The Risks Digest

The RISKS Digest

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Volume 24 Issue 86

Wednesday 17 October 2007


Lessons from June International Space Station crisis
James Oberg via Pat Flannery
Tokyo Train System Ticketing System Failure
Stuart Woodward
Dutch railway offers too-easy access to customer profiles
Leon Kuunders
Austin-area toll equipment double-billed 50,000 times
Arthur Flatau
Car Remote Control Cipher KeeLoq Is Broken
Steve Klein
License plate scanners in police cars
Rob McCool
Changed dates of NZ Daylight Saving; unsurprising consequences
Donald Mackie
Medical error: Double mastectomy after 2nd opinion
Ken Knowlton
Bypassing Internet censorship
Mike Radow
Risks of writing a novel with your cell phone
Re: Another case of Deploy First, Test Later
Henry Baker
Re: Fake blogs
Dan Yurman
What do you do with unwanted voting machines?
David Lesher
Election Law online video lectures
Avi Rubin
Symposium on Usable Privacy and Security 2007 CFP
Simson Garfinkel
REVIEW: "The Complete April Fools' Day RFCs", Limoncelli/Salus
Rob Slade
Info on RISKS (comp.risks)

Lessons from June International Space Station crisis (James Oberg)

<Pat Flannery <>>
Tue, 16 Oct 2007 12:51:30 -0500

[Source: James Oberg, Space Station: Internal NASA Reports Explain Origins
of June Computer Crisis; Faulty computer design and corrosion of leads on
the ISS.  This is a useful article on lessons that need to be learned, even
though the crisis was resolved.  Read the article.  PGN]

Tokyo Train System Ticketing System Failure

<"Stuart Woodward" <>>
Sun, 14 Oct 2007 22:10:38 +0900

I wondered why the station staff were directing the commuters through
the gates without showing their tickets or passes on Friday. The
reason is given here:

All of the automated gates were down due to programming fault in the system
that reads the RFID cards commonly used by commuters.

If the guard wanted to see my train pass I would have had to open up the
Java applet on my phone which handles the renewal of the pass.  It's
possible that it would also have failed due to the ongoing problem.  Also if
the phone's battery is dead there is no way to see details about the
commuter pass, so the only sensible thing to do was to let everyone ride for
free that morning. jp mobile: 090-6166-7976 phone: jp 050-5534-5450  IM: stuartcw on skype, yahoo, googletalk

  [Stuart seems to support the MAX of five sentences for all e-mail:
  It would certainly not work for RISKS, even if we resorted to James
  Joycean sentences.  But it would certainly be a relief otherwise.  PGN]

Dutch railway offers too-easy access to customer profiles

<Leon Kuunders <>>
Thu, 04 Oct 2007 09:29:40 +0200

In order to keep customer satisfaction at the highest level possible, the
Nederlandse Spoorwegen (dutch railway) have enabled several online profiling
features for their subscription holders. Through this website customers can
change their full personal details, look at their (payment) history, change
bank account numbers, order new products, or ask for a refund.

The registration process for this website uses a failed authentication
scheme.  The "register me as a new customer" process works as "I have lost
my password".  For registration the only thing the customer has to do is
enter it's customer number, name and e-mail address, after which a
confirmation e-mail will be sent to the address given.

But there is no check if there has been a previous registration, and if so,
if the e-mail addresses are the same. To make matters worse the customer
number and name are clearly visible printed on letters, magazines and cards
that the company sends to it's customers. Thousands of people every year
lose their card, and with it the full credentials to their personal profile.

In a reaction the dutch railway representative said they thought it was "a
good service to their customers" and "we have no reports of any incidents."
How this service relates to the strict dutch privacy laws the representative
couldn't tell.  In the meantime the registration process is offline and
changed, so more details, like birthdate, are asked before access to a
profile is granted.

Noothoven van Goorstraat 14, 2806 RA, GOUDA
W: +31 641 164 995  P: +31 620 624 702

Austin-area toll equipment double-billed 50,000 times

<Arthur Flatau <>>
Thu, 11 Oct 2007 09:44:41 -0500

An article in the 9 Oct 2007 issue of the *Austin American Statesman*
reports on drivers getting double billed on the relatively new toll roads in
the Austin area.  (I believe none have been in use for more then a year.)

  "The problem has occurred one of every 600 times a car passed one of the
  roads' tolling points.  Agency officials say that they have made a number
  of equipment and software changes in the past few weeks to virtually
  eliminate the problem -- the frequency would now be more like one in every
  2,000 toll transactions ..."

