police in Friedrichshafen (near Lake Constance) mistakenly sent secret
information about their investigations of "terrorists" to their press
mailing list by email.

The article says that they "recalled the mail" [no way of that happening, in
my universe at least -dww]. The information included assessments of the
current situation, lists of investigations and a list of endangered
facilities. [just what your local terrorist needs -dww]

There will, of course, be a thorough investigation, someone will be fired or
sent to do hard labor down in the cellars of the archives, or whatever it is
that one is sentenced to if you are found to be the person guilty of making
your superiors look like idiots.

The head of the police department apologized, but did note that perhaps this
is just human error. [I think it is more likely a "helpful" email program,
doing email-address completion. I've managed to send an email intended for
my husband to a colleague (who discreetly destroyed it, thank goodness!) -

Prof. Dr. Debora Weber-Wulff, FHTW Berlin, FB 4, Treskowallee 8, 10313 Berlin
GERMANY  +49-30-5019-2320

iTunes sharing

<Henry Baker <>>
Mon, 10 Sep 2007 12:12:54 -0700

With Bluetooth & WiFi enabled on your laptop, go to an airport (or other
public place) & open up iTunes.

In many cases, you will see the sharable collections of tunes from a number
of other people.  It appears that this mechanism is completely outside the
usual mechanisms of file sharing.

Even if you don't see any tunes, you still get to see various computer
names.  Since a number of people tend to name their laptops after themselves
("Emily's PC", etc.), you can even find out their names.

Between the phones you see on Bluetooth, and the laptops you see on WiFi,
you get a pretty good idea of who is around you, what kinds of
music/podcasts that they like, what kind of phone they use, etc.

I assume that this is intended to be some sort of ad hoc social networking
scheme, but one that many people joined unconsciously.

Security: an example from Pakistan

<Dan Jacobson <jidanni at>>
Tue, 04 Sep 2007 05:43:02 +0800

The interlocking nature of technology and policy issues related to security
are illustrated by the example of Pakistan. In 2000 the monopoly service
provider had one point of entry and the international bandwidth was brought
in via one undersea fibre with no redundancy.  The ambition of the
government to deploy pornographic content blocking on the core gateway
router by putting up access control lists added to the vulnerability. The
total bandwidth coming into Pakistan was less then 250 Mbps. Finally, the
total lack of any security awareness and training in the staff manning the
Internet Exchange set the stage for trouble. A childish exercise by
Pakistan-based hackers to deface Indian sites was met by an equally immature
response by the Indian hackers in devising the yaha virus.  This was
originally a Denial of Service (DoS) attack on all .gov sites. This rapidly
escalated to a Distributed Denial of Service (DDoS) attack in different
strains of the virus. This attack was accompanied by different varieties of
attacks (fragmented packets, etc.) which coupled with the overloaded core
router handling the pornographic access lists brought the complete network
down. The attacks collapsed web servers, choked the domestic bandwidth,
overloaded the router and consequently flooded the international
bandwidth. These attacks continued intermittently for several months as the
Pakistanis tried desperately to address the multiple threats. The national
network went down for hours and days at a time.

Monster data capture also includes "USAJobs"

<"Epstein, Jeremy" <>>
Fri, 31 Aug 2007 17:02:05 -0400

The Monster hybrid attack (Infostealer.Monstres) has been discussed
adequately [see RISKS-24.81].  What I haven't seen covered is that it
apparently also affects anyone who applied for a US government job as well,
according to an email my wife received from USAJOBS.  According to that
letter, "Monster Worldwide is the technology provider for the USAJOBS
website and regrettably, some of the contact information captured came from
USAJOBS job seekers. The information captured included name, address,
telephone number, and email address. Monster Worldwide has assured the
U.S. Office of Personnel Management that Social Security Numbers were NOT
compromised because of IT security shields USAJOBS has in place."

I wonder how many other organizations "private label", and hence
their customers are also at risk.

Redacted account numbers

<Tom Watson <>>
Mon, 3 Sep 2007 14:12:06 -0700 (PDT)

My bank (Wells Fargo) in its infinite wisdom has decided to change the way
it attempts to redact account numbers.  In looking over the transactions for
an infrequently used account (I only have it because my ex-wife is a signer,
and who knows when I'll need to cash a check with her name on it!) I noticed
that the method had changed from the July to August automatic transfers I
have to keep the account active.  In July, the account number is listed with
THE LAST 3 digits as 'X'.  In August, the method is now all 'X' EXCEPT FOR
THE LAST 4 digits.  I just looked and said to myself "what is wrong with
this picture?".  The risk: when you change methods of redacting, change ALL
occurrences, not just the new ones.  You may just totally unredact what you
were attempting to hide.

Fortunately in my case, I know the account number anyway, so TO ME it is no
big deal (unless I print out something), but I'm aware, which is the the
thing to be.

I sent the bank a note as well.  I don't hold out much hope for anything
constructive in return, but we will see.

  [It seems pretty stupid to make such a change that completely exposes the
  account number to anyone with records before and after sanitization.  PGN]

Re: Save your transaction numbers! (Koenig, RISKS-24.80)

<Diomidis Spinellis <>>
Fri, 24 Aug 2007 18:26:29 +0300

Andrew Koenig's story of a bank transaction he couldn't prove it occurred
illustrates the need for keeping logs (including voting records) in a
human-accessible format.  I always print the transaction's final screen when
I perform an electronic payment.  I never analyzed why I needed to do that,
it just seemed right to me.  Banks, which have lot of experience in keeping
track of money, keep a paper trail for all their transactions: they have me
sign paper slips in duplicate at the teller, and even the ATM has a second
printer in its housing logging all transactions on a paper roll.  Reports
regarding the demise of paper are greatly exaggerated.

Diomidis Spinellis -

Re: Chinese Village Name Change Sparks Chaos (RISKS-24.81)

<Julian Bradfield <>>
Thu, 30 Aug 2007 21:33:24 +0100

If the Wikipedia entry (Tianweiban) on this story is correct, the
character isn't even particularly obscure - it's just not in the PRC
simplified set. It is, however, in the standard Hong-Kong set (Big5),
and used in Cantonese rather than Mandarin. There are vastly more
obscure characters!

Please report problems with the web pages to the maintainer