The RISKS Digest
Volume 25 Issue 38

Tuesday, 14th October 2008

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Please try the URL privacy information feature enabled by clicking the flashlight icon above. This will reveal two icons after each link the body of the digest. The shield takes you to a breakdown of Terms of Service for the site - however only a small number of sites are covered at the moment. The flashlight take you to an analysis of the various trackers etc. that the linked site delivers. Please let the website maintainer know if you find this useful or not. As a RISKS reader, you will probably not be surprised by what is revealed…


Investigator: Computer likely caused Qantas plunge
Paul Saffo
Qantas A330 accident
Martyn Thomas
B-2 crash on takeoff
Ken Knowlton
Illinois high-speed trains
Jon Hilkevitch via David Lawver
D10T: National Debt Clock is out of digits
Mark Brader
Passport RFID attack: missing validation
Aaron Emigh via PGN
Missing hard drive "not encrypted" because it was "secure"
John Carlyle-Clarke
Russian researchers achieve 100-fold increase in WPA2 cracking speed
Monty Solomon
Defective news submission website
Steven M. Bellovin
Risks of a new laptop
Nick Brown
Researcher Liuba Belkin: Workers more prone to lie in e-mail
Monty Solomon
Thomas Crown escape, revisited
Peter Houppermans
Re: Sydney NS vs. Sydney NSW
Steve Schafer
Oyster card hack details revealed
Gabe Goldberg
Re: Remarkable — United Airlines Stock
Russ Nelson
Info on RISKS (comp.risks)

Investigator: Computer likely caused Qantas plunge

<Paul Saffo <>>
Tue, 14 Oct 2008 07:55:32 -0700

  [Brings back memories of the early A320 accidents caused in part by a
  stubborn fly-by-wire system... -p]

Investigator: Computer likely caused Qantas plunge
Rod McGuirk, Associated Press, 14 Oct 2008

A faulty computer unit likely caused a Qantas jetliner to experience two
terrifying midair plunges within minutes last week.  More than 40 people
were injured when the Airbus A330-300 briefly nose-dived twice during a
flight from Singapore to the western Australian city of Perth last Tuesday.

Julian Walsh, chief air investigator at the Australian Transport Safety
Bureau, said an initial investigation indicated the cause was a computer
unit that detects through sensors the angle of the plane against the
airstream. He said one of the plane's three such units malfunctioned and
sent the wrong data to the main flight computers.

The flight data recorder indicated the plane, carrying 303 passengers and 10
crew, climbed about 200 feet from its cruising level of 37,000 feet and then
went into a nose-dive, dropping about 650 feet in 20 seconds, before
returning to cruising level, the safety bureau said last week. The sharp
drop was quickly followed by a second of about 400 feet in 16 seconds.

  [The Air Data Inertial Reference Unit (ADIRU) was sending "erroneous,
  spike" data to the Flight Control Primary Computers ("PRIM", comparable to
  the A320's ELACs), which event disconnected the autopilot.  A short while
  later the ADIRU sent "very high, random, incorrect" values to the PRIM,
  causing a pitch-down command. The same occurred again another short while
  later.  See the ASTB press release:
  Incidentally, early suspicions centered on air turbulence, which were
  incorrect.  I have disregarded many of the earlier postings from RISKS
  readers, but thank you for them.  PGN]

The problem is the latest in a series of malfunctions and near-misses for
Australia's flagship carrier in recent weeks.

Australian authorities are still investigating an explosion aboard a Qantas
747-400 aircraft carrying 365 people over the South China Sea in July that
ripped a hole in the fuselage. That explosion caused rapid loss of pressure
in the passenger cabin but no one was injured.

Walsh said the French manufacturer Airbus had notified all operators of A330
and A340 aircraft, which are equipped with the same sensors, about how crews
should respond to such a malfunction.  But aircraft are unlikely to be
grounded over a malfunction that had never happened before, he said.  "It is
probably unlikely that there will be a recurrence, but obviously we won't
dismiss that," Walsh told reporters, saying they would investigate the
problem further.

The faulty unit will be sent to the U.S. component manufacturer for testing,
he said. A report on the accident is to be released next month.  Qantas said
the preliminary findings showed that the fault lay with the manufacturer
rather than the airline.  "This is clearly a manufacturer's issue and we
will comply with the manufacturer's advice," the airline said in a

Qantas A330 accident

<Martyn Thomas <>>
Tue, 14 Oct 2008 14:44:11 +0100

The ATSB report raises a few questions:

* Why wasn't the fault in ADIRU 1 screened out by comparison with the other
  two ADIRUs?

