The RISKS Digest

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Volume 25 Issue 76

Saturday 15 August 2009


Amusement rides without Fail-safe States
Debora Weber-Wulff
Taipei rapid transit line closed until further notice
Twitter disruption
Jenna Wortham via PGN
UK national ID card cloned in 12 minutes
Social security to pay $500 million to victims of database error
Rob McCool
Computer Error Caused Rent Troubles for Public Housing Tenants
Manny Fernandez via Monty Solomon
Kentucky election fraud indictments
Sequoia e-voting machine manipulated without insider info
Peter Houppermans
Boy Dies After Mom Says GPS Left Them Stranded in Death Valley
Richard Grady
China backs off on censorship software ...
Lauren Weinstein
Robert P Schaefer
Apple keyboard firmware hack demonstrated
Monty Solomon
Re: Software never fails ...
Martyn Thomas
George Jansen
Andrew Brydon
Paul Edwards
Rob Seaman
Devin Moore
Nick Keighley
Martin Cohen
Re: Ari Juels, Tetraktys, a `cryptographic thriller'
Dag-Erling Smørgrav
Info on RISKS (comp.risks)

Amusement rides without Fail-safe States

Debora Weber-Wulff <>
Sun, 09 Aug 2009 23:14:51 +0200

Spiegel-Online reports that not one, but two amusement park rides in Europe
failed in August 2009 - in a non-safe state.

In Berlin, a car in the ride "Stargate" at the German-American Fair that
just used a rail to hold people in was stuck at the top with the 14
passengers on their heads. It took 20 minutes to get the car down by
hand. The passengers could not be retrieved by firetruck ladder, as opening
the rail would cause everyone to fall down. Some were treated for shock; one
woman apparently thought it was part of the ride. The same fair had an
11-year-old child die a week ago on a children's roller-coaster ride, as
reported by the *Abendblatt*.

In Moscow, a Ferris wheel at the Allunions fairgrounds stopped with about 50
people on board and could not be coaxed to move.  Here the fire trucks could
use ladders, as people were sitting right-side up. There had been repeated
technical problems with the wheel.

(Berlin, Stargate),1518,641351,00.html
(Berlin, Roller Coaster)
(Moscow, Ferris wheel),1518,641379,00.html

Prof. Dr. Debora Weber-Wulff, HTW Berlin, FB 4, Treskowallee 8, 10313 Berlin

Taipei rapid transit line closed until further notice

Sat, 15 Aug 2009 02:56:50 +0800

Taipei, Aug 6. (CNA) The Taipei Mass Rapid Transit (MRT) Neihu line was
closed Thursday noon until further notice due to problems with the
computer system.
OK, they did fix it, but things have been on and off, up and down,

Twitter disruption

"Peter G. Neumann" <>
Sat, 8 Aug 2009 12:22:59 PDT

Many of Twitter's 45 million customers were disrupted for several hours by a
denial-of-service attack on 6 Aug 2009.  This resulted from a spam flood
relating to the Russian-Georgian dispute over Abkhazia.  The messages
contained links to Twitter, Facebook, YouTube, and Google (among others).
However, Twitter users seem to have been affected the most.  Source: Jenna
Wortham, *The New York Times*, 7 Aug 2009; PGN-ed

UK national ID card cloned in 12 minutes

"Peter G. Neumann" <>
Tue, 11 Aug 2009 6:10:38 PDT

The prospective national ID card was broken and cloned in 12 minutes.  The
*Daily Mail* hired computer expert Adam Laurie to test the security that
protects the information embedded in the chip on the card.  Using a Nokia
mobile phone and a laptop computer, Laurie was able to copy the data on a
card that is being issued to foreign nationals in minutes.  He then created
a cloned card, and with help from another technology expert, changed all the
data on the new card. This included the physical details of the bearer,
name, fingerprints and other information.  He then rewrote data on the card,
reversing the bearer's status from "not entitled to benefits" to "entitled
to benefits".  He then added fresh content that would be visible to any
police officer or security official who scanned the card, saying, "I am a
terrorist - shoot on sight."

According to the paper, Home Office officials said the foreign nationals
card uses the same technology as the UK citizens card that will be issued
beginning in 2012.

For more information on the National ID Card scheme:

Social security to pay $500 million to victims of database error

Rob McCool <>
Thu, 13 Aug 2009 22:27:19 -0700 (PDT)

The Social Security Administration has agreed to pay more than $500 million
in back benefits to more than 80,000 recipients whose benefits were unfairly
denied after they were flagged by a federal computer program designed to
catch serious criminals, officials said Tuesday. ...  At issue was a 1996
law, which contained language later nicknamed the "fleeing felon" provision,
that said fugitives were ineligible to receive federal benefits. As part of
its enforcement, the administration began searching computer databases to
weed out people who were collecting benefits and had outstanding
warrants. ...  The lead plaintiff in the class-action suit, Rosa Martinez,
52, of Redwood City, Calif., was cut off from her $870 monthly disability
benefit check in January 2008 because the system had flagged an outstanding
drug warrant in 1980 for a Rosa Martinez from Miami. An investigation showed
that the warrant was for a different Rosa Martinez.  Martinez tried for
months to convince officials that she was innocent, but failed.
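The failure mode in this item is a match on name alone being treated as proof of identity. The following is an added illustration, not part of the RISKS item or of any SSA system: it contrasts name-only matching with a tiered design in which automatic action needs a second identifier to agree and a name-only coincidence goes to human review rather than to a benefit cut-off. All records are constructed; the dates of birth are invented and the names only echo the story.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Record:
    name: str
    dob: str    # ISO date, YYYY-MM-DD
    city: str
    state: str


# Constructed sample data. Fictional dates of birth; the two "Rosa Martinez"
# records model the collision described in the news item.
BENEFICIARIES = [
    Record("Rosa Martinez", "1957-03-14", "Redwood City", "CA"),
    Record("Rosa Martinez", "1961-11-02", "Miami", "FL"),
    Record("Luis Ortega", "1970-05-30", "Tucson", "AZ"),
]
WARRANTS = [
    Record("Rosa Martinez", "1961-11-02", "Miami", "FL"),
    Record("Luis Ortega", "1982-01-09", "Phoenix", "AZ"),
]


def normalize(name: str) -> str:
    """Case- and whitespace-insensitive comparison key for a name."""
    return " ".join(name.lower().split())


def name_only_flags(beneficiaries: List[Record], warrants: List[Record]) -> List[Record]:
    """The risky design: anyone whose name appears on a warrant is flagged,
    regardless of other identifiers. Every namesake becomes a false positive."""
    wanted = {normalize(w.name) for w in warrants}
    return [b for b in beneficiaries if normalize(b.name) in wanted]


def tiered_flags(beneficiaries: List[Record],
                 warrants: List[Record]) -> Tuple[List[Record], List[Record]]:
    """Safer design: a name match alone never triggers automatic action.

    Returns (confirmed, review):
      confirmed - name AND date of birth agree with a warrant record
      review    - name agrees but no other identifier does; a human decides
    """
    by_name: Dict[str, List[Record]] = {}
    for w in warrants:
        by_name.setdefault(normalize(w.name), []).append(w)

    confirmed: List[Record] = []
    review: List[Record] = []
    for b in beneficiaries:
        candidates = by_name.get(normalize(b.name), [])
        if not candidates:
            continue                    # no namesake on any warrant
        if any(w.dob == b.dob for w in candidates):
            confirmed.append(b)         # two independent identifiers agree
        else:
            review.append(b)            # name-only coincidence: do not deny
    return confirmed, review


if __name__ == "__main__":
    print("name-only flags:", [f"{r.name} ({r.city})" for r in name_only_flags(BENEFICIARIES, WARRANTS)])
    confirmed, review = tiered_flags(BENEFICIARIES, WARRANTS)
    print("confirmed:", [f"{r.name} ({r.city})" for r in confirmed])
    print("needs review:", [f"{r.name} ({r.city})" for r in review])
```

With the constructed data, the name-only rule flags all three beneficiaries, including the Redwood City Rosa Martinez and a Luis Ortega born twelve years after the person on the warrant; the tiered rule confirms only the Miami record and routes the other two to review, which is where a wrongly flagged person gets heard before money stops.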

Computer Error Caused Rent Troubles for Public Housing Tenants

Monty Solomon <>
Sat, 8 Aug 2009 17:30:28 -0400
  (Manny Fernandez)

The city's public housing agency overcharged hundreds of welfare families
because of a rent calculation error and took many of them to court,
threatening them with eviction for failing to pay the higher amount.  The
computer problem at the agency, the New York City Housing Authority, is in
the process of being corrected, and none of the tenants were evicted,
officials said.  But the error, which began last September and continued
until May, had serious legal, financial and personal consequences for many
low-income families.

Residents affected by the miscalculations were ordered to appear in Housing
Court for nonpayment of the extra rent, tried in vain to convince building
managers that there had been a mistake and lived in constant fear of losing
their homes because they could not or would not pay the extra money - often
as little as $50 to $200 a month - that the agency claimed it was owed.  The
problem affected only households whose sole income is public assistance.
[Source: Manny Fernandez, *The New York Times*, 6 Aug 2009; PGN-ed]

Kentucky election fraud indictments

"Peter G. Neumann" <>
Mon, 10 Aug 2009 8:06:39 PDT

In the November 2009 election in Kentucky, there was a serious discrepancy
between how ES&S's iVotronic voting machines worked and how some voters were
instructed.  Some voters were apparently falsely told that touching `Vote'
completed the voting process.  However, that only displayed the review
screen, whereas subsequently touching `Cast Ballot' was required.
Conspiratorial election judges were then able to modify the ballot and cast
it.  In addition to the fraud, it is clear that the `vote' screen should
have instead been labeled something such as `review'.  Five insiders were
indicted -- including conspiracy to commit vote fraud, extortion, and
tampering with grand jury witnesses in a subsequent attempt at a cover-up.
[I've been meaning to get this item into the RISKS archives for a long time,
and finally got around to it.  PGN]

Sequoia e-voting machine manipulated without insider info

Peter Houppermans <>
Wed, 12 Aug 2009 10:22:38 +0200

So much for Sequoia's security through obscurity - researchers bought some
machines legally at an auction, and without access to Sequoia's information
(which is heavily and heavy handedly protected) they managed to manipulate
the machines regardless.


Computer scientists have figured out how to trick a widely used electronic
voting machine into altering tallies with a technique that bypasses measures
that are supposed to prevent unauthorized code from running on the device.
[..]  The computer scientists were able to evade this safety mechanism using
return-oriented programming. Rather than designing the malicious code from
scratch, the technique reassembles programming expressions already found in
the targeted software in a way that gives the researchers the ability to
take complete control over the machine. It's tantamount to kidnappers who
write a ransom note using letters cut from the headline of a newspaper.

  [No surprise to the red-team folks involved in last summer's California
  Top-To-Bottom Review (  PGN]

Boy Dies After Mom Says GPS Left Them Stranded in Death Valley

Richard Grady <>
Sun, 09 Aug 2009 20:36:29 -0700

Alicia Sanchez, 28, was found severely dehydrated and remained hospitalized
in Las Vegas a day after being found with her dog, her dead son and a Jeep
Cherokee buried up to its axles in sand.  She told rescuers in California's
San Bernardino County that her son Carlos died Wednesday, days after she
fixed a flat tire and continued into Death Valley, relying on directions
from a GPS device in the vehicle.,2933,538323,00.html

China backs off on censorship software, but may still require real names on comments

Lauren Weinstein <>
Thu, 13 Aug 2009 08:50:04 -0700

Greetings.  *The New York Times* is reporting that China has now
definitively backed off from requiring the installation of
filtering/censorship software on all PCs sold in China.  Internet cafe and
other public computers would still be required to use the software, and two
major manufacturers are already including it on PCs sold in China.

China blames the controversy over the software on "confusion" related
to badly written regulations.

On a related front, the same article reports that China is considering a
requirement that all posters to Internet chat rooms, bulletin board systems,
etc. use their real names (and, I'd be willing to bet, eventually include
other identifying information as well) on all postings.  The stifling
effects of such a requirement on speech are obvious, but I should note that
I regularly hear from people in the U.S. promoting a similar misguided
("Internet Driver's License") concept.

Lauren Weinstein +1 (818) 225-2800  Network Neutrality Squad: [and more]

"Schaefer, Robert P \(US SSA\)" <>
Thu, 6 Aug 2009 14:52:27 -0400

Another website aggregating faults and errors, some of which are due to

  [Weblog maintained by Benjamin Mako Hill.  Lots of RISKS-worthy stuff,
  e.g., a recent item on Akamai and SSL.  PGN]

Apple keyboard firmware hack demonstrated

Monty Solomon <>
Mon, 3 Aug 2009 08:17:54 -0400

Charlie Demerjian at Defcon 17, 31 Jul 2009: Apple needs to patch it ASAP

Apple keyboards are vulnerable to a hack that puts keyloggers and malware
directly into the keyboard. This could be a serious problem, and now that
the presentation and code is out there, the bad guys will surely be
exploiting it.

The vulnerability was discovered by K. Chen, and he gave a talk on it at
Blackhat this year. The concept is simple, a modern Apple keyboard has about
8K of flash memory, and 256 bytes of working RAM. For the intelligent, this
is more than enough space to have a field day.

K. Chen demonstrated the hack to S|A at Defcon today and it worked quite
well. You start out by running GDB, and set a breakpoint in Apple's
HIDFirmwareUpdaterTool. This tool is meant to update the firmware in human
interface devices, hence the name. The tool is run, a breakpoint set, and
then you simply cut and paste the new code into the firmware image in
memory. That's it.

Nothing is encrypted, decrypted, and the process is simple. You then resume
HIDFirmwareUpdaterTool, and in a few seconds, your keyboard is
compromised. Formatting the OS won't do you any good, the code is in
keyboard flash. There are no batteries to pull, no nothing, the keyboard is
simply compromised. ...

Reversing and Exploiting an Apple Firmware Update

Re: Software never fails ... (Robinson, RISKS-25.75)

Martyn Thomas <>
Thu, 06 Aug 2009 21:30:59 +0100

This rambling piece is nonsense and so are the articles it refers to. If
software engineering is not engineering because the specification contains
human requirements that cannot be completely formalised, then nor are civil
engineering, electrical engineering, or any other form of engineering.

The excuses that people come up with to justify their unwillingness to learn
and use some simple mathematics should be collected in a book and studied by
psychiatrists. Meanwhile, as an engineer, I shall continue to believe that
if my square-root function crashes, loops forever, or returns a value that
is not the square root of its argument, then it has failed. And that its
failure is independent of my personal opinion or anyone else's. And that the
straightforward application of some engineering methods can deliver a square
root function that does not fail, together with a proof.

And before anyone says that this is a toy example: (a) it only takes one
counterexample to disprove an absolute claim, and (b) the same methods
are being used routinely, successfully and cost-effectively on many
industrial and commercial projects.
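Martyn Thomas's square-root example, as an added illustration that is not from his post: an integer square root written against an explicit specification (postcondition r*r <= n < (r+1)*(r+1)), with the loop invariant and the termination argument stated in the code and checked at runtime. Failure here is objective in exactly his sense: the function either satisfies that postcondition for every valid input or it does not. The `verify_range` helper is mine; it checks the specification exhaustively over a range rather than proving it, but the comments give the invariant a proof would rest on.

```python
def isqrt(n: int) -> int:
    """Return floor(sqrt(n)) for a non-negative integer n.

    Precondition:  n is an int and n >= 0 (anything else is rejected, not guessed).
    Postcondition: r*r <= n < (r+1)*(r+1)
    """
    if not isinstance(n, int) or isinstance(n, bool) or n < 0:
        raise ValueError("isqrt requires a non-negative integer")
    if n < 2:
        return n                      # 0 -> 0 and 1 -> 1 satisfy the postcondition directly

    # Binary search over the open interval (lo, hi) maintaining the invariant
    #     lo*lo <= n < hi*hi
    # Initially lo = 0 and hi = n: 0 <= n holds, and n < n*n holds for n >= 2.
    lo, hi = 0, n
    while hi - lo > 1:
        mid = (lo + hi) // 2          # lo < mid < hi, so the interval strictly shrinks:
        if mid * mid <= n:            # hi - lo is a decreasing positive integer,
            lo = mid                  # which is the termination argument.
        else:
            hi = mid
        assert lo * lo <= n < hi * hi  # invariant re-established on every iteration
    # Loop exit means hi == lo + 1, so the invariant reads lo*lo <= n < (lo+1)*(lo+1):
    # exactly the postcondition.
    return lo


def check_spec(n: int) -> bool:
    """True if isqrt(n) satisfies its postcondition for this n."""
    r = isqrt(n)
    return r * r <= n < (r + 1) * (r + 1)


def verify_range(limit: int) -> bool:
    """Exhaustive check of the specification for every n in [0, limit)."""
    return all(check_spec(n) for n in range(limit))


if __name__ == "__main__":
    print(isqrt(16), isqrt(15), isqrt(10**40))   # 4 3 100000000000000000000
    print("spec holds on [0, 100000):", verify_range(100_000))
```

Arbitrary-precision integers are what make the postcondition provable rather than approximately true: a floating-point `sqrt` followed by truncation can be off by one once n exceeds 2**53, because the conversion of n to a double already loses information, and no amount of testing small inputs reveals that.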

Re: Software never fails ... (Robinson, RISKS-25.75)

"George Jansen" <>
Thu, 06 Aug 2009 15:18:34 -0400

Perhaps the subject line would more justly be "Software never fails more or
less than it did on release." I am struck in particular by two things:

1. "Any software package ...  only requires maintenance or change because in
   someone's subjective opinion it needs a change." I think that the
   expression "someone's subjective opinion" is not usefully defined. In the
   preceding paragraph it covers changes in the tax law--the subjective
   opinion of the legislators that taxes should go up or down, and of
   businesses that they had better comply--and of network providers that
   they must provide new features. Subjective opinions held by the IRS and
   by enough consumers tend to become compelling enough to affect the
   continued existence of a business, don't they?

This also does not cover such cases as the year 2038 issue. I don't think
it useful to say that it is merely my subjective opinion that we can't stick
with 32 bits and reset the clock to 1970.

2.  "A bridge needs replacement when it collapses or when it is beyond its
    useful life; a building needs replacement under the same circumstances."
    Yet "useful life", unless referring to safety, reflects "subjective
    opinion". Every day (unless in depressed markets), building are
    demolished that could have stood for many years yet; a developer has the
    opinion he'd make more money building a new one. Does the engineer's
    employment by a developer make him less an engineer?

Re: Software never fails ... (Robinson, RISKS-25.75)

Andrew Brydon <>
Fri, 7 Aug 2009 06:40:54 +0100

> But the claim by someone that a software package needs change, updating or
  replacement is, and always will be, a subjective opinion based on nothing
  more than "because I say so."

One difference between engineering software and something physical such as a
bridge is the general population's experience of the domain. The average
person on the street can readily conceive the failure modes of bridges,
their causes and outcomes. The effects of software on the domain world, be
it returning the wrong tax deductions from payroll after a governmental rule
change or simply freezing/crashing are less easily perceived and much less
understood by a non-programmer. However, that does not inhibit someone other
than the originator from making an informed and educated decision, based on
engineering principles, that the product requires updating or replacing.

Re: Software never fails ... (Robinson, RISKS-25.75)

"Paul Edwards" <>
Fri, 7 Aug 2009 22:01:56 +1000 (EST)

Paul Robinson asserts that "the claim by someone that a software package
needs change, updating or replacement is, and always will be, a subjective
opinion based on nothing more than "because I say so." " This assertion
does not stand up at a practical level, nor at a philosophical level. It
fails to recognize that software exists to provide support for specific
real-world activities; software does not exist for its own sake (with the
exception of games and entertainment software).

Well designed and implemented software will reflect the constraints and/or
requirements of the real-life application it is supporting, and if those
constraints and/or requirements change, the software (objectively)
requires updating, otherwise it will fail to achieve its purpose.

Suppose it's 2001, and you have some financial reporting software. As a
result of Sarbanes-Oxley passing in 2002, this software will need updating
in order to accurately support its real-world activity (financial
reporting). Of course, the "do nothing" option here would result in
additional expense for reporting companies through increased headcount,
and an ongoing reduction in efficiency of the financial reporting

Further, whilst I can't speak for the two men involved in drafting SOX,
I'm confident their motivation had precious little to do with software,
and more to do with strengthening financial reporting activities to avoid
another Enron.

The bridge analogy in the original article also fails to stand up to
scrutiny. A bridge near where I used to live was a good solid bridge,
there were no issues with its structural integrity, and it was nowhere
near the end of its life. However, due to unanticipated demographic
movements, the bridge became a bottleneck. It was updated to double the
number of traffic lanes it could handle, to reflect the changing
requirements that the bridge supported (pun intended).

Note that the above holds when instantiating "system" for "software" as well.

Paul Edwards, IT Service Management Consultant, Melbourne, Australia

Re: Software never fails ... (Robinson, RISKS-25.75)

Rob Seaman <>
Tue, 11 Aug 2009 10:33:59 -0700

Paul Robinson makes an interesting observation - that success in
software is subjective - but then overgeneralizes to suggest that
software engineering can never be a rigorous discipline.  Bridges must
be maintained because the external world changes.  This is also true
of software.  Traffic load increases, the balance of expense of
necessary resources (toll plazas, police, paramedics) shifts.  Yes,
tax laws change and cellular networks evolve to vex software
engineers, but this is precisely the same with other types of

More to the point, almost every modern system includes software
dependencies.  Systems engineering would be impossible without taking
software into account.  And programmers - whether or not they are
using formal system engineering methods - should be held as
responsible to the intrinsic requirements of each project as any other
engineer.  Projects are defined by their requirements.  Requirements
are discovered from use cases.  Use cases evolve more rapidly for
certain kinds of projects - those are simply the projects for which
software solutions are most appropriate.  Requirement management
techniques exist precisely to control the subjective aspects of a
project.  These techniques are even *more* appropriate to software
than to other engineering disciplines.

It is also naive to suggest that software never rots or rusts.  The
existence of software is contingent on the vessel containing it.  At
great ongoing expense one can preserve digital copies indefinitely,
but entropy will always win (cf. Claude Shannon).  To suggest,
therefore, that software never fails is naive.  One could similarly
assert that bridges never fail, by redefining their collapse as an
exercise in performance art.  Alternately, even the collapse of
natural bridges (
) may reflect our subjective, but not therefore less real failures
(human induced climate change).

It is true that software failures tend to reflect failures during
design, but this is true of bridges as well.  The total system
involving both must surely include life-cycle maintenance and the
periodic review of external requirements, such as exponentially
growing usage patterns exceeding initial assumptions.  All failures
reveal shortcomings of the human imagination.

The Risk?  Software is only as perfect as its creators.

Rob Seaman <>

Re: Software never fails ... (Robinson, RISKS-25.75)

Devin Moore <>
Thu, 13 Aug 2009 08:20:46 -0400

I would like to comment on the RISKS-25.75 editorial advancing the idea that
software engineering failures or changes are always subjective.  I agree
that for software engineering projects that are proven to have no existing
bugs, any change from that point forward may be a subjective change because
the product is proven to meet its functional requirements.  However,
software can contain bugs and will fail just like any other engineering
project.  For example, if I build a bridge and it collapses, that failure
was because of a flaw rather than someone's opinion about whether the bridge
is failing or not.

Furthermore, I believe in many circumstances software engineering is
rigorous and formally designed, as in safety-critical systems (1)(2).  In
these cases, opinion is not enough to advance that a system is capable of
serving its desired functionality without failure.

Devin Moore
[I am currently a Ph.D student in Information Systems Science at Nova
Southeastern University]

(1) Ponsard, C.; Massonet, P.; & Dallons, G. (2008, October). From Rigorous
Requirements Engineering to Formal System Design of Safety-Critical Systems.
*ERCIM News, Special: Safety-Critical Software* (75). Retrieved August 9,
2009, from

(2) Merino, P.; & Shoitsch, E. (2009). Introduction to the Special Theme:
Safety-Critical Software. Retrieved August 9, 2009, from

Re: Software never fails ... (Robinson, RISKS-25.75)

Nick Keighley <>
Fri, 14 Aug 2009 14:14:16 +0100

> An engineer can determine by experience and judgment that the structure
  is at its lifespan limit or can point to signs of physical rust,
  deterioration, or structure failure indicators that prove their opinion.

This just isn't true. Look at an old street in a European country. Every
building has had substantial changes made to it over time. Buildings have
changed use. Medieval pubs stand on Roman bath houses and office blocks on
old monasteries. Buildings get removed when they can no longer be adapted
for their new purpose. This is a better model of software maintenance.

Software isn't as different from other designed objects as Mr Robinson thinks.

Re: Software never fails ... (Robinson, RISKS-25.75)

Martin Cohen <>
Thu, 6 Aug 2009 14:50:14 -0700 (PDT)

If software requirements change, and the software no longer meets the
requirements, then it has objectively failed - no opinion needed.

This was definitely one of the weirder risks posts.

Re: Ari Juels, Tetraktys, a `cryptographic thriller' (RISKS-25.75)

Dag-Erling Smørgrav <>
Thu, 06 Aug 2009 20:40:35 +0200

> The book, which might be the world's first cryptographic thriller [...]

Not by 10 years:
