The Risks Digest

The RISKS Digest

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Volume 24 Issue 90

Tuesday 6 November 2007

Contents

Computer Glitch Rolls Back Provincial Government
Ken Dunham
"Error" blitzes health records in New Zealand
Robert S. Heuman
UK Revenue loses CD-ROM
Bernhard Riedel
"Network Neutrality Squad": Users Protecting an Open and Fair Internet
Lauren Weinstein
Technology, the Stealthy Tattletale
Christopher Maag via Monty Solomon
GPS Units With More to Say
Roy Furchgott via Monty Solomon
Zombie botnet spam attack from over 3,000 IP addresses in 8 hours
Jonathan Kamens
Problems with Google's Spam filters and Google Content
Terence Eden
Spelling corrector creates "Muttonhead Quail Movement"
PGN
Cellphone in USB charger became default route
Stefan Alfredsson
Time change problems: Alltel
Steven M. Bellovin
Broken by design
Aahz
Update to "Think before you legislate"
Robert S. Heuman
Re: Predicting fatigue failure
Gary Maxwell
Re: Mac OS X Leopard firewall
Chris Adams
Ted Lemon
Re: Plagiarism & technology
Bob Brown
Re: "Same ol' same ol'"
Eric Ball
Re: Leaping onward
Rob Seaman
Info on RISKS (comp.risks)

Computer Glitch Rolls Back Provincial Government

<"Ken Dunham" <kdunham@rogers.com>>
Thu, 1 Nov 2007 12:27:51 -0400

Anyone surfing the New Brunswick government website on 1 Nov 2007 might have
wondered if the province's former Conservative government had staged a coup.
A computer glitch posted the week's agenda for Premier Bernard Lord and a
news conference on pandemic planning with Health Minister Elvy Robichaud.
However, neither man is still in office.

It turns out a faulty computer server spit out information for January 2006
-- well before the Tories were defeated in the last provincial election and
replaced by Premier Shawn Graham and his Liberal government.  Technicians
are trying to trace the problem.  [Source: Canadian Press item, 1 Nov 2007]
http://ca.news.yahoo.com/s/capress/071101/technology/technology_oddity_computer_glitch


"Error" blitzes health records in New Zealand

<"Robert S. Heuman" <robert.heuman@alumni.monmouth.edu>>
Sat, 03 Nov 2007 11:38:11 -0400

This is what happens when there is NO full OFF-SITE back-up available!  Bob

As a result of two disks failing on 21 Oct 2007, thousands of hours' work
over many years on the part of 690 staff members at the Waikato District
Health Board has vanished after a major computer error at Waikato Hospital.
The lost data -- which includes countless e-mails and personal work files,
reports, letters, communications, teaching material, guidelines -- was
information that was backed-up in the hospital's storage area network.  The
hospital is spending at least $60,000 trying to retrieve the information and
has hired experts in the US.  [Source: Natalie Akoorie, Error blitzes health
records, *Waikato Times* 3 Nov 2007; PGN-ed]
http://www.stuff.co.nz/4260645a11.html

  [Also noted by Andrew King in the NZ Herald.  PGN]


UK Revenue loses CD-ROM

<"Bernhard Riedel" <bernhard@sdg.de>>
Sat, 3 Nov 2007 20:48:26 +0100 (CET)

"Thousands at risk after data loss"
http://news.bbc.co.uk/2/hi/programmes/moneybox/7076106.stm

  A CD-ROM containing personal details about some 15000 people was lost by a
  courier. I remember a time when such stuff was moved on magtapes in huge
  aluminum boxes, not as easy to mislay, I guess.

Risks of miniaturization?

One really intriguing thing here (for me):

  The Revenue refused to say "on security grounds" whether the
  information was encrypted.

Does anybody have a plausible idea what kind of security grounds that might
be?

Bonus:

"Dog starts car after eating chip"
http://news.bbc.co.uk/2/hi/uk_news/england/southern_counties/5382878.stm

This one shows that new technology can cause not only unintended new failure
modes, but also new modes of recovery from failures.

  [Perhaps the dog thought it was a BONE-US.  PGN]


"Network Neutrality Squad": Users Protecting an Open and Fair Internet

<Lauren Weinstein <lauren@vortex.com>>
Mon, 05 Nov 2007 16:49:47 -0800

   "Network Neutrality Squad": Users Protecting an Open and Fair Internet
                http://lauren.vortex.com/archive/000327.html

Greetings.  I'm very pleased to announce a new project from
PFIR - People For Internet Responsibility:

                "Network Neutrality Squad" - NNSquad
                       http://www.nnsquad.org

PFIR Co-Founders Peter G. Neumann and I are joined in this announcement by
Keith Dawson (Slashdot.org), David J. Farber (Carnegie Mellon University),
Bob Frankston, Phil Karn (Qualcomm), David P. Reed, Paul Saffo, and Bruce
Schneier (BT Counterpane).

Recent events such as Comcast's lack of candor regarding their secretive
disruption of BitTorrent protocols, and Verizon's altering of domain name
lookup results to favor their own advertising pages, are but
tip-of-the-iceberg examples of how easily Internet operations can be altered
in ways that may not be immediately obvious, but that still can have
dramatic, distorting, and in some cases far-reaching negative consequences
for the Internet's users.

The Network Neutrality Squad ("NNSquad") is an open-membership, open-source
effort, enlisting the Internet's users to help keep the Internet's
operations fair and unhindered from unreasonable restrictions.

The project's focus includes detection, analysis, and incident reporting of
any anticompetitive, discriminatory, or other restrictive actions on the
part of Internet service Providers (ISPs) or affiliated entities, such as
the blocking or disruptive manipulation of applications, protocols,
transmissions, or bandwidth; or other similar behaviors not specifically
requested by their customers.

Other key aspects of the project are discussions, technology development and
deployment, and associated activities -- fostering cooperation and mutually
agreeable methodologies whenever possible -- aimed at keeping the Internet a
maximally unhindered, useful, competitive, fair, and open environment for
the broadest possible range of applications and services.

We invite individual, commercial, nonprofit, government, and all other
Internet users and stakeholders (including ISPs) to participate in the
Network Neutrality Squad.

Please join the moderated mailing list (choice of immediate
distribution or digest) for project announcements and discussions,
by sending a message (any subject or text) to:
  nnsquad-subscribe@nnsquad.org
or by signing up at the mailing list Web page:
  http://lists.nnsquad.org/mailman/listinfo/nnsquad

A moderated, interactive discussion and incident reporting forum is also
available for more real-time communications on related topics:

http://forums.pfir.org/main/messages/714/714.html

Questions and comments are welcome at nnsquad-info@nnsquad.org, or feel free
to contact me directly for details.

Working together, we can help to keep the Internet an incredibly useful
resource for everyone around the globe, unhampered by any efforts to skew
its enormous capabilities in ways that could hinder the many while
benefiting the relative few.

We hope that you'll join this cause. Thank you for your consideration.

(Affiliations shown for identification purposes only.)

Lauren Weinstein http://www.pfir.org/lauren lauren@vortex.com
Tel: +1 (818) 225-2800  Lauren's Blog: http://lauren.vortex.com
People For Internet Responsibility - http://www.pfir.org
Founder, PRIVACY Forum - http://www.vortex.com


Technology, the Stealthy Tattletale (Christopher Maag)

<Monty Solomon <monty@roscom.com>>
Fri, 2 Nov 2007 23:34:21 -0400

After stealing $7,000 from a PNC Bank in Evendale, Ohio, Kenneth Maples
climbed into a white Ford pickup driven by his wife, Jewell, according to a
police report. ...  But the suspects never had a chance.  A Global
Positioning System tracking device had been tucked inside the stolen cash,
according to the report, allowing a small army of local police officers and
F.B.I. agents to follow the signal from on-ramps and overpasses as it moved
south into downtown Cincinnati.  [Source: Christopher Maag, Tracking
Thieves, or Teens: Technology, the Stealthy Tattletale, *The New York
Times*, 27 Oct 2007; PGN-ed]
http://www.nytimes.com/2007/10/27/technology/27tracking.html?ex=1351137600&en=8d6b9fafbd080801&ei=5090


GPS Units With More to Say (Roy Furchgott)

