The Risks Digest

The RISKS Digest

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Volume 25 Issue 05

Monday 18 February 2008

Contents

L.A. School payroll system's spectacular failure
Richard I. Cook
FBI mistakenly receives supposedly protected e-mail
Steven M. Bellovin
Canadian Government Mails Out Confidential Data
Ken Dunham
JAL cabin crews sue over personal info
PGN
JAL near miss on attempted takeoff
PGN
Future of e-voting in doubt in Japan
PGN
Computer Error Strands Tanker off Massachusetts
Lee Rudolph
Bell Canada Data on 3.4 Million Customers Stolen
Ken Dunham
Royal Canadian Mounted Police Censured for Privacy Violations
Ken Dunham
Re: Lost Kansas City IRS tapes with personal info.
Danny Burstein
Critics chuck MS 'friendly worm' plan on the compost heap
Chris Leeson
Another BlackBerry Outage Caused by System Upgrade?
Ken Dunham
Vulnerability info suppressed by criminals paying to hide it
Ken Dunham
New GAO Report on IRS Information Security Pervasive Vulnerabilities
Diego Latella
The GPS miracle
Rich Mintz
'Woman Says Being Declared Dead Ruins Life'
PGN
A reminder: Eric Sevareid's Law
Ken Knowlton
Ah yes, just what you need!!!
David Lesher
Info on RISKS (comp.risks)

L.A. School payroll system's spectacular failure (Re: RISKS-24.84)

"Richard I. Cook, MD" <ri-cook@uchicago.edu>
Wed, 13 Feb 2008 11:08:29 -0600
—whither the U.S. National Healthcare IT Initiative?

[Source: "Payroll system beset from Day 1: Poor management, software
failures and breakdowns in training led to a yearlong crisis at
L.A. Unified."  Joel Rubin, *Los Angeles Times*, 11 Feb 2008]
http://www.latimes.com/news/local/los_angeles_metro/la-me-payroll11feb11,1,4656862.story?page=1

Painful experience with Los Angeles' 95 million US$ attempt to computerize
its school payroll is reviewed in the referenced article.  Predictable, of
course, but, to quote an old protest song, "we were knee deep in the big
muddy and the big fool said to push on." The spectacular failure is
particularly remarkable because it involved what should have been a rather
mundane project: the computerization of payroll for 36,000 employees. That
such a project should go so badly wrong should, perhaps, make us more
reluctant to embrace much larger efforts.

The present U.S. administration committed US$100 million to a vaguely
outlined project to catalyze the introduction of immediately available
electronic medical records for healthcare in the U.S. The scale of the
project is perhaps three to five orders of magnitude larger than the one
that failed in LA but the sum committed to the endeavor is about the
same. The efforts to introduce interoperable electronic medical records have
been far more expensive and much less successful than anyone is willing to
admit.

A private review of two major hospital systems showed that the overruns are
on the order of 3 to 5 times (sic) the initially proposed price but also
that the systems are delayed years beyond the plan horizon and the
implementations are radically stripped-down versions of what had been
proposed. Many of the high end features that were touted as bringing
increased efficiency and safety to healthcare delivery have been scrapped or
put off until later versions of the system. Senior management in these IT
efforts are routinely replace every few years as schedules slip and costs
increase. Somewhat surprisingly, hospital administrators remain optimistic
regarding the future of these systems—insisting that the problems
encountered are the result of inevitable "growing pains" or narrowly
technical flaws rather than inadequate planning, goal setting, design, or
implementation. (One facility recognized that the project could not be made
to work on the planned platform and essentially scrapped its entire effort
and started over.)  The similarities between the experiences with healthcare
IT and the LA system's evolution are disturbing.

What is particularly troubling about the LA school system story is the
willingness and ability of the system vendors and a few senior managers to
push forward despite many warnings that the project was far off course and
out of control. Institutional needs and conflicts of interest created the
problem and then sustained the fantasy that the system was going to work
even as it was collapsing.

The scale of the healthcare IT initiative might be estimated like this.  The
LA system apparently spent over $50 million before the failure became
apparent—this is for 36K employees or about $1,400/employee.  Taking the
U.S. population at 300 million and assuming that the national effort is
twice as efficient in implementation leads me to believe that about US$20
billion will be spent before people realize that things have gone badly
wrong.  As a sanity check on these numbers, the system reviews described
above indicate that a single facility can easily spend $40 million in direct
expenditures (just the hardware and software and associated IT people)
before realizing that the IT system being built is going to fail. There are
roughly 5000 U.S. hospitals, again giving a roughly US$20 billion loss
estimate.  Of course, the mileage you get may vary.

Recommended reading:
Brooks FP. The Mythical Man-Month: Essays on Software Engineering (2nd
Edition). Addison-Wesley, 336 pages.  ISBN-10: 0201835959


FBI mistakenly receives supposedly protected e-mail

"Steven M. Bellovin" <smb@cs.columbia.edu>
Sun, 17 Feb 2008 13:35:16 +0000
Here's what I put in my blog:

A Technical Mistake
16 February 2008
http://www.cs.columbia.edu/~smb/blog/2008-02/2008-02-16.html

The Electronic Frontier Foundation
<http://www.eff.org/deeplinks/2008/02/foia-document-shows-improper-fbi-access-entire-domains-email>
has obtained an FBI document
<http://www.eff.org/files/090507_surge2.pdf> describing a mistake that
was made in monitoring someone's email: the ISP sent the FBI all of the
email for the entire domain, rather than just the suspect's email.

It isn't surprising that something like this can happen. Matt Blaze
<http://www.crypto.com> and I warned about configuration problems
<http://www.crypto.com/papers/carnivore-risks.html> in surveillance
systems several years ago:

  Needless to say, any wiretapping system (whether supplied by an ISP or the
  FBI) relied upon to extract legal evidence from a shared, public network
  link must be audited for correctness and must employ strong safeguards
  against failure and abuse. The stringent requirements for accuracy and
  operational robustness provide especially fertile ground for many familiar
  risks.

  First, there is the problem of extracting exactly (no more and no less)
  the intended traffic.

The context then was Carnivore, but the problem is the same. On the same
subject, Matt wrote

  More seriously, I suspect that the meat (so to speak) of any meaningful
  analysis of Carnivore's security and behavior lies not in its core source
  code but rather in the parameters used when it is actually configured and
  installed.

In fact, errors by third parties are not uncommon.  *The New York Times*
report on this incident
<http://www.nytimes.com/2008/02/17/washington/17fisa.html> makes it clear:

  Past violations by the government have also included continuing a wiretap
  for days or weeks beyond what was authorized by a court, or seeking
  records beyond what were authorized. The 2006 case appears to be a
  particularly egregious example of what intelligence officials refer to as
  "overproduction"—in which a telecommunications provider gives the
  government more data than it was ordered to provide.

  The problem of overproduction is particularly common, F.B.I. officials
  said. In testimony before Congress in March 2007 regarding abuses of
  national security letters, Valerie E. Caproni, the bureau's general
  counsel, said that in one small sample, 10 out of 20 violations were a
  result of "third-party error," in which a private company "provided the
  F.B.I. information we did not seek."

From what has been released, the FBI did nothing wrong here. In fact, they
say that they destroyed the unwanted (and unauthorized) emails when they
noticed the problem. But mistakes /will/ happen. This is why I and others
have warned <http://www.cs.columbia.edu/~smb/papers/j1lanFIN.pdf> about the
dangers of too-close linkage to the telecommunications system: other
plausible configuration errors could give malicious parties access to the
network.

Surveillance is difficult. Complexity and interconnections make it
dangerous, too.

  [See Steve's blog for more.  PGN]


Canadian Government Mails Out Confidential Data

"Ken Dunham" <kdunham@rogers.com>
Tue, 5 Feb 2008 16:21:51 -0500
Public Works and Government Services Canada (PWGSC), the procurement arm of
the Canadian federal government, mailed out 138 CDs containing confidential
government and commercial data in response to requests made under the Access
to Information Act. The confidential portions of the information were
blacked out, but this was not done properly so anyone in possession of a CD
can easily restore the confidential information. The root cause is
apparently government—mishandling of the new imaging software—used to
process information access requests (insufficient user training?).

The firms whose confidential commercial data has been compromised have been
notified, but the government has refused to identify any of the recipients
of the CDs on the basis that this would violate privacy laws. The Access to
Information Act specifically exempts the government from civil liability for
inadvertent disclosures made in good faith.

The government has asked the 138 recipients of the CDs to return them, but
so far only 28 have done so.

Reported in the Globe and Mail:
http://www.theglobeandmail.com/servlet/story/LAC.20080204.DISCS04/TPStory/


JAL cabin crews sue over personal info

"Peter G. Neumann" <neumann@csl.sri.com>
Sat, 16 Feb 2008 10:50:17 PST
Some 190 current and former cabin attendants of Japan Airlines Corp. and
their union sued the airline and its largest labor union on 11 Feb 2008,
claiming 150 items of personal information on 9800 employees—including
their DoB, home addresses, political beliefs, medical records, family
status, physical descriptions, and internal job performance evaluations --
were collected without their consent, and seeking about 48 million yen in
compensation.  This was just recently discovered.  [Source: Kyodo News, *The
Japan Times*, 27 Nov 2007; PGN-ed]
  http://www.japantimes.co.jp/


JAL near miss on attempted takeoff

<"Peter G. Neumann" <neumann@csl.sri.com>,>
Sun, 17 Feb 2008 15:49:18 PST
A Japan Airlines jet carrying 446 passengers and crew members started
heading down a runway without permission while another JAL aircraft was
still moving on the runway after landing at New Chitose Airport on 16 Feb
2008, but was stopped short of rear-ending the other plane just in time by
an air traffic controller.  The pilot reportedly misunderstood the
controller, who was speaking in English.  [Presumably within the standard
subset used internationally.]  [Source: JAL plane attempts takeoff without
permission in Hokkaido after English language mix-up, *Japan Today*, 18 Feb
2008; PGN-ed]
  http://www.japantoday.com/jp/news/428379
  http://www.yomiuri.co.jp/dy/national/20080217TDY01304.htm


Future of e-voting in doubt in Japan

"Peter G. Neumann" <neumann@csl.sri.com>
Sat, 16 Feb 2008 10:50:17 PST
  A bill designed to introduce electronic voting in national elections has
  been left up in the air due to worries about the system's reliability.
  The bill to revise the law on special provisions of the Public Offices
  Election Law has been carried over to the current Diet session at the
  House of Councillors after the House of Representatives passed it in the
  extraordinary Diet session.  [...]

E-voting began in Japan in Feb 2002 for some local governments, and has
expanded slowly since then, locally.  Past difficulties have apparently
caused questions of credibility.  In one municipal election in July 2003,
all servers went down, affecting Kani's 29 polling stations; the Japanese
Supreme Court invalidated the election.  Another election in Nov 2003 had
problems with communications and servers.  [Source: Discussion needed to
ease fears about touch-screen machines, Ryota Akatsu, Yomiuri Shimbun Staff
Writer, the *Daily Yomiuri, 3 Feb 2008, PGN-ed]
  http://www.yomiuri.co.jp/dy/national/20080208TDY04302.htm


Computer Error Strands Tanker off Massachusetts

Lee Rudolph <lrudolph@panix.com>
Tue, 12 Feb 2008 20:34:00 -0500 (EST)
The Coast Guard says a problem with the computers that control the 933-foot
Catalunya Spirit's tanker's boilers caused a loss of power that left it
adrift off Cape Cod.  Some power has been restored to the switchboards.  The
tanker, carrying liquefied natural gas, is being towed to an anchorage about
seven miles offshore for further troubleshooting.  The tanker was heading
from Trinidad and Tobago to Boston when it lost power early Monday about 45
miles off the Cape.  [Source: Associated Press item, *The Boston Globe*,
online, 12 Feb 2008]

Between the devil and the deep blue screen of death?


