The RISKS Digest
Volume 25 Issue 10

Tuesday, 1st April 2008

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Please try the URL privacy information feature enabled by clicking the flashlight icon above. This will reveal two icons after each link the body of the digest. The shield takes you to a breakdown of Terms of Service for the site - however only a small number of sites are covered at the moment. The flashlight take you to an analysis of the various trackers etc. that the linked site delivers. Please let the website maintainer know if you find this useful or not. As a RISKS reader, you will probably not be surprised by what is revealed…


A modest proposal for the improvement of Daylight Saving
Tony Finch
A Current Affair: Lauren Weinstein, Inside Risks, CACM April 2008
Chaos Computer Club publishes Minister's fingerprint - and more
Peter Houppermans
DST transition time mismatches
Tony Finch
Mini-Y2K fears over Aussie daylight saving change
Max Power
NYPD erases crime statistics for February 29
Ed Ravin
More flights canceled as Heathrow remains in chaos
Alan Cowell via David Farber's IP
Heathrow: The risks of hubris
Diomidis Spinellis
GPS Errors are riskier than you may imagine: consider Liability-Critical Applications
Bern Grush
Re: Securing The Wrong Spaces: A Lesson
Rick Damiani
Re: Arrest over phone system bug: Trailing zeroes
Graham Reed
Re: Thieves become victims?
Info on RISKS (comp.risks)

A modest proposal for the improvement of Daylight Saving

Tony Finch <>
Tue, 1 Apr 2008 06:24:00 +00:52
At this time of year we enjoy the twice annual collection of stories about
problems caused by time zone adjustments. DST is a cunning way of getting
people to adjust their habits to make better use of sunlight when it is
available. We know from the turbulent history of DST in the USA that people
will not make this adjustment without external influence, or if they do they
will not do so with consistent start and end dates or indeed any regard for
the inconvenience of those around them. (See David Prerau's book, "Saving
the Daylight".)

So DST is beneficial provided it is applied consistently over a reasonably
large area. However it is a crude and arbitrary mechanism. It offends those
who think time should be a matter of natural philosophy, not of politics. It
is a great inconvenience to us technologists when the politicians cannot
stop themselves from messing around with the schedule.  It causes many
problems when the clocks suddenly jump by an hour twice a year.

I believe there is a way to enjoy the benefits of DST while avoiding these
drawbacks. The essential idea is that our clocks should be set using sunrise
as a benchmark instead of noon. This is an entirely scientific way of
adjusting our clocks (and therefore our habits) to seasonal conditions, so
it is immune to political fiddling. Our clocks would run fast by about a
minute a day in the spring, and slow by a minute or two a day in the autumn,
so there would be no unpleasant disruptions to our sleep. If we forget to
make an adjustment we won't be embarrassingly early or late.

It is obviously not sensible for clocks in Land's End and John O'Groats to
tell different times just because of their differing latitudes. Therefore,
just as we use standard longitudes to define our time zones, we would use
standard latitudes to define sunrise time. Let us use the time of sunrise at
the tropic of cancer, 23.44 degrees north, as our standard. The difference
between this time and that latitude's latest sunrise, 06:44, gives us an
offset to add to our zone's standard time. This adjustment varies smoothly
between nothing in January and an hour and a half in June, giving us even
more evening sunlight to enjoy. Southern countries would use the same
mechanism, but with the tropic of capricorn as their standard latitude.

Some will argue that it is inconvenient to adjust one's watch every day
for most of the year. We were happy enough to do so with mechanical
watches in the past, so I don't think this is a big deal, and lazy people
can probably get away with adjusting theirs once a week. I also see it as
an opportunity for innovative new intelligent clocks and watches. There
may be slightly more difficulty checking relative times when communicating
between northern and southern sunrise time zones, but the time difference
tables will only be about 40 times larger. It is also a great way for
geophysicists to remain involved in timekeeping after leap seconds are

I recommend this proposal to you, and hope that it is as successful as
William Willett's idea one hundred years ago.

f.anthony.n.finch  <>

A Current Affair: Lauren Weinstein, Inside Risks, CACM April 2008

Peter G Neumann <>
Tue, 1 Apr 2008 00:03:00 GMT
The April 2008 issue of the *Communications of the ACM* includes an
important Inside Risks article by Lauren Weinstein.  (It is of course
subject to CACM copyright, so I won't reproduce his article here, but
suggest that it is worth reading.)  It is online on my Inside Risks website:

Chaos Computer Club publishes Minister's fingerprint - and more

Peter Houppermans <>
Sun, 30 Mar 2008 14:23:23 +0200
The last publication of the Chaos Computer Club (CCC) has published a
fingerprint of the Interior Minister Wolfgang Schäuble (quoting the
oft-heard mantra "if you have nothing to hide you should have nothing to
fear"), together with a tongue in cheek "collection album" page where
readers can fill in fingerprints of other ministers if they manage to
collect them. (sorry, only in German).

The CCC didn't stop there: for good measure they also repeat their 2004
guide in both English and German on how to lift fingerprints and use them as
your own, complete with links to videos of the process and how it has been
used to defeat a pay-by-fingerprint system of a German supermarket chain. (German) (English)

The usual "we'll sue you" noises are already being heard, which highlights
interesting questions about the fingerprints you leave behind..

DST transition time mismatches

Tony Finch <>
Fri, 28 Mar 2008 12:31:28 +0000
The following cartoon makes an amusing observation about the recently
increased mismatch between European and American DST schedules.

f.anthony.n.finch  <>

Mini-Y2K fears over Aussie daylight saving change

Max Power <>
Thu, 27 Mar 2008 16:58:52 -0700
My view has been and always will be:

Australia & NZ should totally abandon Daylight Savings Time (DST).

DST has no place in Australasia because most of Australia and NZ are
Semitropical or Temperate—with the corresponding reduced variation in
sunrise and sunset times. The only region of Australasia that may even be
nominally affected by this change are the NZ provinces South of Canterbury
(where Christchurch is, South Island).

As part of the this region's attempts to reduce its carbon (CO2) output, a
policy of reasonable workplace scheduling needs to be instated. With the
abolition of Australia's "Work Choices" and some minor tweaks to NZ
employment contracts laws—this can be done without disenfranchising

As a matter of state policy, the Australia & NZ "Fee Trade Agreement" (FTA)
and the "Uniform Commercial Code" (UCC) needs to be amended to abolish DST,
as it creates a "NONUNIFORM competitive environment."  Using DST is probably
more responsible for the loss of global competitiveness in Australasia, as
it creates totally unnecessary work in the commercial and governmental
sectors—and needlessly endangers people's lives.

I hope the new Rudd government issues a Y2036/Y2038 compliance law that
forces the Federal and State governments to Audit their systems and
gradually impose compliance benchmarks as time goes on.  The Unix/POSIX time
problem will negatively impact Australia's (and NZ's) global competitiveness
if it is allowed to remain unfixed.

Max Power, CEO, Power Broadcasting

Mini-Y2K fears over Aussie daylight saving change // By ASHER MOSES - SMH
| Friday, 28 March 2008

The decision to extend daylight saving in south-eastern Australia could
create a mini-Y2K by putting the internal clocks on computers, smartphones
and corporate servers out of sync.

From this year on, daylight saving in NSW, Victoria, ACT, Tasmania and South
Australia will end a week later than usual on the first Sunday in April and,
with the exception of Tasmania, recommence three weeks earlier on the first
Sunday in October.

The change was intended to harmonise daylight saving dates across the
country and give Australians more daylight hours, which in turn benefits the
environment by reducing evening electricity use.

Many electronic devices with internal clocks are set to adjust automatically
for daylight saving but, as a result of the recent date changes, the
adjustments this year will be incorrect.

The fallout for regular consumers could include missed meetings or
appointments, but corporations face bigger headaches as their internal
servers, fleets of BlackBerry devices and automated systems such as payroll,
stock trading and manufacturing are operating under the old daylight saving

Clocks must therefore be adjusted manually or via software updates from the
device makers.

A similar issue occurred in the United States last year when daylight saving
was changed to kick in three weeks earlier and end a week later.  At the
time The New York Times reported it would cost public companies $US350
million to make computer fixes to deal with the changes.

Microsoft has issued an advisory to users of its Windows, Outlook and
Windows Mobile products recommending they download an update from that will synchronise computer clocks with the daylight
saving changes.

"The synchronisation [issue] is not exclusive to Microsoft products. It
affects all devices that update automatically according to the old daylight
saving schedule," Microsoft's customer and partner experience director, Hugh
Jones, said.

IDC analyst Liam Gunson said widespread problems could occur if people were
not made aware of the issue and did not take action to fix it.

He said the same problems were predicted in New Zealand last year when
daylight saving changes were made but no serious problems eventuated.

"It was really just a matter of education and people knowing that they need
to download a certain patch or look at their IT systems and it appears that
most people did," he said.

The issue has been likened to the Y2K or millennium bug, albeit on a far
smaller scale and with less serious consequences.

