The RISKS Digest
Volume 25 Issue 19

Sunday, 8th June 2008

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Please try the URL privacy information feature enabled by clicking the flashlight icon above. This will reveal two icons after each link the body of the digest. The shield takes you to a breakdown of Terms of Service for the site - however only a small number of sites are covered at the moment. The flashlight take you to an analysis of the various trackers etc. that the linked site delivers. Please let the website maintainer know if you find this useful or not. As a RISKS reader, you will probably not be surprised by what is revealed…


Control-Alt-SCRAM; update reboots nuke plant
Brian Krebs via David Lesher
Sensor error caused $1.4 bill B2 crash!
David A. Fulghum via Paul Saffo
UK bank takes 9 months to combine computer systems
Peter Mellor
Online registration for US visa waiver scheme from August 2008
Donald Mackie
The ID Divide: Peter Swire and Cassandra Q Butts
Monty Solomon
ISP Secretly Added Spy Code To Web Sessions: Ryan Singel
Monty Solomon
Advice from HM Revenue & Customs on NI number fraud
Peter Mellor
Stanford employees' data on stolen laptop
Sometimes the computer is right...
David Hollman
"She'll never fail to stop at a railroad crossing ever again"
Jeff Rosen via Mark Brader
Experts Revive Debate Over Cellphones and Cancer
Tara Parker-Pope via Monty Solomon
Re: Risks in Instant Runoff Voting
Richard Gadsden
Re: Fire at The Planet takes down thousands of websites
Paul Czyzewski
Re: Whose Rules Does Your Media Center Play By?
Steve Wildstrom
Re: Beware of Error Messages At Bank Sites
Paul Czyzewski
Re: An iTunes ... problem Apple will never fix
Henry Baker
Max Power
Info on RISKS (comp.risks)

Control-Alt-SCRAM; update reboots nuke plant

David Lesher <>
Thu, 5 Jun 2008 17:47:22 -0400 (EDT)
Brian Krebs, *The Washington Post*, 5 Jun 2008

A nuclear power plant in Georgia was recently forced into an emergency
shutdown for 48 hours after a software update was installed on a single
computer.  The incident occurred on March 7 at Unit 2 of the Hatch nuclear
power plant near Baxley, Georgia. The trouble started after an engineer from
Southern Company, which manages the technology operations for the plant,
installed a software update on a computer operating on the plant's business

The computer in question was used to monitor chemical and diagnostic data
from one of the facility's primary control systems, and the software update
was designed to synchronize data on both systems.  According to a report
filed with the Nuclear Regulatory Commission, when the updated computer
rebooted, it reset the data on the control system, causing safety systems to
errantly interpret the lack of data as a drop in water reservoirs that cool
the plant's radioactive nuclear fuel rods. As a result, automated safety
systems at the plant triggered a shutdown. ...

Sensor error caused $1.4 bill B2 crash!

Paul Saffo <>
Fri, 6 Jun 2008 18:53:02 -0700
  [ouch!  Reminds me of an early error with the Airbus fly-by-wire system
  that ended up with a controlled flight into terrain bec of a computer
  problem.  -p]

Forgotten Lesson Caused B-2 Crash, 6 Jun 2008
David A. Fulghum/Aerospace Daily & Defense Report

Crews and maintainers never formally recorded information on a vulnerability
involving the B-2's air pressure sensors and the simple workaround crews
came up with to mitigate it, a crucial omission that set the stage for a
Feb. 23 B-2 crash in Guam.

Aircrews and maintenance teams learned about the sensors' susceptibility to
moisture during a Guam deployment in 2006. They also discovered that turning
on the 500-degree pitot heat would quickly evaporate the water and the
flight computer would receive normal readings.

But the information was not formally 'captured' in maintenance or
lessons-learned publications, said Maj. Gen. Floyd Carpenter, president of
the accident investigation board and vice commander of 8th Air Force. The
result was that by the 2008 deployment, the information was passed on by
word of mouth so that “some people knew about it and some people did not,''
he said during a Pentagon briefing June 5. Crews never encountered the
problem at the bomber's home base of Whiteman Air Force Base, Mo.

Earlier incident

Earlier in the 2008 deployment, another B-2 had reached 70 knots in its
takeoff roll when abnormal indications caused the pilot to abort.  The
aircraft taxied back to maintenance, the moisture was evaporated with pitot
heat and the mission continued without incident.

But on Feb. 23, calibration of the sensors was done without turning the
sensor heaters on. The skewed information from three of the 24 air pressure
sensors on the Spirit of Kansas fed distorted information into the flight
control computer. When the aircraft reached 130 knots, the computer thought
it was at the 140-knot takeoff speed and rotated for takeoff.

The sensors also indicated the bomber was in a nose-down attitude so it
commanded a rapid pitch up that reached 30-31 degrees before the pilots
could correct and stop the climb at an altitude of about 80 feet. The
effects of the low takeoff speed and high angle of attack caused the B-2's
speed to deteriorate until the aircraft stalled and began a roll to the
left, when its left wing tip struck the ground. At that point the pilots
ejected (Aerospace DAILY, March 28).

The aircraft's remains were boxed and will be sent to the U.S., where the
cockpit, seats and hatches will be used for training.

Additional information, including the crash investigators report and video,
is posted on Air Combat Command's Web site at .

  [Also noted by Gabe Goldberg. PGN]

UK bank takes 9 months to combine computer systems

Fri, 6 Jun 2008 20:25:28 EDT
The system in use by building societies* for some older types of account
involves a "pass book" to record transactions.  With computer systems
universally in use, the counter clerk no longer writes each transaction into
the book by hand, but inserts the book into a printer.  The system keeps
track of which line on the page the previous transaction was printed on and
prints the next transaction immediately below it.

Over the last 6 months or so I have found that the transactions in my pass
book are frequently overprinted on top of the previous transaction (or
transactions, if I made more than one on the previous visit).  When this
happened again today (6th June) I asked the clerk why.

My building society (the Abbey: now a bank) merged last September with a
Spanish financial institution which forced a new computer system onto it.  I
noticed that there was frequent chaos at the time with the system being down
or running slowly.  According to the clerk, the overprinting is a related
problem, and is due to there being effectively two systems working in
parallel, since the roll-out of the new system is not yet complete (or the
merger of the two computer systems is not complete).  Which system you get
depends on which branch you visit, so the system at the Stevenage branch
"remembers" the last transaction I made _in Stevenage_ and prints over any
more recent transactions that I made at one of the branches in London, and
vice versa!

* I won't go into details about what a "building society" is, for non-UK
readers.  Suffice it to say that they are rather like banks, and over the
past few years, most of them have actually turned themselves into banks.

Peter Mellor <>    +44 (0)20 8459 7669

Online registration for US visa waiver scheme from August 2008

Donald Mackie <>
Wed, 4 Jun 2008 19:49:07 +1200
The US has a visa waiver scheme for visitors from a number of countries
(including NZ). Citizens of those countries do not need to apply for a visa
to visit the US up to 90 days. They currently complete an I94 form on the
plane and are admitted (after screening) with appropriate visitor stamp in
their passports. A new scheme has been announced that will require
prospective visitors to register online. The website will be online from
August and the system will be compulsory from January. There is a fuss in
the media here
over the requirement to register 72 hours before travel, a problem for
people making urgent business or family visits. A spokesperson on the radio
today said that there will be mechanisms to address those situations, which
is fine. Only one commentator has so far expressed anxiety about the greater
risk which is that of security around personal information submitted to such
a site. The spokesperson also said that people will be able to update their
travel details online, only increasing my concerns about security. Bear in
mind that the current I94 includes DOB, passport number etc. Risks self