Bell Canada Data on 3.4 Million Customers Stolen

"Ken Dunham" <kdunham@rogers.com>
Wed, 13 Feb 2008 09:55:28 -0500
Bell Canada announced that basic personal data for 3.4 million customers in
Ontario and Quebec has been stolen, discovered in electronic form in a
Montreal home after a tip.  The stolen subscriber data reportedly included
names, addresses, telephone numbers, and services, but not financial
information.  However, roughly 5% of the phone numbers are unlisted, which
may cause some consternation.  [PGN-ed]
http://www.reportonbusiness.com/servlet/story/RTGAM.20080212.wbelldata021=3/BNStory/Business/home


Royal Canadian Mounted Police Censured for Privacy Violations

"Ken Dunham" <kdunham@rogers.com>
Thu, 14 Feb 2008 08:29:30 -0500
The Privacy Commissioner of Canada has censured the Royal Canadian Mounted
Police (RCMP), Canada's national police force, for maintaining large numbers
of secret files in violation of both RCMP policy and Canadian law.

Summary: http://www.privcom.gc.ca/media/nr-c/2008/nr-c_080213_e.asp

Full report:
http://www.privcom.gc.ca/information/pub/ar-vr/rcmp_080213_e.pdf

Backgrounder:
http://www.privcom.gc.ca/media/nr-c/2008/nr-c_b-di_080213_e.asp

The RCMP has been struggling with criticism on a number of fronts recently,
and this report is likely to strengthen calls for stronger governance and
management oversight.

The RCMP have already committed to addressing the concerns raised by the
Privacy Commissioner. The latter will be conducting a follow-up audit to
verify compliance.


Re: Lost Kansas City IRS tapes with personal info. (RISKS-25.03)

Danny Burstein <dannyb@panix.com>
Sat, 19 Jan 2008 22:16:30 -0500 (EST)
KC faulted after probe of IRS tapes missing from City Hall
Lynn Horsley, *The Kansas City Star*, 19 Jan 2008

"A federal investigation of missing Internal Revenue Service tapes from City
Hall in Kansas City has concluded that the city failed to follow 'proper
safeguards for protecting federal tax return information.'  That conclusion
is contained in a heavily redacted report obtained recently by The Kansas
City Star under a Freedom of Information Act request to the Treasury
Department's inspector general for tax administration.  The inspector
general's investigation stemmed from the disappearance of 26 IRS computer
tapes containing taxpayer information. The tapes, which have never been
found, are normally used by the city to help enforce collection of the 1
percent city earnings tax paid by people who live or work in Kansas City."

[ and for good measure ]

"The IRS has never said what information was on the tapes, how many
taxpayers were affected, or whether those taxpayers would ever be notified
about the missing information."

http://www.kansascity.com/news/politics/story/451282.html


Critics chuck MS 'friendly worm' plan on the compost heap (The Register)

"Chris Leeson" <Chris.Leeson@atosorigin.com>
Fri, 15 Feb 2008 16:07:21 -0000
http://www.theregister.co.uk/2008/02/15/ms_friendly_worm/

Microsoft are reportedly working on plans to distribute patches using
techniques similar to those used by computer worms. Understandably, these
plans are not popular amongst the security specialists.

The idea is that patches can be distributed within subnets to machines that
are likely to be configured in a similar way. This hopes to reduce the load
on download servers that currently take a huge hit when patches are
released.

Of course, the process would be uncontrolled, and would never be secure
enough for safe practical use.

(We have had the "benign virus" appear RISKS before, of course.  If I
recall correctly, Cliff Stoll posted about a similar idea by Fred Cohen
in RISKS-12.27.  Chris)
  http://catless.ncl.ac.uk/Risks/12.27.html#subj13.1 )


Another BlackBerry Outage Caused by System Upgrade?

"Ken Dunham" <kdunham@rogers.com>
Tue, 12 Feb 2008 10:34:47 -0500
BlackBerry messaging services were interrupted Monday afternoon (February
11) throughout North America due to an unspecified problem at the RIM data
center in Canada through which all BlackBerry email messages are processed.
Although RIM states the outage began at 3:30pm EST, this BlackBerry user
also noticed message delays at various points earlier in the day. Jim
Balsillie, RIM's co-CEO, speculated that the outage was caused by a system
upgrade: "At the core virtually all these things tend to happen on service
upgrades".

