The RISKS Digest
Volume 25 Issue 1

Monday, 7th January 2008

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Please try the URL privacy information feature enabled by clicking the flashlight icon above. This will reveal two icons after each link the body of the digest. The shield takes you to a breakdown of Terms of Service for the site - however only a small number of sites are covered at the moment. The flashlight take you to an analysis of the various trackers etc. that the linked site delivers. Please let the website maintainer know if you find this useful or not. As a RISKS reader, you will probably not be surprised by what is revealed…


Fire! Works! oops, too slow
Mark Brader
Boeing 787 networking issues
Martyn Thomas
Feds Release Pass Card details
Brock N. Meeks via David Farber
Has chip-and-pin failed to foil fraudsters?
Pere Camps
Sears exposes customers' information via its web site
Rich Kulawiec via IP
User Data Stolen From Pornographic Web Sites
David Lesher
Election Computers Stolen in Tennessee
David Lesher
Er, Airline Captains Do What, Again?
Rick Moen
Risks of embedded javascript
Paul Wallich
Mercedes console display with conflicting information
Henry Baker
Mac Quickbooks update deletes user desktop
Bonnie Packert
No more loose lithium batteries in checked luggage
Peter Gregory
Risks of believing what you see on the WayBack Machine
Fred Cohen
Re: Computer Failure Causes Closure of Seattle Downtown Transit Tunnel
Stanislav Meduna
Re: Satnav: Nope, you can't get there from here.
Craig DeForest
Re: Satnav
Martyn Thomas
Re: Drunk a better guide than sat nav
Ross Younger
Passing of Computing and Information Security Pioneer: Jim Anderson
Gene Spafford
Info on RISKS (comp.risks)

Fire! Works! oops, too slow

Mark Brader
Wed, 2 Jan 2008 13:33:53 -0500 (EST)
Due to "a corrupted computer file", a New Year's fireworks show in Seattle
had to be set off manually.  Not only did that mean that the technicians had
to *press all the buttons themselves*, but the display was *not properly
synchronized* with the music that accompanied it!  What a horrible fiasco!
Oh the humanity!

  [I suppose Manual-ed Fire could have been accompanied by Manuel De Falla.
  I defy-ya' to play Noches en los jardines de Seattle as accompaniment.
  On the other hand, if the manual operation had misfired, they might have
  been sheepless in Seattle.  PGN]

Boeing 787 networking issues

Martyn Thomas <>
Sun, 06 Jan 2008 09:56:56 +0000
The FAA has issued "special conditions" for certification of the Boeing 787.
(mirrored at

In part, these state:

"Novel or Unusual Design Features

The digital systems architecture for the 787 consists of several
networks connected by electronics and embedded software. This proposed
network architecture is used for a diverse set of functions, including the
following: 1. Flight-safety-related control and navigation and required
systems (Aircraft Control Domain).  2. Airline business and administrative
support (Airline Information Domain).  3. Passenger entertainment,
information, and Internet services (Passenger Information and Entertainment
Domain).  The proposed architecture of the 787 is different from that of
existing production (and retrofitted) airplanes. It allows new kinds of
passenger connectivity to previously isolated data networks connected to
systems that perform functions required for the safe operation of the
airplane. Because of this new passenger connectivity, the proposed data
network design and integration may result in security vulnerabilities from
intentional or unintentional corruption of data and systems critical to the
safety and maintenance of the airplane. The existing regulations and
guidance material did not anticipate this type of system architecture or
electronic access to aircraft systems that provide flight critical
functions. Furthermore, 14 CFR regulations and current system safety
assessment policy and techniques do not address potential security
vulnerabilities that could be caused by unauthorized access to aircraft data
buses and servers. Therefore, special conditions are imposed to ensure that
security, integrity, and availability of the aircraft systems and data
networks are not compromised by certain wired or wireless electronic
connections between airplane data buses and networks."

According the the story in Wired

"Boeing spokeswoman Lori Gunter said the wording of the FAA document is
misleading, and that the plane's networks don't completely connect.  Gunter
wouldn't go into detail about how Boeing is tackling the issue but says it
is employing a combination of solutions that involves some physical
separation of the networks, known as "air gaps," and software
firewalls. Gunter also mentioned other technical solutions, which she said
are proprietary and didn't want to discuss in public.  "There are places
where the networks are not touching, and there are places where they are,"
she said.  Gunter added that although data can pass between the networks,
"there are protections in place" to ensure that the passenger Internet
service doesn't access the maintenance data or the navigation system "under
any circumstance."  She said the safeguards protect the critical networks
from unauthorized access, but the company still needs to conduct lab and
in-flight testing to ensure that they work. This will occur in March when
the first Dreamliner is ready for a test flight."

So that's all right, then. After all, no security problem has ever shown up
after testing, has it?

  [The planned test flight should be interesting. Where can you get a
  plane-load of suicide hackers at short notice?  MT]

    [This risk also spotted by Edwin Slonim
    and Ric Steinberger.  PGN]

Feds Release Pass Card details [from David Farber's IP]

"Brock N. Meeks" <>
December 31, 2007 4:13:01 PM EST
The government has dragged its feet in releasing the final details about its
Pass Card technology, and now they dump it into the Federal Register on the
last day of the year.  The government has decided to go with a technology
that is more suited to tracking inventory and can be read from up to 20 feet
away.  Govt.  officials counter by saying privacy protections will be built
into the cards.

Passport cards for Americans who travel to Canada, Mexico, Bermuda and the
Caribbean will be equipped with technology that allows information on the
card to be read from a distance.  The technology was approved on 30 Dec 2007
by the U.S. State Department.  Privacy advocates were quick to criticize the
Department for not doing more to protect information on the card, which can
be used by U.S. citizens instead of a passport when traveling to other
countries in the western hemisphere.  The technology would allow the cards
to be read from up to 20 feet away.  The technology is "inherently insecure
and poses threats to personal privacy, including identity theft," said Ari
Schwartz of the Center for Democracy and Technology.  [Source: Eileen
Sullivan, Passport card technology criticized, Associated Press; from the
Ft. Worth Star-Telegram; PGN-ed]

Has chip-and-pin failed to foil fraudsters?

Pere Camps <>
Thu, 03 Jan 2008 10:31:22 +0100
Interesting Chip-and-PIN article by the Guardian here:

  [Purveyors and law enforcement folks say crime is down.
  The article says maybe not.  (Starkly PGN-ed)]

Sears exposes customers' information via its web site (via IP)

<Rich Kulawiec []>
Fri, 4 Jan 04 2008 1:26 PM
  [From David Farber's IP group]

Summary: if you know someone's name, address and phone number, you can
retrieve their purchase history from Sears' web site.

This is an interesting follow-on to the recent discovery that Sears is
pushing spyware:

User Data Stolen From Pornographic Web Sites

"David Lesher" <>
Sun, 6 Jan 2008 21:39:13 -0500 (EST)
Consumers of Internet pornography who secretly signed up for memberships on
adult-oriented Web sites in the past few months may be in for a shock --
some of their personal information, including e-mail addresses, may have
been compromised by a security breach.  ....  The breach has raised serious
alarm in the world of adult-oriented Web sites, with many concerned about
the effect on customers if they learn that their most secret transactions
are not so secret after all.  [Source: *The Washington Post, 3 Jan 2008]

  [This gives new meaning to "Porn site exposes ...  PGN]

Election Computers Stolen in Tennessee

David Lesher <>
Fri, 28 Dec 2007 21:21:09 -0500
Thieves stole laptop computers containing the names and social security
numbers of every registered voter in the city from election commission
offices over the Christmas holiday.  The computers also contain voters'
addresses and phone numbers.  [Associated Press, 28 Dec 2007]

  [In David Farber's IP, Brad Malin noted an article by Michael Cass in the
  *Tennesseean*, 3 Jan 2008.  The building had weekend 12-hour periods
  without guards, and had no alarms or video surveillance.  PGN]

Er, Airline Captains Do What, Again?

Rick Moen
Sun, 30 Dec 2007 18:25:15 -0800
A nicely articulate Blog piece of *The New York Times* about TSA-screening
absurdities drew the usual litany of wry anecdotes and complaints, but this
one stood out for its peerless irony value:

  #61.  29 Dec 2007

  About two years after 9/11 I was selected at random by a TSA agent for
  additional security screening at an airport checkpoint.  I was asked to
  remove my hat, shoes, belt, and jacket, after which I was told to spread
  my arms and legs for electronic "wanding".

  When I asked why I had been chosen for the extra attention, two more
  agents quickly appeared, and their unsmiling faces emphasized that airport
  security was, indeed, very serious business.  "We need to be sure you
  don't have anything you can use to take control of an aircraft", the
  screener told me.  I will never forget the absurdity of his words.