<Monty Solomon <monty@roscom.com>>
Fri, 2 Nov 2007 23:36:58 -0400

The most advanced attempt at dynamic content is currently being made by Dash
Navigation, whose portable GPS device not only receives positioning signals
from satellites, but also collects driving speed and road data from cars
that use it and anonymously report this information to a database.  That
data would let Dash know the actual speed at which traffic travels at
different times of the day, so that it could route cars more effectively
than current systems can.  But for the Dash to build the database, it needs
many drivers to buy the things and use them.  [Source: Roy Furchgott, *The
New York Times*, 24 Oct 2007; PGN-ed]
http://www.nytimes.com/2007/10/24/automobiles/autospecial/24gps.html


Zombie botnet spam attack from over 3,000 IP addresses in 8 hours

<Jonathan Kamens <jik@kamens.brookline.ma.us>>
Tue, 06 Nov 2007 02:21:27 -0500

This may be old news to some, but it was rather surprising to me, so I
thought I'd pass it on...

At around 3:21pm US/Eastern on November 4, 2007, a zombie botnet began a
dictionary spam attack against one of the domains I host.

  *zombie botnet* --- a group of PCs that have been broken into by a hacker
  and turned into "zombies," i.e., PCs over which the hacker now has
  control, so that he can tell them to do things like send out spam on his
  behalf.

  *dictionary spam attack* --- an attempt to deliver spam to legitimate
  users at a particular domain by attempting to send email to many different
  addresses within the domain in the hope that some of them will be valid.

I knew this was happening because the log monitor I run on my mail server
began reporting many "User unknown" mail delivery failures for this domain
every minute.

If this has been a typical dictionary spam attack coming from a single host,
it would have been quickly blocked by my fail2ban <http://www.fail2ban.org/>
configuration, which temporarily bans any host which attempts a few failed
SMTP deliveries within a short period of time.  However, since the delivery
attempts were coming from many different IP addresses all over the world,
fail2ban was powerless to stop them.

When I realized what was going on, I wrote a script to block all the IP
addresses from which invalid deliveries to the domain had been attempted,
and I set up the script to run frequently to block any new IP addresses that
turned up.

The attack continued until around midnight, i.e., for over eight hours.
During that time, I saw failed delivery attempts from 3,025 different IP
addresses, along with 815 delivery attempts from IP addresses that I had
already blocked.

At this point, I have two outstanding questions about this attack:

   1. Was it really a dictionary spam attack, or was it actually a
      denial-of-service attack of some sort?  I consider the latter a
      possibility because the email addresses to which delivery was
      attempted during the attack simply do not look like email
      addresses that someone would guess if they were seriously trying
      to get email through to a domain.  Here are some examples of the
      addresses that were attempted: Lundberghrpor, Lanhamypxg,
      zsgohuwrhykr, CLIFFORDforonda, Lange, ThreeRiojas,
      Witold-Johannesen, birtlesioiis, Djurkovicnyqz, NevenHeinritz.
   2. Is there anything productive I can do with the list I now have of
      the IP addresses over 3,000 compromised PCs?  Is there a site
      somewhere to which I can submit the list that will notify the
      appropriate network service providers about compromised PCs on
      their networks?  Is there any point in doing that?  I suppose I
      could write a script to run "whois" on each of the IP addresses,
      try to parse out the contact email addresses, and send a form
      letter to those addresses, but (a) I don't really have the time,
      and (b) I believe that multiple whois queries from a single host
      are throttled, so it would take me an awful long time to get
      through them all.


Problems with Google's Spam filters and Google Content

<"Eden, Terence, VF UK - Technology" <Terence.Eden@vodafone.com>>
Thu, 1 Nov 2007 14:23:57 -0000

Over the last few months, I've noticed an increase in unfiltered spam
within my GoogleMail inbox.

The spam - usually for online pharmacies - falls into two
characteristics.

1) A sales pitch pointing to a Google Pages website e.g.
http://12312.googlepages.com

2) A sales pitch pointing to a Google Search e.g.
http://www.google.co.uk/search?q=somestring

The string that is passed to Google is usually the name of the pharmacy,
ensuring that the spammer is in the top or the returned rankings.
However, many spammers are using a "Googlewhack" - a unique string - to
ensure that their page is the *only* one that is returned.

The risks are two fold.
Google's spam filter seems to trust "Google" content disproportionately.

Users may trust their search engine to provide clear and unbiased
results, they may not expect that a search engine can be so easily
bamboozled.

http://www.google.co.uk/search?q=terence+Novarra+betavine


Spelling corrector creates "Muttonhead Quail Movement"

<"Peter G. Neumann" <neumann@csl.sri.com>>
Tue, 6 Nov 2007 13:17:34 PST

  "Pakistan city virtually shut down after strike call.  The opposition
  blames the government and the pro-government Muttonhead Quail Movement
  (MQM), which runs Karachi, for the violence."

    [Someone noted that MQM actually stands for "Muttahida Quami Movement".]

      ["This is possibly the most unfortunate spell-check blunder I've ever
      seen.  We corrected it: GBU Editor"]

  [From Reuters blogs, filed by The Good, the Bad, & the Ugly Editor (GBU),
  14 May 2007; PGN-ed; thanks to Charles C. Mann for spotting it.]
    http://blogs.reuters.com/blog/2007/05/14/muttonhead-quail/


Cellphone in USB charger became default route

<Stefan Alfredsson <Stefan.Alfredsson@kau.se>>
Mon, 5 Nov 2007 09:55:50 +0100

His cellphone charger was broken, so 17 year old Christoffer connected his
phone, a Sony Ericsson k800i, via USB to his parents computer and left it to
charge over night.

A month later, he got a bill of SEK 6911  (about USD $1100).

It turns out that the phone became the "default broadband" when plugged in
via USB, and his long-running downloads were done over the phone instead of
his broadband connection. The common price per Mbyte GPRS/UMTS data traffic
is SEK 10 to 15 (about USD $1.5 to $2.3), which would correspond to about
500 Mbyte downloaded data.

Christoffer claims "there was no warning to allow the phone to take over the
connection. I did not even know it was possible".  According to the operator
Tele2, he must pay the bill even if it was a mistake. They concluded that
the phone modem had been used, but could not tell how it happened. The
operator were not aware of previous incidents, but claims that "there is
software to link the phone to the computer and start the phone Internet
function, but it's not possible for the computer to do this on its own".

Original article in Swedish:
  http://www.aftonbladet.se/goteborg/article1141706.ab


Time change problems: Alltel

<"Steven M. Bellovin" <smb@cs.columbia.edu>>
Mon, 5 Nov 2007 02:37:35 +0000

We see reports like this twice a year, with some variation in timing because
of different cut-over days in different countries.  This time, Alltel -- a
mobile phone company -- reported that some of its customers saw the time on
their phones move forward an hour instead of back.
  http://ap.google.com/article/ALeqM5idDfj-VyOMd0rsD0UlwoSxGaIMLwD8SN4B001

Steve Bellovin, http://www.cs.columbia.edu/~smb


Broken by design

<Aahz <aahz@pythoncraft.com>>
Sun, 4 Nov 2007 20:26:56 -0800

After reading RISKS for more than a decade, it takes *a lot* to shock me.
Here's "a lot" (lightly edited for name-hiding):

  Date: Sun, 04 Nov 2007 17:24:49 -0500
  From: Modest Needs Technical Support <tech@modestneeds.org>
  To: Someone <foo@bar.baz>
  Subject: Re: Modest Needs - Technical

  Dear Someone,

  Since we only allow one account per household, we've merged everything
  under your partner's (Aahz) account. Please ask him/her for the login
  information.

  I hope this helps. Please write back if you still need technical support.
  Sincerely,

  Thierry Mellon, Chief Information Officer

Modest Needs is a charitable foundation that supplies short-term loans
to people in sudden need.  I've been donating to them for several years
now, but given their unwillingness to use a sane security system, I
shan't in the future.  (We have received additional messages that
communicate quite clearly that they have no intention of fixing this.)

Aside from the obvious RISKS about sharing passwords and financial
information even for people who are partnered, what if Someone was just
my roommate?  Under what sane account-management regime do you simply
merge accounts without asking permission?


Update to "Think before you legislate" (RISKS-24.88)

<"R.S. (Bob) Heuman" <robert.heuman@alumni.monmouth.edu>>
Fri, 02 Nov 2007 20:03:56 -0400

The Conservative government introduced a bill on Friday aimed at fixing a
glitch in the Elections Act that could have prevented up to a million rural
residents from voting...  The bill introduced Friday clarifies that
addresses do not need to contain a street name and number.  CBC News, 2 Nov
2007


Re: Predicting fatigue failure

<"Gary Maxwell" <gmaxwell@casabi.com>>
Fri, 2 Nov 2007 18:31:28 -0700

Ken Knowlton's musings on real-world stress testing of in-service systems
reminded me of a missed opportunity some years ago.