Y2K caused chaos leading into the new millennium as it was feared computer
systems, which stored years as only two digits, would be unable to recognise
dates from 2000 onwards.

Governments spent hundreds of billions of dollars working to fix the
problem, with computer engineers predicting doomsday scenarios such as that
critical finance and electricity industries would stop operating and planes
would fall out of the sky.

However, when the year 2000 finally arrived, there were no major computer
disasters. There is debate over whether this was a result of the immense
preparation for Y2K or people overstating the seriousness of the problem.

NYPD erases crime statistics for February 29

Ed Ravin <>
Wed, 19 Mar 2008 17:34:31 -0400
*The Village Voice* reports that the New York City Police Department's
"CompStat" report for the 9th Precinct shows zero homicides in 2008.  In
spite of Tina Negron having been murdered in an East Village supermarket on
February 29, 2008:

  You have to go to the fine print - an asterisk at the bottom of the stats
  - to get what's kind of an explanation: "Crime figures for February 29,
  2008 ... were excluded to ensure accurate comparisons."

  Negron wasn't the only victim who was victimized again by the stats. A
  total of 248 felonies, including two murders, occurred citywide on
  February 29. But they were excluded from the CompStat analysis - the
  NYPD's method of tracking seven "major" crime categories (murder, rape,
  robbery, felonious assault, burglary, car theft, and grand larceny).  [...]

  The NYPD press office's top CompStat guru didn't return several phone
  calls from the Voice. But according to published reports in 2004, the NYPD
  stopped counting Leap Day statistics in 2000.  Attributing the reasons to
  an unnamed police spokesman, a Daily News story explained that Leap Day is
  withheld from CompStat because "adding the extra day ... could show an
  unreliable increase in crime in comparison with the prior weeks and months
  and cause changes in deployment when it is not really necessary."

Full story at:,The-NYPD-Ignores-Leap-Day-Crimes,381244,2.html

The cooked statistics from the NYPD for the 9th Precinct are viewable here:

[note that the footnote that crime stats for Leap Day were excluded does not
appear in that PDF, but it does appear on other CompStat reports at the same
web site]

See also my post in RISKS-13.69 describing how the NYPD played computer
games with a performance metric in their 911 dispatch system, and
RISKS-24.28 on much more blatant (and unauthorized) rigging of the crime
statistics in a different precinct by a high-ranking cop who wanted to
improve his numbers.

Crime statistics have been used as political bludgeons for years in NYC and
it's not surprising that the NYPD takes every step possible to avoid looking
bad.  I wonder what crimes happened on February 29, 2000, that prompted that
policy change in the first place?

  [Also noted by Danny Burstein, who noted that other big cities (such
  as LAPD) include leap-day numbers.  PGN]

More flights canceled as Heathrow remains in chaos [IP]

David Farber <>
Fri, 28 Mar 2008 15:12:09 -0700
More flights canceled as Heathrow remains in chaos
By Alan Cowell The New York Times
Friday, March 28, 2008

British Airways canceled dozens of flights at Heathrow's glittery new
Terminal 5 on Friday as its staff struggled for the second day with
state-of-the-art technology that was supposed to hasten check-in procedures
and make flying a pleasure.

The hitches since the terminal opened to passengers on Thursday were
"definitely not British Airways' finest hour," the airline's chief
executive, Willie Walsh, said as he offered a personal, public apology for
disrupting the travel plans of thousands of people.

British Airways canceled almost 70 flights on Thursday, after a day of
delays caused by baggage handling problems. On what was supposed to be the
first full day of operations at Terminal 5, many flights took off with their
holds empty, carrying passengers with just cabin baggage.

Some passengers slept overnight in the steel-and-glass terminal - reviving
precisely those images of delay and decline in British aviation that British
Airways said it would banish with the opening of the new terminal.

As a result, Walsh said, about 36 flights out of Terminal 5 - mainly
short-haul and domestic - were canceled in advance Friday to ease pressure
on staff members dealing with unfamiliar procedures and systems.

Walsh said there had been "problems in the car parks, airport areas,
computer glitches and the baggage system."

About the prospects for the weekend, he said Friday: "I would expect some
disruption tomorrow, but I think it will become better as we become
accustomed to the building and the quirks of the systems."

Travelers arriving early Friday confronted what one traveler, Tony Pascoe,
35, called chaos as they stood in line for several hours only to be told
their flight had been canceled.

"It was chaotic," he told Britain's Press Association, "Everyone who had
been queuing were annoyed and a lot of jostling and arguing started. Then
the desk just crashed so everyone stood there.

"It is diabolical. I am a frequent traveler and this is the worst experience
ever - it is absolutely shocking."