  You see, I was, in fact, about to take control of an aircraft, an Airbus
  A320 to be precise, and fly it up the Potomac River to LaGuardia.  That's
  what airline Captains like me get paid to do.  That's why I had showed up
  at the airport in full uniform, properly credentialed and ready to go.

  Security was then, and remains now, largely a sham.  It's all about
  politics and the appearance of vigilance.  It's about collecting pocket
  knives from forgetful, but otherwise law-abiding people.

  We have been lead to believe that we now have the best secured aviation
  system in the world.  And if success is measured with flow-charts, color
  codes, and administrative name changes, maybe we do.

  In truth, we have all been let down by the very people in charge.  They
  would have us believe that they are actually addressing security issues,
  when in fact they are doing little more than staging public relations

  Posted by Rick Reahr

Plus ša change....  My father, Pan Am Captain Arthur Moen always marveled at
the foolishness of taking pocket knives from airline pilots, and tried
fruitlessly for decades to get the airlines and FAA to install
intrusion-resistant cabin doors, something they did only three decades after
his death (by defective jet).

Risks of embedded javascript

Paul Wallich <>
Mon, 07 Jan 2008 10:57:08 -0500
This one is old, but I bet it still bites plenty of people who would know
better if they gave it a thought. Last night I was configuring a new
wireless access point, and after some gymnastics getting it to show up on my
wired network (it comes hard-coded to an inconvenient IP address) I got
ready to configure the password, same as the old one. So I clicked on the
setup page of the browser-based configuration program, and nothing. WEP, but
no WPA. I checked the package; it claimed to do WPA. I read the
instructions; there was the part about setting WPA encryption and a screen
shot that looked nothing like the one in front of me.

Then I remembered that my browser is set by default to disallow
javascript. I told it that I trusted my wireless access point, and suddenly
a whole raft of new options and menus appeared on my screen.  Obviously it's
convenient for widget designers to be able to use javascript for their user
interfaces, but nowadays the user without javascript is more likely to be
tech-savvy (and slightly paranoid) rather than a luddite with an outdated
browser. (This in turn leads to an unlikely but attractive risk scenario
where an attacker embeds browser-eating malware in one of the myriad
software libraries that the typical widget designer pulls together to make a
working machine; if you can't trust your access point, whom can you trust?)

Mercedes console display with conflicting information

Henry Baker <>
Fri, 14 Dec 2007 10:48:39 -0800
  [Henry sent me a photo that he might have taken himself.  PGN]

The console display says "check engine" & "no malfunction" at the same time!
Dueling messages!

It is supposed to say "check engine" & "1 malfunction", if "check engine" is
the only malfunction being reported.

BTW, my ever-lying Verizon DSL line finally got fixed after replacing about
4 bad splices.  (The computer kept calling me to tell me that the
malfunction in my phone line had been fixed, but since it hadn't, the good
news rolled over into voice mail!)  I think that the old-style POTS phone
system is now in its state of "graceful decline", and will join the
hand-cranked phone on the dustbin of history within 15 years.

Mac Quickbooks update deletes user desktop

Bonnie Packert <>
Mon, 31 Dec 2007 12:50:41 -0800
On Sunday 16 Dec 2007, I ran Quickbooks 2006 on my Mac. I got an error that
said there was not enough room to download an update, that it needed 100
bytes (!). I thought it was likely a bad error message because I do not
normally use an account that has administrator access, so it probably was
unprepared for some protection violation and gave a bad error message. I
logged in as admin to try to get the updated but got the same error. I
checked the Inuit Quickbooks web site and found that I already had the
latest version available. When I logged back into my regular account, I
discovered my desktop was empty, that the folders and files had
disappeared. Using a shell I saw that the Desktop directory was now a
regular file with 0 bytes.  After some disk integrity checks and cleanup
that failed to pinpoint a problem, I later ran Quickbooks again and realized
that my Desktop had ben trashed again. Searching online, I discovered a
number of Quickbooks Mac users had been similarly afflicted.

By 9am PST Monday morning, Intuit had corrected the problem on their server.
Unfortunately, this was after a large number of users had lost files. A
representative from the company called to collect information about my
situation and explained that it had been a scripting problem in the server,
which incorrectly deleted user information after no update had been found.

I was surprised that I never saw anything about it in mainstream press. Here
are some links about the issue from the Quickbooks community web site. More
is available by googling "Quickbooks deletes desktop".