This latest outage follows on the heels of another widespread outage last
April, which was attributed to the introduction of a new feature that had
been insufficiently tested.

Reported in the Ottawa Citizen and elsewhere:
http://www.canada.com/ottawacitizen/news/story.html?id=3D23a3b21b-3d52-4714-b232-b7098c9f4996
<http://www.canada.com/ottawacitizen/news/story.html?id=3D23a3b21b-3d52-4714-b232-b7098c9f4996&k=3D8706> &k=3D8706=20

  [Also reported by Mike Hogsett.  PGN]


Vulnerability info suppressed by criminals paying to hide it

"Ken Dunham" <kdunham@rogers.com>
Wed, 13 Feb 2008 10:07:35 -0500
The annual ''X-Force'' report, released on 12 Feb 2008 by Internet Security
Systems, part of IBM Corp., says network and software vendors acknowledged
6,437 security flaws in 2007, down 5.4 percent from the prior year, but up
from 4,824 the year before that.  [Good news and bad news.]  But the real
bad news may be that a black market has emerged "that will pay up to
$100,000 (euro68,766) to computer whizzes" who find vulnerabilities and sell
the information to criminal gangs eager to exploit them.  Thus, it is
profitable NOT to publicly report previously undetected flaws.  [Source: Web
security report says known vulnerabilities fall because criminals pay to
hide them, Associated Press item; PGN-ed]
http://www.technologyreview.com/printer_friendly_article.aspx?id=20206
http://www.iss.net/documents/literature/x-force_2007_trend_statistics_report.pdf


New GAO Report on IRS Information Security Pervasive Vulnerabilities

Diego Latella <Diego.Latella@isti.cnr.it>
Wed, 13 Feb 2008 17:18:45 +0100
On 8 Jan 2008 the GAO published a report that may be of interest for
many RISKS readers:

GAO-08-211 Information Security: IRS Needs to Address Pervasive Weaknesses
http://searching.gao.gov/query.html?charset=iso-8859-1&ql=&rf=2&qt=GAO-08-211&Submit=Search

Dott. Diego Latella - Senior Researcher - CNR/ISTI, I56124 Pisa (ITALY)
http://www.isti.cnr.it/People/D.Latella - phone:+39 0503152982

  [This is just one in a very long series of GAO reports on IRS computer
  problems.  PGN]


The GPS miracle

Rich Mintz <richmintz@richmintz.com>
Tue, 5 Feb 2008 11:50:49 -0500
All the anecdotes about how GPS has led people down the garden path, into
lakes and rivers, 300 miles out of the way, etc., are entertaining—I
consume them hungrily.  But is the situation they represent really that new,
or really limited to technology?

The same thing can happen (and does) when people expect a printed map to be
a perfect reflection of the real-world things (roads, etc.) it symbolizes,
or to have complete information, or to be current.  Some of the printed maps
in my car don't show the directions of one-way streets, so "relying" on them
can lead me around in circles.  *None* of the printed maps in my car show
the locations of things like "no left turn" signs, bridge ramps that are
closed during rush hours, etc.  And maps know even less about traffic
conditions than GPS does (or can, at least in theory).  Someone who drives
frequently in the real world (or, for that matter, who does almost anything
in the real world) constantly has to contend with incomplete or imperfect
data, and constantly revise his or her mental map or action plan based on
new information.  That is as true for us as it is for zebras in the wild
trying to keep from being eaten by lions.

With that as context, GPS navigation is nothing short of miraculous.  To
someone who doesn't understand the underlying science (and I am *almost* in
that category, having only a basic conceptual grasp of how it works), it is
like magic—a magical black box that knows where you are, where you are
going, and how to get there, almost without limitation.  When I bought my
basic no-frills consumer GPS navigation device six weeks ago, I was fully
prepared for an experience that fell short of my expectations.  I
anticipated imprecision, the occasional inaccuracy, out-of-date road data.
But no.  The thing has worked exactly as advertised from the moment I took
it out of the box in the parking lot of the store where I bought it.

