The RISKS Digest
Volume 25 Issue 24

Wednesday, 23rd July 2008

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator



Washington Metro farecard fraud
David Lesher
The $100,000 Keying Error
Patrick O'Beirne
What happened to handcuffing the briefcase to James Bond's wrist?
Randall Webmail
Taking a grab at what's the real system error
What's in a name?
Peter Houppermans
Yet more GPS risks: Angry Mob Stones Lost Tourist
Steven J Klein
Shocking idea for air passenger security
Robin Stevens
Re: Oyster card hack to be published
Amos Shapir
Re: San Francisco admin hijacks city net: Paul Venezia
David Lesher
Re: ComCast in Concrete? MAC addresses
R A Lichtensteiger
Re: P2P Data Breach affects SCOTUS
Pete Klammer
Jay R. Ashworth
Re: Approval voting and sincerity
Geoffrey Brent
Richard Gadsden
NC State Voter site exposes voter addresses
John O Long
Info on RISKS (comp.risks)

Washington Metro farecard fraud

<"David Lesher" <>>
Sun, 20 Jul 2008 01:25:01 -0400 (EDT)

*The Washington Post* reports six arrests in a Metro Farecard fraud scheme.


Allegedly the accused would buy a paper farecard; split the 0.25" wide
magstrip into 4 ribbons and glue each atop a blank card.

Then they'd trade in the card by adding some small cash value, getting a new
card in return.

Metro's first response was to lower the allowable trade-in value from $30 to

It's not clear if a Metro employee noticed the altered cards in the discard
bin inside of a ticket vending machine, or whether they were tipped off by
other system safeguards, such as a duplicate-card serial-number detector.

Comment: I recall a similar BART fraud of about 2 decades ago, which used a
steam iron and knowledge of Curie points.

I wonder if Metro will try to use this to mandate moving to their traceable
stored value "Smartrip" cards...

What happened to handcuffing the briefcase to James Bond's wrist?

<Randall Webmail []>
Sun, 20 Jul 2008 7:40 PM

  [From Dave Farber's IP distribution.]

On 20 Jul 2008, the Ministry of Defence confirmed another laptop with
"sensitive information" has been stolen while one of their officials checked
out of a hotel.  An MoD spokesman said the theft from the Britannia Adelphi
hotel in Liverpool city centre on 17 Jul 2008 brought the total of laptops
stolen to 659.  On 18 Jul 2008 the MoD admitted that 658 of its laptops had
been stolen over the past four years - nearly double the figure previously
claimed. The department also said 26 portable memory sticks containing
classified information had been either stolen or misplaced since January
2008.  [Another MoD laptop stolen, *The Guardian*, 20 Jul 2008; PGN-ed]

IP Archives:

The $100,000 Keying Error

<"Patrick O'Beirne" <>>
Wed, 23 Jul 2008 11:45:55 +0100

When testing your systems, you do check for length as well as checksum
errors, don't you?

An ordinary bank customer, Grete Fossbakk, used Internet banking to transfer
a large amount to her daughter. She keyed one digit too many into the
account number field, however, inadvertently sending the money to an unknown
person. This individual managed to gamble away much of the sum before police
confiscated the remainder.

Patrick O'Beirne, Systems Modelling Ltd.
(+353)(0) 5394 22294
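
A worked version of that check, added here and not part of O'Beirne's post: a validator that enforces length before the check digit, beside a weak one that verifies only the check digit. It assumes an 11-digit number whose last digit is a MOD11 check digit with weights 2..7 cycling from the right (the scheme I believe Norwegian account numbers use; treat the format as an assumption), and the sample numbers are constructed.

```python
from typing import Optional

# Assumed format (constructed for this example): 11 digits, the last being a
# MOD11 check digit over the first 10, with weights 2,3,4,5,6,7 cycling from
# the right. Sample numbers below are made up, not real accounts.
ACCOUNT_LEN = 11
WEIGHTS = (2, 3, 4, 5, 6, 7)


def mod11_check_digit(body: str) -> Optional[str]:
    """MOD11 check digit for a digit string; None when the remainder is 1
    (such bodies simply cannot be issued under this scheme)."""
    total = sum(int(d) * WEIGHTS[i % len(WEIGHTS)]
                for i, d in enumerate(reversed(body)))
    rem = total % 11
    if rem == 0:
        return "0"
    if rem == 1:
        return None
    return str(11 - rem)


def checksum_only_valid(number: str) -> bool:
    """The weak validator: verifies the check digit but never the length."""
    if not number.isdigit() or len(number) < 2:
        return False
    return mod11_check_digit(number[:-1]) == number[-1]


def validate_account(number: str) -> str:
    """The strict validator: length first, then check digit.
    Returns 'ok' or a short reason for rejection."""
    digits = number.replace(" ", "").replace(".", "")
    if not digits.isdigit():
        return "non-digit characters"
    if len(digits) != ACCOUNT_LEN:
        return f"bad length {len(digits)} (expected {ACCOUNT_LEN})"
    if mod11_check_digit(digits[:-1]) != digits[-1]:
        return "bad check digit"
    return "ok"


if __name__ == "__main__":
    good = "1234567890" + mod11_check_digit("1234567890")   # "12345678903"
    # One digit too many, keyed as a leading zero: weights are counted from
    # the right, so the extra zero adds nothing to the sum and the check
    # digit still matches. Only the length check catches it.
    extra = "0" + good
    for n in (good, extra, "12345687903"):
        print(n, "checksum-only:", checksum_only_valid(n),
              "strict:", validate_account(n))
```

The transposition in the third sample is caught by the check digit alone; the extra leading digit in the second is not, which is why length must be checked as well.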

Taking a grab at what's the real system error

<jared <>>
Sat, 19 Jul 2008 09:33:28 -0600

The Capital Letters feature of the Saturday Guardian discusses a risk of
on-line banking - what you see is not what you have.

Q: I have a number of savings accounts with Bradford & Bingley which I
access online.  The total value is around 100,000 pounds. But often the on-
screen version does not tally with the balance over the phone.  Even worse,
sometimes one of my accounts shows a negative figure, even though savings
accounts cannot go below zero.  The call centre says there must be a system
error — this appears every month.

A: At first B&B said it was impossible to be in the red on a savings account
-- yours showed minus 1,100 pounds.  But once you sent in your screen grab,
clarity emerged.

You have, among others, an eSavings account where daily "updates" take place
between the "core" system and the "Internet platform".  To ensure the
systems are fully aligned, B&B runs numerous "exchanges" of information.

So there can be times when the "processed balance" does not coincide with
your available balance.  Had you looked even a few minutes later, the minus
figure would have gone.  You have not lost by this.

B&B says it has not encountered this elsewhere and will have its systems
people work on your account.  It will apologise and send 50 pounds as a
goodwill gesture.

  [Sounds like you need some *original* B&B: Benedictine and Brandy.  PGN]

What's in a name?

<Peter Houppermans <>>
Sat, 19 Jul 2008 10:26:25 +0200

Well, I found sequencing to be a problem too.

It is traditional to have more than one first name where I come from, so I
have 3.  One of them is the name by which I'm called, "Peter".  The twist is
that it is not the FIRST name of the three.

In my country of origin this is not a problem, it's accepted practice and
calling names are stored separately from forenames (also because the formal
names are often written in a more archaic form).  But cross the borders and
problems start, sometimes to the point of causing danger.

In the UK, for instance, it's a bit pot luck.  When I moved to another place
I had quite some trouble convincing a GP administrator to then enter my
calling name first, but that "wasn't as in my passport" - the fact that
business cards, credit cards and even the data from the former GP were
labeled "Peter" had no impact.  Only when I presented her with a letter to
sign for acceptance of liability was it suddenly possible - the RISK was
that an accident could put me in hospital in a state unable to explain they
should look for my data under another name.

I moved again (this time to another country), and the circus has restarted.
On entry, some official omitted the flag that marks the name by which I am
called (in the new country they appear to have at least a way of marking the
name - if it wasn't for the fact that my passport does NOT have such a mark
- I think it's an omission in the EU passport standards).  The knock-on
effect is that I have to undo insurances, car registration and personal ID
all in the wrong name.  It's a long process.

Over the years I even had an official suggesting I should change my name or
at least the sequence.  So the idea is that I change my name to suit what is
a clear lack of flexibility in official systems.  Alas, I'm just on the
wrong side of stubborn to rename myself to 12889-999-111, the logical end of
that route.

Besides, I do derive some professional amusement from breaking systems :-).

Yet more GPS risks: Angry Mob Stones Lost Tourist

<Steven J Klein <>>
Tue, 08 Jul 2008 11:18:56 -0400

RISKS has run numerous reports of the trouble people get into by blindly
following the instructions of their GPS navigation devices.

The Jewy News website just published the stories of two people who,
following instructions from their GPS units, drove into dangerous
neighborhoods and were attacked by mobs.  Excerpt:

  An American tourist was lightly injured by rocks hurled at him when he
  accidentally drove into the Qalandiyah refugee camp, west of Ramallah,
  Wednesday afternoon.  Army sources said Wednesday that since the beginning
  of this year there have been several dozen cases of Israeli civilians
  mistakenly entering Area A, because of GPS navigational errors, and
  despite clear signs at the entrance to Palestinian towns warning Israelis
  not to enter.

Steven J Klein  Your Mac Expert  Phone: (248) YOUR-MAC or (248) 968-7622

Shocking idea for air passenger security

<Robin Stevens <>>
Wed, 23 Jul 2008 18:45:38 +0100

  In order to enhance the security of air travel and to help manage illegal
  immigration, the Department of Homeland Security has solicited a proposal
  from a Canadian security company to develop a passenger stun bracelet.
  "By further equipping the bracelet with EMD technology, the bracelets will
  allow crew members, using radio frequency transmitters, to quickly and
  effectively subdue hijackers."

Now, what could *possibly* go wrong with this idea?

Robin Stevens  <>

Re: Oyster card hack to be published (RISKS-25.22)

<Amos Shapir <>>
Tue, 22 Jul 2008 17:40:58 +0300

"Details of how to copy the Oyster cards used on London's transport network
can be published, a Dutch judge has ruled."

Full story at:

IMHO the most important sentence in the judge's ruling is: "Damage to NXP
is not the result of the publication of the article but of the production
and sale of a chip that appears to have shortcomings."  IOW (unlike what
seems to be the law in the USA), if the King is naked it's his fault, not
the little boy's.

Re: San Francisco admin hijacks city net: Paul Venezia (RISKS-25.23)

<David Lesher <>>
Sat, 19 Jul 2008 23:49:23 -0400

[Source: Paul Venezia, *InfoWorld*, 19 Jul 2008]

On 13 Jul 2008, Terry Childs, a network administrator employed by the City
of San Francisco, was arrested and taken into custody, charged with four
counts of computer tampering. He remains in jail, held on US$5 million
bail.  News reports have depicted a rogue admin taking a network hostage for
reasons unknown, but new information from a source close to the situation
presents a different picture.

In posts to my blog <>, I postulated
about what might have occurred.  Based on the small amount of public
information, I guessed that the situation revolved around the network
itself, not the data or the servers.  A quote from a city official that
Cisco was getting involved seemed to back that up, so I assumed that Childs
must have locked down the routers and switches that form the FiberWAN
network, and nobody but Childs knew the logins.  If this were true, then
regaining control over those network components would cause some service
disruption, but would hardly constitute the "millions of dollars in damages"
that city representatives feared, according to news reports.

Apparently, I wasn't far off the mark.  In response to one of my blog posts,
a source with direct knowledge of the City of San Francisco's IT
infrastructure and of Childs himself offered to tell me everything he knew
about the situation, under condition that he remain anonymous.  I agreed,
and within an hour, a long e-mail arrived in my in box, painting a very
detailed picture of the events.  Based on this information, the case of
Terry Childs appears to be much more — and much less — than previously

It seems that Terry Childs is a very intelligent man.  According to my
source, Childs holds a Cisco Certified Internetwork Expert certification,
the highest level of certification offered by Cisco.  He has worked in the
city's IT department for five years, and during that time has become simply

Although Childs was not the head architect for the city's FiberWAN network,
he is the one, and only one, that built the network, and was tasked with
handling most of the implementation, including the acquisition,
configuration, and installation of all the routers and switches that
comprise the network.  According to my source's e-mail, his purview extended
only to the network and had nothing to do with servers, databases, or

"Terry's area of responsibility was purely network.  As far as I know (which
admittedly is not very far), he did not work on servers, except maybe VoIP
servers, AAA servers, and similar things directly related to the
administration of the network.  My suspicion is that you are right about how
he was "monitoring e-mail"; it was probably via a sniffer, IPS, or possibly
a spam-filtering/antivirus appliance.  But that's just conjecture on my

Re: ComCast in Concrete? MAC addresses (Fife, RISKS-25.23)

<R A Lichtensteiger <>>
Sat, 19 Jul 2008 11:18:38 -0400

> The ethernet adapter in a PC and the ethernet "WAN Port" on a router both
> have a unique six-byte identification known as a MAC (Medium Access Control)
> address. The first three bytes identify the manufacturer (i.e., Linksys),
> and the other three bytes identify the specific device. Default values are
> assigned by the manufacturer and programmed into the hardware.

Forgive the pedantry ...

The last three octets of a MAC aren't a "default" — they are uniquely
assigned to one device within all the ethernet interfaces that manufacturer
builds [1] and the entire six octet address is globally unique because the
value in the upper three octets is assigned to a single vendor by the IEEE.
This is one of the fundamental points in the ethernet spec.

> If this doesn't work, I would turn off remote management, "Universal Plug
> and Play," and anything else that might allow the cable company to interact
> with your router over the network and recognize its specific behavior.

This is useful advice in that one should never expose to network access any
functionality that isn't required.

UPnP is used particularly by games that need to open inbound connections on
a device that filters traffic (usually a residential router device like a
Linksys router performing network address translation [NAT]); the
application needs to be able to receive incoming packets from a remote host
for purposes of network gameplay.

In the case of the Linksys routers, the last time I looked at the source
code (which Linksys makes available because the "firmware" in the device is
linux) the routers didn't accept UPnP packets from the outside [WAN]

[1] Or, more likely, purchases from a silicon vendor who builds ethernet

Re: P2P Data Breach affects SCOTUS (Ashworth, RISKS-25.23)

<Pete Klammer <>>
Sat, 19 Jul 2008 14:02:49 -0600

Many financial websites now allow you to choose your own security
question(s), either from a multiple-choice list, or even an original one of
your own choosing.

While considering the dossier that could be constructed from accumulating
them (each one knows only my eye color, or only my birthplace, but together,
my whole identity may be assembled); it dawned on me recently that I do not
have to answer these questions truthfully — only consistently.  That is, if
I set up with my eye color purple, and later remember and answer that
question with purple, I can have my password resent, etc.

So now I answer all those security questions (even mother's maiden name)
dishonestly, but with answers that I will not be able to forget.

In fact, it might behoove the webpage security designers to change the
security questions to promote such behavior: "If Abcorp needs to confirm
your identity, how would you answer the question, 'What color are your

Peter F. Klammer, P.E. / NETRONICS Professional Engineering, Inc.
3200 Routt Street / Wheat Ridge, Colorado 80033-5452  1-303-915-2673

Re: P2P Data Breach affects SCOTUS (Klammer, RISKS 25.24)

<"Jay R. Ashworth" <>>
Mon, 21 Jul 2008 15:03:02 -0400

In light of the recent MySpace case, where prosecutors with nothing else to
hang a case on are trying to convict that mother of *lying on her profile*,
perhaps you *shouldn't* lie in the answers to those questions... but of
course that just makes it worse.  1/2 :-)

You make a good point though, which was inherent in the observations I made,
but subtle enough that I missed it: since you can't trust the site operators
with passwords, there's no reason to believe that you can trust them with
any other data either.

People would be inclined to say "but it's not reasonable to believe that
large corporate sites would be involved in this sort of collusion!".

But we wouldn't have expected either of these things either:

and yet they appear to have happened.

Some sites do, in fact, ask the applicant to supply both the question and
the answer, which seems perfectly reasonable: at least, it permits
security-thoughtful applicants to protect themselves from this sort of

All of this is also akin to the Middle Initial Gambit: tracking junkmail
(usually of the paper variety) by putting a different middle initial in your
name for each primary source, something which will usually pass in-band
through the filters of the mailers in the middle.  This sort of service is
handled by disposable email addresses in this day and age, of course.

Jay R. Ashworth, Ashworth & Associates, St Petersburg FL USA +1 727 647 1274   <>

Re: Approval voting and sincerity (Re: Youngman, RISKS-24.23)

<Geoffrey Brent <>>
Sat, 19 Jul 2008 11:50:00 +1000

"Unless you get a very weird result (i.e., it's statistically very
unlikely), one candidate will win all his individual contests.  That person
should be elected. Failing that, someone will almost certainly lose all his
contests and should be eliminated. When they're removed from consideration
the win-lose cycle can be repeated until you're left with a winner."

It won't do that. If you don't *immediately* have a candidate who has won
all his individual contests (call that a 'universal winner'), then
iteratively eliminating 'universal losers' will never produce a universal

If nobody wins all their individual contests, then each candidate loses to
somebody else. Suppose you can indeed find a 'universal loser' candidate
Z. By definition, Z is *not* the guy that anybody else loses to, so if you
remove him from the pool each of the remaining candidates still loses to one
of the other remaining candidates. Removing Z might produce a new universal
loser amongst the remaining candidates, but it will never produce a
universal winner (and since you only have a finite number of candidates,
eventually you'll hit the point where you run out of universal losers too).

To see how something like this might come about, consider a three-cornered
election in which approximately one-third of voters are primarily concerned
about foreign policy, one-third about healthcare, and one-third about
taxation. If you randomly order the candidates' credibility on each of these
three issues, you have a 1/18 chance of getting a deadlock where people are
voting e.g. A-B-C, B-C-A, and C-A-B. Obviously real-life politics isn't that
clear-cut, and the chances of a deadlock may be somewhat lower... but they
could also be higher, especially when people modify their campaigning
strategies to take advantage of the new system, and even a small rate of
unresolved elections has the potential to cause a lot of trouble.

You can of course set up some sort of tie-breaker for such situations -
e.g. use some other form of preferential counting among the remaining
candidates - but this will inevitably run into one of the other clauses of
Arrow's Theorem.
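
The argument above carried through in code, as an added example that is not part of Brent's post: the quoted procedure (elect a universal winner, otherwise eliminate a universal loser and repeat) run over a pairwise-contest matrix. The ballot profiles are constructed, including the one-third/one-third/one-third cycle from the post and a variant with an extra candidate D whom everyone ranks last, to show that removing a universal loser never creates a universal winner.

```python
from itertools import combinations
from typing import Dict, List, Optional, Tuple

# A ballot is a full ranking, most preferred first. The profiles below are
# constructed to illustrate the argument, not taken from any real election.
Ballot = List[str]
Wins = Dict[str, Dict[str, int]]


def pairwise_wins(ballots: List[Ballot], candidates: List[str]) -> Wins:
    """wins[a][b] = number of ballots that rank a above b."""
    wins = {a: {b: 0 for b in candidates if b != a} for a in candidates}
    for ballot in ballots:
        rank = {c: i for i, c in enumerate(ballot)}
        for a, b in combinations(candidates, 2):
            if rank[a] < rank[b]:
                wins[a][b] += 1
            else:
                wins[b][a] += 1
    return wins


def beats(wins: Wins, a: str, b: str) -> bool:
    return wins[a][b] > wins[b][a]       # strict majority; a tie beats nobody


def universal_winner(wins: Wins, pool: List[str]) -> Optional[str]:
    """Candidate who wins every individual contest within the pool, if any."""
    for a in pool:
        if all(beats(wins, a, b) for b in pool if b != a):
            return a
    return None


def universal_loser(wins: Wins, pool: List[str]) -> Optional[str]:
    """Candidate who loses every individual contest within the pool, if any."""
    for a in pool:
        if all(beats(wins, b, a) for b in pool if b != a):
            return a
    return None


def eliminate_until_winner(ballots: List[Ballot],
                           candidates: List[str]) -> Tuple[Optional[str], List[str]]:
    """The quoted procedure: elect a universal winner; failing that, drop a
    universal loser and try again. Returns (winner or None, eliminated order);
    None means the procedure ran out of universal losers with no winner."""
    wins = pairwise_wins(ballots, candidates)
    pool = list(candidates)
    eliminated: List[str] = []
    while pool:
        winner = universal_winner(wins, pool)
        if winner is not None:
            return winner, eliminated
        loser = universal_loser(wins, pool)
        if loser is None:
            return None, eliminated      # deadlock: a cycle among the survivors
        pool.remove(loser)
        eliminated.append(loser)
    return None, eliminated


# Roughly one third each on foreign policy, healthcare and taxation:
CYCLE = [["A", "B", "C"]] * 33 + [["B", "C", "A"]] * 33 + [["C", "A", "B"]] * 34
# The same cycle plus a candidate D whom every voter ranks last.
CYCLE_PLUS_D = [b + ["D"] for b in CYCLE]

if __name__ == "__main__":
    print(eliminate_until_winner(CYCLE, ["A", "B", "C"]))              # (None, [])
    print(eliminate_until_winner(CYCLE_PLUS_D, ["A", "B", "C", "D"]))  # (None, ['D'])
```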

Re: Approval voting and sincerity (Re: Youngman, RISKS-24.23)

<"Richard Gadsden" <>>
Tue, 22 Jul 2008 12:31:01 +0100

Not wishing to get into this debate in too much detail - this isn't infosec,
and really shouldn't be on RISKS - but this is a Condorcet system, which has
well-known vulnerabilities; voters who are confident that their first-choice
will win the tiebreaker can deliberately induce a top cycle to block a
sincere Condorcet winner where that winner is a centre-compromise candidate.

[Several of the words in the above paragraph are terms of art, notably
"Condorcet", "sincere", "centre-compromise", "top cycle", "vulnerability"]

Rather than doing a worked example, my suggestion of the RISK here is that
voting theory is a very specialised area of knowledge, and that non-experts
should no more expect to be able to invent a voting algorithm than an
encryption algorithm.  RISKS doesn't normally discuss design details of
encryption algorithms, and I would suggest that we should cease trying to
discuss voting algorithms.

Suffice it to say that there are many different properties of voting
algorithms, and different systems are optimised for different properties.
One property that many would like to optimise for is that voters should not
need information about other voters' likely ballots to determine how to cast
their vote most effectively.  What is meant (in the field of voting theory)
by a 'sincere vote' is the vote that voter would cast given no information
about other voters, just information about the candidates.
Gibbard-Satterthwaite and Duggan-Schwartz and the extensions of their
theorems to many non-preferential systems (approval, disapproval and scoring
systems included) prove that this property is unachievable in theory.

For those wishing to try their own thought experiments, usual insincere
votes are

1) Voting more strongly against a candidate you regard as middling in order
   to help your first choice.

2) Voting more strongly for a candidate you regard as middling to damage a
   candidate you are opposed to, often abandoning your first choice to do

3) Voting for a candidate you really hate in order to put them above someone
   you merely dislike, where the one you dislike has a chance of winning and
   the one you hate does not.

NC State Voter site exposes voter addresses

<John O Long <>>
Tue, 22 Jul 2008 09:57:49 -0400 (GMT-04:00)

The North Carolina Board of Elections has made it possible to learn quite a
bit about any registered voter in the state.

Go to their site at and click
on My Election Information.  Select Show Me My Voter Information and enter
your name and county.  You are then presented with all of the people who
match your first and last name in your county.  You can select any of them
and find out:

- their address
- what party they are registered with
- which elections and primaries they voted in
- voter registration number

I think a lot of people wouldn't want their address exposed in this way. I
know I wasn't too happy to see this.

However, it also makes it easier for voter fraud to take place.  If I find
someone in my county who doesn't vote very often, I can show up at their
polling place and vote for them.  If necessary, I can provide their voter
registration number. However, I don't need to provide a photo ID.

  [Most of this information is publicly available.  However, systematically
  data mining it to identify folks who were not voting could indeed lead to
  organized fraud.  For example, I recall a former North Carolina resident
  telling me that when he returned to NC after many years of voting as a
  resident of California, he went to register again in NC.  He was informed
  that not only was he *still* registered — he was recorded as having voted
  in every election (while he was voting in California)!  PGN]