The ID Divide

Monty Solomon <>
Sun, 8 Jun 2008 12:24:21 -0400
Addressing the Challenges of Identification and Authentication in
American Society

By Peter Swire, Cassandra Q. Butts, Center for American Progress, 2 Jun 2008

How individuals identify themselves in our country grows more complex by the
year. Just last month, 12 nuns were turned away from voting booths during
the Indiana presidential primary because they lacked state identification
(none of them drives), a stark reminder that the recent Supreme Court ruling
that upheld Indiana's voter ID law poses lasting consequences to our
democracy. And two years ago last month the personal identification data of
26.5 million veterans were lost from a government laptop, the latest in a
series of data breaches that threaten the integrity of everyone's

Those 12 nuns are among 20 million other voting age citizens without
driver's licenses, and they join those 26.5 million veterans and many
millions of other Americans who suddenly find themselves on the wrong side
of what we call the ID Divide-Americans who lack official identification,
suffer from identity theft, are improperly placed on watch lists, or
otherwise face burdens when asked for identification.  The problems of these
uncredentialed people are largely invisible to credentialed Americans, many
of whom have a wallet full of proofs of identity. Yet those on the wrong
side of the ID Divide are finding themselves squeezed out of many parts of
daily life, including finding a job, opening a bank account, flying on an
airplane, and even exercising the right to vote. ...

Full report (pdf)

Identification and Authentication Resources page

ISP Secretly Added Spy Code To Web Sessions: Ryan Singel

Monty Solomon <>
Fri, 6 Jun 2008 23:13:42 -0400
Ryan Singel, *WiReD* blog, 5 Jun 2008
Leaked Report: ISP Secretly Added Spy Code To Web Sessions, Crashing Browsers

An internal British Telecom report on a secret trial of an ISP eavesdropping
and advertising technology found that the system crashed some unsuspecting
users' browsers, and a small percentage of the 18,000 broadband customers
under surveillance believed they'd been infected with adware.

The January 2007 report (.pdf)—published Thursday by the whistle blowing
site Wikileaks—demonstrates the hazards broadband customers face when an
ISP tampers with raw Internet traffic for its own profit. The leak comes
just weeks after U.S. broadband provider Charter Communications told users
it would be testing a technology similar to what's described in the BT

The report documents BT's partnership with U.K. ad company Phorm, which
specializes in building profiles of ISP customers, then serving targeted ads
on webpages the user visits.

From late September to early October 2006, British Telecom secretly
partnered with Phorm to let the company monitor and track 18,000 of the BT's
customers. Phorm installed boxes on BT's network that redirected web
requests through their proxy server.

Those boxes inserted JavaScript code into every web page downloaded by the
users. That script then reported back to Phorm the contents of the web page,
which Phorm used to create ad profiles of a user.  Additionally, Phorm
purchased advertising space on prominent web sites, showing a default ad for
a charity. But when a user who had previously looked at car sites visited
one of those pages, he instead got an advertisement for car insurance.

The users were not informed they were being made guinea pigs for a new
revenue system for BT and had no way to opt out of the system, according to
the report. The JavaScript caused flickering problems for some users as the
script reported back information about the content of the web page to a
Phorm server. The script also crashed browsers that loaded a website that
relied excessively on anchor tags. Additionally, the rogue JavaScript showed
up unexpectedly in user's posts to some web forums. ...

Advice from HM Revenue & Customs on NI number fraud

Sat, 7 Jun 2008 10:26:09 EDT
The following is a link to document NIM39140 - National Insurance Numbers
(NINOs): Format and Security: What to do if you suspect or discover fraud.
(For non-UK readers, the NI number is the UK equivalent of the US Social
Security number.)

I am sure that we all appreciate this sound advice from HMRC! :-)

Stanford employees' data on stolen laptop

"Peter G. Neumann" <>
Sun, 8 Jun 2008 10:03:37 PDT
Stanford University has notified tens of thousands of past and present
employees that their personal information was on a university laptop that
was stolen for people hired before 28 Sep 2007—possibly as many as
72,000.  [Someday encrypting such data sets will become the default.  PGN]

Sometimes the computer is right...

