The RISKS Digest
Volume 25 Issue 04

Saturday, 2nd February 2008

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator



Transplant patient has NEW kidney removed after NHS computer blunder
Richard I. Cook
Tachometer error caused 2005 runway overrun
Mark Brader
Mideast submarine cable disruptions
David Lesher
Empire State Building car e-interference mystery
David Chessler
Technology Review: Stopping cars with microwaves
David Chessler
Manufacturer Blames Bankruptcy on Failed ERP Implementation
Ken Dunham
2008 meltdown margin player blames s/w for failure to complete trades
George Michaelson
Fifth Amendment: Passphrase cannot be forced
David Lesher
British software pirate sells GBP 12K package at 1/1000
Peter Mellor
Peter Zilahy Ingerman
Voting Machine Usability Testing
Ken Dunham
Impersonating armored car personnel
Craig Partridge
Another public data loss in the UK
Robert Klemme
Automated calling system glitch locks down school
Steve Eddins
Re: Air Canada A319 upset
Peter Ladkin
Re: Coffee Grounds Qantas
Preston de Guise
Re: Metal structure beneath runway ...
Neil Youngman
Hoist by one's own petard: data security: UK Child Benefits
Adrian Cherry
REVIEW: "Software Testing Practice: Test Management", Spillner et al.
Rob Slade
Info on RISKS (comp.risks)

Transplant patient has NEW kidney removed after NHS computer blunder

"Richard I. Cook" <>
Thu, 24 Jan 2008 16:01:32 -0600

Tachometer error caused 2005 runway overrun

Mark Brader
Wed, 30 Jan 2008 22:36:27 -0500 (EST)
On May 18, 2005, a Jordanian Airbus A320 completed a flight (on behalf of a
Spanish charter airline) from Fuerteventura, Spain, to Leeds Bradford
Airport in England.  After landing, it decelerated normally as far as a
speed of 73 knots, but then the brakes on both sides failed almost
completely.  With runway running out and reverse thrust insufficient to
stop, the pilot steered off the runway.  At 22 knots the brakes reengaged,
and the plane stopped safely without injuries.

The accident is covered by Report 6/2007 of the UK AAIB, which is available
in PDF in sections under this page:

They say the failure was the result of "excessive wheel tachometer signal
noise, caused by a bent tachometer driveshaft on each main landing gear
assembly" combined with "inadequate fault tolerance within the brake control
system".  The tachometer is involved because that's how the Brake and
Steering Control Unit (BCSU) tells whether the plane is skidding.  But the
tire and driveshaft could resonate at about the same frequency, causing the
tachometer to produce electrical noise that in turn would cause the BCSU to
malfunction and release the brakes to prevent a skid that was not happening.

The solution was to replace the driveshaft with a stronger one (solid
instead of hollow), which would also have a different resonant frequency.

Mark Brader, Toronto,

[Another item from me about something that happened in England in 2005!  I
 just happened across this report while checking the AAIB site on the
 off-chance that there was news about the recent Heathrow incident.]
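The mechanism Mark Brader describes, a noisy wheel-speed signal taken at face value by the anti-skid function, is a general pattern: a safety action triggered by a single sensor reading with no plausibility check. The following is an added illustration, not code from the AAIB report and not any aircraft brake software. It models a toy anti-skid controller in Python; the skid threshold, the plausibility limit on wheel deceleration, the persistence requirement and the shape of the noise are all assumptions chosen to show the failure mode, not real parameters.

```python
"""Toy anti-skid controller fed a noisy wheel tachometer.

Added illustration only: not from the AAIB report and not any aircraft
brake software. The skid test, the plausibility limit and the noise shape
are assumptions chosen to show the failure mode, not real parameters.
"""

SAMPLE_DT = 0.01          # seconds between tachometer samples (assumed)
SKID_RATIO = 0.85         # wheel below this fraction of reference = skid (assumed)
MAX_WHEEL_DECEL = 60.0    # knots/s; a bigger change between samples is noise (assumed)
PERSIST_SAMPLES = 3       # consecutive skid samples required before acting (assumed)


def make_rollout(seconds=5.0, v0=73.0, decel=3.0):
    """Reference (aircraft) speed and true wheel speed for a normal,
    skid-free deceleration. Both lists are in knots, one entry per sample."""
    n = int(seconds / SAMPLE_DT)
    ref = [v0 - decel * i * SAMPLE_DT for i in range(n)]
    return ref, list(ref)


def add_periodic_dropouts(wheel, period=7, depth=0.4):
    """Constructed tachometer noise: every `period`-th sample reads `depth`
    too low, standing in for the resonance-driven signal noise."""
    return [w * (1.0 - depth) if i % period == 0 else w
            for i, w in enumerate(wheel)]


def make_real_skid(ref, start=100, per_sample=0.5):
    """Wheel genuinely losing speed against the reference from sample `start`,
    gradually enough that every step is physically plausible."""
    return [max(0.0, r - max(0, i - start) * per_sample) for i, r in enumerate(ref)]


def naive_controller(ref, wheel):
    """Release the brake on any single sample that looks like a skid.
    One noisy sample is enough to drop braking."""
    return [w < SKID_RATIO * r for r, w in zip(ref, wheel)]


def tolerant_controller(ref, wheel):
    """Reject implausible samples, then require the skid to persist.
    Starts from the reference speed so a bad first sample cannot seed it."""
    releases = []
    last_good = ref[0]
    streak = 0
    for r, w in zip(ref, wheel):
        # A wheel cannot change speed by more than MAX_WHEEL_DECEL*dt between
        # samples; a bigger jump in either direction is treated as noise and
        # the last plausible value is held instead.
        if abs(w - last_good) > MAX_WHEEL_DECEL * SAMPLE_DT:
            w = last_good
        else:
            last_good = w
        streak = streak + 1 if w < SKID_RATIO * r else 0
        releases.append(streak >= PERSIST_SAMPLES)
    return releases


def release_count(controller, ref, wheel):
    """Number of samples on which `controller` would release the brake."""
    return sum(controller(ref, wheel))


if __name__ == "__main__":
    ref, wheel = make_rollout()
    noisy = add_periodic_dropouts(wheel)
    skid = make_real_skid(ref)
    print("noise, naive   :", release_count(naive_controller, ref, noisy))
    print("noise, tolerant:", release_count(tolerant_controller, ref, noisy))
    print("skid,  tolerant:", release_count(tolerant_controller, ref, skid))
```

On the noisy but skid-free rollout the naive controller releases the brake on every dropout sample, while the tolerant one never does; on a genuine, gradual skid the tolerant controller still releases, only PERSIST_SAMPLES - 1 samples later than the naive one. The hold-last-value rule would need a stuck-sensor timeout in a real design; the toy omits it.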

Mideast submarine cable disruptions

"David Lesher" <>
Fri, 1 Feb 2008 02:12:16 -0500 (EST)
In what appear to be separate incidents, two major submarine FO cables (FLAG
Telecom and SEA-ME-WE 4) have been cut in the Middle East.

Dubai, Egypt, Saudi Arabia, Qatar, the United Arab Emirates, Kuwait,
Bahrain, Pakistan, and India are all suffering badly. There's been much
rerouting to trans-Pacific circuits.

The RISKs? Well first, in an amazingly short period of time [TAT-1, the
{copper} first transatlantic telephone cable, was put into service in 1956;
TAT-8, the first fiber cable, was in 1988] our civilization/economy has
become highly dependent on photons & refined beach sand.

Second RISK: While cables are relatively safe in deep water, to be useful
they must come ashore somewhere; and shallow water is where they are
vulnerable. And ships also like those same shallows.

Cables are only REALLY redundant if they have nothing in common, and for
reasons of geography, politics and history, they flock together in those
same shallow port waters.

Alexander Harrowell made a sage comment on the NANOG list.

  [Landing spots..] have historically been in the same strategic
  locations. Suez, Singapore, Cape Town; it's the strategic map of the
  British Empire. "Five strategic keys lock up the world", as Lord
  Fisher said. (Dover, Gibraltar, Singapore, Cape Town, and Suez).

I'm further reminded of Dan Charles' report on Relay, Maryland:
<> where he
discussed how wagon trains, telegraph, railroads, and now fiber... all Go
West via the same route.

[See also a CNN report.  PGN]
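The point that cables are only redundant if they share nothing can be checked mechanically rather than by assertion. The following is an added example, not from the digest or from the NANOG thread: each route is recorded as the set of shared-risk elements it depends on (landing stations, shallow-water approaches, ducts), and the code finds the elements whose loss severs every route, the single cut that does the most damage, and the largest groups of routes that are genuinely disjoint. The route names and elements are constructed for illustration and are not real cable topology.

```python
"""Shared-fate check for supposedly redundant routes.

Added example, not from the digest or the NANOG thread. Each route between
two regions is described as the set of shared-risk elements it depends on
(landing stations, shallow-water approaches, ducts). Two routes are diverse
only if those sets are disjoint. The inventory below is constructed for
illustration and is not real cable topology.
"""
from itertools import combinations

# Constructed inventory: route name -> shared-risk elements it traverses.
ROUTES = {
    "cable-north":    {"landing-east-A", "shallow-approach-A", "landing-west-A"},
    "cable-south":    {"landing-east-A", "shallow-approach-A", "landing-west-B"},
    "cable-overland": {"landing-east-A", "terrestrial-duct-1", "landing-west-C"},
    "cable-pacific":  {"landing-east-P", "shallow-approach-P", "landing-west-D"},
}


def damage_from(element, routes):
    """Routes that go down if `element` is cut."""
    return sorted(name for name, deps in routes.items() if element in deps)


def single_points_of_failure(routes):
    """Elements whose loss severs every route at once, i.e. the part of the
    'redundant' set that is not redundant at all."""
    deps = list(routes.values())
    return sorted(set.intersection(*deps)) if deps else []


def worst_single_cut(routes):
    """The one element whose loss takes out the most routes."""
    elements = set().union(*routes.values())
    return max(sorted(elements), key=lambda e: len(damage_from(e, routes)))


def diverse_groups(routes):
    """Largest sets of routes that pairwise share no element. Only these
    can honestly be counted as independent paths."""
    names = sorted(routes)
    for size in range(len(names), 0, -1):
        found = [g for g in combinations(names, size)
                 if all(routes[a].isdisjoint(routes[b])
                        for a, b in combinations(g, 2))]
        if found:
            return found
    return []


def survives_cut(element, routes):
    """True if at least one route stays up after `element` is lost."""
    return len(damage_from(element, routes)) < len(routes)


if __name__ == "__main__":
    print("single points of failure:", single_points_of_failure(ROUTES))
    worst = worst_single_cut(ROUTES)
    print("worst single cut:", worst, "->", damage_from(worst, ROUTES))
    print("truly diverse groups:", diverse_groups(ROUTES))
```

With the constructed inventory three of the four "redundant" routes share one eastern landing, so the only honest diverse pairs are each of them with the Pacific route, which is the same picture as the rerouting onto trans-Pacific circuits described above; drop the Pacific route and that landing becomes a single point of failure for everything.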

Empire State Building car e-interference mystery (*NY Daily News*)

David Chessler <>
Tue, 29 Jan 2008 20:12:25 -0500
In addition to some of the reported incidents, there were several incidents
in the Washington area some years ago in which digital PBXs interfered with
air traffic control at National Airport (as it was then called).

Several cars a day get bizarrely stranded in a five-block 'Bermuda Triangle'
near the Empire State Building.

In the shadow of the Empire State Building lies an "automotive Bermuda
Triangle" - a five-block radius where vehicles mysteriously die.  No one is
sure what's causing it, but all roads appear to lead to the looming giant in
our midst - specifically, its Art Deco mast and 203-foot-long, antenna-laden
spire.  "We get about 10 to 15 cars stuck near there every day," said Isaac
Leviev, manager of Citywide Towing, the AAA's exclusive roadside assistance
provider from 42nd St. to the Battery. "You pull the car four or five blocks
to the west or east and the car starts right up."

"The lights work, the horn works, everything. But it won't start," Russell
Valeev, a driver for Golden Touch Transportation said one recent evening as
he sat in his 2005 Ford van with the hood propped open on E. 35th St.,
between Lexington and Park Aves. "It's my job. No money."

The 102-story building, at Fifth Ave. between 33rd and 34th Sts., has been
home to broadcast equipment since its opening in 1931, when RCA installed an
experimental TV antenna.  Since the 9/11 attacks destroyed the twin towers,
the building has regained its status as the leading transmission site for
commercial broadcast outfits, with 13 TV and 19 FM stations mounting
antennas on its spire.

The FCC said it has not received any complaints regarding interference
affecting autos in midtown, and Empire State Building officials don't
believe the claims.  Yet some phantom transmission appears to cause the
remote keyless entry systems of scores of car owners to go haywire and stop
talking to their vehicles.  [Source: Richard Weir, Empire State Building car
zap mystery, *NY Daily News*, 29 Jan 2008; PGN-ed]

[The NY Daily News blog is replete with cases reported by affected drivers.
You can add yours to the blog or report it to  But by
now it's familiar territory and no longer News.  PGN]

Technology Review: Stopping cars with microwaves

David Chessler <>
Fri, 01 Feb 2008 18:11:31 -0500
Zapping the bad guys: Attached to the roof of this police car is a 200-pound
electromagnetic system that can quickly bring an opposing vehicle to a
stop. The system is six- to eight-feet long (antennae included) and almost
three-feet wide.  It works by sending out pulses of microwave radiation that
disable the microprocessors that control the central engine functions of a
car.  Credit: Eureka Aerospace

Researchers at Eureka Aerospace are turning a fictional concept from the
movie *2 Fast 2 Furious* into reality: they're creating an electromagnetic
system that can quickly bring a vehicle to a stop.  The system, which can be
attached to an automobile or aircraft carrier, sends out pulses of microwave
radiation to disable the microprocessors that control the central engine
functions in a car.  Such a device could be used by law enforcement to stop
fleeing and noncooperative vehicles at security checkpoints, or as perimeter
protection for military bases, communication centers, and oil platforms in
the open seas. [Source: Brittany Sauser, Stopping Cars with Radiation: A
beam of microwave energy could stop vehicles in their tracks, MIT
*Technology Review*, 13 Nov 2007]

Manufacturer Blames Bankruptcy on Failed ERP Implementation

"Ken Dunham" <>
Wed, 30 Jan 2008 08:39:13 -0500
American LaFrance (ALF), a US manufacturer of fire trucks, has blamed a
failed ERP implementation for its filing for bankruptcy this week.  Coupled
with "inventory not properly declared as obsolete", ALF incurred $100
million in unanticipated costs, lengthy production delays, and problems
servicing customers' existing trucks.

A significant consequence of ALF's operational problems is that fire
departments across North America are apparently experiencing significant
delays in obtaining spare parts and service for their front-line fire trucks,
and new orders (most of which will be replacements for aging apparatus) are
being delayed by months. This will undoubtedly result in apparatus (and
possibly the associated companies of firefighters) being placed out of service
more than usual, and/or use of older, less reliable reserve apparatus (which
typically don't meet current safety standards).

Although problems with ERP implementations have caused a number of high
profile business disruptions in recent years (e.g., Hershey's, HP), this is
the first I've heard of a company blaming its bankruptcy on ERP. The RISKS
involved in such large-scale IT projects are well known (especially to
readers here), but unfortunately still occur all too often.

[For the benefit of readers who aren't accountants or lawyers, Chapter 11 is
a US bankruptcy provision that allows a company to voluntarily declare
bankruptcy, prepare a financial reorganization plan under the supervision of
the bankruptcy court, and (hopefully) ultimately be discharged from
bankruptcy as a viable concern.]

2008 meltdown margin player blames s/w for failure to complete trades

George Michaelson <>
Fri, 1 Feb 2008 09:42:20 +1000
Tricom, a margin lending specialist in Australia, was unable to complete its
trades and finalize settlements.  The ASX had to declare a hold on its
activities and close off the market without it.  Everything was resolved by
the next business day.

Tricom stated (according to *The Australian* newspaper) that it was net
positive, but s/w let it down and it couldn't complete the volume of
processing required due to a new s/w system.,24897,23142583-15306,00.html
suggests that the story is not that simple: the system was accepted under
the three-day burn-in test the ASX requires, and it will not form the main
focus of any investigation.

I think we'll see quite a lot of software/computer-systems blame over
triggers to sell, but this appears to be about scaling functions to close
off, rather than automatic bet-the-market outcomes.

Interesting to think about what the possible scaling functions are in these
kinds of systems. The average-to-peak difference could be immense if you
have a range of people making smallish buys (by volume of event) spread
over a long time, but then a synchronization event which forces everyone to
trigger SELL at the same time. It could be several decimal orders of
magnitude variation in the transaction volumes, which makes capacity
planning and even some data structure design quite important.
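The average-to-peak argument above can be made concrete with a small queueing model. The following is an added example, not from the digest and not modelled on any ASX or Tricom system: a settlement engine with fixed throughput is fed a session of scattered small orders, then the same session plus a margin-call event in which every client sells inside one short window, and the code reports the peak-to-average ratio, the backlog left at the close, and the capacity that would have been needed to clear it. The session length, client count, engine rate and burst window are all constructed numbers.

```python
"""Average-vs-peak load from a synchronized sell-off.

Added example, not from the digest and not modelled on any ASX or Tricom
system. A settlement engine with fixed throughput is fed a session of
scattered small orders, then the same session plus a margin-call event in
which every client sells inside one short window. All numbers are
constructed for illustration.
"""

TRADING_SECONDS = 20_000   # length of the session in seconds (assumed)
CLIENTS = 20_000           # accounts that each place one order (assumed)
CAPACITY = 3.0             # orders/s the engine settles: 3x the quiet-day average (assumed)


def quiet_day():
    """Per-second order arrivals when every client trades once, spread evenly."""
    return [CLIENTS / TRADING_SECONDS] * TRADING_SECONDS


def sell_off_day(start=16_000, window=200):
    """Quiet day plus a margin call: every client also sells inside the
    `window` seconds beginning at `start`, a synchronization event."""
    arrivals = quiet_day()
    burst = CLIENTS / window
    for t in range(start, start + window):
        arrivals[t] += burst
    return arrivals


def peak_to_average(arrivals):
    """Ratio of the busiest second to the session-average rate."""
    return max(arrivals) / (sum(arrivals) / len(arrivals))


def drain(arrivals, capacity=CAPACITY):
    """Run the arrivals through an engine that settles `capacity` orders/s.
    Returns (peak_backlog, backlog_at_close, seconds_needed_after_close)."""
    backlog = peak = 0.0
    for a in arrivals:
        backlog = max(0.0, backlog + a - capacity)
        peak = max(peak, backlog)
    return peak, backlog, backlog / capacity


def capacity_to_clear(arrivals, step=0.5, limit=1000.0):
    """Smallest engine rate (in `step` increments) that leaves no backlog at
    close, i.e. what capacity planning against the peak would have to buy."""
    c = step
    while c <= limit:
        if drain(arrivals, c)[1] == 0.0:
            return c
        c += step
    return None


if __name__ == "__main__":
    for label, day in (("quiet", quiet_day()), ("sell-off", sell_off_day())):
        peak, close, overtime = drain(day)
        print(f"{label:9s} peak/avg {peak_to_average(day):6.1f}x  "
              f"peak backlog {peak:8.0f}  at close {close:8.0f}  "
              f"overtime {overtime:6.0f}s")
    print("capacity needed to clear the sell-off:", capacity_to_clear(sell_off_day()))
```

An engine sized at three times the quiet-day average never builds a queue on the quiet day, but the sell-off leaves 12,000 orders unsettled at the close and would need another 4,000 seconds to drain them; clearing the same burst by the close takes twice that capacity. Any structure that is walked or locked per order behaves the same way, which is the data-structure point: a design that is comfortable at one order a second is exercised a hundred times harder by the burst.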

Fifth Amendment: Passphrase cannot be forced

"David Lesher" <>
Tue, 18 Dec 2007 23:21:45 -0500 (EST)
U.S. Magistrate Judge Jerome Niedermeier ruled that a man accused of
transporting child pornography has a Fifth Amendment right to keep his
password in his head, not give it to prosecutors.

In other words, the Fifth Amendment protects the right to keep passwords.


British software pirate sells GBP 12K package at 1/1000

Wed, 16 Jan 2008 07:56:53 EST
Michael Walton broke an encryption code in the AceCad software (a 3D
modeling program for use in the construction of steel structures) which
allowed him to make copies of it. He sold the copies for GBP 12 on eBay.
The company has said that an AceCad licence costs between GBP 12,000 and
20,000.  Walton, who reportedly had 80 identities on eBay, pleaded guilty to
copyright infringement and will be sentenced in February.  The maximum term
to which he might be sentenced is 10 years.

Precisely why he sold the package for less than 0.1% of its commercial value
is not clear.  The strength of the vendor's encryption has been questioned
by some commentators.  [Maybe he missed the K?  PGN]

Peter Mellor  Tel/Fax: +44 (0)20 8459 7669


Peter Zilahy Ingerman <>
Fri, 25 Jan 2008 17:30:21 -0500
The organization that has been set up to distribute set-top converter boxes
( uses a database that was purchased from the US
Postal Service in order to determine whether the applicant address is a
business or a residence.  My address was erroneously classified as a
business. The USPS has corrected the error in their data base, but the
set-top people don't seem to understand that there can be errors in their
database because it isn't current.

Voting Machine Usability Testing

"Ken Dunham" <>
Fri, 1 Feb 2008 12:34:09 -0500
*Technology Review* published results from usability (as opposed to
security) reviews of voting machines, which find significant error rates due
to user confusion.

Ben Bederson <>, an associate professor
at the Human-Computer Interaction Lab at the University of Maryland, was
part of a team that conducted a five-year study
<> on
voting-machine technology. Bederson says that machines should be evaluated
for qualities beyond security, including usability, reliability,
accessibility, and ease of maintenance.  Bederson has designed a prototype
of a user-friendly voting machine.

Whether electronic voting machines are under scrutiny for usability or
security, many experts say that their design flaws call for reevaluation of
the devices. Tadayoshi Kohno <>, an
assistant professor of computer science at the University of Washington, who
has studied the security of several electronic systems, says, "My feeling of
the electronic-voting community is that we started walking down a dark
alley, and we know that it's very dangerous. We know that at the end of the
valley is a safe place. As a philosophical question, I have to ask, should
we continue going down this dark alley, or should we step back and figure
out some other way we want to go to safety?"

Impersonating armored car personnel

Craig Partridge <>
Thu, 17 Jan 2008 17:22:25 -0500
This seems to have suddenly become a popular (and sometimes successful) way
to try to steal money.  Someone impersonating a Brinks carrier got away with
over $100K in the DC area, and it took some time for the bank even to
realize it had been robbed.

Another person wearing a uniform got into an apparently restricted area at a
Brinks facility in Philadelphia and got his hands on $640K but was caught
trying to get out.

The stories don't have enough detail to understand fully how security was
breached but it sounds, from both articles, as if a uniform alone suffices
to identify someone.  No ID checks?

Another public data loss in the UK

Robert Klemme <>
Sat, 19 Jan 2008 17:49:22 +0100
It happened again: a UK government institution lost quite a few data records
of citizens.  I won't bother to list the risks of leaving a laptop with
unprotected data in a car; but again the major risk here is having people
work with sensitive material who are either careless, uneducated or unaware
of the sensitivity of the data.

Automated calling system glitch locks down school

"Steve Eddins" <>
Thu, 31 Jan 2008 09:23:28 -0500
More than 2,000 people in Medford (Mass.) were called with an automated
message: Their children were not in class.  So many parents started arriving
at Brooks Elementary School to check on their children that officials put
the place in lockdown.  Superintendent Roy E. Belson said a telephone glitch
occurred shortly after the district's automated calling system went through
its update.  Someone forgot to log out of the database before trying to send
a message sometime before noon to the few parents whose children had been
marked absent.  [...]  [One of the planned steps for preventing a recurrence
is] posting a sign next to the phone system warning users to 'make sure you
shut down the database before you go to message' mode." [Source: *The Boston
Globe*, 31 Jan 2008]

Re: Air Canada A319 upset (Ant, RISKS-25.02)

Peter Ladkin <>
Tue, 15 Jan 2008 07:54:26 +0100
"Computer malfunction" and "flying manually" on an A319.  What rot.  Yes, I
understand it is what the pilot said (or so it says on a note on an aviation
forum cross-posted from another forum and supposedly written by a B757 first
officer who was on the flight), but he has to say something to all the
people in the back.

Here is a link to the incident report in the Transport Canada Civil Aviation
Daily Occurrence Reporting System:

They do not know if it was turbulence-related, system-related or both.

When there is an upset, the A320-series aircraft have a set of so-called
"Abnormal attitude laws". You can check out the FCOM description of these
and other flight control laws in section 1.27.30 at
or if you don't have time, a very brief comment at
or a little more time for a "Noddy's Guide to Airbus Flight Control Laws" at

I should warn that the "postcount" number on the links above may change as
the forum is edited, which will send them to notes other than the ones I
intend to reference, in which case one can simply search through the notes
on the thread at to
recover the referenced posts.

Peter B. Ladkin  Causalis Limited and University of Bielefeld, Germany

Re: Coffee Grounds Qantas (RISKS-25.02)

Preston de Guise <>
Wed, 16 Jan 2008 11:19:21 +1100
Continuing from the story regarding a leaking coffee area causing a power
outage on a Qantas jet last week, Australia's Sydney Morning Herald reported
today that a former Qantas engineer has been charged with forging a
maintenance engineer's license and maintaining jets without a license.

SMH reports that one of the aircraft he was alleged to have performed
unlicensed maintenance on was VH-OJM, the Boeing 747-438 that suffered a
power loss and made an emergency landing in Bangkok.

The risks of insufficient background checking for such high-profile jobs
(i.e., of the variety "if this is done wrong, people can die") are
obvious. One hopes Qantas revisits confirmation of correct credentials for
all its engineering staff in light of this mishap.

The SMH story can be found at:

Preston de Guise <> +61 414 978 190

Re: Metal structure beneath runway ... (Rees, RISKS-25.03)

Neil Youngman <>
Wed, 30 Jan 2008 13:13:23 +0000
While this may be true, the original story (Dixon, RISKS-25.02) was about
magnetic interference at London City Airport, not London Heathrow.

For those not familiar with London, there are a number of "London" airports.
London City is very central and caters for short haul, mainly business
traffic.  London Heathrow is the main international hub and is situated on
the Western fringes of Greater London, well away from the centre.

The other London airports (Gatwick, Luton, Stansted) are tens of miles outside
the greater London area.

  [Mistaken airport identification in Rees's item also noted by Mark Brader.]

Hoist by one's own petard: data security: UK Child Benefits (R-24.92)

"Adrian Cherry, UK" <>
Tue, 15 Jan 2008 09:42:45 -0000
Following up from "Whole of UK Child Benefit records on CD lost in the post"

>Regarding the possibilities of fraud:
>The data includes: National Insurance (NI) number; name, address and birth
>date; partner's details; names, sex and age of children; bank/savings
>account details ... quite useful for an identity fraudster, particularly the
>NI number.  There is plenty of scope here for a fraudster to redirect payments.

I'm surprised that no mention has been made of one Jeremy Clarkson, an
infamous celebrity motoring journalist. When the story broke about the loss
of the Child Benefit Records on CD he rather rashly claimed that it was a
storm in a tea cup, just a bit of scaremongering. To prove his point he
published personal details and claimed there was nothing to fear. He is now
500 pounds poorer and a little wiser.

At the time he wrote: "I have never known such a palaver about nothing. The
fact is we happily hand over cheques to all sorts of unsavoury people all
day long without a moment's thought. We have nothing to fear."

However, yesterday he told readers he had opened his bank statement to find
a direct debit had been set up in his name and 500 taken out of his

"The bank cannot find out who did this because of the Data Protection Act
and they cannot stop it from happening again," he said. "I was wrong and I
have been punished for my mistake."

He added: "Contrary to what I said at the time, we must go after the idiots
who lost the discs and stick cocktail sticks in their eyes until they beg
for mercy."

REVIEW: "Software Testing Practice: Test Management", Spillner et al.

Rob Slade <>
Thu, 24 Jan 2008 09:47:00 -0800
BKSTPTMN.RVW   20071110

"Software Testing Practice: Test Management", Andreas Spillner et al,
2007, 978-1-933952-13-0, U$44.95
%A   Andreas Spillner
%A   Thomas Rossner
%A   Mario Winter
%A   Tilo Linz
%C   26 West Mission St, Suite 3, Santa Barbara, CA   93101-2432
%D   2007
%G   978-1-933952-13-0 1-933952-13-X
%I   Rocky Nook Inc.
%O   U$44.95 805-687-8727 fax 805-687-2204
%O   Audience i- Tech 1 Writing 1 (see revfaq.htm for explanation)
%P   321 p.
%T   "Software Testing Practice: Test Management"

This book is intended to assist candidates who are writing the exam for the
International Software Testing Qualifications Board (ISTQB) Certified

Chapter one stresses the importance of software and software quality, and
explains that the text is based on the ISTQB Certified Tester second
("Advanced") level, specifically the Test Manager module (excluding the
topic of reviews).  This chapter also presents an overview of the first
("Foundation") level as background.  The tools and processes used to
structure testing are outlined in chapter two.  Testing is examined, in
chapter three, in relation to the software life cycle.  Problems with
different development models are analyzed, but it is interesting that the
complexity of the models is not covered as a risk factor.  Criteria for a
testing policy are discussed in chapter four.  Chapter five mandates a
formal test plan.  The blueprint will be helpful for those who do not have a
structure in place, but appears overly committed to items that are not
inherently necessary for all trials.  Controls to ensure and follow the
progress of testing are detailed in chapter six.  Chapter seven explains
some of the common quality and process improvement models, and their
implications for testing.  Testing is used to detect faults or deviations in
software, and chapter eight looks at the classification and handling of such
issues.  Chapter nine examines risk analysis with respect to software
testing.  The material follows most standard principles for risk management,
and so is not wrong in any specifics, but the text fails to present helpful
means for using this technique to best advantage.  Various important skills
that should be contained within the test team are listed in chapter ten.
Test metrics are discussed, in chapter eleven, in an academic manner that is
very similar to the style of chapter nine.  In the same way, by attempting
to apply a single process of evaluation to all test management software
tools, the authors restrict the utility of chapter twelve.  Chapter thirteen
lists standards bodies, as well as some of the guidelines that relate to
software development and evaluation.

The book reflects the certification, and one cannot fault it for that.
However, if the authors had been willing to move beyond the overall coverage
of principles, they might have produced a more useful work.

copyright Robert M. Slade, 2007   BKSTPTMN.RVW   20071110
