The RISKS Digest
Volume 25 Issue 07

Saturday, 1st March 2008

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator



Risks of Leap Years and Dumb Digital Watches
Mark Brader
Risks of Leap Years and Dumb Airline Software
$1.2 billion up in smoke
Paul Saffo
Southeast Florida Massive Power Outage
Steven J. Greenwald
FL power failure triggered by human error
Lauren Weinstein
Competent? We can't even archive our own e-mail reliably!
Jim Horning
DreamHost Accidentally Bills Customers $7,500,000
Dan Jacobson
IT Project Failure Blog
Ken Dunham
Is the "law of unintended consequences" biting W3C DTD reference?
George Michaelson
Pakistan, YouTube, Google, and No Simple Answers
Lauren Weinstein
Re: YouTube outage blamed on Pakistan
R A Lichtensteiger
Richard Grady
Jay R. Ashworth
Cold Boot Attacks: Vulnerable While Sleeping
Ed Felten via Monty Solomon
Citibank needs a clue
Rich B. Astaird
Re: Hoist by one's own petard: data security: UK Child Benefits
Merlyn Kline
REVIEW: "Better Ethics Now", Christopher Bauer
Rob Slade
Info on RISKS (comp.risks)

Risks of Leap Years and Dumb Digital Watches

Mark Brader
Fri, 29 Feb 2008 03:15:30 -0500 (EST)
All right now, how many people reading this:

[1] saw a previous version of this message in RISKS-6.34, 13.21, 17.81,
    20.83, and/or 23.24?
[2] have watches that need to be set back a day because (unlike the
    smarter kind of digital watch) they went directly from February 28
    to March 1? and
[3] *hadn't realized it yet*?

Personally, I first remembered it was time for my quadrennial posting
and only then that I therefore needed to reset my own watch...

Mark Brader, Toronto,

Risks of Leap Years and Dumb Airline Software

"Peter G. Neumann" <>
Sat, 1 Mar 2008 8:15:24 PST
Passengers using United Airlines' Easy Check-In were unable to print out
boarding passes for several hours on Friday 29 Feb 2008.  This was not a
problem four years ago, and apparently came as a surprise to UAL.
[Source: A short AP item spotted in the *San Francisco Chronicle* this
morning.  PGN-ed]
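Both items above are the same defect: date code that treats February as a fixed 28 days. The following is an added example, not code from either contributor, that models the "dumb watch" rollover next to the correct Gregorian rule and checks both against Python's own calendar over a span of years; all function names are mine.

```python
import datetime


def is_leap(year):
    """Gregorian rule: every 4th year, except centuries, except every 400th year."""
    return year % 4 == 0 and (year % 100 != 0 or year % 400 == 0)


def days_in_month(year, month, leap_aware=True):
    """Length of a month. leap_aware=False models the dumb watch that
    believes February always has 28 days."""
    if month == 2:
        return 29 if (leap_aware and is_leap(year)) else 28
    return 30 if month in (4, 6, 9, 11) else 31


def next_day(year, month, day, leap_aware=True):
    """Roll a (year, month, day) tuple forward by one day."""
    if day < days_in_month(year, month, leap_aware):
        return (year, month, day + 1)
    if month < 12:
        return (year, month + 1, 1)
    return (year + 1, 1, 1)


def drift_days(start_year, end_year, leap_aware=True):
    """Count the days in [start_year, end_year] on which next_day() disagrees
    with the reference calendar (datetime); i.e. how often the watch goes wrong."""
    bad = 0
    d = datetime.date(start_year, 1, 1)
    end = datetime.date(end_year, 12, 31)
    while d < end:
        ref = d + datetime.timedelta(days=1)
        if next_day(d.year, d.month, d.day, leap_aware) != (ref.year, ref.month, ref.day):
            bad += 1
        d = ref
    return bad


if __name__ == "__main__":
    print("2008-02-28 -> smart:", next_day(2008, 2, 28),
          "dumb:", next_day(2008, 2, 28, leap_aware=False))
    print("dumb-watch mismatches 2001-2012:", drift_days(2001, 2012, leap_aware=False))
    print("leap-aware mismatches 1900-2100:", drift_days(1900, 2100))
```

The exhaustive comparison is the useful part: it catches the century cases (1900 is not a leap year, 2000 is) that a spot check on 2008 alone would miss.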

$1.2 billion up in smoke

Paul Saffo <>
Fri, 22 Feb 2008 22:04:35 -0800
There is something deeply obscene about the idea of a $1.2 billion plane to
begin with, but the thought of it burning up only brings to mind what myriad
other, better purposes that money could have been put to...  p

B-2 Stealth Bomber Crashes on Guam, The Associated Press, 23 Feb 2008

A B-2 stealth bomber crashed [on 23 Feb 2008] at an air base on Guam, but
both pilots ejected safely and were in good condition, the Air Force said.
It was the first crash of a B-2 bomber.

The accident occurred 11 days after a Navy plane crashed into the ocean
about 20 miles northeast of Guam's Ritidian Point. Four aircrew members
ejected from the EA-6B Prowler electronic warfare aircraft and were rescued
by helicopter.

Southeast Florida Massive Power Outage

"Steven J. Greenwald" <>
Tue, 26 Feb 2008 18:19:41 -0500
PGN asked me to write up something regarding the Southeast Florida power
outage because of my location (North Miami).  I don't really know much more
than what the new media have reported, but I can give some local anecdotal

According to my UPS software, power failed today (February 26, 2008) at
13:09:12. This jibes with news media accounts of power failing at 9 minutes
after 1pm.

Millions of people lost power (I heard 2.3 million at one point).

I first heard that the two Turkey Point nuclear reactors just south of Miami
(Key Biscayne National Park area) shut down as well as the two coal plants
at the same site. This piqued my interest, especially because we have no
coal powered plants at that site (we do have two gas powered plants at that
site, in addition to the two nuclear reactors). I have yet to get in touch
with a contact that works for Florida Power & Light (FPL) at that site (he
monitors the endangered salt water crocodile population that thrives at the
Turkey Point site).

Later reports stated that a total of 8 power plants shut down. I don't know
specifics, but heard that the other 3 nuclear plants in the state did not
shut down (Crystal River (1), and Port Saint Lucie (2)). Miami's mayor
reported "It was not sabotage" early on (I congratulate him on his technical
expertise). Recently (approximately 17:10) FPL has reported that the failure
got caused by a substation equipment failure in the western part of
Miami-Dade county (the Everglades?).

Huge sections of Miami-Dade county endured long blackouts (as I write this
about 800,000 "customers" still have no power). Broward county (just north
of us) endured many surges, and outages occurred as far north as Daytona
(according to the news media) and as far south as the Florida Keys.

Many people evacuated high-rise office buildings in downtown Miami. The
Wachovia building (44 stories) currently serves as the news media focus, as
people had to walk down 44 flights of stairs (some in high heels; office
workers in tall buildings might want to keep backup sneakers by their
workstations). Why a building like that does not have backup power remains a
great mystery to me. Many felt thankful they did not get stuck in elevators.

Traffic lights went out across the county causing massive traffic problems
that still have not gotten resolved as I write this (17:25).  Again, I
wonder why the traffic lights do not have backup power.

Most businesses gave employees the rest of the day off, which I suppose just
exacerbated the traffic snarls. The county schools kept students
on-site. Our train system failed, and the county has finally sent school
buses to the stations to move the people.

Many people eating lunch had problems paying, and many restaurants had to
add up bills manually, which evidently caused some problems due to
innumeracy and computer issues.

My fiancee, Laura Corriss, who works at Barry University (Miami Shores),
reports that they never lost power and did not suspend classes. Her brother
Michael reported that power went out on Miami Beach.

Our friend Myfanwy James who works at a law office on the 14th floor of a
building in the Brickell area (near downtown Miami) reports that they lost
power so she took the emergency elevator down (the building has a generator)
and went home. She reported a lot of traffic snarls, but nothing else.

Another friend, Vivian Marthell (a local artist specializing in the
intersection of art and technology/science), reports that in her area
(downtown Miami) the expressway appeared totally backed up. Vivian, an
all-around smart person, asked me, "You know
the old Emergency Broadcast System? Why can that get done using wireless
technology so that we could find out about these things faster, and get
updates?"  I must give Viv total credit for this idea (I have not heard it
before); if anyone wishes to contact her feel free to send me a note and I
will put you in touch.

Another contact reports that school children in a South Miami school got
evacuated because their classrooms had no windows (no light, air, etc.).

I have nothing else to report, but now it starts to get dark.

FL power failure triggered by human error

Lauren Weinstein <>
Fri, 29 Feb 2008 17:54:46 -0800 (PST)
  A field engineer was diagnosing a switch that had malfunctioned.
  Without authorization, he disabled two levels of relay protection.
  This affected 26 transmission lines and 38 substations.  [PGN-ed]

Competent? We can't even archive our own e-mail reliably!

"Jim Horning" <>
Wed, 27 Feb 2008 13:20:18 -0800
  A former White House technology manager told the committee that the Bush
  administration's e-mail system "was primitive and the risk that data would
  be lost was high."  More than 1000 days worth of e-mail has vanished.

  [Try  The *WashPost* URL moved.]

DreamHost Accidentally Bills Customers $7,500,000

Dan Jacobson <>
Thu, 07 Feb 2008 04:03:17 +0800

The billing glitch happened when Josh was manually running the billing
script for the last two weeks. Instead of inputting the billing date
as 2007-12-31, he ran the script for 2008-12-31...

IT Project Failure Blog

"Ken Dunham" <>
Tue, 12 Feb 2008 12:09:37 -0500
Michael Krigsman maintains a blog on ZDNet summarizing a wide range of IT
project failures:

Is the "law of unintended consequences" biting W3C DTD reference?

George Michaelson <>
Sat, 9 Feb 2008 14:48:26 +1000
The blog says
  that badly written software which doesn't cache, or work out what it
  doesn't need, is fetching the DTD reference that everyone points at the
  W3C, around 130,000,000 times a day, or 350Mbps of resources.

Does this remind anyone of the time the home-box vendors put a university's
NTP server address in firmware? except this time, (and I don't really mean
this, but it is in my mind...) the W3C sort-of did it to themselves..

The blogs mention remediation such as relocating the URL to paths more
amenable to anycast or other distribution methods. Doubtless this will
solve itself in time.
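The "software which doesn't cache, or work out what it doesn't need" point is easy to demonstrate on the parser side. The following is an added example, not from the post or the W3C blog: an expat-based parser whose external-entity handler serves DOCTYPE references from a local catalog and records, rather than performs, any fetch that would have gone to the network. The catalog entry is a constructed stand-in for the real XHTML DTD, and the class and function names are mine.

```python
import xml.parsers.expat as expat

# Constructed local catalog: system identifier -> locally cached DTD text.
# The entry below is a tiny stand-in, not the real W3C DTD.
LOCAL_DTD_CATALOG = {
    "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd":
        "<!ELEMENT html (body)>\n<!ELEMENT body (#PCDATA)>\n",
}

# Constructed sample document carrying the DOCTYPE reference everyone points at W3C.
SAMPLE_DOC = (
    '<?xml version="1.0"?>\n'
    '<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"\n'
    '  "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">\n'
    '<html><body>hello</body></html>\n'
)


class CatalogParser:
    """Parses XML while resolving external DTD references from a local catalog.
    Anything not in the catalog is logged as an avoided network fetch and skipped."""

    def __init__(self, catalog):
        self.catalog = catalog
        self.cache_hits = []          # system ids served from the local copy
        self.network_attempts = []    # system ids that would have hit the network
        self.elements = []            # element names seen, to show parsing went on

    def parse(self, text):
        p = expat.ParserCreate()
        # Ask expat to process the external DTD subset, so our handler is consulted.
        p.SetParamEntityParsing(expat.XML_PARAM_ENTITY_PARSING_ALWAYS)
        p.ExternalEntityRefHandler = self._external_ref
        p.StartElementHandler = lambda name, attrs: self.elements.append(name)
        self._parser = p
        p.Parse(text, True)
        return self.elements

    def _external_ref(self, context, base, system_id, public_id):
        dtd = self.catalog.get(system_id)
        if dtd is None:
            # No cached copy: refuse to fetch, just record it and carry on.
            self.network_attempts.append(system_id)
            return 1
        self.cache_hits.append(system_id)
        sub = self._parser.ExternalEntityParserCreate(context)
        sub.Parse(dtd, True)
        return 1


if __name__ == "__main__":
    cp = CatalogParser(LOCAL_DTD_CATALOG)
    print(cp.parse(SAMPLE_DOC), "cache hits:", cp.cache_hits)
    empty = CatalogParser({})
    empty.parse(SAMPLE_DOC)
    print("fetches avoided:", empty.network_attempts)
```

Counting `network_attempts` across a production workload is a cheap way to find the code paths that would otherwise be contributing to the 130,000,000 daily requests described above.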

Pakistan, YouTube, Google, and No Simple Answers (Re: RISKS-25.06)

Lauren Weinstein <>
Tue, 26 Feb 2008 17:29:57 -0800 (PST)
  [From Network Neutrality Squad (]

The Pakistan/YouTube story brings together a number of different elements
that touch on Network Neutrality (and what I might call "content
neutrality") in various ways that are useful to examine further, even though
we may stray away from the central network neutrality focus momentarily.

First, I'll offer a comment regarding my use of the term "religious zealots"
relating to take-down demands at YouTube.  No quibbling—as far as I'm
concerned anyone who wishes to block the entire planet from seeing material
that one religious group feels is distasteful or blasphemous (for religious
reasons) is a zealot.  It makes no difference if we're talking about any of
the world's major religions or the "Slackers" at the Church of the SubGenius
-- the same standards apply.

Now, if a country wants to *try* block their population from certain
Internet materials, that may be their right, however ineffective
such efforts will ultimately be
( ).

But when those efforts impinge on the rights and access of everyone else, we
enter an unacceptable situation.  In the case of Pakistan's disrupting
YouTube routes globally, I'm perfectly willing to accept the explanation
that this was a combination of error and fundamental routing
vulnerabilities.  The latter in particular is a topic for another time.

But the fact that Google reportedly pulled down the video in question that
triggered this entire situation is of much greater concern.  The fact that
this video could be seen as violating particular YouTube rules is notable,
but questions of the equality, "neutrality," and global impact of those very
rules are of even more import.

I appreciate—in fact I applaud—the need for Google to be responsible
with their sites' contents.  But we repeatedly see a double standard in this
regard that is increasingly difficult to fathom.

If you show up at Google with a DMCA take down order, you generally get a
rapid response.  This is understandable—DMCA is the law—at least at
the moment.

But it's far less clear why Google should permit religious demands to
(attempt) to censor material globally as reportedly occurred in this
situation.  Pakistan's laws and religious sensibilities don't trump the rest
of the world's rights, nor should any country have a veto over what other
countries' populations can access.

This situation is made all the more perplexing by Google's routine refusal
in most cases to act in instances of *individuals* being defamed or
otherwise damaged by Web sites that prosper solely on the basis of
high-ranking Google search results.  I've made a number of past proposals
relating to this area (e.g. "Search Engine Dispute Notifications: Request
For Comments" - ( and linked
items), plus I've previously discussed how Google has made an initial step
in a relevant positive direction relating to news sources ("Google Takes
First Key Step Toward Search Dispute Resolutions" - ).

However, for the vast majority of conventional (non-news source) Web pages
in Google search result listings, concerned parties have no effective
mechanism to comment or otherwise flag results to indicate that serious
disputes are in progress, so they effectively have no recourse.

This then is the dichotomy.  Certain classes of content and complaints
result in action from Google, and others simply do not.

What's particularly depressing about this situation is that, in my opinion,
Google appreciates that this is a problem, but feels that they can't risk
really dealing with it.  In fact, I've discussed some of these issues
face-to-face with various Google folks (especially in the context of my
"Urgent Call For a Google At-Large Public Ombudsman" - ( ) and I've come away with the
strong impression that they felt both sympathetic and impotent in this

Google impotent?  A contradiction in terms?  Not really.  My sense is that
they are very concerned that if they opened the door broadly to these kinds
of complaints, they'd be flooded with aggrieved parties and be essentially
paralyzed as a result.

I definitely do agree that there are serious scalability issues that impact
on these matters, but I don't feel that these issues present intractable
problems, and I don't consider the alternative of the status quo to be

However, these are all of course decisions for Google to make, and my
effective influence over events up at the Googleplex is nil.

What this all boils down to is that these are complex situations with few
clear-cut, off-the-shelf answers waiting to be plucked.  But we can try to
work our way through them to the best of our abilities, and ideally with as
little animosity and as much good will as possible.

Lauren Weinstein, NNSquad Moderator

Re: YouTube outage blamed on Pakistan (Shapir, RISKS-25.06)

R A Lichtensteiger <>
Mon, 25 Feb 2008 19:15:56 -0500
It was a local route leaked into the global BGP mesh.

AS 17557 (PKTELECOM-AS-AP Pakistan Telecom) announced a route for the
netblock YouTube is in and was sinking the traffic locally. Except that the
BGP announcement of the routes "leaked" out to their upstream provider,
PCCW.  From PCCW, it spread, and therefore lots of places saw that as a
shorter route to the YouTube servers than the legitimate announcement.

According to reports I've seen, the YouTube/Google engineering staff tried
to override the announcement on that netblock by announcing a pair of
specific (/25) routes for the same block. That didn't work out because most
network providers filter out announcements for space smaller than a /24.

The risk and lesson?  "Trust, but verify," of course.

Had PCCW implemented filters on inbound BGP announcements and limited its
downstreams to only those netblocks it has, this wouldn't have happened.

The network of networks is built on trust; it has to be, because the whole
point to the thing is to push management out toward the edges and
decentralize the system.  But there +are+ safety valves—places you can
examine the incoming data and sanity check it.  PCCW didn't. How many
others don't either?  And how many of them are having engineering
conferences right now trying to make sure they aren't the next cause of a
high profile outage like this one?

Only time will tell.

  [Noted by others.  For example, Anthony DeRobertis suggested
  "A quick visit to's bgplay shows the mistake fairly clearly."
  Andrew Pam cited
  Tore A. Klock recommended a writeup by Danny McPherson here on what (most
  likely) happened:
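The two mechanisms in the post above, longest-prefix selection that lets a leaked more-specific win, and the ingress prefix-list on a customer session that would have stopped it at the upstream, can be shown in a few lines. The following is an added example, not code from the contributor or any router vendor: a toy RIB with a simplified decision process and two ingress policies. AS 17557 is the number given in the post; every other ASN and prefix is a constructed placeholder from the private and documentation ranges, and the leak being a /24 more-specific is an assumption of the example, not a statement about the incident.

```python
import ipaddress
from dataclasses import dataclass

# Common operator policy (assumed here): ignore anything more specific than /24.
MAX_PREFIX_LEN = 24


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    as_path: tuple  # leftmost ASN is the neighbour we heard the route from


def length_policy(route):
    """Global ingress filter: drop announcements longer than /24."""
    return route.prefix.prefixlen <= MAX_PREFIX_LEN


def customer_policy(allowed):
    """Ingress filter for a downstream customer session: accept only prefixes
    inside the address space that customer is registered as holding."""
    nets = [ipaddress.ip_network(a) for a in allowed]
    def policy(route):
        return length_policy(route) and any(route.prefix.subnet_of(n) for n in nets)
    return policy


class Rib:
    def __init__(self):
        self.routes = []

    def learn(self, route, policy):
        """Apply the session's ingress policy; report whether the route was installed."""
        if policy(route):
            self.routes.append(route)
            return True
        return False

    def best(self, ip):
        """Longest prefix match, then shortest AS path (a simplified BGP decision)."""
        ip = ipaddress.ip_address(ip)
        candidates = [r for r in self.routes if ip in r.prefix]
        if not candidates:
            return None
        return min(candidates, key=lambda r: (-r.prefix.prefixlen, len(r.as_path)))


def route(prefix, *path):
    return Route(ipaddress.ip_network(prefix), tuple(path))


# Constructed scenario. AS 17557 is from the post; the rest are placeholders.
AS_VIDEO, AS_TRANSIT, AS_UPSTREAM, AS_LEAKER = 64496, 64501, 64500, 17557
LEGIT = route("198.51.100.0/22", AS_TRANSIT, AS_VIDEO)    # content provider's block
LEAK_SEEN_FAR_AWAY = route("198.51.100.0/24", AS_UPSTREAM, AS_LEAKER)
LEAK_AT_UPSTREAM = route("198.51.100.0/24", AS_LEAKER)
OVERRIDES = [route("198.51.100.0/25", AS_TRANSIT, AS_VIDEO),
             route("198.51.100.128/25", AS_TRANSIT, AS_VIDEO)]
LEAKER_SPACE = ["192.0.2.0/24"]   # what the upstream knows its customer holds


def scenario_unfiltered():
    """A distant network applying only the /24 rule: the more-specific leak wins,
    and the provider's /25 counter-announcements are dropped by that same rule."""
    rib = Rib()
    rib.learn(LEGIT, length_policy)
    rib.learn(LEAK_SEEN_FAR_AWAY, length_policy)
    overrides_installed = [rib.learn(r, length_policy) for r in OVERRIDES]
    return rib.best("198.51.100.10").as_path, overrides_installed


def scenario_upstream_filtered():
    """The upstream applies a customer prefix-list: the leak is never installed,
    so it is never re-announced and traffic keeps following the legitimate route."""
    rib = Rib()
    rib.learn(LEGIT, length_policy)
    leak_installed = rib.learn(LEAK_AT_UPSTREAM, customer_policy(LEAKER_SPACE))
    return rib.best("198.51.100.10").as_path, leak_installed


if __name__ == "__main__":
    print("unfiltered:", scenario_unfiltered())
    print("upstream filtered:", scenario_upstream_filtered())
```

The asymmetry the post describes falls out directly: the same /24 cut-off that lets a leaked /24 propagate is what makes a /25 counter-announcement useless, which is why the fix belongs on the upstream's customer session rather than with the victim.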

Re: YouTube outage blamed on Pakistan (Shapir, RISKS-25.06)

Richard Grady <>
Mon, 25 Feb 2008 19:52:21 -0800
The referenced story says

  "The government has valid reason for that, but they have to find a better
   way of doing it. If we continue blocking popular websites, people will
   stop using the Internet."

Perhaps that is the real agenda.  Block all the good sites, and the people will
give up using the Internet.

  [Fat chance.  PGN]

Re: YouTube outage blamed on Pakistan (Shapir, RISKS-25.06)

"Jay R. Ashworth" <>
Tue, 26 Feb 2008 16:16:39 -0500
The Pakistani PTT was *apparently* using BGP advertisements to hijack
YouTube's IP address range, and redirect it to some in-country machines that
displayed a message saying that YouTube was Baaaaad.

Alas, those announcements, which shouldn't have been leaked *out* of the
Pakistani Autonomous System (AS 17557), and then shouldn't have been
permitted to leak *into* any of their upstreams... did.

Here's regular RISKS contributor Steve Bellovin's take on it:

It has a link at the very bottom to a much more in-depth treatment from
BGP-watchers Renesys:

RISKS?  Well, the top one I see is people saying "oh, it's just
YouTube."  What happens next time, when it's not YouTube, it's eTrade?

This one was very probably just sloppy network engineering.  That doesn't
mean the next one *won't* be an attack.  Just because hoofbeats usually mean
horses, don't forget that there *are* zebras out there.  (That is the
original intent of the medical quote, in case you ever wondered...)

Jay R. Ashworth, Ashworth & Associates, St Petersburg FL  +1 727 647 1274

Cold Boot Attacks: Vulnerable While Sleeping (Ed Felten)

Monty Solomon <>
Fri, 29 Feb 2008 17:32:06 -0500
[From Ed Felten's blog 26th Feb 2008]
(Re: RISKS-25.06)

Our research on cold boot attacks on disk encryption has generated lots of
interesting discussion. A few misconceptions seem to be floating around,
though. I want to address one of them today.

As we explain in our paper, laptops are vulnerable when they are "sleeping"
or (usually) "hibernating". Frequently used laptops are almost always in
these states when they're not in active use - when you just close the lid on
your laptop and it quiets down, it's probably sleeping.

When a laptop goes to sleep, all of the data that was in memory stays there,
but the rest of the system is shut down. When you re-open the lid of the
laptop, the rest of the system is activated, and the system goes on running,
using the same memory contents as before.  (Hibernating is similar, but the
contents of memory are copied off to the hard drive instead, then brought
back from the hard drive when you re-awaken the machine.) People put their
laptops to sleep, rather than shutting them down entirely, because a
sleeping machine can wake up in seconds with all of the programs still
running, while a fully shut-down machine will take minutes to reboot.  [...]

Citibank needs a clue

<Rich B. Astaird>
Fri, 29 Feb 2008
I just dug an e-mail from Citibank out of the Spam folder.  I know it's
really them because they have my full name and the last four digits of my
card number listed inside.  It was a very "Important Message":

   Dear Rich B. Astaird,

   As a current Citi Cardmember, you know your security is our top
   priority. But we also want to make sure you receive emails containing
   important information from us.

   Don't let Citi messages be filtered out by your e-mail provider - add
   our "from addresses" to your address book.

     Follow these 3 simple steps:
     1. Open your e-mail address book
     2. Add a contact or "add new contact"
     3. Enter and click Save

As reported previously in RISKS, some banks don't seem to have a clue about
how to use email securely.  Or, in this case, how to keep their email out of
the Spam folder.  It's not: just ask Mr. SpamAssassin what not to do:

> Content analysis details:   (5.1 points, 5.0 required)
>  pts rule name              description
>  --- ---------------------- ---------------------------------------------
>  3.1 RCVD_IN_NJABL_SPAM     RBL: NJABL: sender is confirmed spam source
>                             [ listed in]
> -0.0 SPF_HELO_PASS          SPF: HELO matches SPF record
>  0.0 HTML_MESSAGE           BODY: HTML included in message
>  2.0 FROM_EXCESS_BASE64     From: base64 encoded unnecessarily

A quick check on the IP address (, a company known for
its bulk mailings and spammer-like behavior), shows it is also listed in the
SORBS and CSMA blacklists.  Let's see, if I were Citibank, and wanted to
stop my mail from getting flagged as spam, would I (a) stop outsourcing my
email to a company with a reputation for spamming, or (b) send
vaguely-worded email to my customers in the hope that it will convince them
to whitelist my return address?

The worst-case RISK is that people who use a provider where such
instructions actually work will follow them, and then every phishing email
trying to steal their Citibank credentials will sail right through.

Way to go, Citibank!

Very truly yours,

   (not) Rich B. Astaird
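To see which hits actually pushed the message over the line, it helps to parse the report rather than eyeball it. The following is an added example, not code from the contributor or from SpamAssassin: a parser for the quoted "Content analysis details" block shown above (the sample text is copied from the post), which totals the rule scores, checks them against the reported values and lists the rules whose absence alone would have let the mail through. Function names are mine.

```python
import re
from dataclasses import dataclass, field
from decimal import Decimal

# The report quoted in the post, kept with its ">" quoting.
SAMPLE_REPORT = """\
> Content analysis details:   (5.1 points, 5.0 required)
>  pts rule name              description
>  --- ---------------------- ---------------------------------------------
>  3.1 RCVD_IN_NJABL_SPAM     RBL: NJABL: sender is confirmed spam source
>                             [ listed in]
> -0.0 SPF_HELO_PASS          SPF: HELO matches SPF record
>  0.0 HTML_MESSAGE           BODY: HTML included in message
>  2.0 FROM_EXCESS_BASE64     From: base64 encoded unnecessarily
"""

HEADER_RE = re.compile(r"\((-?\d+\.\d+) points, (-?\d+\.\d+) required\)")
HIT_RE = re.compile(r"^\s*(-?\d+\.\d+)\s+([A-Z][A-Z0-9_]*)\s+(.*)$")


@dataclass
class Hit:
    score: Decimal
    rule: str
    description: str


@dataclass
class Report:
    reported_total: Decimal
    required: Decimal
    hits: list = field(default_factory=list)


def parse_report(text):
    """Parse a SpamAssassin content-analysis block, optionally '>'-quoted."""
    report = None
    for raw in text.splitlines():
        line = raw[1:] if raw.startswith(">") else raw   # strip one quote level
        m = HEADER_RE.search(line)
        if m:
            report = Report(Decimal(m.group(1)), Decimal(m.group(2)))
            continue
        if report is None:
            continue
        m = HIT_RE.match(line)
        if m:
            report.hits.append(Hit(Decimal(m.group(1)), m.group(2), m.group(3).strip()))
        elif line.strip().startswith("[") and report.hits:
            # Continuation line belonging to the previous rule's description.
            report.hits[-1].description += " " + line.strip()
    if report is None:
        raise ValueError("no SpamAssassin content analysis header found")
    return report


def total_score(report, exclude=()):
    """Sum of rule scores, optionally leaving some rules out."""
    return sum((h.score for h in report.hits if h.rule not in exclude), Decimal("0"))


def is_spam(report, exclude=()):
    return total_score(report, exclude) >= report.required


def decisive_rules(report):
    """Positive-scoring rules whose removal alone would have let the message through."""
    return [h.rule for h in report.hits
            if h.score > 0 and not is_spam(report, exclude={h.rule})]


if __name__ == "__main__":
    r = parse_report(SAMPLE_REPORT)
    print("computed", total_score(r), "reported", r.reported_total, "spam:", is_spam(r))
    print("decisive rules:", decisive_rules(r))
```

For this report both the blacklist hit and the needlessly base64-encoded From: header are decisive; fixing either on the sending side would have kept the message out of the Spam folder without asking customers to whitelist anything.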

Re: Hoist by one's own petard: data security: UK Child Benefits (Cherry, RISKS-25.04)

"Merlyn Kline" <>
Tue, 5 Feb 2008 09:30:23 -0000
> I'm surprised that no mention has been made of one Jeremy Clarkson, ...

Perhaps not mentioned because it bears no real relevance. The UK direct
debit system is set up so that anybody who is empowered to create direct
debits can do so with no more than the information that, as Clarkson
originally said, is published on every cheque we write (among other places).
The system is designed to make it easy for companies such as utilities to
set up direct debits. The security is in the careful vetting by the banks of
the companies so empowered, and the guarantee that the banks make to their
customers: that if a direct debit is ever used to take money from your
account without your permission, they will refund it without question.
Clarkson could presumably avail himself of the benefit of this guarantee if
he so chose. It probably serves him better not to do so in this case.

What has happened here is that the charity which has received the money has
either over-stepped the line of its own direct debit agreement with the
bank, or has had its own security compromised in some way which has nothing
to do with Clarkson's publication of his bank details (or, indeed, the loss
of Child Benefit records). Under the circumstances I suppose it seems
churlish to all concerned to go after the charity, as would otherwise
normally happen.

So Clarkson was right first time round and to have so publicly reversed
his position does not seem well.

REVIEW: "Better Ethics Now", Christopher Bauer

Rob Slade <>
Mon, 25 Feb 2008 12:04:05 -0800
BKBEETNO.RVW   20071118

"Better Ethics Now", Christopher Bauer, 2005, 978-0-9765863-3-3,
%A   Christopher Bauer
%C   1604 Burton Ave., Nashville, TN   37215
%D   2005
%G   0-9765863-3-9 978-0-9765863-3-3
%I   Aab-Hill Business Books
%O   U$21.99/C$29.99 615-385-3523
%O   Audience n Tech 1 Writing 2 (see revfaq.htm for explanation)
%P   171 p.
%T   "Better Ethics Now: How to Avoid the Ethics Disaster You Never
      Saw Coming"

A note on the title page of the book states that the text is intended
to educate and entertain in regard to ethics, and that the material is
neither comprehensive nor tested.  (It is ethical to let the reader
know that, although my initial reaction was that the "entertain"
aspect might have been a bit of an abdication of the author's
responsibilities to the readers.)  The introduction asserts that the
focus of the work is on how a lack of personal responsibility creates
the foundation for corporate ethical disasters, and that having
individuals improve their own ethical standards will enhance the
integrity of the company.  There is, of course, something to this,
although it does fly in the face of a great many studies identifying
the "tone at the top" as the major determinant of corporate ethical

Chapter one notes that ethical breaches in companies have serious financial
ramifications, and reiterates the position that assessing your own morals
will improve those of the company, primarily by forcing you to determine if
the normal business behaviour you are asked to follow is ethical.  (This
does tie back to the issue of "tone at the top": if your ethics stand up to
scrutiny and you feel comfortable in your working environment, the tone is
probably OK.)  Ethics are guiding principles, chapter two tells us.  It
isn't just following (or even breaking) rules, says chapter three.  Chapter
four seems to repeat this last, in slightly different wording, properly
taking issue with the subject of "compliance," which has become something of
a buzzword and panacea in recent years.  Using cute expansions of "ethics"
as an acronym, chapter five tentatively introduces the idea of personal
responsibility and decision.  A simple tool for personal assessment is
described in chapter six.  Chapter seven examines the issues of reporting or
otherwise dealing with ethical violations that you discover.

Chapter eight moves the discussion to the corporate level, noting the
importance of policy statements, processes, and procedures.  Ethical
behaviour involves achieving positive actions, we are told in chapter
nine, rather than merely avoiding negative ones.  Chapter ten does
promote the importance of the "tone at the top," noting that sometimes
you, as an employee, may need to walk away from an intolerable
situation.  Chapter eleven suggests that those in management and
leadership need to communicate ethics directly and openly.  The idea
that the moral standards of each employee are important is again
stressed in chapter twelve.  Proper ethics are not always easy, says
chapter thirteen.  Chapter fourteen repeats encouragement to be
proactive about promoting ethics, and suggests various procedures for
the corporation.

There are other books on ethics, and business ethics as well.  Johnson's
"Computer Ethics" (cf. BKCMPETH.RVW) is a classic and Tavani's "Ethics and
Technology" (cf. BKETHTCH.RVW) adds depth and intellectual rigour.  Bauer's
work is very different: there is little academic or conceptual background,
but the brevity and practicality of the work may make it more suitable for
the general work environment.  While it doesn't add much to the debate, it
could certainly be used for training and the promotion of ethical standards,
and is probably more accessible for the general population of employees and

copyright Robert M. Slade, 2007   BKBEETNO.RVW   20071118
