The RISKS Digest

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Volume 25 Issue 92

Tuesday 26 January 2010


*NY Times* expose on medical radiation overexposure
Jeremy Epstein
Air-traffic control glitch due to the installation of new software
Chiaki Ishikawa
Extending TCP/IP into space
Randall Webmail
Y2K+10 and SMS
Richard Gadsden
Bodyscanners that don't work
Peter Houppermans
Corporate espionage in the news: Hilton and the Oil industry
Gadi Evron
Have the Chinese Really Hacked into MSN's DB?
Chris J Brady
Cyberattacks on Google in China
Unsearchable stores
Mark Brader
ICSI claims "effectively perfect" spam blocking method
Lauren Weinstein
LORAN being retired
David Magda
Google Maps won't be taking my address for a ride
Upgrading a World of Warcraft account ends in tears
Turgut Kalfaoglu
Unique PINs
Dag-Erling Smørgrav
Re: Offensive shutting down of botnets
Dick Mills
Cloud Computing Security
Ivan Arce
Info on RISKS (comp.risks)

NY Times expose on medical radiation overexposure

Jeremy Epstein <>
Sat, 23 Jan 2010 23:25:21 -0500

There's nothing here that's akin to the infamous Therac disasters where
interactions of hardware and software caused unexpected results, but more
examples of how wrong configurations lead to dramatic radiation
overexposures.  "The Times found that on 133 occasions, devices used to
shape or modulate radiation beams [...] were left out, wrongly positioned or
otherwise misused."  But there were also software errors - crashes that lost
portions of the programming for the radiation beams.  "as [the medical
physicist] was trying to save her work, the computer began seizing up,
displaying an error message.  The hospital would later say that similar
system crashes 'are not uncommon with the Varian software, and these issues
have been communicated to Varian on numerous occasions.'  [...] At 12:57
p.m. -- six minutes after yet another computer crash -- the first of several
radioactive beams was turned on."  In another case, "One therapist
mistakenly programmed the computer for 'wedge out' rather than 'wedge in,'
as the plan required. Another therapist failed to catch the error. And the
physics staff repeatedly failed to notice it during their weekly checks of
treatment records. Even worse, therapists failed to notice that during
treatment, their computer screen clearly showed that the wedge was
missing. Only weeks earlier, state health officials had sent a notice,
reminding hospitals that therapists 'must closely monitor' their computer

The problem was lack of fail-safe processes.  "The software required
that three essential programming instructions be saved in sequence:
first, the quantity or dose of radiation in the beam; then a digital
image of the treatment area; and finally, instructions that guide the
multileaf collimator. When the computer kept crashing, [...] the
medical physicist, did not realize that her instructions for the
collimator had not been saved, state records show. She proceeded as
though the problem had been fixed. "

It's a pretty frightening article.

  [The article spans the middle of the front page and three inside pages.
  It's well worth reading in its entirety.  I also received comments on this
  from Jared Gottlieb, Harry Hochheiser, Matthew Kruk, Nancy Leveson, Martyn
  Thomas, and others.  See recent harbingers (RISKS-25.81,82) of the current
  round of events, as well as the earlier items on the Therac-25 problems
  (RISKS-8.5, 12.50, 14.04).  PGN]

Air-traffic control glitch due to the installation of new software

ishikawa <>
Thu, 21 Jan 2010 18:19:59 +0900

Air-traffic control software problem (airplane positions could not be
identified in a timely manner) caused the disruption of air flights in Japan
on 14 Jan 2010.

This happened after the installation of new software that consolidated the
air-traffic control operations of two large and busy airports, Haneda and
Narita.  The program controls the radar screen displays for the
controllers. Due to a software problem, the display on the screen got
sluggish to the point that the operators switched to a backup system and
operators diverted traffic to other airports and such.

On 15 Jan 2010, the official announcement was made by the Ministry of Land,
Transport, Infrastructure and Tourism that the climate information,
especially bad weather, was mistakenly fed to the module of the control
program that displays the positions of airplanes in this new software
setup. This caused overload of processing, and thus the failure to keep
track of the airplanes timely.

This incorporation of the bad weather is a new feature according to the
short announcement made by the minister in charge.

Usual risk. But I really wonder why this was not caught in advance testing.

The unwanted climate data by the position display module was silently thrown
away without any logging? If the bad weather was properly reflected on the
screen by the feed to the proper module (assuming the testing was done for
the display of bad weather condition on radar), then the data was duplicated
by mistake and fed to the airplane position display module, also?  Why and

Inquiring minds want to know more.

I really wish that there is a public database of software bugs that caused
social glitches like this one and that record details for posterity for the
benefit of future programmers, etc. I suspect such a database will be a
loath to parties in the legal tangling as the result of such bugs, but the
society needs such a database, I think.  We need better foundation and not
try to build sand castles from scratch again and again with similar mistakes
in the foundation.

(This incident has nothing to do with the bankruptcy filing of Japan Air
Lines recently.)

Extending TCP/IP into space (From Dave Farber's IP)

Randall Webmail <>
January 22, 2010 11:16:07 AM EST


Astronauts aboard the International Space Station received a special
software upgrade this week - personal access to the Internet and the World
Wide Web via the ultimate wireless connection.

Expedition 22 Flight Engineer T.J. Creamer made first use of the new system
[on 22 Jan 2010], when he posted the first unassisted update to his Twitter
account, @Astro_TJ, from the space station. Previous tweets from space had
to be e-mailed to the ground where support personnel posted them to the
astronaut's Twitter account.

"Hello Twitterverse! We r now LIVE tweeting from the International
Space Station -- the 1st live tweet from Space! :) More soon, send
your ?s"

This personal Web access, called the Crew Support LAN, takes advantage of
existing communication links to and from the station and gives astronauts
the ability to browse and use the Web. The system will provide astronauts
with direct private communications to enhance their quality of life during
long-duration missions by helping to ease the isolation associated with life
in a closed environment.

During periods when the station is actively communicating with the ground
using high-speed Ku-band communications, the crew will have remote access to
the Internet via a ground computer. The crew will view the desktop of the
ground computer using an onboard laptop and interact remotely with their
keyboard touchpad.

Astronauts will be subject to the same computer use guidelines as government
employees on Earth. In addition to this new capability, the crew will
continue to have official e-mail, Internet Protocol telephone and limited
videoconferencing capabilities.

To follow Twitter updates from Creamer and two of his crewmates, ISS
Commander Jeff Williams and Soichi Noguchi, visit:

For more information about the space station, visit:


  [Well, that may be just a little more secure than an early desire for the
  space station that I heard when I visited Johnson Space Center long ago,
  which was that researchers should be able to uplink over the Internet to
  the Space Station control computer and monitor and guide their own
  experiments in real time.  PGN]

Y2K+10 and SMS

Richard Gadsden <>
Thu, 21 Jan 2010 14:21:01 +0000

The timestamp on SMS messages (known as TP-SCTS) stores the year in two
nibbles in a binary-coded decimal representation with the nibbles swapped.

Aside from the known risks of using a two-digit year, this is about as bad a
representation as can be imagined.  2009 is represented as 1001 0000 in BCD
swapped-nibble (i.e., as 09, decimal). 2010 (decimal) is represented as 0000

A number of telephone SMS programs, generally those that don't inherit a
code-base from pre-Y2K systems, have misread the spec, and are interpreting
it as swapped-nibble binary, rather than BCD, so are interpreting 0000 0001
as 00010000, i.e., as 0x10 or 16 instead of 10.  This is why some phones
(notably Windows Mobiles) are displaying text messages as having been sent
in 2016, rather than 2010.

It's worthy of note that these systems would not have worked correctly in
1999 either - they would have interpreted 0x99 as 153 (decimal) - and may
have displayed either 19153 or 2053.

In the specific case of Windows Mobile, the text message database stores two
dates, the TP-SCTS date and an internal datestamp applied to the text when
received by the phone.  There is a setting in the firmware that allows the
internal datestamp to be shown in preference to the TP-SCTS date, so some
phones are showing the correct information and some are not.  This setting
is set by the firmware programmer, normally being either the manufacturer or
the network operator.


Date code written after 2000 may display Y2K-like bugs, by making
assumptions that all dates are post-2000.

Programs installed in firmware are much more difficult to correct for bugs,
so code quality for firmware is much more important.

Systems are frequently coded to a small set of sample data, rather than to
the actual specification.  Checking against the specification rather than
unit testing with sample data is harder, but may be necessary, especially
for systems that are difficult to correct.

Richard Gadsden

  [The authors of the post-Y2K phone software have obviously never heard The
  Ring of the Nibble-Young-un (Wagner).  It's worthy of a Ring-Tone-Poem
  (Strauss).  PGN]
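
An added example, not part of the original post and not taken from any phone's firmware: a decoder for the swapped-nibble BCD year described above, next to the swapped-nibble binary misreading, so the 2010/2016 divergence can be reproduced. It goes beyond the post by decoding all seven TP-SCTS octets (including the quarter-hour time zone with its sign bit); the function names, the `century` parameter and the sample octets are assumptions constructed for this illustration.

```python
"""Decode the TP-SCTS timestamp of an SMS (7 octets, swapped-nibble BCD)."""
from datetime import datetime, timedelta, timezone


def swapped_bcd(octet: int) -> int:
    """Correct reading: low nibble is the tens digit, high nibble the units."""
    tens, units = octet & 0x0F, octet >> 4
    if tens > 9 or units > 9:
        # Checking against the spec: a nibble above 9 is not a BCD digit.
        raise ValueError(f"octet 0x{octet:02x} is not valid BCD")
    return tens * 10 + units


def swapped_binary(octet: int) -> int:
    """The misreading described in the post: swap nibbles, read as binary."""
    return ((octet & 0x0F) << 4) | (octet >> 4)


def encode_swapped_bcd(value: int) -> int:
    """Encode 0..99 the way the service centre does."""
    tens, units = divmod(value, 10)
    return (units << 4) | tens


def divergent_years() -> list:
    """Two-digit years for which the misreading gives a wrong answer."""
    return [yy for yy in range(100)
            if swapped_binary(encode_swapped_bcd(yy)) != yy]


def decode_scts(raw: bytes, century: int = 2000) -> datetime:
    """Decode 7 TP-SCTS octets into an aware datetime.

    `century` is an assumption of this example: the field carries only two
    year digits, so the caller has to supply the rest.
    """
    if len(raw) != 7:
        raise ValueError("TP-SCTS is exactly 7 octets")
    yy, mm, dd, hh, mi, ss = (swapped_bcd(b) for b in raw[:6])
    # Time zone: quarter-hours from GMT; bit 3 of the octet is the sign.
    tz = raw[6]
    quarters = swapped_bcd(tz & 0xF7)
    if tz & 0x08:
        quarters = -quarters
    offset = timezone(timedelta(minutes=15 * quarters))
    return datetime(century + yy, mm, dd, hh, mi, ss, tzinfo=offset)


# Constructed sample: 21 Jan 2010 14:21:01 at GMT+0.
SAMPLE = bytes.fromhex("01101241121000")

if __name__ == "__main__":
    print("correct :", decode_scts(SAMPLE).isoformat())
    print("misread year:", 2000 + swapped_binary(SAMPLE[0]))
    print("first year the misreading shows up:", 2000 + divergent_years()[0])
```

Years 00 to 09 decode identically under both readings, so sample data captured between 2000 and 2009 could not expose the misreading.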

Bodyscanners that don't work

Peter Houppermans <>
Sun, 24 Jan 2010 14:22:55 +0100

Interesting article in The Register about a full body scanner demo on German
live TV.  You guessed: it would not be news unless the thing had failed
to detect some Very Bad Stuff.

You may want to watch the video, it's in German but I think you will be able
to see that the key message is that the man scanned was carrying more than
what he originally mentioned:

Keep watching - he will use the stuff that wasn't picked up, just to prove
the point (notice that he almost ruins a camera when he stirs the remains).
I hope these scanners won't lure security staff into a false sense of
security, and wonder how the use of these expensive devices will pan out in
real life use.  We'll soon see.

Speaking of pan - no idea of correlation between frying pan material and
what is used for a plane hull..

Corporate espionage in the news: Hilton and the Oil industry

Gadi Evron <>
Tue, 26 Jan 2010 08:53:07 +0200

Corporate espionage in the news, and not just because of Google: Hilton and
the Oil industry. Is anyone calling espionage by means of computers
cyber-espionage yet? I hope not. At least they shouldn't call it cyber war.

Two news stories of computerized espionage reached me today.

The first, regarding the Oil industry, was sent by Marc Sachs to a SCADA
security mailing list we both read. The second, about the hotel industry,
was sent by Deb Geisler to science fiction convention runners (SMOFS)
mailing list we both read.

US oil industry hit by cyberattacks: Was China involved?

  "At least three US oil companies were the target of a series of previously
  undisclosed cyberattacks that may have originated in China and that
  experts say highlight a new level of sophistication in the growing global
  war of Internet espionage."

Starwood Charges That Top Hilton Execs Abetted Espionage

  "Starwood's claim points to a "mountain of undisputed evidence," including
  e-mails among Hilton senior management, that Klein and Lalvani worked with
  others within Starwood to steal sensitive documents by sending them via
  personal e-mail accounts, among other methods, and that such information
  was shared and used by all of Hilton's luxury and lifestyle brands, as
  well as in the development of Hilton's now-shelved Denizen brand. In the
  new filing, Starwood says, "This case is extraordinary, and presents the
  clearest imaginable case of corporate espionage, theft of trade secrets,
  unfair competition and computer fraud...Hilton's conduct is outrageous.""

As to whether China is involved, maybe. But the automatic blaming has got to
stop. Many other countries have been known to be conducting corporate
espionage, such as France, and as the second story above shows, so do
corporations themselves.

[ Source on naming France: ]

But.. here are a few questions:

- My dog barked, was China involved?
- The traffic light turned red, was China involved?
- I am tired. Is China involved?

Have the Chinese Really Hacked into MSN's DB?

Chris J Brady <>
Wed, 20 Jan 2010 06:04:14 -0800 (PST)

Seen in a forum on

"There is a new scam today offering cheap goods from China. They probably
don't exist and they have hacked accounts, it appears they are in the MSN
database. Anyone with hotmail or accounts should change their
passwords. This may be in the wrong thread. We are trying to figure out what
they are doing. It looks like a major operation hacking from China."

Is the risk believing that there is a risk here, or is there more of a risk
in ignoring it? Hmm ... but the Chinese do seem to be gaining a reputation
for hacking.

Cyberattacks on Google in China

"Peter G. Neumann" <>
Tue, 19 Jan 2010 16:21:02 PST

Google has uncovered a "highly sophisticated and targeted attack" coming from
China on its infrastructure that resulted in some of its intellectual
property being stolen.  The cited article suggests that at least 20
technology companies were similarly targeted (and more than 30, according to
other reports).

In addition, *The Jewish Chronicle* website ( was recently

See also John Markoff, David E. Sanger, Thom Shanker, "In Digital Combat,
U.S. Finds No Easy Deterrent", *The New York Times*, 26 Jan 2010, A1/A6
today's National Edition.

Unsearchable stores

Mark Brader
Sun, 24 Jan 2010 17:06:43 -0500 (EST)

Tangentially to recent thread in alt.usage.english, Cheryl Perkins
made a comment about how programmers dealing with addresses "don't
like apostrophes" and "don't allow for their existence".  John Varela
then wrote this (quoted by permission) about his TomTom One 130:

| I ran into that today when I wanted the GPS to take me to a store
| called "Lowe's".  There's no way to enter an apostrophe on the GPS.
| A search for "Lowe" found nothing and a search for "Lowes" found a
| store called "Lowest Price something-or-other".  I had to find the
| place on my own.  Doing so gave me a real feeling of independence
| and of superiority to technology.

Mark Brader, Toronto, | "Fast, cheap, good: choose any two."

  [Lowe'stcommon denominator?  PGN]

ICSI claims "effectively perfect" spam blocking method

Lauren Weinstein <>
January 25, 2010 6:51:19 PM EST

``Researchers have now come up with a system that deciphers the templates a
botnet is using to create spam.  These templates are then used to teach spam
filters what to look for.''

  [Maybe "effectively perfect" against that specific type of attack *at this
  point in the development of spam*.  Just ask Darwin.]  (New Scientist)
      [From the Network Neutrality Squad,]

LORAN being retired

David Magda <>
Thu, 21 Jan 2010 09:00:27 -0500

The U.S. Coast Guard has announced that it will begin turning off the
Loran-C navigation system on February 8, 2010, with a full decommissioning
by October 1, 2010:

While some people have said that GPS has made it redundant, critics of the
decision have said that having redundancy / backups is entirely the
point. The "Federal Register" statement implies that this concern is not
very pressing:

> The Loran-C system was not established as, nor was it intended to be, a
> viable systemic backup for GPS. Backups to GPS for safety-of-life
> navigation applications, or other critical applications, can be other
> radio-navigation systems, or operational procedures, or a combination of
> these systems and procedures. Backups to GPS for timing applications can
> be a highly accurate crystal oscillator or atomic clock and a
> communications link to a timing source that is traceable to Coordinated
> Universal Time.

Not sure what these other navigation systems would be (e.g., WAAS "augments"
GPS, not replaces it). For time at least, WWVB is available in a large portion
of the continental U.S.

Other countries have their own LORAN towers, and it remains to be seen how
this will affect them:


Mon, 11 Jan 2010 02:18:46 +0800

is where I keep my retirement millions. A few days after a
cordial address update I double checked to find it had become a mangled
DONGSHI 42351 PROV-INCE OF CHI TAIWAN behind both my and staff's backs.
In order to please neighboring China, they run a batch job that alters
all Taiwan addresses. It then took much staff effort to whack mine back
into shape.

is where I keep my other millions. Foreign customers have a
pseudo-state of "OT" appended to their addresses. It used to be "OC" but
that probably landed mail into an even darker hole at the post office.

Google Maps won't be taking my address for a ride

Tue, 26 Jan 2010 07:30:24 +0800

Ah, the amazing ability of to pinpoint
anything one tosses into its search box.

Let's just change this search string from house number 21, to e.g., 22:

Whammo... for #21 all along Google was merely matching a text string
attached to a story associated with a point in their database. For #22
etc. Google Maps says "We could not understand the location."

If one has a Facebook account, here I am telling the business owner their
new address finds a point (stuck to their old address (mentioning their new

Me? I'm at,120.866261.
No text strings to get hijacked by pagerank.

Upgrading a World of Warcraft account ends in tears

Turgut Kalfaoglu <>
Wed, 20 Jan 2010 11:04:54 +0200

My son and I have something in common: We love the online game Warcraft.  We
are separated by a continent as he lives with his mother, but we still meet
online through this game.

For those who are not familiar, it consists of a 5GB game download, followed
by numerous similarly-sized updates, and finally being able to play (and pay
monthly) online.

We recently attempted to upgrade our gaming accounts to their new "Wrath of
Leech King" expansion - it was supposed to be a Christmas present for him.
So I entered their web site, gave my credit card details, clicked
upgrade. It promptly said congratulations, and that the account was

A day later, we got another e-mail saying that the purchase was "undone" and
the game upgrade was rolled back. No details were given, but we were given a
hint that we should phone them.  That simple task of phoning them took three
days of non-stop phoning from overseas: Their UK help desk was so
swamped/understaffed that I could not get in their waiting queue.  When I
did, I was dropped off after waiting 9 minutes on the phone.  It eventually
turned out that my security-conscious son had not entered his correct name
and address when signing up to the service some years back, and apparently
it is only during the upgrade that Blizzard bothers to check these things.

After a successful phone call to their help desk, we were sent a
questionnaire to fill out to correct the details.  However, even after the
details were entered into their system, we were STILL denied the
upgrade. Reason? As far as I can tell, it was their security system again:
It will not let you "upgrade" twice from the same IP address!

Since according to their records, we had one "successfully" upgraded, we
were now denied an upgrade!

After numerous fruitless e-mails, I finally re-re-re-did the registration
from a work computer, and it went through, and it became a late new year
present for my son instead.

Moral of the story:
  1) You must reveal your complete identity if you want to play games,
  2) Your request must not look like it's coming from a sweatshop in China.

And you thought playing online games was all fun and games?

Turgut Kalfaoglu, Msc. Computer Engineering, Izmir Institute of Technology

Unique PINs

Dag-Erling Smørgrav <>
Wed, 20 Jan 2010 11:51:22 +0100

A number of municipal cinemas in larger Norwegian cities have a common
fidelity program called Kinosonen ("the cinema zone").  Amongst other
benefits, members get a card they can use to prepay tickets (at a discount,
of course).

A few days ago, two e-mails were sent out to program members.  The first
e-mail enjoined all members to change their PIN as quickly as possible "for
security reasons".  All well and good.  The second...  The second said,
loosely translated:

  We have been notified of a flaw in our procedures, and have asked all our
  members to change their PIN.  Several members have been issued the same
  PIN for their membership cards.  As many as 1200 cards may be affected.
  This only applies to cards issued after 2007-11-25.  We are in the process
  of changing the PIN for those 1200 members.  You will receive a new PIN by

So...  am I to conclude that the security of their system depends on each
member's PIN being unique?  The mind boggles.  If so, why do they ask
members to select their own PIN?  What happens if a member selects a PIN
that is already in use - does she get a message to that effect?  So now she
knows that somebody else uses that PIN, can she take advantage of that
knowledge?  If not, why are duplicate PINs a problem in the first place?

I'm not sure how long the PIN is, by the way, but my guess is four or five
digits.  The total population of these cities and their suburbs is around
two million people.  Even with conservative estimates of their membership
base, latecomers are going to have a hell of a time trying to find an unused
PIN.  Even with six digits, the odds are that a lot of people are going to
use either their birth date or the last six digits of their 12-digit card

Re: Offensive shutting down of botnets

Dick Mills <>
Thu, 21 Jan 2010 09:14:38 -0500

It seems foreseeable that someday a mass cutoff of botnet infected computers
will trigger some kind of disastrous side effect.

Of course, mission critical or life critical applications should never be
allowed to exist on unprotected net connected computers, especially those
infected by malware.  Nevertheless, it would be foolish to presume that
nobody else is ever foolish.

Here's the risk.  We may know that a mass collection of computers are
hosting malware, but we have no way of knowing what good and vital services
they may also be providing.  Is it not true therefore, that any action to
remotely cut off a class of nodes is somewhat reckless by nature?

  [Old whine in new bot-tles?  PGN]

Cloud Computing Security

Ivan Arce <ivan.arce@CORESECURITY.COM>
Sat, 23 Jan 2010 18:24:12 -0200

We have a special issue on Security in Cloud Computing scheduled for
publication in Nov/Dec 2010.  The final date for submissions is approaching
(5 Mar 2010), and the Call for Papers is here:
