The Risks Digest

The RISKS Digest

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Volume 25 Issue 43

Wednesday 29 October 2008


Driver hits NIPSCO pole; surge fries sewage treatment plant
Shawn Merdinger
Risks of escalating complexity: AA757 electrical power loss
David Lesher
Schlage BrightBlue wireless lock controllers
Shawn Merdinger
Computer screens out distress call from kidnap victim
David Tombs
Finnish E-Voting System Loses 2% of Votes
Pertti Huuskonen
Article on voting through American history
*The New Yorker* via Harlan Rosenthal
Poison-pill auto-disclosure for security vulnerabilities
Paul Robinson
They got us coming and going: tire monitoring
Paul Wexelblat
Holistic Systems
Pierre-Jacques Courtois
Twitter Jitters
Zachary Tumin
Info on RISKS (comp.risks)

Driver hits NIPSCO pole; surge fries sewage treatment plant

<"Shawn Merdinger" <>>
Tue, 28 Oct 2008 22:31:05 -0400

Kevin Nevers, Driver hits NIPSCO pole; surge fries sewage treatment plant

When a motorist, at approximately 12:11 a.m. on Sunday, struck a NIPSCO pole
on Woodlawn Ave. just west of North Eighth Street, he not only interrupted
electric service to the Chesterton wastewater treatment plant, he caused a
power surge which zapped into oblivion the whole of the plant's automated
computer system.    [Added note in archive copy: Chesterton, Indiana, USA]

Since early Sunday morning, Superintendent Steve Yagelski told the Town
Council at its meeting Monday night, operators have been working the plant
by hand, after the computer system known as SCADA -- tasked with running the
facility automatically -- was fried and failed.  Yagelski hastened to add
that no by-pass occurred, thanks to the fact that a backup alarm system not
connected to SCADA activated and alerted staffers.

One backup system which did not work, however, was the emergency power
supposed to be provided by two generators. Yagelski told the Chesterton
Tribune after the meeting that the surge was so powerful and comprehensive
that SCADA failed before it could send the activation message to that pair
of generators.  A NIPSCO crew subsequently got those emergency generators
running and then restored electric service to the plant as a whole. Now
Yagelski is performing triage, trying to assess the damage done to the most
critical components of the facility. "This is an unusual thing," he
said. "We lost the entire plant. Virtually every breaker in the facility was
blown and had to be re-set."

Yagelski expects the cost of replacing damaged computers and electronics to
be considerable. "I have no idea at this point what it will cost," he
said. "But I'm sure we're in the thousands of dollars."  Yagelski added that
he is "hopeful" that insurance -- the plant's or the motorist's -- will
reimburse at least part of the expense.  Until systems can be restored,
though, operators will continue to "walk the plant around the clock" to keep
it in operation.

Risks of escalating complexity: AA757 electrical power loss

<"David Lesher" <>>
Mon, 27 Oct 2008 11:27:36 -0400 (EDT)

On 22 Sept, 2008 a AA 757 diverted to ORD with an in-flight electrical
issue. It landed, not on the longest runway, skidding on locked brakes for
thousands of feet.  The pilot opted to angle off the runway near the end; I
assume seeking better braking action in sod. [It worked.]
There was a long delay in evacuation as the crew could not get the
engines to shut down (!?!?!).

The NTSB preliminary report is out, and it's got almost enough Risks to
fill a sequel to PGN's book by itself:

NTSB Identification: CHI08IA292

Greatly shortened, they had a "AIR/GRD SYS" alert message, consulted the
Quick Reference Handbook, changed to a standby power configuration and
continued. This configuration was battery powered, and they appear to have
thought from what the QRH said that the battery charger was still working.

It wasn't... and they later lost multiple systems, including some flight
controls, interphone, PA, antilock brakes, thrust reversers, spoilers, AND
engine shutdown controls.

An 747 & 757-qualified pilot for another carrier remarked that the
manuals have gotten simpler and simpler over the decades. While such is
inevitable given the orders-of-magnitude complexity difference between
say a 727's three paralleled generators, and the multiple power buses on
a 757 [They lost four buses out of many.] there is a price to pay -- "too
simple" is not better than too complex.

I have to wonder about external tech support. Boeing has a 24x365 support
center for in-flight problems, but in their previous strike, it was at
least impaired if not inoperative. Did the crew ask for help?

Schlage BrightBlue wireless lock controllers

<"Shawn Merdinger" <>>
Mon, 27 Oct 2008 03:18:48 -0400

... power panel with HTTP interface.  Oh, and Telnet is enabled by default
and not covered very deeply at all in the installation manual.

Computer screens out distress call from kidnap victim

<"David Tombs" <>>
Tue, 28 Oct 2008 21:57:22 +1000

This tragic case was reported in the UK press a couple of weeks ago.
Broadly, a teenage girl was abducted and later murdered. Under duress, she
secretly and very bravely called the 999 emergency number on her mobile,
hoping the operator would hear and understand the situation and organise a
rescue. Unfortunately there is a function in the emergency response software
to screen out and terminate calls where the caller does not speak clearly to
the operator within a given time, which is what happened here. A log of the
call was recovered later and the girl was obviously in distress.

The screening function is valuable in stopping accidental emergency calls
clogging up the system. However in a minority of situations, like this one,
it is the wrong thing to do, with life-critical consequences.  This case
seems to present another situation where the decision-making of a machine is
wrongly preferred over a human. How well was the screening function
specified, and what analyses of failure modes were undertaken?

"Hannah Foster, the A-level student kidnapped and strangled in 2003, called
999 in a desperate attempt to get help after she was abducted from the
street, a court heard today. The 17-year-old dialed the emergency services,
hoping that the operator would be able to hear the conversation with a man
alleged to be Maninder Pal Singh Kohli, who was accused of snatching her
after a night out with friends in Southampton, Winchester Crown Court was
told. But Nicholas Haggan QC, prosecuting, told the jury that the operator
could not hear what was being said and there was a system which disconnected
the call after a short time to stop accidental emergency calls clogging up
the system."

Finnish E-Voting System Loses 2% of Votes

<Pertti Huuskonen <>>
Wed, 29 Oct 2008 10:14:47 +0200

Finland has for decades used a reasonably efficient and transparent
paper-based election process. Now we are experiencing almost a total
ignorance of the e-voting issues already discussed in RISKS for years.

There have been many warnings from the nerds and IT crowd towards the
government, but they have still decided to push for e-voting machines.
Classic mistakes include dismissing paper records to verify individual votes
and sourcing the infra from closed-source contractors. There was even a
strikingly ignorant comment from the Minister of Justice, Ms. Tuija Brax,
dismissing the reported problems in electronic voting as "science fiction".
   (in Finnish)

Now this incident below (232 unexecuted votes) is little more than a minor
usability glitch, not a security issue, but gives an idea of the sloppy
attitudes.  Sounds like the voting system involved was never tested *with
actual users*, just experts.  Besides RISKS, this contractor has not been
reading their basic usability testing books, either.

EFFi (Electronic Frontier Finland) are doing their best to keep the public
aware here, though.

-- Pertti Huuskonen (

`"Finland piloted a fully electronic voting system in municipal elections
last weekend. Due to a usability glitch, 232 votes, or about 2% of all
electronic votes were lost. The results of the election may have been
affected, because the seats in municipal assemblies are often decided by
margins of a few votes. Unfortunately, nobody knows for sure, because the
Ministry of Justice didn't see any need to implement a voter-verified paper
record. The ministry was, of course, duly warned about a fully electronic
voting system, but the critique was debunked as 'science fiction.' There is
now discussion about re-arranging the affected elections. Thanks go to the
voting system providers, Scytl and TietoEnator, for the experience."

  [Also noted in part by Matti Siivola, and by Ian Oliver -- who noted
  the role of proportional (preferential) balloting.  PGN]

Article on Voting through American history (*The New Yorker*)

<Harlan Rosenthal <>>
Mon, 27 Oct 2008 12:18:16 -0500 (CDT)
includes discussion of "voter-fraud fraud" - and how parties in power try to
change the vote by changing the voter lists.

Sounds suspicious -- unless you know that despite all the hysteria, from
2002 to 2005, only twenty people in the entire United States of America were
found guilty of voting while ineligible and only five of voting more than
once.  By contrast, consider the lede on this story, published a week ago
today: ``Tens of thousands of eligible voters in at least six swing states
have been removed from the rolls or have been blocked from registering in
ways that appear to violate federal law, according to a review of state
records and Social Security data by *The New York Times*.''

Poison-pill auto-disclosure for security vulnerabilities

<Paul Robinson <>>
Mon, 27 Oct 2008 02:15:20 -0700 (PDT)

I have thought of something regarding researchers who have made security
discoveries, and I thought of a way in which they might legally develop, in
effect, a 'poison pill' to those who would want to silence them.  I'm not a
lawyer and I don't know all of the exact requirements but I thought of an
interesting way to cause "blowback" on those who try to browbeat others into

A poison pill refers to a provision in a corporation's bylaws or charter
that makes a takeover attempt by a suitor which management does not agree
with to trigger a provision which essentially would cause the company to be
too expensive for the acquirer.  Sometimes done by allowing others than the
acquirer to buy company stock at a much lower price, which requires the
acquirer to buy even more stock of the company and raises the cost
dramatically.  So my thought was, why can't security researchers do that, so
that an attempt to do a 'hostile takeover' of the information triggers the
poison pill defense, making the hostile takeover attempt of their
information backfire worse than if they had tried to be civil and not
institute legal proceedings.

Here's one way I think it can be done.  My effort here is to make all
actions legal so that nobody gets cited for contempt or commits a crime or
otherwise violates the law in doing so..

Bob discovers some security hole in something, and sends a document with
full and complete disclosure of the entire explanation including how to
exploit, to Alice, who is not part of his team but is simply a third-party.
His instructions are, as long as he keeps re-sending the full instructions
to her, every day, to do nothing, but as soon as he stops sending the full
instructions, to publish and disseminate the information as widely as
possible.  To ensure he has not been, say, grabbed by criminals, she is to
presume any order from him to change this which does not include full
disclosure to be a false order given under duress or to ignore unread any
order not accompanied by the full, complete disclosure document..

Bob then publicizes the security hole either to the vendor to give them time
to find a patch or makes a public announcement in a less than full manner.

Bob and his team are sued with a restraining order not to give out details
to anyone else..

As a result, Bob is legally prohibited from sending Alice any documents
because he can't send a full disclosure.  As Bob has set up the instructions
to Alice before he had any idea he would be sued, he isn't violating the
order with what he sent because he sent it before the case was even filed or
he was aware of it.  So the only way that Bob can comply with the order, is
to not send anything to Alice or not send the same document, which triggers
the poison pill and she then posts the information everywhere she can.

The company suing can't come after Alice later, she's not releasing a trade
secret nor was she under any obligation to do so.  If it's Bob's paper, it's
his copyright so she hasn't violated anything relating to the vendor either.
Nor did she have any knowledge of the lawsuit, presuming that the lawsuit
would have anything to do with her or that she would be a party to the
lawsuit anyway.

Thus, if the vendor or the other party is civil and polite, either
disclosure is delayed, or only a partial disclosure at the conference
occurs, but a lawsuit causes automatic and unpreventable full disclosure.

If Alice is not an employee of Bob and has no legal responsibility to him, I
don't see where she has any obligation to remain silent.  She hasn't been
served with any court order, only Bob has.  She has no knowledge of why Bob
stopped, only that he has.  And if she's in another jurisdiction, the court
might not even have authority to issue an order to her.

Or we can push this further by her doing the same thing and handing it off
to a third party herself, so that if she doesn't continue to do so, or she
AND Bob do not continue to send the complete document, that the third party
is to publish it.

Do this with two or three third parties each, and you essentially create a
web of poison 'pill boxes' so that attempts to stop information do the exact

As I see it, the company wanting the information has to (1) sue bob; (2) get
him to reveal whom he gave copies of the paper to; (3) find them and get
service on them; (4) get them to reveal whom they gave copies to; and so on,
and do this before the promise expires.  And some of these people can be
such that they are only reachable by e- mail, and despite what some people
would like to have, one can't be served a court order by e-mail; there is no
proof of delivery nor proof that the recipient saw it.

In some cases the vendor would have to go back to court, get a summons,
serve it on Alice's ISP, get her information - if the ISP or mail service
provider has any - then use that to find where Alice is and try to get good
service on her.  And do all of this before Bob's original request to her
expires and she publishes.

Could even be done using a web site in which you have to keep re-uploading
the same paper to prevent its publication.  Once you've been served with a
gag order, you can't do that any more and you have no means to stop the
publication from taking place.  In order to stop it, the company suing
would, again, have to contact their ISP or look up the Whois page of the
website owner (if it's theirs and not simply a nominee acting as party for
service of process, or even simply a page seller who sells web space to
people), contact them, and, presuming the company is in the same
jurisdiction and can reach them - they have no legal obligation to answer
the phone or read e-mail - to get them to stop the automatic publication.
It's only if they can actually get good service on someone in person that it
would really be significant to be able to force them to stop.  Or have
proven evidence that someone was notified of a legal proceeding where the
court could have or get jurisdiction over them.

And if the party who answers for the website is simply an answering service
or it's an answering machine, the party who gets the message might not get
notice until after the document is published.  As their website is
automatic, they don't need to monitor it unless it reports something wrong.
And if the website owner is in one jurisdiction but their webserver is in
another then it may mean the company suing has to try to find yet someone
else to stop that website.

Seems like an interesting scheme to thwart threats and from what I am aware
of, legally sound although again, I'm not a lawyer.

They got us coming and going: tire monitoring

<Paul Wexelblat <>>
Sat, 25 Oct 2008 17:52:12 -0400

I just bought a new car. When I went to to look at winter
tires, I was informed of the TPMS (Tire Pressure Monitoring System) that
appears mandatory as of 2007. This system typically includes an
RFID-attached sensor in each wheel that sends data to a sensor that...

The issue is that it seems, according to
each one of these has a unique ID that would allow tracking of an individual
vehicle. Unsubstantiated - by me, so far- research indicates that it is
illegal to disconnect this system (federal) and that some states actually
check operation at state inspections.

Vehicle tracking - speeding - big brother - sheer nosiness.

I'm sure that there is no need to further enumerate the risks to this audience.

P.M. Wexelblat PhD, Erst of the Dept. of Computer Science
University of Massachusetts Lowell, One University Ave, Lowell, MA 01854

  [Are you *tired* of items on monitoring and the age of surveillance?  If
  not, check out the extremely well-done five-part British series, "The Last
  Enemy" (with a massively cross-coupled database system called TIA), which
  concludes this Sunday on PBS's Masterpiece Theater.  If you missed the
  first four episodes, don't start with the fifth.  The plot is much too
  convoluted to grasp from the end, but should be quite relevant for RISKS
  readers.  The series will apparently be available online "for a limited
  time" only.  PGN]

Holistic Systems

<Pierre-Jacques Courtois <>>
Wed, 29 Oct 2008 12:07:51 +0100

Looking through old issues of SIGSOFT, I just come across your 2006 article
(sorry for my slowness...), and just wish to let you know how much I agree
with its conclusions and recommendations.  It happens that I have a book just
a main theme of which is precisely to advocate an hologrammatic approach
to computer dependability justification.  You are referenced in it, as an
author, but for another of your contributions!

However, now that this book is completed, I have the feeling that a holistic
approach for embedded computer systems may not be, as you cautiously suggest
at the very end of your article, an "easier" challenge than in other
disciplines.  One reason perhaps is that the huge number of variables to be
kept under control includes all those of the application supported by the
computer system, and not only those, but also all those of the detailed
inner levels of the software and hardware implementation.

Pierre-Jacques Courtois BEL V (Fed. Agency for Nuclear Control Subsidiary)
Rue Walcourt, 148, B-1070 Brussels, Belgium +32 2 5280 268
Louvain School of Engineering Universite' catholique de Louvain B-1348
Louvain - la -Neuve, Belgium, Phone: +32 10 47 31 50
Home page <>

  [P-JC, I think it is an enormous challenge practically speaking.  But it
  might be aided by being somewhat less obscured by politics; also in the
  research communities at least, some of the architectural and software
  engineering issues and other precursors are perhaps less contentious.

Twitter Jitters

Wed, 29 Oct 2008 09:37:38 GMT

Last week a report by the US Army's 304th Military Intelligence Battalion
roiled government social web (web 2.0) advocates. The microblogging service
Twitter, it found, can be used as a potent tool by terrorists.  There
followed some handwringing on Twitter and among journalists, and even some
thinking across the river -- here at Harvard.

Will this dustup affect the move to the social web in the defense and
intelligence communities -- wikis, blogs, Facebook, and the like?  After
all, there's been good movement in recent months, impressive gains, and some
major wins.  But there's been little enterprise wide embrace. To many, the
current position feels unstable.  [... Long item truncated.  Read the rest
of Zachary's blog item at .  PGN]

REVIEW: "Security Engineering", Ross Anderson

<"Rob, grandpa of Ryan, Trevor, Devon & Hannah" <>>
Mon, 27 Oct 2008 12:20:02 -0800

BKSECENG.RVW   20080929

"Security Engineering", Ross Anderson, 2008, 978-0-470-06852-6,
%A   Ross Anderson
%C   5353 Dundas Street West, 4th Floor, Etobicoke, ON   M9B 6H8
%D   2001
%G   978-0-470-06852-6 0-470-06852-3
%I   John Wiley & Sons, Inc.
%O   U$70.00 416-236-4433 fax: 416-236-4448
%O   Audience i+ Tech 3 Writing 2 (see revfaq.htm for explanation)
%P   1040 p.
%T   "Security Engineering: A Guide to Building Dependable Distributed
      Systems, Second Edition"

Anything written by Gene Spafford is important.  Anything written by Bruce
Schneier is readable, and, even if you disagree with it, worth thinking
about.  Anything written by Ross Anderson is important, readable, worth
considering, and correct.

The preface states that this book is intended as a text for self-study or
for a one term course, a reference for professionals, an introduction to the
underlying concepts, and an original scientific contribution in terms of the
foundational principles for security engineering.  In addition, the preface
to the second edition notes that these concepts now need to be understood by
legal investigators, managers, and, in the wake of 9/11, everyone.  A very
tall order to fulfill, but one which, for once, seems to have been
accomplished.  I have often been asked, in regard to these reviews, whether
there are, in fact, any books that I do like.  Well, I like this one.  If
you are involved with security and you haven't read "Security Engineering,"
you should.  And you have no excuse if you haven't.  This is the second
edition to be printed, and the first edition is available online, in its

(And, if the first edition is available online for free, why should you buy
the second?  Because the second edition has more, in almost every respect.)

Part one deals with the basic concepts of engineering and security.  Chapter
one presents four example situations of security needs.  Protocols are not
limited to the precise but limited structures with which computer people are
familiar.  Security is a people problem, and chapter two, entitled
"Usability and Psychology," addresses this issue up front, along with a set
of more conceptual, but more formal, authentication problems and protocols.
It is unlikely that the models presented exhaust the field, but some thought
indicates that they are pertinent to a wide variety of applications.  Much
the usual thoughts and advice on passwords is issued in chapter three,
although the research is better documented, and some additional research
(passphrase generated passwords are as secure as randomly assigned ones, and
as memorable as naively chosen ones) is presented.  (Anderson's writing is
clear enough, but he does betray a taste for symbolic logic that might limit
the audience for the book.  Still, perseverence on the part of the reader
will be amply rewarded.)  It is strange not to see any mention of the work
factor of passwords overall.  Chapter four reviews access control, but
primarily from the perspective of system and hardware internals.
Cryptography, in chapter five, is covered reliably and well, although the
structure and flow of the material is not always in developmental order.
The problems of distributed systems are examined; in terms of concurrency,
failure resistance, and naming; in chapter six.  Economics can be used to
examine a great many aspects of security (and insecurity).  Chapter seven
looks at a number, but I was disappointed to note that risk analysis was not
one of them.

Part two uses a number of applications of secure systems to introduce
particular concepts or technologies.  Chapter eight discusses
multilevel security, which encompasses most of the formal security
models such as Bell-LaPadula.  Medical (and census) databases are
used, in chapter nine, as examples of multilateral, or compartmented,
security: the need to deal with information of equal sensitivity, but
restricted to different groups.  Controls particularly related to the
banking system and fraud are presented in chapter ten, although the
material is long on anecdotes, and contains weaker analysis than the
preceding text.  A somewhat limited, but still interesting, review of
physical security has been added in chapter eleven.  Chapter twelve
reviews monitoring systems, of both monitoring and metering types.  In
regard to nuclear command and control systems, chapter thirteen
examines the tension between availability (the ability to fire a
missile) and confidentiality (or authentication: making sure nobody
else does).  Various aspects of the technology for security printing
and seals is dealt with in chapter fourteen.  Biometrics, in chapter
fifteen, gets a good, but fairly standard, treatment.  Chapter sixteen
delves into tamper-resistance in cryptographic gear and smartcards
(expanding on the content of fourteen).  The TEMPEST and Teapot (no,
I'm not kidding) projects on emission security are reviewed in chapter
seventeen.  Chapter eighteen examines the security problems inherent
in the use of application programming interfaces (APIs).  There is
good coverage of the basics of traditional electronic warfare in
chapter nineteen, although the material on information warfare is not
as thorough.  Chapter twenty looks at telecommunications system
security, with some material on phone phreaking and lots on cellular
encryption.  Network attack and defense, in chapter twenty-one, is
less focused than other chapters, and adds malware.  Copyright and
DRM (Digital Rights Management) systems are examined in chapter
twenty-two, with solid coverage of recent controversies.  Gaming,
social networks, elections, and other complex applications are
discussed in chapter twenty-three.

Part three turns to politics, management, and assurance.  Chapter
twenty-four, under the title of "Terror, Justice, and Freedom," has a
fascinating discussion of major issues in public policy.  Management
issues, in chapter twenty-five, are presented in an interesting but
generic manner.  The discussion of system evaluation and assurance
asks the usual question in regard to how we know our systems are
secure.  In a sense, though, the subtitle of the book is wrong: much
of the material points out how *not* to build dependable systems, and
chapter twenty-six is a bit disheartening.  The conclusion, in chapter
twenty-seven, is that we need more engineers and engineering.

Although the material is presented in a very formal way, the writing
is usually quite readable, and the exceptional stilted passages are
still accessible to the determined reader.  On occasion, one could
hope for additional explanations of some items that are mentioned
briefly and passed over.  The constant emphasis on how security
protections have failed can be depressing, but the examination of the
errors of others does provide the basis for better designs in the

copyright Robert M. Slade, 2002, 2008   BKSECENG.RVW   20080929

Please report problems with the web pages to the maintainer