"This is a public relations disaster at a time when London and the U.K. are
positioning themselves as global players," said David Frost, director
general of the British Chambers of Commerce. "We can only hope that this
will provide a wake-up call as we gear ourselves up to host the Olympics in

Heathrow is one of the world's busiest airports, handling about 67 million
passengers a year. The new terminal - reserved exclusively for use by
British Airways - was designed to counter the airport's image as an
unpleasant place for travelers. The building cost about $8.7 billion and has
10 miles of baggage-conveyor belts supposed to carry up to 12,000 items of
luggage an hour. But the baggage system has been at the heart of the
start-up problems.

Other airlines, excluded from Terminal 5, took some delight in claiming to pick up business from British Airways as travelers switched to carriers operating out of Heathrow's older terminals.

And a private aviation company, Netjets, said in a statement that the number
of people seeking private business flights had risen by 88 percent over a
24-hour period as "travelers sought to bypass the chaos of the opening of
Terminal 5 at Heathrow."


Heathrow: The risks of hubris

Diomidis Spinellis <>
Sat, 29 Mar 2008 12:14:43 +0200
I assume other comp.risks contributors will by now have provided the details
and the background regarding the problems of Heathrow's terminal 5: the
parking sign snags, the baggage processing backlog, the canceled flights,
and the resulting chaos.  A related interesting angle is an email that
British Airways circulated to its customers on the day of the terminal's
opening.  Here are some notable excerpts, as highlighted by a colleague who
brought this to my attention:

 - - - -

Dear Mr [...],

Five and a half years ago the building of our new home began in our most
visionary project to date. Today we opened the doors. There is no more
waiting... Terminal 5 welcomes you.

*At Terminal 5 everything has been streamlined and designed to make your
journey through the terminal calm and relaxed.* And this morning we saw all
the planning fall into place.

The next time you fly in to, or on from Terminal 5, *you'll experience for
yourself how all the planning and careful design has fallen into place.* The
arrivals Gates are conveniently located to minimise your walk from the plane
and if you're transferring to another flight, Flight Connections is so
smooth, you'll be through in 20 minutes.

*A state-of-the-art baggage system*, a shopping concourse that rivals
London's West End, and an array of tempting restaurants, bars and cafes to
choose from, you'll discover nothing has been overlooked to ensure *your
time at Terminal 5 is spent in a most relaxing and enjoyable way.* [...]

In this case the risk is that the making of grandiose claims about
yet-to-be-established performance can easily backfire.

Diomidis Spinellis - Athens University of Economics and Business

GPS Errors are riskier than you may imagine: consider Liability-Critical Applications

"Bern Grush" <>
Sun, 23 Mar 2008 02:16:14 -0400

I note, after searching this RISKS database of items on "GPS", that a
considerable number of observations from your writers re GPS errors are
actually errors in the mapping data bases that are used in navigation system
applications (e.g., automotive navigation), rather than a GPS positioning
error due to signal errors per se. This distinction may not be interesting
when you are lost in your car, but it is critical in other applications.

GPS position estimates have inherent errors (generally of a couple of meters
in "open sky" circumstances, but possibly 100s of meters on some occasions
due to "non-line-of sight multipath error" in especially built-up urban
areas.  Some GPS-Auto-Nav users will have noted temporary errors such as
their position being displayed on the wrong road. The difficulty is more
subtle than writers surmise.  There are indeed errors in the maps being
used.  Even if a map is correct when installed in your device, roads change.
But at any one moment how can you be sure an error is in the positioning
estimate or on the map.  You really need to rely on signage if it is

But worse than all this is that we are on the cusp of deploying GPS-based
road-tolling systems, the majority of which will depend on map-matching
algorithms to determine which road you are on or which "cordon" you are in
to calculate a charge. These tolling systems will be subject to error for
the same fundamental two reasons signal errors and map errors.

The risk here is that tens of companies are building and tens of
municipalities and tens of counties are considering investing in GPS-tolling
systems that will critically rely on map-matching.

Considering that the very first such system (Germany) cost far in excess of
Euro 10^9, these companies, cities and countries are about to put many, many
billions at risk.  Any decent lawyer could cobble together a class action
suit to defeat charges based on map-matching.  They only need your
collection of emails to show negligent system design.

Bern Grush, Chief Scientist |
desk +1 416 673 8406 | cell +1 647 218 8600

Re: Securing The Wrong Spaces: A Lesson (Ferguson, RISKS-25.06)

"Rick Damiani" <>
Sat, 15 Mar 2008 18:14:56 -0700
This isn't actually a design flaw or oversight. Naval vessels (like every
other ocean-going ships) are equipped with surface search radar, but naval
vessels often don't use it. RADAR emissions can be detected at twice the
distance they can 'see', so a warship running it's surface search RADAR is
both broadcasting it's position and telling everyone how far away they can
stay and not be detected. That's often not the most useful thing a warship
could do.

The real failure here was undoubtedly much more complex than simply not
running the RADAR though. The underway watch team charged with safe
operation of the ship (i.e. those actually involved in navigation and
maneuvering) on a military vessel usually includes a couple of dozen people,
including several equipped with nothing more sophisticated than binoculars
and a sound-powered phone. That all of them missed seeing the boat until
they hit it speaks less of electronic failures and more of some kind of
systemic personnel issue.

Rick Damiani, Applications Engineer, The Paton Group, California: (310)429-7095

Re: Arrest over phone system bug: Trailing zeroes (RISKS-25.09)

Graham Reed <>
Thu, 27 Mar 2008 20:31:20 -0400
The "trailing zeros" bug Rick Damiani wrote about in RISKS 25.09 reminded me
of a similar, but fortunately far less intrusive, problem a friend of mine
had with his ADSL connection.

I had recommended the ISP I had recently begun using, and he'd happily
signed up and got his modem and router configured and working
perfectly... well, mostly perfectly.  A few web sites, without any apparent
relation, just wouldn't work when he went to them with his new DSL account.
Switching back to the old account, everything was fine.  (And I'd thought
PPPoE could never have a benefit.)

Since I'd recommended the ISP, I was on the hook here, especially since my
connection had been, and continues to be, quite reliable.

So I did the usual pings and traceroutes and didn't notice anything other
than the usual "ICMP is scary" lossage.  No two of the failing web sites
seemed to be network-ologically related, so it didn't look like a particular
carrier having issues with that ISP... and, anyway, I could get to all of
them--via the same hops.

In desperation, we went into his router's set-up.  It didn't _feel_ like a
Path MTU discovery problem, but I was out of ideas.  Then I noticed the IP
address of his modem: x.y.z.0/32.  A perfectly legitimate host address for a
point-to-point connection.

So we called up the ISP's support desk, and told the guy there what was
happening and my suspicion about the "trailing 0" being a problem.  It
wasn't _wrong_, but it was the only thing odd I could see.  The guy at the
ISP agreed, right down to the "it's not wrong but it's unusual" feeling, and
assigned a new IP with a non-zero final octet to my friend.  Sure enough,
all the missing web sites turned up.

My guess was that some providers were dumping packets purporting to be from
a /24 network address, making the assumption that an all-zeroes final octet
must mean the packet is spoofed.  Which is fine for /24 all the way up to
/31.  But for anything else, you're at RISK of having a legitimate host
address junked.

/24 is common.  Really, really common.  But we all know the RISKs that arise
when we treat "common" as if it was "only".  You can't tell what my address
structure is; even before CIDR, I was regularly working in subnetted class A
space, and our netmasks never left the building.

(Either that, or someone had heard the old saw that "auditors reject any
line item that ends in 5 or 0.")

Thieves become victims?

Thu, 27 Mar 2008 18:35:48 -0700 (PDT)
In RISKS-25.09, Mark Brader wrote a submission with the subject: "Hoax on
Craiglist causes duped victims to steal property." A demonstration of how
making the "long story short" changes the story completely.  [PGN-ed and
oversimplified; don't blame Mark.]

The victim was not unsuspecting when he returned home. He had received a
phonecall while away from home from someone about the horse, which was in
much better shape than it should have been had it been abandoned. While
driving home, he passed several people with truckloads of property he knew
was his. When stopped and told they had his property, they ignored him. When
he arrived home, he found more people, some of whom showed him a printout of
the craigslist entry as proof that they could steal his property, and many
of them drove off with more of his stuff, after being told they were

There were no "duped victims". The victim cannot, by definition, steal his
own property. Those who stole were dupes, but they aren't the victims here
in any reasonable sense of the word. The people who got the property

The local sheriff has already gone on record as saying that those who took
the property face criminal charges if caught, but have been given an
opportunity to return what they took with no questions asked.

Let's not allow technology cloud the ethics and results. Sometimes dupes are
the victims, as in 419 scams, but here the victim was the fellow whose
property was stolen. Those who were presented with a "too good to be true"
opportunity this time are the thieves, and could have prevented a lot of
damage had they simply called the fellow whose stuff they wanted to take to
make sure.

Please report problems with the web pages to the maintainer