* Why were "spikes" treated as valid input by the primary flight computers?

* Was the possibility of erroneous input to the primary flight computers
  from the ADIRU considered in the hazard analysis? If so, with what result?
  If not, why not?

The pilots deserve credit for their prompt recovery.

Martyn Thomas CBE FREng

B-2 crash on takeoff (Bob Charette, Re: RISKS-25.19)

<Ken Knowlton <>>
Mon, 13 Oct 2008 16:28:36 EDT

  [Bob Charette's item amplifies what was summarized in Paul Saffo's item in
  RISKS-25.19, and is included here for archival purposes.  Bob is a
  well-known authority on risk analysis, but has not been a regular RISKS
  contributor.  PGN]

Bad Data into Computers Caused B-2 Crash
Posted to *IEEE Spectrum* online by Robert Charette on June 9, 2008 5:00  AM

The US Air Force reported that the February crash on take-off of the $1.4
billion B-2 stealth bomber called the Spirit of Kansas was caused by
moisture interfering with the operations of 3 of the aircraft's 24 air
pressure sensors. The sensors were all on the port side of the aircraft. The
moisture problem was found to skew the data being fed into the aircraft's
flight control computers.

According to news reports, "The aircraft crew believed the bomber had
reached the takeoff speed of 140 knots when in reality it was traveling ten
knots slower and rotated for takeoff. The misfunction also meant that the
sensors showed the plane to be in a nose down position, causing it to
command a high level of pitch, around 30 degrees. This, combined with the
low takeoff speed, caused the aircraft to stall and veer to the left."

The pilot and co-pilot ejected successfully, although the co-pilot was hurt.

What the Air Force noted was that the crash could have prevented by more
effective risk communications.

Again, according to the story, "The vulnerability of the sensors to moisture
was first detected by air crews and maintenance staff in 2006, at which time
it was discovered that turning on the 500 degree pitot heat prior to sensor
calibration would evaporate the water and cause a return to normal readings.
However, this was never formally noted and so the pilots of the aircraft
were unaware of the potential problem or its solution."

In fact, another B-2 had to abort a takeoff at the same base because of the
same problem apparently last year, but the pilots of the B-2 that crashed
hadn't been briefed about it.

On a personal side, the B-2 belong to the 509th bomb wing, my old outfit. I
was an avionics tech back in the early 1970s, and I find it strange that the
problems with the sensors were not logged, nor that when an abort happened,
the causes were not formally briefed. I also find it interesting that the
information about heating the pitot at the very least wasn't informally
spread among the very small B-2 pilot community. If memory serves me
correctly, the problem back when I was in the Air Force was that pilots
complained about everything - even if a system worked as designed but didn't
work the way they wanted it to - on their aircraft during after-flight
debriefs, which were all noted, filed, cataloged and analyzed. No issue was
too small not to make note of.

Illinois high-speed trains

<David Lawver <>>
Thu, 2 Oct 2008 15:41:46 -0500

Jon Hilkevitch, *Chicago Tribune*, 1 Oct 2008

Improvement in train-control mechanisms on the corridor through Illinois to
St. Louis will give Amtrak engineers precise information in the locomotive
cab that reinforces what the signals along the tracks are saying and
indicates track conditions ahead.  For instance, sensors indicating that
gates and warning lights are operating properly at railroad crossings and no
vehicles are blocking the tracks will enable approaching trains to maintain
top speeds through the crossings, officials said.

The system is considered fail-safe, even at high speeds. If an engineer
violates the signals, the system will stop the train.  The new signal system
is being installed on about 25 miles of track, from Joliet to Mazonia, to
improve the safety and reliability of passenger service, according to the
Federal Railroad Administration.

The improved technology will also boost train speeds from 79 m.p.h. to 110
mph on sections of 118 miles of track between Mazonia and Ridgely, near

  [And we know this fail-safe system is implemented by computers, of course,
  so we all feel reassured that Nothing Can Go Wrong.]

Full article at:,0,7784079.story

David Lawver, UW-Madison DoIT/SNCC-SM    Operational Process Coordinator
1-608/262-8159  3108 CS&S

D10T: National Debt Clock is out of digits

< (Mark Brader)>
Wed, 8 Oct 2008 13:21:09 -0400 (EDT)

[Search Google News for "debt clock".]

  In a sign of the times, the National Debt Clock in New York has run out of
  digits to record the growing figure.  The government's current debt at
  about 10.2 trillion dollars.  The organisation that runs the sign said it
  plans to update it next year by adding two digits to make it capable of
  tracking debt up to a quadrillion dollars.

[Mark added subsequently:]

Say, if this is the first time this has happened, does that make it 1D10T? :-)

Passport RFID attack: missing validation (Aaron Emigh)

<"Peter G. Neumann" <>>
Sat, 11 Oct 2008 19:31:26 PDT

  [Aaron Emigh sent me an article that discusses generally the issue of
  the absence of validation of 35 out of 45 countries' public keys used
  to validate data in RFID passport chips.
  (Note: The PKD participants' list [1] lists only nine participants:
  Australia, Canada, Germany, Japan, New Zealand, Singapore, Korea, the UK,
  and the USA.  Either the reported number is incorrect, or another country
  has begun participating since the list was published in April of this

The ICAO seems to understand the issue; the PKD's 2007 report [2] states
"The business case for validating ePassports is compelling: border control
authorities can confirm that the document held by the traveler: was issued
by a bona fide authority, has not been subsequently altered, is not a copy."
In the ICAO PKD Procedures [3], it says (section 7.2): "The Country Signing
CA Certificate (Ccsca) must be disseminated by the Participant prior to
eMRTD [electronic machine readable travel document] issuance."  So it does
seem that this was understood, and that the way to enable validation of
ePassport data is to participate in the PKD.

The article implies that Secunet Golden Reader accepts self-signed certs
from countries that have not filed a Ccsca, and that this data could be
accepted by border patrol agents.  It would obviously seem a better choice
to force border personnel to validate the printed documents, where they
presumably have some expertise in rejecting fraudulent credentials, in lieu
of accepting any digital data that can't be validated.  Does anyone know
whether there are processes that capture a requirement for manual review for
non-PKD-participating countries' passports?  I don't have a copy of ICAO


Missing hard drive "not encrypted" because it was "secure"

<John Carlyle-Clarke <>>
Mon, 13 Oct 2008 22:57:34 +0100

This form of story is becoming depressingly familiar at the moment in the UK
to the point where numbness is setting in.

  "Up to 1.7m people's data missing.  A missing computer hard drive may
  have contained details of 1.7 million people who had enquired about
  joining the armed forces, the government has said."

What made this story stand out for me was a quote in it from EDS, via Bob
Ainsworth, the government minister with responsibility.  They said:

  "EDS assesses that it is unlikely that the device was encrypted because it
  was stored within a secure site that exceeded the standards necessary for
  restricted information."

To paraphrase: there was no way this could go missing, so we didn't bother
to encrypt it.

Russian researchers achieve 100-fold increase in WPA2 cracking speed

<Monty Solomon <>>
Sun, 12 Oct 2008 18:21:47 -0400

Russian security company Elcomsoft posted a press release on 12 Oct 2008
detailing a new method to crack WPA and WPA2 keys:

  With the latest version of Elcomsoft Distributed Password Recovery, it is
  now possible to crack WPA and WPA2 protection on Wi-Fi networks up to 100
  times quicker with the use of massively parallel computational power of
  the newest NVIDIA chips. Elcomsoft Distributed Password Recovery only
  needs a few packets intercepted in order to perform the attack. ...

Defective news submission website

<"Steven M. Bellovin" <>>
Mon, 6 Oct 2008 10:31:22 -0400

My department is hosting a distinguished lecturer, so I went to the
university web site for submitting important campus news items.  I described
the talk and the speaker, clicked submit — and was presented with a request
to log in with my university login and password.  A bit odd, I thought, but
perhaps not unreasonable — maybe only faculty can submit news items.  So I
logged in — and got a web form for administering database access control
lists and tables...

This would be Just Another Buggy Web site, but there's one final detail
that elevates this incident to a classic: the distinguished lecturer is
Peter Neumann...

Steve Bellovin,

  [Very amusing.  My talk was given one-half hour after Steve sent that
  message, on Integrity of Elections.  I suppose examples of voting machines
  (and ATMs) showing a blue screen of death or an operating system login
  prompt would also tickle Steve's fancy.  PGN]

Risks of a new laptop

<Nick Brown <>>
Thu, 9 Oct 2008 13:36:02 +0200

I've just received a flyer from Dell which, among other things, describes a
whole range of new services for which I can sign up when I buy a new PC.

1. "Recovering your data".  For 60 Euros, during 3 years, Dell will "help me
  recover my data following flood, fire, or other incident".  No indication
  is given of how likely this is to by physically possible, nor exactly how
  much effort Dell will put into this before declaring my disk to be dead.
  I'll still be making my own backups, thanks.

2. "Tracking down your stolen laptop" (55 Euros).  If, during the first 3
  years, my laptop is stolen and connected to the Internet, "its location
  can be determined" and "local law enforcement agencies will help you get
  it back".  I'd be interested in seeing Dell's worldwide agreement with
  "local law enforcement agencies", and what the penalty clauses are if said
  agencies fail to return my laptop.  I'd also be interested to know what
  other mechanisms Dell has planned to track where my laptop was used
  *before* I reported it stolen.  Naturally, we will be assured that "strict
  safeguards are in place to stop this happening".  (I'd be interested to
  know how this works... do they use some form of ID built into the CPU, or
  is there an open port on the firewall, or are the MAC addresses of the
  network cards - Ethernet and WiFi - piggybacked into network packets in
  some way?)

3. (The best one) "Formatting your data remotely" (70 Euros).  Note that I'm
  translating from French here; what I presume they mean is "formatting your
  disk [partitions] remotely", not some service whereby they right-justify
  your paragraphs for you.  The description of the service is breathtaking:
  "Dell can remotely format (sic) your sensitive data if your PC is lost or
  stolen.  Your critical data will not fall into the wrong hands".

Wow.  So if I buy this service (and probably, even more worryingly, if I
don't), my Dell laptop will have software on it which will listen for a
message from the mother ship which will tell it to "format the data".

The RISKs are beyond enumeration, but let's start with:
- If your PC is stolen and the thief is sufficiently clever to backup
  the data before connecting it to the Internet, then not only does she
  have all your data, but you might naively think she doesn't.
- If the guy I met at the airport last week, to whom I lent my laptop
  for a minute so he could check his webmail after we swapped business
  cards, happened to note the service tag of the PC, and it turns out that
  he works for a rival company, he will likely have all the info he needs
  to ensure that I have a very bad day.
- If Joe in Cincinnati calls Dell to say his laptop has been stolen, and
  his serial tag is off by one from mine, and someone presses the wrong
  key in the mother ship, how much is Dell's liability for my data?

However, all (data) may not be lost.  Because Dell also offers:

4. "Certified data destruction" (18 Euros).  When the time comes to get a
  new PC, Dell will take my old one and guarantee the secure destruction of
  all the data on the hard drive, and recycle its components.  So apparently
  a simple format (remote or otherwise) isn't enough to keep your data out
  of the hands of the bad guys.  I'm confused.  I would also be very
  interested to have a list of people who are so serious about the need for
  their data to be securely destroyed, that they are prepared to pay in
  advance for it.  I wonder if a disgruntled former call-center employee
  might sell me that data?  No, surely not.  And the people in charge of
  actually destroying the data wouldn't take a copy, either.

Nick Brown, Strasbourg, France.

Researcher Liuba Belkin: Workers more prone to lie in e-mail

<Monty Solomon <>>
Fri, 10 Oct 2008 08:48:03 -0400

In two studies co-authored by Lehigh's Liuba Belkin, people using e-mail
lied almost 50 percent more often than those using pen-and-paper.  Workers
are significantly more likely to lie in e-mail messages than in traditional
pen-and-paper communications, according to two new studies co-authored by
Lehigh's Liuba Belkin.

More surprising is that people actually feel justified when lying using
e-mail, the studies show.  "There is a growing concern in the workplace over
e-mail communications, and it comes down to trust," says Belkin, an
assistant professor of management in the College of Business and
Economics. "You're not afforded the luxury of seeing non-verbal and
behavioral cues over e-mail. And in an organizational context, that leaves a
lot of room for misinterpretation and, as we saw in our study, intentional

The results of the studies are reported in the paper, "Being Honest Online:
The Finer Points of Lying in Online Ultimatum Bargaining."  Belkin and her
co-authors-Terri Kurtzberg of Rutgers University and Charles Naquin of
DePaul University-presented their findings at the annual meeting of the
Academy of Management held in August. ...

Thomas Crown escape, revisited

<Peter Houppermans <>>
Fri, 3 Oct 2008 13:26:43 +0200 (CEST)

A crafty bank robber in America made a Thomas Crown style escape from the
scene of his crime by recruiting a crowd of unsuspecting identically-dressed
accomplices on the Internet. reports that the well-organised
villain struck as an armoured van was picking up cash from the a Bank of
America branch in Monroe, Washington.  Wearing a dust mask, safety goggles,
dayglo vest and a blue shirt, he pepper-sprayed a security guard and grabbed
a bag of cash before fleeing briskly.

Responding plods were hampered in their pursuit by the fact that a dozen
other dayglo-vested, masked, goggled and blue-shirted men had congregated in
the vicinity — just as the legion of bowler-hatted suits assembled in New
York's Metropolitan Museum in the latest Thomas Crown film [to?]  fatally
embugger the authorities' efforts to bracelet the eponymous billionaire

In this case, it appears that the anonymous miscreant recruited his
unsuspecting dupes on Craigslist.  ...
[Source: The Register, 3 Oct 2008.  The rest of the story is good too.  PGN]

Re: Sydney NS vs. Sydney NSW (25.36)

<Steve Schafer <>>
Fri, 03 Oct 2008 09:41:06 -0400

I live in Athens, Ohio. One of the local newspapers is the *Athens News*
( As it turns out, there is also an
English-language *Athens News* in the other Athens

Not surprisingly, electronic correspondence intended for one *Athens News*
sometimes ends up at the other. This happened in July, with a letter
mistakenly sent to our local *Athens News*. The editor decided to print it

This set off a chain of events that eventually led to a successful
trans-Atlantic resolution of the situation:

I am also reminded of when, several years ago, I was walking past the gates
at Dallas-Fort Worth International Airport, I noticed that American Airlines
flights to "San Jose CA" and "San Jose CR" were departing from adjacent
gates. The scheduled departure times were less than two hours apart.

Oyster card hack details revealed (Re: RISKS-25.22,24)

<Gabe Goldberg <>>
Tue, 07 Oct 2008 10:43:53 -0400

The Oyster card is used on London's travel network.  Details of how to hack
one of the world's most popular smartcards have been published online.  The
research by Professor Bart Jacobs and colleagues at Radboud University in
Holland reveals a weakness in the widely used Mifare Classic RFID chip.
This is used in building entry systems and is embedded in the Oyster card
used on London's transport network.  Publication of the research was delayed
by legal action taken by the chip's manufacturer.

Paper chase

Prof Jacobs and his team first identified the vulnerability in a research
paper that was due to be published in March 2008.  However, the release of
the article was delayed after chip manufacturer NXP attempted to secure a
court injunction against its publication.  The paper was finally released on
Monday at the European Symposium on Research in Computer Security (Esorics)
2008 security conference held in Malaga, Spain.

Sensitive data stored on the Mifare Classic chip is protected by a unique
number that acts as a key. When the chip, or a card bearing it, is placed
near a reader it transmits and receives information based on its key. The
security of the system depends on the key remaining secret.  [Source: Peter
Price, BBC]

Re: Remarkable — United Airlines Stock

<Russ Nelson <>>
October 1, 2008 8:27:02 PM EDT

  [From Dave Farber's IP group.  PGN]

> PGN wrote (see RISKS-25.37) : blames "Erroneous
> trades" routed to Nasdaq sent Google shares tumbling.  Shares rebounded in
> after-hours trading to $413.06.

It's not necessarily erroneous trades.  A number of stockholders will have a
stop on their shares, so that they automatically sell if the price drops
below a certain amount, typically 10% or whatever they think is outside the
normal day's range of stock trading.

Other people are interested in buying the stock once its price climbs out of
its normal range.  There's a whole theory ("technical trading") which tries
to predict what is normal, and when a stock is going to exceed its normal
price range.  They have set a limit on the price they're willing to buy.
When the price goes above that, they buy the stock.

Sometime mean people will buy a bunch of shares of a stock, then sell them
all at once.  Depending on market conditions, they can depress the price of
the stock enough to hit people's stops, at which point they sell, which
drives the price down further, and further.  The mean people then buy all
the stock back (which takes a lot of cash, obviously), which sends the price
of the stock zooming.

If they're lucky, again, they'll send the price up so high that they'll
start to hit limits, and more and more people will buy the stock.  The mean
people are happy to sell the stock to them.

And when all of this winds down and the price returns to approximately its
original value, both the people with stops and limits are screwed and the
mean people make a lot of money.  Sounds like NASDAQ saw that happen, and
undid it.  Usually the effect is small and the mean people get away with it.

--my blog is at
521 Pleasant Valley Rd. Potsdam, NY 13676-3213  +1 315-323-1241

IP Archives:

Please report problems with the web pages to the maintainer