In about 5,000 miles of driving, all across the congested New York region
and up and down the Eastern Seaboard, *not once* has the system steered me
wrong, aside from the two or three times that it was momentarily confused
about my location on startup.  *Not once* has it so much as instructed me to
make an illegal turn, let alone an impossible one.  Half a dozen times I
have thought "it must be mistaken, I'm going to ignore it and turn here
instead"—on every such occasion, it was right and I was wrong.  When I
divert from the recommended route (for instance, because I as a human have
knowledge about traffic conditions that makes an alternate route
preferable), it notices what I am doing and recalculates a new route
automatically according to my wishes in about eight seconds.  The sole
exception is that sometimes, in a complicated stack of highway ramps (as on
the approach to the Brooklyn-Battery Tunnel in lower Manhattan), it
momentarily gets confused about which level I'm on.  But within a few
seconds, it rights itself again.

At least in this relatively densely populated part of the United States, it
appears to me to have *perfect* knowledge of every street, highway, ramp,
and access road—not *significant* knowledge, not *very good* knowledge,
but *perfect* knowledge.  I say that knowing that it cannot be literally
true, but for all practical purposes, to me it might as well be.  And on top
of that, it has a surprisingly complete and current database of business
addresses and phone numbers (want a bagel right now in an unfamiliar
neighborhood of Danbury, Connecticut?  need to find a post office in a city
you have never set foot in until 5 minutes ago?  It can tell you where).

The device doesn't obviate the need to have common-sense overview knowledge
of unfamiliar areas before heading into them ("if the GPS device stopped
working, what road would I ask directions to?"), nor the need to pay
attention to make sure that the real world conforms with the map on the
screen.  But I would say that since getting the device, my driving paradigm
has permanently changed.  I still carry a stack of maps and atlases in the
car, but now I only look at them when I'm heading somewhere completely new
for the first time.  I leave the device on all the time, even when I'm not
heading anywhere in particular, so I have an overview map of my surroundings
right in front of me—which has frequently led to interesting detours I
never would have thought to make without it.  I go anywhere I like, in any
direction, and never worry about getting lost.  I freely detour from my
planned route whenever I feel like it, even in completely unfamiliar areas,
secure in the knowledge that I can easily find my way back (or find a more
efficient route from the stopover to my ultimate destination).  It is
nothing short of miraculous.

  [Reminder: RISKS is always short on success stories, so I am happy to run
  this one.  PGN]


'Woman Says Being Declared Dead Ruins Life'

"Peter G. Neumann" <neumann@csl.sri.com>
Sat, 16 Feb 2008 7:10:36 PST
News Story - WSMV Nashville
  http://www.wsmv.com/news/15315424/detail.html?taf=nash


A reminder: Eric Sevareid's Law

Ken Knowlton <KCKnowlton@aol.com>
Wed, 6 Feb 2008 12:13:28 EST
(Lest we forget:)

  "The chief cause of problems is solutions."
  Eric Sevareid, 1970


Ah yes, just what you need!!!

"David Lesher" <wb8foz@panix.com>
Mon, 11 Feb 2008 10:47:14 -0500 (EST)
Forwarded message:

> From: <ntisa77@yahoo.com.au>
> To: <wb8foz@panix.com>
> Subject: I've visited your website http://www.csl.sri.com/~risko/risks.txt
> Date: Mon, 11 Feb 2008 23:58:42 +1100
>
> Hi,
>
> We've seen your website at http://www.csl.sri.com/~risko/risks.txt
> and we love it!
>
> We see that your traffic rank is 0
> and your link popularity is 0.
> Also, we see that you are online since <Online since>.
>
> With that kind of traffic, we will pay you up to $4,800/month
> to advertise our links on your website.
>
> If you're interested, read our terms from this page:
> http://www.contactthem.ws/hit.php?s=10&p=2&w=102122
>
> Sincerely,
>
> Ngaupokoina Isamaela
> The ContactThem Network
> 61395628930

Why am I reminded of the line from Animal House:
"And as for you, you don't even HAVE a grade point average! Zero point zero"

  [David, Ngaupo obviously wants to be your Auto-Mate manager.  PGN]

Please report problems with the web pages to the maintainer

Top