No more loose lithium batteries in checked luggage

Peter Gregory <>
Mon, 31 Dec 2007 15:03:07 -0800 (PST)
In a move to prevent lithium battery fires on commercial aircraft, U.S.
airline passengers will no longer be able to pack loose lithium batteries in
checked luggage beginning 1 Jan 2008 once new federal safety rules take
effect.  The new regulation, designed to reduce the risk of lithium battery
fires, will continue to allow lithium batteries in checked baggage if they
are installed in electronic devices, or in carry-on baggage if stored in
plastic bags.

Common consumer electronics such as travel cameras, cell phones, and most
laptop computers are still allowed in carry-on and checked luggage.
However, the rule limits individuals to bringing only two extended-life
spare rechargeable lithium batteries, such as laptop and professional
audio/video/camera equipment lithium batteries in carry-on baggage - but
none in checked baggage.

Entire press release here:

Peter Gregory, CISA, CISSP | |
Skypeid peterhgregory | Join InfraGard

Risks of believing what you see on the WayBack Machine (

Fred Cohen <>
Mon, 31 Dec 2007 06:56:36 -0800
I have now encountered 2 legal cases in 3 months in which a plaintiff saw
images on the WayBack Machine ( and believed that they
indicated events in the past that never happened. To provide some insight
into the problem, and to provide proof to our legal system, I arranged a
small demonstration that risks readers might want to take a look at:

Disable javascript in your Web browser.
Goto the URL
Enter "" into the WayBack Machine (and click as appropriate).
Select the entry from 1997.

At this point, you will see what looked like in 1977 - or so you
would think. But look at the picture on the right side of the page about
half-way down. You might want to open that picture in a new window to get a
clear look at it.

I think you will agree that the WayBack Machine cannot always be counted on
for digital forensic evidence. This demonstration has now been used in a US
Federal Court case.

Fred Cohen & Associates                 tel/fax: 925-454-0171       572 Leona Drive    Livermore, CA 94550
Join for our mailing list

Re: Computer Failure Causes Closure of Seattle Downtown Transit Tunnel

Stanislav Meduna <>
Sun, 06 Jan 2008 11:23:53 +0100
 > Who would have thought a tunnel would be subject to a computer
 > failure?  ...  Too many eggs in one basket...

Sometimes you only have one basket...

I worked on SCADA software that runs in quite a few tunnels in Europe.

A modern tunnel is a complex system where the subsystems are connected in
ways that require to be controlled by a (logically) single computer
system. E.g. a fire event starts a sequence where everything is involved -
sensors spot the gases, signs switch to red on the entry, fans switch to a
mode sucking out the smoke, staff is alerted etc. Everything has to be
logged (preferably tamper-resistantly) so that there is evidence what
happened and how the staff reacted. Surely the lower level systems will go
to sane failsafe values in the case of problems, but nobody will risk to
operate such system in full traffic with major subsystems disabled.

This application is normally redundant so there is no hardware single point
of failure, but this of course does not guard against programming errors,
inadequate testing an other things well-known to the RISKS reader.

Tunnel retrofitting is not an easy task, normally much worse than building
one from scratch - the main problem is that you have to interface things you
are probably not familiar with that are given and the number of interfaces

And let me tell you, when there was a real fire in a tunnel controlled by
our software, we were very relieved that everything worked as expected. One
is never sure that the tests caught everything...

Re: Satnav: Nope, you can't get there from here.

Craig DeForest <>
Mon, 31 Dec 2007 12:48:18 -0700
Reading the various satnav articles (Shapir, RISKS-24.91, Jacobson,
RISKS-24.92) reminds me of my own favorite satnav folly.

My 2007 Prius has a satnav.  Recently, I tried to navigate from Boulder,
Colorado to Sunspot, New Mexico (Google directions:
" ") for an observing run at the National Solar
Observatory.  The nav system found Sunspot OK, and the onscreen map showed
the dedicated state highway (NM 6563) but asserted that there was no route
there from here.

Likewise, once I was at the observatory, the system wouldn't let me navigate
to practically anywhere else in the U.S.!  I played with it a bit and found
the key—force it to route through the nearby town of Cloudcroft.

I believe Toyota's nav system uses a regress-to-the-nearest-highway
algorithm, which fails spectacularly for Sunspot: the nearest U.S.  highway
(US54) is only about 7 horizontal miles away at closest approach, but nearly
a mile down in altitude.  To get to the observatory you have to take a much
longer, windier route through Cloudcroft—it's nearly 40 miles (as the car
winds) from the closest approach point.

Google Maps finds the route perfectly.