I was going to insert a funny comment about virtually eliminating the
problem, but I can not come up with one that is funnier then the original
wording above.

The problem has to do with the "antennae on the overhead gantries" picking
up the toll tag more then once as it pass through.  I do not understand how
this would be hard to fix in software.  If the same toll tag is picked up
more then once in a span of say 30-60 seconds, this be labeled as an error
of some kind (as it would be impossible to drive through in that span of

Car Remote Control Cipher KeeLoq Is Broken

<Steve Klein <>>
Mon, 15 Oct 2007 08:55:27 -0400

(This press release is brief and direct, so rather than summarize
I'll quote it in full. -- SK)

KeeLoq is a cipher used in several car anti-theft mechanisms distributed by
Microchip Technology Inc. It may protect your car if you own a Chrysler,
Daewoo, Fiat, General Motors, Honda, Toyota, Volvo, Volkswagen, or
Jaguar. The cipher is included in the remote control device that opens and
locks your car and that activates the anti-theft mechanism.

Each device has a unique key that takes 18 billion billion values.  With 100
computers, it would take several decades to find such a key.  Therefore
Keeloq was widely believed to be secure. In our research we have found a
method to identify the key in less than a day. The attack requires access
for about 1 hour to the remove control device (for example, while it is
stored in your pocket). Once we have found the key, we can disactivate [sic]
the alarm and drive away with your car.  The attack has been extensively
tested using software simulations.

This research is the joint work between 3 research groups: the computer
science department of the Technion, Israel, the research group COSIC of the
Katholieke Universiteit Leuven (Belgium) and the Hebrew University, Israel.

License plate scanners in police cars

<Rob McCool <>>
Sat, 13 Oct 2007 16:38:36 -0700 (PDT)

The *San Francisco Chronicle* just published an article about license plate
scanners in police cars and traffic enforcement vehicles, systems which can
scan "50 plates a second" and "do make mistakes". The system was used to
apprehend an attempted child abduction suspect, and is used for a variety of
parking enforcement measures related to increasing revenue.

The enthusiasm for the systems in this article is tangible, and it contains
a modicum of privacy-related concerns. There is a small discussion of the
risks of thieves and others changing their behavior given that they know
this system is in use, and claims that police officers tried to keep it
secret for that reason. The opportunities for privacy violations as well as
harassment are pretty easy to imagine, as are the unexpected side effects
that its error rate may cause.

The article briefly mentions that such systems are common in London and in
casinos, with little discussion of any problems that may have come up.

Changed dates of NZ Daylight Saving; unsurprising consequences

<Donald Mackie <>>
Fri, 5 Oct 2007 21:42:37 +1200

Earlier this year the New Zealand government decided to extend the
period of daylight saving by three weeks.

This involved bringing the spring clock change forward by a week.  There was
some concern in the IT community prior to the change about the ability of
systems to respond to the change.

The clocks changed last Sunday. Unsurprisingly the fixes have been
incomplete - though not entirely devastating. My own organisation uses
Outlook and many of us have synchronised calendars on a mix of iMates,
Blackberries and other phones (ie at least three downstream OSs).

Most appointments on desktops were, thanks to the work Microsoft did,
correct after the clock change.  I only had one which was an hour out - the
person who set this up has been on leave for a few weeks and I suspect their
desktop hasn't been turned on in that time - thus not getting any fixing

The portable device calendars have been a different matter with most (but
irritatingly not all) appointments at the wrong time. Efforts to fix the
issue on individual portables seemed to add to the confusion.  Events
entered by the individual behaved differently to those made by someone
else. The low point was a meeting yesterday that attendees came to at 1300,
1400 & 1500.

It is hoped that things will come back to normal next week, the clock change
would previously have happened next Sunday, the 1st Sunday in October. We'll

Don Mackie, Auckland, New Zealand

Medical error: Double mastectomy after 2nd opinion

Thu, 4 Oct 2007 09:56:06 EDT

A woman has had a double mastectomy, after seeking a second opinion
confirming that she had cancer.  She didn't -- the second diagnosing doctor
relied on the same mislabeled tissue sample. (For readers of RISKS, there
must be a subtle lesson or two in this.)

Bypassing Internet censorship

<Mike Radow <>>
Mon, 15 Oct 2007 14:46:42 -0700 (PDT)

There is an implied *social risk* when technology is used to *block* access
to the full range of Internet resources, i.e., ''censorship''.

Ron Deibert is a Professor of Political Science and Director of the Citizen
Lab at the University of Toronto.  He just published a paper on ''By-Passing
Internet Censorship''...: Everyone's Guide to By-Passing Internet Censorship
for Citizens Worldwide
   His BIO::

Some of techniques described in the text (or in the included URLs) were new
to me.  It is likely that many RISKS readers will find this paper
interesting and informative, too.

Risks of writing a novel with your cell phone

<"Peter G. Neumann" <>>
Fri, 5 Oct 2007 5:25:54 PDT

When Satomi Nakamura uses her cellphone, she has to be extra careful to take
frequent breaks. That's because she isn't just chatting. The 22-year-old
homemaker has recently finished writing a 200-page novel titled "To Love You
Again" entirely on her tiny cellphone screen, using her right thumb to tap
the keys and her pinkie to hold the phone steady. She got so carried away
last month that she broke a blood vessel on her right little finger. ...
[Source: Yukari Iwatani Kane, Ring! Ring! Ring!  In Japan, Novelists Find a
New Medium; Budding Scribes Peck Their Tales on Cellphones; Ms. Nakamura's
Hurt Pinkie, *Wall Street Journal*, 26 Sep 2007; thanks to Charles C. Mann]

Re: Another case of Deploy First, Test Later (Re: Huge, RISKS-24.85)

<Henry Baker <>>
Tue, 16 Oct 2007 12:15:12 -0700

"A foolish consistency is the hobgoblin of little minds."  Ralph Waldo Emerson

Whether intended or not, one consequence of the widespread implementation of
IEEE-754 floating point arithmetic is that almost every computer now gets
_exactly_ the same answer, down to the last little bit.  This "answer" may
be far from the "correct" answer, but at least all of the computers will be
consistent.  In the "old" (pre-754) days, running the same Fortran program
on several different computers could uncover potential sources of error.  No

(This generic phenomenon of foolish consistency even has a technical name:
"informational cascade" -- if everyone agrees, then everyone must be
correct.  See )

I realize that using multiple types of arithmetic to uncover bugs in
floating point code may not be particularly efficient, but it sometimes
works.  IEEE-754 also provided for rounding modes that would allow for
"range" arithmetic in order to achieve the same ends with much greater
efficiency.  Unfortunately, no one seems to implement or utilize those
rounding modes anymore.

Re: Fake blogs (Evron, RISKS-24.83)

<"Dan Yurman" <>>
Mon, 15 Oct 2007 12:33:18 -0600

The problem of fake blogs is significant for me in two ways.  I operate a
blog on nuclear energy and nonproliferation topics.  First, my content is
being ripped off without attribution to attract ad clicks on other web sites
and fake blogs.  Aggregators of all kinds are taking blog content and using
it to generate their own ad revenue.  Good luck on that because in the past
year I haven't made so much as lunch money from the ads on my blog served up
by Google.

Second, and the more relevant issue for this list, is my content is being
used on fake web sites to drive clicks on links in search engine results
sending unsuspecting users to fake blogs and via redirect to websites with
NSFW content and malware.  The fake blogs often have redirects embedded in
them so that the fake blogspot site is never really seen. The user is taken
directly to the malicious website.

More than two-thirds of my blog visitors per month come in via unique search
terms for one-time retrieval of archived material. People who search on the
topics covered by my blog usually have industry or government expertise and
know what they are looking for.  It is pretty hard to confuse a search for a
pop tart singer with one for spent nuclear fuel.

I've seen that visitors don't get to my blog on the first try.  It annoys
them that a serious, work-related search has been diverted into a fake blog
or website. There are additional problems for users who's employers have
zero tolerance for hitting URLs with NSFW content.

This phenomenon is due to the fact that fake blog sites contain the same
search terms as mine because they copied the original.  Search engines
deliver their results indiscriminately and do not always help users separate
the fake blogs from the real ones.

For instance, a recent post on an planned environmental review by the
Nuclear Regulatory Commission on uranium mining in Wyoming was picked up by
another legitimate blog.  My post and theirs both appeared subsequently in
bogus blogs with redirects to NSFW content.  I am not posting the fake blog
URL here because it is unsafe.

I have a niche subject blog which isn't a big site, but with traffic
approaching 5,000 visitors a month this is getting to be a problem.

I've assembled a few tips to avoid trouble, which may be obvious to readers,
but here they are anyway.  Fake blogs often have numbers in the web site
name preceding '  Also, fake blogs tend to show up further down
in the search results, due in part to a smaller number of links to them, but
not always.  Another way around is to search blogs on Technorati and check
the "authority" of a blog containing content of interest.  The more links
from other blogs with similar topics, the more likely it is legitimate, but
that could change.  Some search engines include a snippet from the content,
and if the words are gibberish, that's a dead giveaway.  Finally, search on
the blog name itself and see how it shows up in search engine results and
what kind of content is in the snippets.

I have no way as an individual to stop the current problem.  I'm certainly
open to ideas for constructive group action.  Also, please feel free to
share with me authentication measures you use before clicking on a blog link
in a set of search results. If there are enough of them that are useful,
I'll assemble a blog post on it based on your contributions, with or without
attribution as you wish, and post a link to it in a future message to this

Dan Yurman, 1-208-521-5726

What do you do with unwanted voting machines?

<David Lesher <>>
Sat, 13 Oct 2007 14:16:27 -0400 (EDT)

It used to be that everyone wanted a Florida voting machine.  {...}  But now
that Florida is purging its precincts of 25,000 touch-screen voting machines
bought after the recount for up to $5,000 each, hailed as the way of the
future but deemed failures after five or six years, no one is biting.  {...}
[Source: Abby Goodnough, Voting Machines Giving Florida New Headache, *The
New York Times*, 13 Oct 2007]

Pre-RISKS-able story [i.e: one any regular RISK reader could see was coming
from $10E6 away...]:

Florida is now stuck with $millions of worthless DRE voting machines.  Like
too many used car and overpriced condo owners; they still owe money on them.

The risks are old ones:

1. If you throw enough money at a bad problem; you can make it a REALLY bad
   problem...that will need more money.

2. Legislators alas, never learned "primum non nocere" as MD's do.

3. Spending money first, then studying the problem & spec'ing the solution
   later; is almost always a bad idea. While the failures are more
   spectacular in building bridges than buying computing appliances; the
   results are often similar.

Election Law online video lectures

<Avi Rubin <>>
Thu, 11 Oct 2007 14:22:40 -0400

The Election Law Program, a joint venture of the College of William and Mary
School of Law and the National Center for State Courts has put some course
material in the form of online video lectures on election issues online:

Here is a listing of the lectures available from their web site.  The last 3
are lectures that I gave there.

Segment 1: Why Election Law Cases Are Different
Professor Richard Hasen

Segment 2: Pre-Election Issues: An Overview
Professor Richard Hasen

Procedural Concerns Related to Pre-Election Litigation
Professor Richard Hasen

Substantive Concerns Related to Pre-Election Litigation
Professor Richard Hasen

Segment 3: Election Day issues
Professor Ned Foley

Segment 4: Post-Election Issues
Professor Ned Foley

Segment 5: Electronic Voting: Global Election Systems
Professor Aviel Rubin

Why Electronic Voting is Different
Professor Aviel Rubin

Electronic Voting Technologies: Strengths and Weaknesses
Professor Aviel Rubin

Avi Rubin, JOHNS HOPKINS UNIVERSITY, Computer Science; Technical Director,
Information Security Institute 410-516-8177

Symposium on Usable Privacy and Security 2007 CFP

<Simson Garfinkel <>>
Sat, 13 Oct 2007 22:27:09 -0700

CALL FOR PAPERS -- SOUPS 2008 [Pruned for RISKS.  PGN]
Symposium On Usable Privacy and Security
July 23-25, 2008
Carnegie Mellon University, Pittsburgh, PA USA

The 2008 Symposium on Usable Privacy and Security (SOUPS) will bring
together an interdisciplinary group of researchers and practitioners in
human computer interaction, security, and privacy. The program will feature
technical papers, a poster session, panels and invited talks, discussion
sessions, and in-depth sessions (workshops and tutorials). Detailed
information about technical paper submissions appears below. For information
about other submissions please see the SOUPS web site


We invite authors to submit original papers describing research or
experience in all areas of usable privacy and security. Topics include, but
are not limited to:

 * innovative security or privacy functionality and design,
 * new applications of existing models or technology,
 * field studies of security or privacy technology,
 * usability evaluations of security or privacy features or security
   testing of usability features, and
 * lessons learned from deploying and using usable privacy and
   security features.