On Sunday, May 24, 1987, in celebration of its 50th anniversary, the Golden
Gate Bridge District closed down the bridge and allowed pedestrians to roam
freely on the span. The District estimates that nearly 300,000 people
"surged" onto the roadway. Clearly, the weight of shoulder-to-shoulder
people is much more than bumper-to-bumper traffic, and on this day, the
slight upward arch on the bridge's roadway actually flattened under the
weight. However, engineers did not anticipate this scenario, and the bridge
had not been instrumented to record the stresses encountered on this
day. The Center for Design Informatics at the Harvard Design School wrote a
paper evaluating the stresses, but this effort would have been surely helped
by empirical data.


Re: Mac OS X Leopard firewall (Schmidt, RISKS-24.89)

<Chris Adams <chris@improbable.org>>
Fri, 2 Nov 2007 16:29:29 -0700

This argument and the similar argument regarding wifi encryption comes up
fairly often, which worries me because they're founded on an implicit
assumption that network-specific security policies are a good idea. We have
a mountain of evidence demonstrating that trusting any network is a bad idea
because of rogue/unmanaged clients, malware and the difficulty of ensuring
that the actual network setup faithfully conforms to policy.

Things like the TJX disaster demonstrate just how costly it can be assuming
that it's ever safe to use applications which depend on network-level
security rather than incorporating security into the application itself. In
contrast, refusing to use applications which are insecure by design is not
only better from a security standpoint but also tends to be easier to use
because the users don't have to learn different, network-dependent ways to
work.

I've been advocating the untrusted network approach for awhile but I can't
claim the idea is particularly novel - of particular interest might be Abe
Singer's 2003 report describing the San Diego Supercomputing Center's
firewall-less network:

http://www.usenix.org/publications/login/2003-12/pdfs/singer.pdf


Re: Mac OS X Leopard firewall (Schmidt, RISKS-24.89)

<Ted Lemon <Ted.Lemon@nominum.com>>
Fri, 2 Nov 2007 19:36:30 -0700

Look, I don't want to be an apologist for Mac OS X security, which I do not
think is invulnerable.  But this statement is kind of ridiculous.  The idea
that some networks are trustworthy and some aren't has been disproven time
and time again over the past years.  It's perfectly possible for a virus to
be carried inside of a network and disseminate there, and it's happened and
made news several times that I've noticed in the past couple of years.
Imagine how many times it *didn't* make news, or was mentioned in passing in
a story about botnets attacking from inside corporate networks, where the
focus of the story, unbelievably, was not even *on* the idea that such a
network had been penetrated by a virus infestation.

The problem here is not that Leopard trusts all networks equally -- that is
appropriate, because no network is "trustworthy."  The problem is that Vista
lulls people into a false sense of security by suggesting that it is only
when they are sitting in Starbucks that they are at risk of attack.  Nothing
could be further from the truth.  If you examine all the machines in all the
botnets in the world, the ones that were infected in Starbucks don't amount
to a hill of beans...


Re: Plagiarism & technology (Re: Epstein, RISKS-24.88)

<"Bob Brown" <bbrown@spsu.edu>>
Sat, 3 Nov 2007 17:16:44 -0400

I am a college teacher and user of Turnitin.com.  I've used it for several
years for term papers, and occasionally for shorter papers.  I am very
familiar with what teachers see when they use this product or its
competitors.

> There are several problems with products of this sort:
> (1) False positives...

Turnitin.com and its various competitors do not detect plagiarism; they
detect similarity of text in the student's paper to text found elsewhere: on
the Web, in certain publications, and in previously-submitted papers.  The
teacher must then read the paper, checking for proper citation, and where
appropriate, proper quotation.  A teacher who does not do this is both lazy
and intellectually dishonest.

