The RISKS Digest
Volume 25 Issue 45

Monday, 17th November 2008

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator



Chinese hackers breach white house computer systems
Hacker Tool Targeting MS08-067 Vulnerability
Websense via Monty Solomon
Lose the BlackBerry? Yes He Can, Maybe: President-Elect Obama
Jeff Zeleny via Monty Solomon
Texas Suspends Massive Outsourcing Contract
Keith Price
Driver Blames GPS System For Car-Train Collision
Paul Saffo
Stop! Buses only! --What do you mean, you ARE a bus?
Mark Brader
Martian deep freeze: NASA's Mars Lander dies in the dark
Sharon Gaudin via PGN
The "Two Focaccia Buttons Defense"
Robert Hall
Risks of assuming constant hours in a day
Toby Gottfried
Excel auto-formatting
David Magda
Texting bug hits the Google phone
Amos Shapir
Vintage IBM tape drive in Apollo moon dust rescue
Chris Leeson
gnus-mime-print-part vs. Mom's room
False security from privacy screens
David Alan Gilbert
Re: BBC Domesday Project
Martin Ward
Theo Bucher
Re: Poison pill auto-disclosure
Terje Mathisen
Al Macintyre
Richard O'Keefe
Info on RISKS (comp.risks)

Chinese hackers breach white house computer systems

<"Peter G. Neumann" <>>
Sun, 16 Nov 2008 18:44:23 PST

Chinese hackers have penetrated the White House computer network on multiple
occasions and obtained e-mails between government officials, a senior US
official told the *Financial Times*.  On each occasion, the attackers
accessed the White House computer system for brief periods, allowing them
enough time to steal information before US computer experts patched the
system.  US government cyber intelligence experts suspect the attacks were
sponsored by the Chinese government because of their targeted nature. But
they concede that it is extremely difficult to trace the exact source of an
attack beyond a server in a particular country.  "We are getting very
targeted Chinese attacks so it stretches credulity that these are not
directed by government-related organisations," said the official.  [Source:
The *Financial Times* website has items by Demetri Sevastopolu, dated 7, 8,
and 17 Nov 2008.  The above text is an excerpt from the most recent.  PGN-ed]

Hacker Tool Targeting MS08-067 Vulnerability

<Monty Solomon <>>
Tue, 11 Nov 2008 12:37:35 -0500

Websense Security Labs has noticed a special hacker tool in China. In the
past few weeks, Microsoft has announced and released a patch for the
MS08-067 vulnerability, and a hacker tool named "wolfteeth bot catcher" has
been widely used by hackers to attack machines running Windows operating
systems without the KB958644 patch. Our write up of the original
vulnerability details can be found here.  11 Nov 2008.

Lose the BlackBerry? Yes He Can, Maybe: President-Elect Obama

<Monty Solomon <>>
Sun, 16 Nov 2008 15:53:42 -0500

President-elect Barack Obama will have to give up his habitual use of his
BlackBerry when he becomes president — largely because of the Presidential
Records Act (but presumably also because of its inadequate security).  His
use of e-mail is likely to also be constrained.  However, he apparently
intends to be the first president with a laptop on his desk.  [Source: Jeff
Zeleny, *The New York Times*, 16 Nov 2008; PGN-ed]

  [Recall previous items (RISKS-19.29,32,33) regarding the ban against
  laptops on the Senate floor: fears of surfing, lobbyists, spamming,
  real-time on-line influence, etc., eschewing possible benefits of being
  able to search through pending legislation and to better communicate!]

Texas Suspends Massive Outsourcing Contract

<Keith Price <>>
Thu, 30 Oct 2008 15:12:40 -0700

Late last week, the *Dallas Morning News* ran a story about a massive
computer crash that destroyed hundreds of Texas Attorney General Greg
Abbott's confidential documents which may prevent scores of Medicaid fraud
prosecutions.  ...

This was noted in the IEEE Spectrum Risks blog --

Driver Blames GPS System For Car-Train Collision

<Paul Saffo <>>
Tue, 11 Nov 2008 08:34:24 -0800

On the evening of 10 Nov 2008, a man's car got stuck on the Metro-North
tracks in Bedford Hills, N.Y. in Westchester County because he said his GPS
told him to make an immediate right turn.  Police blamed Jose Silva's
overdependence on GPS.  He was cited for driving on the tracks and not
obeying signs.  Metro-North spokeswoman Marjorie Anders said, "You don't
turn onto train tracks. Even if there are little voices in your head telling
you to do so. If the GPS told you to drive off a cliff, would you drive off
a cliff?"

The same thing had happened in Jan 2008.  Apparently the safety features
that were added then were not enough to deter Silva.  [Source: KPIX; PGN-ed]

Stop! Buses only! --What do you mean, you ARE a bus?

< (Mark Brader)>
Sun, 2 Nov 2008 03:43:29 -0500 (EST)

In some British cities, restricted-traffic lanes such as bus-only lanes are
protected by bollards that automatically lower themselves into the street
when a permitted vehicle is detected, and rise again behind it.

The other day in Manchester, though, a bollard rose *while* a bus was
passing over it.  The bus was brought to an abrupt stop and several
passengers were injured.

I was hoping to find a BBC story on this, as they have shorter URLs and I
know they don't expire quickly, but there doesn't seem to be one at present.
However, while looking for it, I came across this item

about bollards in the city of Truro rising suddenly under the feet of
pedestrians, which they also aren't supposed to do, earlier this year.

  [Later note added:]
Here's a followup story link, although the cause is still unknown:

Martian deep freeze: NASA's Mars Lander dies in the dark

<"Peter G. Neumann" <>>
Sun, 16 Nov 2008 12:00:37 PST

After five months digging up and analyzing soil samples on Mars, verifying
the existence of ice, and noting that snow falls from Martian skies, NASA's
Phoenix Mars Lander has gone silent — because the nights have grown longer
and there is less sun to recharge the solar batteries.  [Source: Sharon
Gaudin, Computerworld, 11 Nov 2008]

The "Two Focaccia Buttons Defense"

<Robert Hall <>>
Tue, 11 Nov 2008 17:22:18 -0500

I had lunch today at a local bakery/sandwich place, ordering a sandwich and
drink.  The bill seemed high to me, even for that place, so I looked at the
computer-generated register receipt:

6.29  [Sandwich]
1.59  [Drink]
8.77  Subtotal
0.61  Tax
9.38  Amount Due

The prices seemed consistent with the menu, and computers never make
arithmetic errors, right?

Oops, wrong.  (6.29 + 1.59 = 7.88, NOT 8.77)

When I went back to point this out, the response was "Sorry, sir, but our
system was reprogrammed recently and we have two focaccia buttons
now. That's the problem."

My first reaction was to want to understand better how it could make sense
for *any* number of "focaccia buttons" to make 6.29+1.59 = 8.77. But then I
remembered the Indiana Legislature and decided to accept my refund with
grace.  (In case you were wondering, I decided it was too risky to order pi
for dessert.)


1. Check your receipts. Don't assume the computer never makes arithmetic
   errors; don't even assume it is doing the same arithmetic problem
   displayed on the paper.
2. Verify your paper optical-scan ballot.
3. Why does anybody trust Internet gambling sites (or any software based
   gambling machines of any kind, for that matter) to play fair?

Robert J. Hall, AT&T Labs Research

Risks of assuming constant hours in a day

Sat, 1 Nov 2008 23:50:31 -0700

I am reporting [on] myself in this instance.  I recently developed a small
application for a group to sign up for some activities.

As such, it involves date calculations.

I made the (altogether reasonable, I thought) assumption that if you take a
timestamp and add 24 hours, it becomes the same time on the following day.

Well, not always.  Such as when clocks change for Daylight Savings Time.

24 hours after 00:30 on Sunday Nov 2, it is 23:30 on Sunday Nov 2. (In local
time that is.)

In this case, the problem self repaired after the clocks were changed - it
was only a bug during the 24 (23 ? 25? 2?) or so hours immediately before
the hour the clocks changed.

I guess that is one of the reasons that we do the clock changes late at
night during the weekend.  It minimizes the Risks.
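As an added illustration (not part of Toby Gottfried's post), here are the two arithmetics side by side in Python. It assumes the poster's zone is US Pacific (the message is stamped -0700), where clocks fell back at 02:00 on Sunday 2 Nov 2008 and had sprung forward at 02:00 on Sunday 9 Mar 2008; the start times are constructed to match the post.

```python
# Added example, not from the RISKS post: "timestamp + 24 hours" next to the
# calendar-day arithmetic that avoids the bug.  Zone assumption: US Pacific.
from datetime import date, datetime, timedelta, timezone
from zoneinfo import ZoneInfo

PACIFIC = ZoneInfo("America/Los_Angeles")
DAY = timedelta(hours=24)

# Constructed inputs: 00:30 local on the morning the clocks fall back and on
# the morning they spring forward.
FALL_BACK_START = datetime(2008, 11, 2, 0, 30, tzinfo=PACIFIC)
SPRING_FORWARD_START = datetime(2008, 3, 9, 0, 30, tzinfo=PACIFIC)


def next_day_by_seconds(local_dt: datetime) -> datetime:
    """The buggy version: treat the value as an instant, add 86400 s, then
    express the result in local time again.  Across a DST change the wall
    clock lands an hour early (autumn) or an hour late (spring)."""
    instant = local_dt.astimezone(timezone.utc)
    return (instant + DAY).astimezone(local_dt.tzinfo)


def next_day_by_calendar(local_dt: datetime) -> datetime:
    """The fix: step the *date* by one, keep the wall-clock time, and let the
    zone rules choose the UTC offset that applies on the new day.  (A wall
    time inside the spring gap is resolved by the zone's fold rule.)"""
    naive = local_dt.replace(tzinfo=None) + timedelta(days=1)
    return naive.replace(tzinfo=local_dt.tzinfo)


def hours_in_local_day(day: date, tz) -> float:
    """Real hours between local midnight and the next local midnight.  Both
    ends are converted to UTC before subtracting: Python subtracts two aware
    datetimes that share a tzinfo *by wall clock*, which would always say 24."""
    start = datetime(day.year, day.month, day.day, tzinfo=tz)
    end = (start.replace(tzinfo=None) + timedelta(days=1)).replace(tzinfo=tz)
    elapsed = end.astimezone(timezone.utc) - start.astimezone(timezone.utc)
    return elapsed / timedelta(hours=1)


def wall_clock(dt: datetime) -> str:
    """Render the way the poster's users would have seen it."""
    return dt.strftime("%a %d %b %H:%M %Z")


if __name__ == "__main__":
    for start in (FALL_BACK_START, SPRING_FORWARD_START):
        print("start            :", wall_clock(start))
        print("  +24h (buggy)   :", wall_clock(next_day_by_seconds(start)))
        print("  +1 day (fixed) :", wall_clock(next_day_by_calendar(start)))
        print("  hours that day :", hours_in_local_day(start.date(), PACIFIC))
```

The "buggy" path is what any code does when it keeps epoch seconds and adds 86400: 00:30 on 2 Nov comes back as 23:30 on 2 Nov, exactly as the post reports, and in March it would come back as 01:30 the next day. Stepping the calendar date and re-resolving the offset is also the only way to answer how many hours a given local day actually has (25 on 2 Nov 2008, 23 on 9 Mar 2008).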

Excel auto-formatting

<"David Magda" <>>
Mon, 17 Nov 2008 13:18:49 -0500 (EST)

Auto-formatting in Excel has reared its head again:

> Some of these details on various trading contracts were marked as hidden
> because they were not intended to form part of Barclays' proposed deal.
> However, this "hidden" distinction was ignored during the reformatting
> process so that Barclays ended up offering to take on an additional 179
> contracts as part of its bankruptcy buyout deal, Finextra reports. [...]
> It's unclear what the financial ramifications of the formatting error
> might be. Excel spreadsheets might seem a fairly unsophisticated method of
> logging multi-billion pound trading positions, but they are quick to
> produce and easy to understand--vital consideration in a financial
> market--which makes them widely used.

Texting bug hits the Google phone

<Amos Shapir <>>
Wed, 12 Nov 2008 17:53:54 +0200

A text conversation has revealed a big problem with the G1 mobile phone -
powered by Google's Android software.  The newly discovered bug causes the
phone to restart when owners type in the word "reboot" soon after starting
up the device.  Full story at:

This reminds me of a bug/feature of a popular model of phone modem, which
would hang up the line whenever it encountered the words NO CARRIER (I hope
nobody is reading this edition of Risks over a phone line...)

Amos Shapir

Vintage IBM tape drive in Apollo moon dust rescue

<Chris Leeson <>>
Tue, 11 Nov 2008 11:16:52 -0000

Yet another data recovery exercise

A day after reading Mike Tibbetts' post about the Domesday project, I came
across this article on The Register.

Data on Moon Dust from Apollo 11, 12 and 14 was stored on a number of tapes
requiring a "1960s-era IBM 729 Mark V tape drive". The tapes were archived
by NASA and Sydney University. Alas, due to an "archiving error", the NASA
copies were disposed of. The Sydney ones are, however, still available.

SpectrumData, a data recovery firm, have managed to track down a tape drive
in the Australian Computer Museum Society, and will be borrowing it to try
and read the tapes. They hope to have the hardware working by January, and
to extract the data from the tapes then.

The tapes were stored in a climate-controlled environment, so may still be
viable (although there are lots of things that can wreck tapes). On the
other hand, the restoration job is described as "It's going to have to be a
custom job to get it working again. It's certainly not simple, there's a lot
of circuitry in there, it's old, it's not as clean as it should be, and
there's a lot of work to do."

gnus-mime-print-part vs. Mom's room

Tue, 11 Nov 2008 01:50:04 +0800

'Twas the night before Christmas, when all through the house,
not a creature was stirring... except the old printer up in Mom's room:
In the "gnus" news reader, usually

  p runs the command gnus-summary-prev-unread-article
  Select unread article before current one.

Except when the cursor happens to be resting on an image, whereupon

  p runs the command gnus-mime-print-part
  Print the MIME part under point.

No problem. Trip the house circuit breaker, then go upstairs with a
flashlight. "Paper jam, blew a fuse, I'll take care of it!" better
than Mom: "So that's what you've been browsing! I'm returning the
computer to the department store. You can have a new one when you're 18."

False security from privacy screens

<"Dr. David Alan Gilbert" <>>
Sat, 1 Nov 2008 18:03:09 +0000

A major phone shop here in Manchester has just been redecorated; they've now
got a nice clean glass wall into the rest of the shopping centre.  That
would be the wall against which they have the PCs they take your information
and do credit checks on.

I explained to one of the shop workers that I thought it insecure and he
said 'It's ok, we've got privacy screens'.

A lot of places seem to treat privacy screens as silver bullets; they indeed
do stop people seeing the screens from an off angle, but where you can stand
straight in front of the machine (e.g. when someone has just put a glass
wall up, or, as is common in new open-plan banks, when you can just stand a
bit further back) they are completely useless.

I took the assistant outside the shop and showed him; and he referred me to
the shop manager, who unfortunately just said 'well what can I do - I didn't
design the shop'.  So much for security.  I suggested he put a poster up on
the glass wall.

Re: BBC Domesday Project (Re: Tibbetts, RISKS-25.44)

<Martin Ward <>>
Sun, 9 Nov 2008 13:04:43 +0000

> so far as I can tell, they seem to have lost it!

Not completely lost. The whole Domesday Project appears to be
available on the web here:

Re: BBC Domesday Project (Tibbetts, RISKS-25.44)

Sun, 9 Nov 2008 21:28:03 +0100

Writing History as a Pioneer is Taking a Risk

I sympathize with Mike Tibbetts, as I think it unfair to cite 'lack of
foresight' as a cause of the loss of the Domesday data.  Lack of knowledge
may be closer. But anyone claiming anything like that today has the benefit
of 20/20 hindsight. It's not a fair comparison.

Who was to blame?  Well, perhaps nobody, unless naivety is a sin.  The
Domesday Project was a pioneering feat.  Pioneers sometimes pay a high price
for their achievements. In this case no one really suffered, although it is
sad that the collection disintegrated.  History should be viewed in the
light of the times of its happening.

I submit that the outcome of this project and other such experiences were
inevitable, contemplating the sociotechnomics (sociology in the space
between technology and economics).

Consider the following probable or possible circumstances.

Conservation in public Archives works something like this:
1.  Most archive holdings are on paper or photographic film.
2. The preservation of paper or photographic film requires a certain amount
   of knowledge, diligence and skill, but it's not extremely difficult.
3. Such know-how evolves only slightly over time, as, for example, new types
   of paper are used and new methods of conservation are developed. The
   know-how needed for conservation of conventional materials is therefore
   relatively stable, systematic and it is relatively easily learned and
   remembered, given a good general education in natural sciences.  The
   basic information is freely available (and useful for all sorts of other
   purposes too). It remains available in a cheap and stable form: in Basic
   Object-Oriented Knowledge Systems (books), universally catalogued using a
   standard system (ISBN).
4. It is conventionally accepted that archives conserve their materials
   based mainly on controlling the environmental conditions and protecting
   from external influences.
5. The costs of preservation may rise slowly year on year.  Not so slowly if
   the price of energy burgeons, but even that rise in costs will be
   accepted as essential to doing business; it impacts the complete
   conventional holdings of the archive. Incidentally, many public archives
   have collections of ancient historical documents in urgent need of
   restoration, lest they decay completely, but no funds for such a project.
6. The interest of a Chief Archivist will be mainly on keeping the gross of
   the inventory in good condition, and *accessible*, and to provide good
   services to the customers of the day.
7. To hang on to their jobs, archivists will do what other people do. They
   put priority on keeping the overwhelming majority of their customers happy,
   especially their top paying customers.

Now consider some not improbable circumstances of a set of hi-tech
recordings on a rare or obscure hi-tech medium needing to be migrated in
1992 (take it with a pinch of salt):

1. The hi-tech holding acquired in 1986 is a single holding (or one of only
   a very few) among thousands of other holdings having significant
   historical value that you can feel (because some of them are falling
2. The archivist is not a hi-technologist. (S)he has no idea what is needed
   to conserve the holding. Asks the single IT specialist on archive staff
   (an expert in DOS/Windows 2.0).
3. Migrating data on a rare medium to a new medium, or (oh horror!) to a
   new *data format* is a P-R-O-J-E-C-T.  But it's not a project like
   restoring some ancient books. It can't be done by the usual staff, it
   needs IT specialists. The archivist has no such IT specialist on staff.
4. IT specialists are only very rarely conservationists. IT jobs are secured
   by constantly inventing new kinds of wheels, excuse me, I mean, of
   course, by innovation.  Can't hire any IT conservationists in 1992
   because top IT people are busy thinking about how to integrate Wind-OS
   3.x into a conventional IT environment - enough to do, and it's a
   sellers' market.  The archivist needs to hire a C-O-N-S-U-L-T-A-N-T.
   Consultants cost more than staff.  Gritting teeth, the archivist hires a
5. Much of the information that IT specialists will need for the project is
   in the system documentation.  That's the *system* documentation (not
   the user manuals). The system documentation is unique knowledge in the
   hands of the manufacturer.  New generations of hardware and software
   entail learning new programming languages, new programming tools, new
   concepts for structuring and manipulating data, also new workarounds for
   the bugs in the systems, and that includes the bugs (errors and
   omissions) in the documentation, which may have been hurriedly completed
   shortly before the custom product was shipped (if 'complete'
   documentation was written at all). The consultant tells the archivist
   (s)he needs additional documentation that is not available, and not
   easily obtained, and, especially in view of the circumstances - custom
   development - the documentation may also be incomplete or inaccurate.
   Success is not guaranteed (and keeping within budget, even less so).
6. Formal methods of project management for IT existed in 1992, but were
   not as well developed as they are now and were not so widely applied.
   Even so, 30 to 50% of projects fail to deliver.
7. The project is competing for funds with another project to restore
   high-profile irreplaceable tomes from 1066, to save them from complete
   annihilation.  No customer has expressed any interest in this hi-tech
   holding since it was acquired.
8. You are the archivist. What would you do?

That is maybe a generous scenario.  With a little thought, a number of other
kinds of SNAFU could probably be discerned as possible contributory causes.

I realise this was the National Data Archive, so some of the details that
I filled in are to be taken as metaphors and no more.  But it is
conceivable that the contributing parties were not at fault, i.e. that
they did not fail to learn from history, and they were certainly doing
something useful: they were writing history for others to learn from.

Re: Poison pill auto-disclosure (Robinson, RISKS-25.43)

<Terje Mathisen <>>
Fri, 31 Oct 2008 09:14:41 +0100

This is very similar to the setup used by (where I keep some
(encrypted) backups of critical information):

They have a "canary" page which they promise to update every week:

It states, among other things, that

" Warrant Canary

Existing and proposed laws, especially as relate to the US Patriot Act,
etc., provide for secret warrants, searches and seizures of data, such as
library records.

Some such laws provide for criminal penalties for revealing the warrant,
search or seizure, disallowing the disclosure of events that would
materially affect the users of a service such as and its principals and employees will in fact comply with such
warrants and their provisions for secrecy. will also make available, weekly, a "warrant canary" in the form
of a cryptographically signed message containing the following:

* a declaration that, up to that point, no warrants have been served, nor
  have any searches or seizures taken place

* a cut and paste headline from a major news source, establishing date

Special note should be taken if these messages ever cease being updated, or
are removed from this page."

If this message ever stops being updated, I must assume it was because they
either forgot to do so (hasn't happened yet), or some outside party has
indeed served them with a warrant, but without also forcing them to continue
making bogus updates to the canary message.
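An added example, not the service's own code and not part of Terje Mathisen's post: a monitor for a weekly canary of the kind quoted above. The two properties the quoted text relies on are checked separately, because they are independent: the signature establishes who wrote the message, and the dated headline establishes when. The signature here is an HMAC stand-in (a shared secret) for the real public-key signature so that the example runs offline; the canary text, the key and the dates are constructed.

```python
# Added example: checking a weekly warrant canary.  HMAC stands in for the
# real cryptographic signature; the checking logic is what the example shows.
import hashlib
import hmac
import re
from datetime import date, timedelta

DECLARATION = ("up to that point, no warrants have been served, nor have any "
               "searches or seizures taken place")
PUBLISH_INTERVAL = timedelta(days=7)   # the promised cadence
GRACE = timedelta(days=3)              # tolerate a late update before alarming

DEMO_KEY = b"constructed-demo-key"     # stand-in for the operator's signing key


def sign(message: str) -> str:
    return hmac.new(DEMO_KEY, message.encode(), hashlib.sha256).hexdigest()


def signature_valid(message: str, signature: str) -> bool:
    return hmac.compare_digest(sign(message), signature)


# Constructed canary text shaped like the quoted description: a declaration
# plus a dated headline that pins the message in time.
CANARY = (
    "Warrant Canary\n"
    "Date: 2008-10-27\n"
    "Headline: (constructed headline from a major news source, 27 Oct 2008)\n"
    "Declaration: " + DECLARATION + ".\n"
)
CANARY_SIGNATURE = sign(CANARY)


def check_canary(message, signature, today_iso: str) -> str:
    """Classify the canary as seen on a given day (YYYY-MM-DD)."""
    today = date.fromisoformat(today_iso)
    if message is None:
        return "MISSING"              # the page no longer carries a canary
    if signature is None or not signature_valid(message, signature):
        return "TAMPERED"             # text altered, or signed by someone else
    m = re.search(r"^Date: (\d{4}-\d{2}-\d{2})$", message, re.MULTILINE)
    if not m or "Headline:" not in message:
        return "MALFORMED"
    issued = date.fromisoformat(m.group(1))
    if issued > today:
        return "MALFORMED"            # future-dated: no evidence of freshness
    if DECLARATION not in message:
        return "DECLARATION_CHANGED"  # validly signed, but no longer says "no warrants"
    if today - issued > PUBLISH_INTERVAL + GRACE:
        return "STALE"                # the silence the post says to treat as a warning
    return "OK"


if __name__ == "__main__":
    for day in ("2008-10-31", "2008-11-20"):
        print(day, check_canary(CANARY, CANARY_SIGNATURE, day))
    print("removed", check_canary(None, None, "2008-10-31"))
```

Only the signature check defends against a third party editing the date; staleness is the signal the post describes, and a monitor that alerts on STALE or MISSING, rather than a human remembering to look, is what turns the canary from a promise into a detection.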

Re: Poison pill auto-disclosure (Robinson, RISKS-25.43)

<Al Macintyre <>>
Thu, 30 Oct 2008 11:58:17 -0600

I heard a similar story, which may be urban legend.

A librarian sent notification each day to the library's Board of Directors.
"We have not yet received any secret demand under the Patriot Act."  Then
when they got the first such demand, where the rules prohibit telling anyone
about it, she stopped sending the notification, so now they all knew.

Re: Poison pill auto-disclosure (Robinson, RISKS-25.43)

<"Richard O'Keefe" <>>
Tue, 4 Nov 2008 13:42:50 +1300

Paul Robinson (RISKS-25.43) proposed a "Dead man switch" technique for
forcing disclosure.  I am not a lawyer of any kind, but there seem to be
some flaws:

1. He assumes that it is legal for Bob to inform Alice about the defects.
   The contract under which he has access to the software may forbid this.
   According to Wikipedia, UCITA has so far been passed in only two
   states, but wasn't it going to prohibit public criticism of bad software?
   Even in states or countries sans UCITA, specific software licences may
   forbid this.

2. If there is a court order prohibiting Bob from publishing information
   about the defects, then his failure to effectively cancel his prior
   arrangement with Alice will almost certainly count as defiance of the
   court order.

3. If I'm wrong about 2, then the scheme might work once.  But don't expect
   it to work twice; laws can be patched.
