The RISKS Digest
Volume 25 Issue 41

Thursday, 23rd October 2008

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator



Re: Computer likely caused Qantas plunge
Peter Bernard Ladkin
Dag-Erling Smørgrav
Guy Dawson
Chris Kuan
U.S. Government to Take Over Airline Passenger Vetting
IEEE Spectrum review process upgrade curiosity
Dan Wallach's report on a vote-flipping examination
Deceptive practices in elections
Straight Party Voting Issues
Leonard Finegold
GAO report on Social Security Numbers
Re: More Password Reset Procedures
Ralph Jacobs
Re: Amazon e-mail accounts
Dimitri Maziuk
Klaus Johannes Rusch
2 of 3 navigational devices functioning
Daniel P. B. Smith
Info on RISKS (comp.risks)

<Peter Bernard Ladkin <>>
Wed, 22 Oct 2008 10:48:19 +0200

Re: Rieden and Garret (RISKS-25.40)

I don't think it helps to suggest that the manoeuvre would be something
passengers are "unlikely to have noticed" (Rieden) or "typical" (Garret).
It's not the vertical speed that mattered, it is the acceleration used to
get there.

The vertical acceleration was -0.8g according to the Airbus
All-Operators-Telex, enough to throw unbelted people against the ceiling
(but with not quite their full weight) and 14 people were injured seriously
enough to be transported by medical helicopter to hospital. The ATSB has
classified it as an accident. Their preliminary report is on their WWW site.

It was more than a "terrifying plunge", it was one sufficient to break
people's bones.

Peter Bernard Ladkin, Causalis Limited and University of Bielefeld

  [We received a slew of messages on this topic.  The following three are
  more or less representative of different key points.  PGN]

Re: Investigator: Computer likely caused Qantas plunge (RISKS-25.40)

<Dag-Erling Smørgrav <>>
Wed, 22 Oct 2008 12:02:35 +0200

> Rieden: Perhaps this should be re-titled "Risk of Inflammatory reporting".

Or perhaps "risk of becoming so cynical that you dismiss the story out of
hand instead of doing your own research and finding out that the reporter
left out a zero, and that more than forty passengers sustained injuries,
fifteen of them serious, in a 6,500-foot drop".

Dag-Erling Smørgrav -

Re: Computer likely caused Qantas plunge (RISKS-25.40)

<Guy Dawson <>>
Wed, 22 Oct 2008 13:30:40 +0100

What does not appear to be considered is that descent during the 20 seconds
may not have been linear. There may have been an initial rapid descent
followed by a recovery phase.

I know that if I were sitting in my airliner seat and suddenly found the
cabin seat coming down to meet me at 22mph I'd be pretty scared!

Guy Dawson, I.T. Systems Manager, Crossflight Ltd

Re: Computer likely caused Qantas plunge (RISKS-25.40)

<Chris Kuan <>>
Thu, 23 Oct 2008 08:54:01 +1000

In reply to both Peter and Ron, it seems that while misreporting is to blame
here, it is merely vaguely imprecise rather than deliberately misleading.

At a press conference, the Australian Transport Safety Bureau played an
animation of the incident — based on recorded flight data.  It clearly
shows that while the entire incident lasted about 20 seconds, the most
severe event was a change in the aircraft's pitch from +2.1 degrees to -8.3
degrees over a period of approximately 1 second.

U.S. Government to Take Over Airline Passenger Vetting

<"Peter G. Neumann" <>>
Thu, 23 Oct 2008 10:19:42 PDT

  [RISKS has previously reported on the overly aggressive name matching in
  use of the no-fly list (e.g. David Nelson and Senator Kennedy, RISKS-22.80
  22.81, 25.15).  This might minimize those problems.  However, any error in
  the databases used for matching may now be even more difficult to surmount
  in time to catch your plane.]

The Department of Homeland Security will take over responsibility for
checking airline passenger names against government watch lists beginning in
January, and will require travelers for the first time to provide their full
name, birth date and gender as a condition for boarding commercial flights,
U.S. officials said Wednesday.  Security officials say the additional
personal information — which will be given to airlines to forward to the
federal agency in charge — will dramatically cut down on cases of mistaken
identity, in which people with names similar to those on watch lists are
wrongly barred or delayed from flights.

The changes, to be phased in next year, will apply to 2 million daily
passengers aboard all domestic flights and international flights to, from or
over the United States. By transferring the screening duty from the airlines
to the federal government, the Secure Flight program marks the Bush
administration's long-delayed fulfillment of a top aviation security
priority after the Sept. 11, 2001, terrorist attacks.

Homeland Security Secretary Michael Chertoff and Transportation Security
Administration (TSA) chief Kip Hawley said yesterday that, except in rare
situations, passengers who do not provide the additional information will
not be given boarding passes.

... DHS has received more than 43,500 requests for redress since February
2007 and has completed 24,000 of them, with the rest under review or
awaiting more documentation, TSA spokesman Christopher White said.  But the
number of people who actually match the names on the watch lists is
minuscule, officials acknowledged. On average, DHS screeners discover a
person who is actually on the no-fly list about once a month, usually
overseas, and actual selectees daily, Hawley said.

To bolster their case for the new program, U.S. officials for their first
time disclosed that the no-fly list includes fewer than 2,500 individuals
and the selectee list fewer than 16,000. Ten percent of those named on the
no-fly list and fewer than half on the selectee list are U.S. citizens,
Chertoff said.  [Source: Spencer S. Hsu, *The Washington Post*, 23 Oct 2008;

  [Of course, if the TSA database information is as riddled with errors and
  other variations as are the voter registration databases, the employment
  eligibility verification databases, and so on, there will still be many
  false positives on would-be fliers.]

IEEE Spectrum review process upgrade curiosity

<"Peter G. Neumann" <>>
Wed, 22 Oct 2008 11:36:02 PDT

I just received a note saying that my review of a submitted paper that was
due on 22 Nov 2006 was now overdue.  To make matters worse, when I tried to
bring up the details on their website, my browser found itself in an
infinite loop.  I clearly thought I had submitted my evaluation two years
ago, and queried Elizabeth Bretz — who does an excellent job overseeing the
review process.  This is her response:

  ``Peter — no worries.  They upgraded the peer review system, and a queue
  of old papers suddenly sprang to life. There's no need for you to do
  anything, except disregard the e-mails.  Apologies for the interruption
  and aggravation.  Elizabeth''

As the RISKS graybeard, I feel Upgrayeded by just one more example of an
upgrade that did not work as expected.

Dan Wallach's report on a vote-flipping examination

<"Peter G. Neumann" <>>
Thu, 23 Oct 2008 10:17:59 PDT

See Dan Wallach's analysis of vote-flipping in the Hart Intercivic e-slate

Deceptive practices in elections

<"Peter G. Neumann" <>>
Tue, 21 Oct 2008 10:40:50 PDT

Remember that many of the problems with elections are not directly related
to the voting systems themselves.  For example, two reports were released
yesterday that should be of interest to those of you who are not fed up with
risks in voting, relating to deceptive campaign practices:

E-Deceptive Campaign Practices
Electronic Privacy Information Center and The Century Foundation
20 Oct 2008

Deceptive Practices 2.0: Legal and Policy Responses
Common Cause, The Lawyers Committee for Civil Rights under Law,
and the Century Foundation
20 Oct 2008

Straight Party Voting Issues

<Leonard Finegold <>>
Tue, 21 Oct 2008 17:34:47 -0400

  [This is forwarded by Leonard from someone else, who says:] Lest any of
  you think this is a hoax, i just checked and it is verified as TRUE on
  Snopes-- <> Unbelievable!  I
  rarely like to pass on stuff but this one i encourage everyone to pass on
  to EVERYONE so we don't have another 8 years of DISASTER. just got this
  from a friend of mine, pass it on:

"Straight Party Voting" Trap.  Here are the details and what to do about it:

THE PROBLEM: "Straight party voting" on voting machines is revealing a bad
pattern of miscounting and omitting your vote, especially if you are a
Democrat.  Most recently (Oct. 2008), a firm called Automated Election
Services was found to have miscoded the system in heavily Democratic Santa
Fe County, New Mexico such that straight party voters would not have their
presidential votes counted.

STRAIGHT PARTY VOTING is allowed in 15 states. Basically, it means that you
can take a shortcut to actually looking at who you are voting for and
instead just select a party preference. Then the voting machine makes your
candidate choices, supposedly for the party you requested.

HOW TO PROTECT THE COUNT against the Straight Party Vote trap:

computer as to your party preference and allows software code to trigger
whatever function the programmer has designed.

toot it out there to get the word out.

which have straight party voting options:
  Alabama, Indiana, Iowa, Kentucky, Michigan, New Mexico, North Carolina,
  Oklahoma, Pennsylvania, Rhode Island, South Carolina, Texas, Utah, West
  Virginia, Wisconsin


5) LOOK FOR UNDERVOTES (high profile races with lower-than-average number of
votes cast) and flag them, post them, bring them to the attention of others
for additional scrutiny.

Voting machine miscounts of straight party votes were proven by California
researcher Judy Alter in the 2004 New Mexico presidential election; in
Alabama Democrat straight party votes were caught going to a Republican, and
Wisconsin a whole slew of straight party votes disappeared altogether. Both
DRE and optical scan machines are vulnerable. Private contractors are
involved; private firms like LHS Associates, Automated Election Services,
Harp Enterprises, Casto & Harris and others will program almost all systems
in the USA this November. ES&S scanners were involved in examples cited, but
Diebold has also issued a cryptic Product Advisory Notice in 2006 about
unexpected results from certain Straight Party option programming practices.

  [Incidentally, I wandered into a voting station in Vancouver, Canada, a
  couple of weeks ago.  They use paper ballots; I asked if they're counted
  manually, reply "you bet ".  They handled more people much more
  expeditiously than in my PA, USA station, 'cos we have only a couple of
  voting machines, and they had effectively lots more, and simpler
  ones...aka ballot boxes.  And results were available certainly by next
  morning (and prob. earlier).  LF]

Leonard X. Finegold, Physics, Drexel University, 3141 Chestnut Street
Phila. PA 19104  1-215.895.2740
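
The undervote check in item 5 above, as an added example that is not part of the forwarded message: it flags precincts whose top-race undervote rate is far above the median and marks those where the missing votes roughly equal the number of straight-party ballots, the pattern the Santa Fe County miscoding described above would produce. The precinct figures are constructed, and the function name and thresholds are assumptions.

```python
from statistics import median

# Constructed sample data, not real returns:
# (precinct, ballots_cast, straight_party_ballots, presidential_votes)
SAMPLE = [
    ("P-01", 1200, 400, 1188),
    ("P-02",  950, 310,  941),
    ("P-03", 1100, 380,  728),   # loses roughly one vote per straight-party ballot
    ("P-04",  800, 250,  790),
    ("P-05", 1300, 450, 1170),   # high undervote, but not the straight-party pattern
]


def undervote_report(rows, factor=3.0, floor=0.02, match_tol=0.05):
    """Flag precincts with an unusually high undervote in the top race.

    A precinct is flagged when its undervote rate exceeds both `floor` and
    `factor` times the median rate. For each flagged precinct the third
    field says whether the undervote count is within `match_tol` of the
    straight-party ballot count, which points at the straight-party
    option rather than at voters skipping the race.
    """
    rates = {}
    for precinct, ballots, straight, votes in rows:
        if ballots <= 0 or not 0 <= votes <= ballots or not 0 <= straight <= ballots:
            # More votes than ballots is a data or tabulation error in itself.
            raise ValueError(f"inconsistent totals for {precinct}")
        rates[precinct] = (ballots - votes) / ballots

    cutoff = max(median(rates.values()) * factor, floor)

    flagged = []
    for precinct, ballots, straight, votes in rows:
        if rates[precinct] <= cutoff:
            continue
        undervotes = ballots - votes
        straight_like = straight > 0 and abs(undervotes - straight) <= match_tol * straight
        flagged.append((precinct, round(rates[precinct], 3), straight_like))
    return flagged


if __name__ == "__main__":
    for precinct, rate, straight_like in undervote_report(SAMPLE):
        note = "matches straight-party count" if straight_like else "other cause"
        print(f"{precinct}: undervote rate {rate:.1%} ({note})")
```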

GAO report on Social Security Numbers

<"Peter G. Neumann" <>>
Wed, 22 Oct 2008 11:42:02 PDT

Social Security Numbers Are Widely Available in Bulk and Online
  Records, but Changes to Enhance Security Are Occurring
GAO-08-1009R September 19, 2008

Various public records in the United States contain Social Security numbers
(SSN) and other personal identifying information that could be used to
commit fraud and identity theft. For the purposes of this report, public
records are generally defined as government agency-held records made
available to the public in their entirety for inspection, such as property
and court records. Although public records were traditionally accessed
locally in county courthouses and government records centers, public record
keepers in some states and localities have more recently been maintaining
electronic images of their records. In electronic format, records can be
made available through the Internet or easily transferred to other parties
in bulk quantities. Although we previously reported on the types of public
records that contain SSNs and access to those records, less is known about
the extent to which public records containing personal identifying
information such as SSNs are made available to private third parties through
bulk sales. In light of these developments, you asked us to examine (1) to
what extent, for what reasons, and to whom are public records that may
contain SSNs available for bulk purchase and online, and (2) what measures
have been taken to protect SSNs that may be contained in these records. To
answer these questions, we collected and analyzed information from a variety
of sources.  Specifically, we conducted a survey of county record keepers on
the extent and reasons for which they make records available in bulk or
online, the types of records that they make available, and the types of
entities (e.g., private businesses or individuals) that obtain their
records. We focused on county record keepers because, in scoping our review,
we determined that records with SSNs are most likely to be made available in
bulk or online at the county level. We surveyed a sample of 247
counties--including the 97 largest counties by population and a random
sample of 150 of the remaining counties, received responses from 89 percent,
and used this information to generate national estimates to the extent
possible. Our survey covered 45 states and the District of Columbia,
excluding five states where recording of documents is not performed at the
county level (Alaska, Connecticut, Hawaii, Rhode Island, and Vermont). We
used the information gathered in this survey to calculate estimates about
the entire population of county record keepers.

Many counties make public records that may contain Social Security numbers
(SSNs) available in bulk to businesses and individuals in response to state
open records laws, and also because private companies often request access
to these records to support their business operations. Our sample allows us
to estimate that 85 percent of the largest counties make records with full
or partial SSNs available in bulk or online, while smaller counties are
less likely to do so (41 percent). According to county officials and
businesses we interviewed, SSNs are generally found in certain types of
records such as property liens and appear relatively infrequently. However,
because millions of records are available, many SSNs may be displayed.
Counties in our survey cited state laws as the primary reason for making
records available, and requests from companies may also drive availability,
as several told us they need bulk records to support their business
models. Counties generally do not control how records are used. Of counties
that make records available in bulk or online, only about 16 percent place
any restrictions on the types of entities that can obtain these records. We
found that title companies are the most frequent recipients of these
records, but others such as mortgage companies and data resellers that
collect and aggregate personal information often obtain records as
well. Private companies we interviewed told us they obtain records to help
them conduct their business, including using SSNs as a unique
identifier. For example, a title company or data reseller may use the SSN to
ensure that a lien is associated with the correct individual, given that
many people have the same name. Information from these records may also be
used by companies to build and maintain databases or resold to other
businesses. Businesses we contacted told us they have various safeguards in
place to secure information they obtain from public records, including
computer systems that restrict employees' access to records. In some cases,
information from these public records is sent overseas for processing, a
practice referred to as offshoring. We were not able to determine the extent
of offshoring, but both record keepers and large companies that obtain
records in bulk told us that it is a common practice. In the course of our
work, we found that public records data are commonly sent to at least two
countries--India and the Philippines. State and local governments, as well
as the federal government, are taking various actions to safeguard SSNs in
public records, but these actions are a recent phenomenon. Based on our
survey, we estimate that about 12 percent of counties have completed
redacting or truncating SSNs that are in public records-- that is, removing
the full SSN from display or showing only part of it--and another 26 percent
are in the process of doing so. Some are responding to state laws requiring
redaction or truncation, but others have acted on their own based on
concerns about the potential for identity theft. For example, California and
Florida recently passed laws that require record keepers to truncate or
redact SSNs in their publicly available documents, while one clerk in Texas
told us that in response to public concern about the vulnerability of SSNs
to misuse, the county is redacting SSNs from records on its own
initiative. In recent years, 25 states have enacted some form of statutory
restriction on displaying SSNs in public records. Some states have also
enacted laws allowing individuals to request that their SSNs be removed from
certain records such as military discharge papers.
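
The redaction and truncation the report describes ("removing the full SSN from display or showing only part of it"), as an added example that is not from the GAO report: a scrubber for record text that skips structurally impossible numbers and treats a bare nine-digit run as an SSN only when a label precedes it. The sample records, the function names and the 30-character label window are assumptions made for the example.

```python
import re

# SSN-shaped token: 3-2-4 digits with matching "-" or " " separators, or a bare
# 9-digit run, not embedded in a longer digit/hyphen sequence.
SSN_RE = re.compile(r"(?<![\d-])(\d{3})([- ]?)(\d{2})\2(\d{4})(?![\d-])")
# A bare 9-digit run is ambiguous (instrument or account numbers), so it is only
# treated as an SSN when a label appears shortly before it (assumed window).
LABEL_RE = re.compile(r"SSN|SS#|social\s+security", re.IGNORECASE)
LABEL_WINDOW = 30

# Constructed sample records; none of these values come from a real document.
SAMPLE_RECORDS = [
    "Federal tax lien, debtor JOHN Q SAMPLE, SSN 123-45-6789, recorded 2008-09-19",
    "Instrument no. 200812345 releases the lien recorded in book 1042",
    "Military discharge; Social Security No: 111223333",
    "Contact clerk at 215-555-0100; test value 000-12-3456 is not an SSN",
]


def plausible_ssn(area, group, serial):
    """Structural rules: area 000, 666 and 900-999, group 00 and serial 0000 are never issued."""
    if area in ("000", "666") or area.startswith("9"):
        return False
    return group != "00" and serial != "0000"


def scrub(text, mode="truncate"):
    """Return (scrubbed_text, hits).

    mode="truncate" keeps only the last four digits; mode="redact" removes
    the number entirely.
    """
    if mode not in ("truncate", "redact"):
        raise ValueError("mode must be 'truncate' or 'redact'")
    hits = 0

    def repl(match):
        nonlocal hits
        area, sep, group, serial = match.groups()
        if not plausible_ssn(area, group, serial):
            return match.group(0)
        if sep == "":
            context = match.string[max(0, match.start() - LABEL_WINDOW):match.start()]
            if not LABEL_RE.search(context):
                return match.group(0)   # unlabelled 9-digit run: leave untouched
        hits += 1
        return "[SSN REDACTED]" if mode == "redact" else "XXX-XX-" + serial

    return SSN_RE.sub(repl, text), hits


if __name__ == "__main__":
    for record in SAMPLE_RECORDS:
        print(scrub(record))
```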

Re: More Password Reset Procedures

<"Ralph Jacobs" <>>
Tue, 21 Oct 2008 17:10:08 -0600

In response to the Civil Air Patrol example and the statement "This is YOUR
government at work, folks."...

The vast majority of the Civil Air Patrol is made up of volunteers.  The few
paid employees that exist work for CAP the non-profit corporation and are
not government employees.  That doesn't excuse any of the errors described
during the password reset process; just that they weren't committed by the
government in this case.

Re: Amazon e-mail accounts (Loughran, RISKS-25.39)

<Dimitri Maziuk <>>
Sat, 18 Oct 2008 13:49:33 -0500

> ... an Amazon user does not have a 1:1 mapping of e-mail->userID.

Counterpoint: back when PayPal was created, they came up with 1:1 mapping of
credit card number->userID. Guess how that works for people with joint bank

(OK, we're weird: my wife kept her maiden name and we don't have 8 credit
cards, we only have one. And has the same number for two different
cardholder names, unlike our one debit card. Still, we can't be the only two
people on the net with a joint visa account.)

I wonder if an analysis of my wife's PayPal/Ebay purchase history would get
her diagnosed with multiple personality disorder...

Re: Amazon e-mail accounts (Loughran, RISKS-25.39)

<Klaus Johannes Rusch <>>
Sun, 19 Oct 2008 14:20:54 +0200

Amazon's approach to allow multiple accounts with the same e-mail address
has advantages when it comes to e-mail address changes. A customer returning
to Amazon years later can still login with the original account data,
getting access to purchase history, gift certificates, reviews etc. and
change the e-mail address from there even when another customer has used the
same e-mail address in the meantime. The downside is that a customer can
easily end up with multiple accounts, and merging those later requires
manual intervention by Amazon staff.

Klaus Johannes Rusch

2 of 3 navigational devices functioning

<"Daniel P. B. Smith" <>>
Sun, 19 Oct 2008 12:42:03 -0400

In RISKS-25.37, Mark F wrote: "I've been on commercial flights that weren't
permitted to take off because they had only 2 of 3 navigational devices

It was standard practice to equip sailing ships with three chronometers.
This requirement forms a pivot for the plot in *Michael, Brother of Jerry*,
a very bad and justly obscure 1915 novel by Jack London (better known for
*The Call of the Wild*). Here's a key passage (with ethnic slurs redacted).
(Needless to say the voyage ends in disaster due to the shipowner's
pennypinching ways).

"It's a pity," he would suggest to Captain Doane, "that you have only one
chronometer.  The entire fault may be with the chronometer.  Why did you
sail with only one chronometer?"

"But I WAS willing for two," the owner would defend.  "You know that,

The wheat-farmer would nod reluctantly and Captain would snap:

"But not for three chronometers."

"But if two was no better than one, as you said so yourself and as Grimshaw
will bear witness, then three was no better than two except for an expense."

"But if you only have two chronometers, how can you tell which has gone
wrong?" Captain Doane would demand.

"Search me," would come the pawnbroker's retort, accompanied by an
incredulous shrug of the shoulders.  "If you can't tell which is wrong of
two, then how much harder must it be to tell which is wrong of two dozen?
With only two, it's a fifty-fifty split that one or the other is wrong."

"But don't you realize--"

"I realize that it's all a great foolishness, all this highbrow stuff about
navigation.  I've got clerks fourteen years old in my offices that can
figure circles all around you and your navigation.  Ask them that if two
chronometers ain't better than one, then how can two thousand be better than
one?  And they'd answer quick, snap, like that, that if two dollars ain't
any better than one dollar, then two thousand dollars ain't any better than
one dollar.  That's common sense."