Papers need to describe the purpose and goals of the work completed to date,
cite related work, show how the work effectively integrates usability and
security or privacy, and clearly indicate the innovative aspects of the work
or lessons learned as well as the contribution of the work to the
field. Submitted papers must not substantially overlap papers that have been
published or that are simultaneously submitted to a journal or a conference
with proceedings. Accepted papers will appear in the ACM Digital Library as
part of the ACM International Conference Proceedings Series. The technical
papers committee will select an accepted paper to receive the SOUPS 2008
best paper award.

Papers may be up to 12 pages in length including bibliography, appendices,
and figures, using the SOUPS proceedings template on the SOUPS web site. All
submissions must be in PDF format and should not be blinded. In addition,
you must cut and paste an abstract of no more than 300 words onto the
submission form.

Submit your paper using the electronic submissions page for the SOUPS 2008
conference ( A successful
submission will display a web page confirming it, and a confirmation email
is sent to the corresponding author. Please make sure you receive that
confirmation email when you submit, and follow the directions in that email
if you require any follow up.

Technical paper submissions will close at midnight, US East Coast time, the
evening of Friday, 29 Feb 2007.

General Chair: Lorrie Cranor, Carnegie Mellon University

Interactive and In-Depth Session Chairs:
Andrew Patrick, National Research Council Canada
Konstantin Beznosov, University of British Columbia

Posters Co-Chairs: Rob Miller, MIT and
Jaime Montemayor, The Johns Hopkins University Applied Physics Laboratory

Technical Papers Co-chairs: Jason Hong, Carnegie Mellon University and
Simson L. Garfinkel, Naval Postgraduate School

REVIEW: "The Complete April Fools' Day RFCs", Limoncelli/Salus

<Rob Slade <>>
Mon, 15 Oct 2007 12:38:37 -0800

BKAFDRFC.RVW   20070814

"The Complete April Fools' Day RFCs", Thomas A. Limoncelli/Peter H.
Salus, 2007, 978-1-57398-042-5
%A   Thomas A. Limoncelli
%A   Peter H. Salus
%C   P.O. Box 640218, San Jose, CA 95164-0218
%D   2007
%G   978-1-57398-042-5
%I   Peer-to-Peer Communications, Inc.
%O   U$19.95 800-420-2677 fax: 408-435-0895
%O   Audience a+ Tech 2 Writing 2 (see revfaq.htm for explanation)
%P   390 p.
%T   "The Complete April Fools' Day RFCs"

For those in the know, the designation "RFC" is a bit of a joke in itself.
As a "Request For Comment," there is an implication of a proposal, as
opposed to a standard.  In fact, the RFCs are the "official" documents of
the Internet protocols, and are part of a formal process.  Given the nature
of the Internet, and the people involved, it should come as no surprise that
embedded in this library are jokes, making fun of the process as much as
anything else.

(Just to make things clear, this is far from a compendium of all of the
jokes flying around the net, or even all of the jokes about network
standards.  The April Fools' RFCs are a specific class of net jokes, and are
the material of this volume.)

The RFCs themselves present a kind of technical history of the Internet.  In
a similar way, the April Fools' RFCs are a history of aspects of the
Internet.  Some of them document technical concerns and emphasis, such as
the 1990s attempts to implement the Internet on any base physical transport
(RFC 1149, dealing with avian carriers) or 2002's efforts to run all
utilities over the Internet (RFC 3251, for providing electricity over
Internet Protocol).  Others reflect more general social concerns.

The RFCs are all freely available.  This book collects all the April Fools'
documents, and the authors have even made the collection available on the
Internet.  However, the print version contains additional commentary,
structure, and supplementary background information about the RFC authors.

And it's handy to have the dead trees edition for those times when the avian
carriers aren't flying to your particular hotspot.

copyright Robert M. Slade, 2007   BKAFDRFC.RVW   20070814

  [Steve Bellovin's Evil Bit (and Drew Dean's Angelic Bit), both of which
  appeared in RISKS-22.66 are both worthy, although only the first one was a
  "real" RFC.  The "IP over Avian Carriers" is a real classic.  The material
  is highly recommended for humor-loving RISKS readers.  Limoncelli and
  Salus deserve many thanks for making this material so easily accessible.
  Of course many other non-RFC April Fools' spoofs are also worthy, such as
  Chernenko@MOSKVAX (Piet Beertema, 1 April 1984, pre-RISKS, but reproduced
  in my book, Computer-Related Risks, pp.  146-148) and the April Fools'
  warning message attributed to Gene Spafford (RISKS-6.52) come immediately
  to mind, even though the day of wreckoning is still half a year away.

Please report problems with the web pages to the maintainer