It is perhaps unfortunate that Turnitin produces a "similarity score" that's
expressed as a percentage of text that is similar to text found elsewhere
because it can facilitate lazy and intellectually dishonest behavior by
teachers.  However, it does help teachers in detecting something that's bad,
but not plagiarism: the cut-and-paste paper.  In such a paper, everything is
cited and quoted properly, it's just that none of it, with the possible
exception of some glue sentences, was written by the student.  The material
went through the Windows clipboard and not through the student's mind; no
learning took place.  I tell my students that the cut-and-paste paper is not
plagiarism, but neither is it evidence of learning, and the *best* grade
such a paper can earn is a D-minus.  (I also help them to write good papers
by talking and writing about the process.)

> (2) Copyright infringement...

Bogus argument.  Does the student who solves a series of math problems
assigned by the teacher hold copyright in the answers?  Of course not!  I
assign short ethics cases and the students write answers.  That's more
complicated because there is both a right answer and the expression of it.
I'd argue that the student who gets the right answer has exhibited evidence
of learning, but has not done creative work.  In the case of a term paper or
creative writing assignment, the student has (we hope) done some creative
work, but it is generally work that would never have been done but for the
assignment.  It is a work made for hire, and the payment is evaluation by
the teacher and a grade.

Further, Turnitin.com never "publishes" the papers that are uploaded, and
publication is of the essence of copyright infringement.  Teacher and
student get to see the analysis, but no one else does.  The only way to get
to see what's in such a paper is to submit later a paper that is, at least
in part, substantially identical.  Those parts that are identical are called
out, but what is highlighted is material in the *newly submitted* paper, not
material in the stored paper.  Turnitin.com does provide contact information
for the teacher whose student submitted the original paper, and that teacher
may then possibly release a copy if allowed by the school's policies and
procedures.

I have not yet had a student object to using Turnitin.com on intellectual
property grounds.  If ever I do, I will ask how much money the student
expects to make from the sale of the paper and whether the student would
want a third party to earn a good grade by submitting a copy of the
student's paper as his own.

(I am aware of the court cases.  A Pennsylvania court decided that caller ID
was an illegal wiretap, too.  This issue is not yet decided, at least in the
United States.)

The real value of a service like Turnitin is not in detecting plagiarism.  I
can do that better than any computer system I've seen so far because I know
my students' intellectual capacities and writing styles.  I have, in fact,
detected plagiarism not detected by Turnitin.com.

The real value is in plagiarism prevention.  Students do not believe that I
can detect writing that's not their own.  They do, however, believe that
"the computer" can detect similarity with text on the Web, and the student
who is tempted, but knows the paper will be submitted to Turnitin.com, is
more likely to make a good decision than a bad one.  While I have not done a
controlled study, I have observed fewer instances of plagiarism when
Turnitin.com is used in a class than when it is not, and *that* is what's
valuable.


Re: "Same ol' same ol'" (RISKS-24.88)

<Eric Ball <eball@ca.ibm.com>>
Mon, 5 Nov 2007 13:13:27 -0500

I received a similar e-mail from my wife's credit card company.  In that
case the links didn't match the URLs because they went through the CC's
3rd-party marketing firm.  I called the CC company and said they either had
lousy security or incompetent marketing, and that I would cancel the CC if I
received a similar e-mail.  The CC has now been canceled for that reason.


Re: Leaping onward

<Rob Seaman <seaman@noao.edu>>
Tue, 6 Nov 2007 16:31:43 -0700

Tony Finch opines:
  The obvious answer is to leave UTC alone, even when it is an hour or more
  away from GMT. If the discrepancy becomes inconvenient for civil purposes
  then local time offsets can be adjusted. Local time changes do not need to
  be agreed globally and they do not need to be applied simultaneously
  around the world. Therefore no new mechanism or policy is needed to cope
  with a continuous UTC.

Rob Seaman responds:
  A brief (negative) response is to consider that computer scientists have
  raised all this ruckus over the need to track a single list of historical
  leap-second events.  However, leaving the question to local officials
  replaces that single list with hundreds, or potentially thousands, of such
  lists that our software systems would need to consult.

Further discussion ensued and has been redirected to LEAPSECS:
	http://six.pairlist.net/mailman/listinfo/leapsecs

Seaman also notes:
  Also see http://www.physorg.com/news113282110.html.  The disruptions
  caused by unexpected Daylight Saving Time style jumps may not be the best
  model for establishing safe civil timekeeping practices.

Please report problems with the web pages to the maintainer

Top