Satnav (Ashworth, RISKS 24.93)

Martyn Thomas <>
Mon, 31 Dec 2007 10:03:08 +0000
It's a little troubling to me that none of the articles that seem very
popular lately on "how dangerous it can be to depend entirely on your
satellite navigator" make clear the point that GPS is very susceptible to
in-band jamming (either accidental or deliberate) and that it is steadily
becoming a single point of failure for private transport, commercial
transport, and the emergency services.

Navigation systems based on the known location of cell-phone transmitters
would be more resilient.

Re: Drunk a better guide than sat nav (Ashworth, RISKS-24.93)

Ross Younger <>
Thu, 3 Jan 2008 11:16:26 +0000
A friend of my father's drives a taxi for a living, and recently fitted a
satnav to it.

Now, whenever a customer gets in, he offers them a choice - do they want to
go by the satnav's directions, or by his idea of the best route?

Most people opt for the satnav. This makes him happy; he has been driving
for years and knows all the tricks for getting around town, whereas the
satnav - following its own idea of "best" - tends to get stuck in jams (with
the meter running, of course).

"Best" route for him, perhaps, not for his customers? Reportedly the satnav
paid for itself within a few weeks!

Passing of Computing and Information Security Pioneer: Jim Anderson

Gene Spafford <>
Wed, 2 Jan 2008 20:08:22 -0500
On 18 Nov 2007, noted computer pioneer James P. Anderson, Jr., died at his
home in Pennsylvania. Jim, 77, had finally retired in August.  Jim, born in
Easton, Pennsylvania, graduated from Penn State with a degree in
Meteorology. From 1953 to 1956 he served in the U.S. Navy as a Gunnery
Officer and later as a Radio Officer. This later service sparked his initial
interest in cryptography and information security.

Jim was unaware in 1956, when he took his first job at Univac Corporation,
that his career in computers had begun. Hired by John Mauchly to program
meteorological data, Dr. Mauchly soon became a family friend and mentor. In
1959, Jim went to Burroughs Corporation as manager of the Advanced Systems
Technology Department in the Research Division, where he explored issues of
compilation, parallel computing, and computer security.  While there, he
conceived of and was one of the patent holders of one of the first
multiprocessor systems, the D-825. After being manager of Systems
Development at Auerbach Corporation from 1964 to 1966, Jim formed an
independent consulting firm, James P. Anderson Company, which he maintained
until his retirement.

Jim's contributions to information security involved both the abstract and
the practical. He is generally credited with the invention and explication
of the reference monitor (in 1972) and audit trail-based intrusion detection
(in 1980).  He was involved in many broad studies in information security
needs and vulnerabilities. This included participation on the 1968 Defense
Science Board Task Force on Computer Security that produced the "Ware
Report", defining the technical challenges of computer security. He was then
the deputy chair and editor of a follow-on report to the U.S. Air Force in
1972. That report, widely known as "The Anderson Report", defined the
research agenda in information security for well over a decade. Jim was also
deeply involved in the development of a number of other seminal standards,
policies and over 200 reports including BLACKER, the TCSEC (aka "The Orange
Book"), TNI, and other documents in "The Rainbow Series".

Jim consulted for major corporations and government agencies, conducting
reviews of security policy and practice. He had long- standing consulting
arrangements with computer companies, defense and intelligence agencies and
telecommunication firms. He was a mentor and advisor to many in the
community who went on to prominence in the field of cyber security. Jim is
well remembered for his very practical and straightforward analyses,
especially in his insights about how operational security lapses could
negate strong computing safeguards, and about the poor quality design and
coding of most software products.

Jim eschewed public recognition of his many accomplishments, preferring that
his work speak for itself.  His accomplishments have long been known within
the community, and in 1990 he was honored with the NIST/NCSC (NSA) National
Computer Systems Security Award, generally considered the most prestigious
award in the field. In his acceptance remarks Jim observed that success in
computer security design would be when its results were used with equal ease
and confidence by average people as well as security professionals - a state
we have yet to achieve.

Jim had broad interests, deep concerns, great insight and a rare willingness
to operate out of the spotlight. His sense of humor and patience with those
earnestly seeking knowledge were greatly admired, as were his candid
responses to the clueless and self-important.

With the passing of Jim Anderson the community has lost a friend, mentor and
colleague, and the field of cyber security has lost one of its founding

Jim is survived by his wife, Patty, his son Jay, daughter Beth and three
grandchildren. In lieu of other recognition, people may make donations to
their favorite charities in memory of Jim.

Please report problems with the web pages to the maintainer