David Hollman <>
Fri, 6 Jun 2008 00:57:29 +0100
Here's a case where social engineering defeated an apparently correctly
working automated security system and allowed a burglary:

"An experienced jewelry thief may have hoodwinked the University of British
Columbia's campus security by telling them to ignore security alarms on the
night of last month's multi-million dollar heist at the Museum of

Four hours before the break-in on May 23, two or three key surveillance
cameras at the Museum of Anthropology mysteriously went off-line.

Around the same time, a caller claiming to be from the alarm company phoned
campus security, telling them there was a problem with the system and to
ignore any alarms that might go off.

Campus security fell for the ruse and ignored an automated computer alert
sent to them, police sources told CBC News."

Full article:

"She'll never fail to stop at a railroad crossing ever again"

Mark Brader
Wed, 4 Jun 2008 14:39:11 -0400 (EDT)
Posted by Jeff Rosen, 3 Jun 2008,

  Correction: Due to incorrect information received from the Clerk of Courts
  Office, Diane K Merchant was incorrectly listed as being fined for
  prostitution in Wednesday's paper.  The charge should have been failure to
  stop at a railroad crossing.  The Public Opinion apologies for the error.

I don't know what happened here, but it's got to involve a computer,
hasn't it?

  [Well, it could have been a typo in the officer entering the description
  code.  Or the officer could have been on the wrong track himself.  PGN]

Experts Revive Debate Over Cellphones and Cancer

Monty Solomon <>
Wed, 4 Jun 2008 09:03:17 -0400
Experts Revive Debate Over Cellphones and Cancer;
What do brain surgeons know about cellphone safety that the rest of us don't?
Tara Parker-Pope, *The New York Times*, 3 June 2008

Last week, three prominent neurosurgeons told the CNN interviewer Larry King
that they did not hold cellphones next to their ears. "I think the safe
practice," said Dr. Keith Black, a surgeon at Cedars-Sinai Medical Center in
Los Angeles, "is to use an earpiece so you keep the microwave antenna away
from your brain."

Dr. Vini Khurana, an associate professor of neurosurgery at the Australian
National University who is an outspoken critic of cellphones, said: "I use
it on the speaker-phone mode. I do not hold it to my ear." And CNN's chief
medical correspondent, Dr. Sanjay Gupta, a neurosurgeon at Emory University
Hospital, said that like Dr. Black he used an earpiece.

Along with Senator Edward M. Kennedy's recent diagnosis of a glioma, a type
of tumor that critics have long associated with cellphone use, the doctors'
remarks have helped reignite a long-simmering debate about cellphones and
cancer. ...

Re: Risks in Instant Runoff Voting

Richard Gadsden <>
Wed, 4 Jun 2008 11:33:19 +0100
Peter G. Neumann* (RISKS-25.18) has missed the point of Arrow's Theorem by
expressing it as identifying a problem with ranked preference systems.
Arrow presumes that voters have a ranking of candidates; indeed the
underlying assumption of Arrow is that voters' preference as between
candidates is ordinal, not cardinal.

  [* Not really.  The discussion of Arrow's Theorem should actually have
  been more clearly attributed to the review article by Peter Baker.  PGN]

Arrow's proof - that no election system can be simultaneously monotonic,
deterministic, universal, unrestricted in domain and independent of
irrelevant alternatives without being a dictatorship - applies not only to
ranked preference systems, but to all elections without exception.  Only by
rejecting the assumption of ordinality of preference, or by rejecting one of
criteria, can any voting system be established.  Most real election systems
- including simple plurality, instant runoff and conventional runoff - fail
on the criterion of independence of irrelevant alternatives (IIA); that is,
a (losing) candidate or candidates can be introduced into an election or
removed from an election and that will change the winner.

In many real-world elections, there is a "Condorcet" winner, ie someone who
is preferred by a majority of the electorate to every other candidate (it
may be a different majority in each case).  If there is such a winner, then
electing them fulfills Arrow's theorem.  The problem is that in some
elections, preferences are circular (ie A>B, B>C and C>A, where > represents
'is preferred to' rather than the usual 'is greater than').  Where this
occurs, no system can fulfill Arrow's criteria - either the system will
elect someone who would lose in a simple majority two candidate election
(which fails Arrow's dictatorship criterion) or IIA will be breached, as any
proposed winner can be defeated by the withdrawal of one of his opponents.

A key corollary of Arrow's theorem is that voters always have an incentive
to be insincere in how they cast their votes.  For example, in the 2000 US
Presidential election, voters whose true preference was Nader>Gore>Bush had
a strong incentive to insincerely vote for Gore.  Similar arguments can be
applied to all electoral systems - even ones that elect a Condorcet winner,
as they must have a (by definition manipulable) tie-breaker when there are
circular preferences, and voters could vote insincerely to create a
circularity and then manipulate the tie-breaker.

Re: Fire at The Planet takes down thousands of websites (R 25 18)

"Paul Czyzewski" <>
Sat, 7 Jun 2008 20:19:10 -0700
< [Power was restored on 2 Jun.  PGN]

Actually, things didn't go that smoothly and, in fact, it appears that
some users (those whose hard drives were damaged by the initial power
failure) are *still* having problems.

The Planet forum (
contains about 80 messages from the Planet, sent over the past week, on the
status of their outage.  It includes such highlights of the sort "now all
the remaining servers are up on generators".  "oops, the generator tripped
its circut breakers, so those 3000 servers are down again."  "We fixed the
generator."  "Oops, the fix to the generator didn't work and ...."  you get
the idea.

I have no reason to doubt the competence of the Planet staff; it's not an
easy problem to recover from.

Re: Whose Rules Does Your Media Center Play By? (RISKS-25.18)

Steve Wildstrom <>
Wed, 4 Jun 2008 09:07:51 -0400
Bashing Microsoft is fun-I've done it often enough myself-but in this case,
EFF is barking up the wrong tree. Assuming, arguendo, that this wasn't just
a dumb mistake, the party at fault is NBC. As the Microsoft spokesperson
said, the Media Center code merely implements what was, at the time the code
was written, an FCC requirement. The later court rejection of the broadcast
flag rules didn't require changing the code, it prohibited broadcasters from
implementing the flag. NBC broadcast a program with the flag set, which it
should not have done, and the Media Center responded exactly the way it was
supposed to, and, for the record, exactly the way Microsoft has always said
it would.

Steve Wildstrom, BusinessWeek, 1200 G St NW, Suite 1100, Washington, DC 20005
Technology & You <>

Re: Beware of Error Messages At Bank Sites (Sherwood, R 25 18)

Paul Czyzewski <>
Sat, 7 Jun 2008 20:26:21 -0700
This scam sounded vaguely familiar, and I found this article, The Failure of
Two-Factor Authentication, which was written by Bruce "Nostradamus" Schneier
three years ago.

Besides the bank scam, Bruce discusses the inherent flaws in two-factor
authentication, generally.

Re: An iTunes ... problem Apple will never fix (McDonald, R-25.18)

Henry Baker <>
Wed, 04 Jun 2008 11:43:02 -0700
Alistair, This iTunes file retention bug happens to me all the time.  When
audio podcasts are deleted in iTunes, the underlying file is deleted.
However, when video podcasts are deleted in iTunes, the underlying file
isn't deleted—there's no error message or anything.  I've gotten to
playing video podcasts directly from the underlying file system & deleting
the files behind iTunes's back, just to make sure that the file really gets
deleted.  Since video files are typically much larger than audio files, the
inadvertent retention of video files can quickly fill up your disk.

I haven't tried this on Mac iTunes, but I suspect that the same thing
happens there, so I don't think this is an OS-specific bug.

I've given up reporting bugs to large corporations, because they don't even
bother to acknowledge the email.  They're too busy putting in additional
misfeatures to have time to fix the ones they already have.

Re: An iTunes ... problem Apple will never fix (McDonald, R-25.18)

Max Power <>
Wed, 4 Jun 2008 19:06:37 -0700
I ASSURE YOU THAT THE iTunes 'disk usage' bug IS REAL.

* iTunes (across all OSes it runs on) offers [or has access to] a built
  in update program [offers: Win; access: OSX]
* Most people use that update program most of the time. Most people have
  the current version of iTunes
* Apple has no obvious way to submit bugs for the software it writes.
  There may be ways, but I don't know what they are.
* I am a telecommunications consultant: if I can't find a way to submit
  iTunes bugs to Apple, it is probable no one can.
* UNLESS there is an outstanding telecommunications issue that makes
  updating Apple software more difficult or impossible [like the user
  living on Pitcairn, with a 56kbs link] it would reason that 90% of iTunes
  users are up to date.
* It is impossible [or not highly likely] for this disk usage problem to
  affect older versions of iTunes.
* I don't know where this bug originated in the iTunes version tree.

Known or Suspected 'problem areas'
Operating systems affected: ALL
  (Windows family 100%, OSX assumed 100% pending proof)
TCP / IP version issues:
  NONE that I know of, this is a File System issue (?) not an IP issue
User Interfaces affected: ALL CURRENT

iTunes Versions affected [addendum]
* It is probable that all versions since the introduction of Podcasts
  and Vodcasts are affected by this FS or UI problem.
* I don't know where to find an adequately detailed Apple iTunes version
  tree, iTunes is not Winamp.
* This lack of traceability makes it extremely difficult to track down
  where this disk space issue started, much less submit a bug report.

Will Apple ever fix the problem?
Since the transmission of my original "Comp.Risks" submission I have not
received a single e-mail or postal letter from Apple [asking me for
clarifications of the iTunes disk usage problem]. My suspecting that Apple
may never fix this is based on a total lack of contact from Apple.

It would be nice if Apple would toss one of their mini PCs my way for my
BOINC distributed computing project [for uncovering such a fundamental
software design flaw] ... but Apple is an American corporation so I don't
see this ever happening. As corrupt as Microsoft is [as a corporation] and
as vast as its' labyrinthine bureaucracy is ... Microsoft is more responsive
to bug reports.

Where is the program problem finding itself?  Is this a User Interface (UI)
bug and not a File System (FS) usage tracking bug?  I don't know.  I believe
it is clearly a UI problem, but it may be a side effect of the way that
iTunes interacts with the host OS file systems.  Further use at my end
implies it is a Vodcast problem, at least on my hardware and software
platform.  Podcasts seem to delete cleanly and their existence seems to be
reported correctly, but I have not experimented with 20 gb+ of MP3 podcasts
with this software to see if the same phenomena is at work.


No matter what
* You should not be able to "delete all Vodcasts" (when disk use = 99%)
  and not have the podcasts continue to reside on your HD eating up space.
* There should only be mechanisms for moving or deleting podcasts on a
  PC's file system for programs like iTunes.
* RSS feed displays (be they Podcasts or Vodcasts) need to have a 1 to 1
  correspondence with the files represented on the drive.
* Programs that use [and manage] a lot of disk space need to be truthful
  about how the disk space is being used to the user.
* All high profile programs need to have a clearing house for submitting

I am still working on figuring out the extent of the bug, but I don't
expect it to be fixed before 2009 or 2010.

Max Power, CEO, Power Broadcasting
Adelade / Wellington / Vancouver / Seattle

Please report problems with the web pages to the maintainer