The Risks Digest

The RISKS Digest

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Volume 25 Issue 50

Sunday 4 January 2009


Sunrise on the post-leap-second era
Tony Finch
Zounds! Zinger: Zune Zapped Zealously with Zero-tolerance
David Magda
Backward Hebrew writing on iPhone calendar
Steven M. Bellovin
We can't stop the train because our GPS is broken
Hawkins Dale
Medical devices lag in iPod age; Patients' safety is at risk
Carolyn Y. Johnson via Monty Solomon
JournalSpace wiped out; no backups
Lindsay Marshall
Some *digital* reception will go black in February!
Daniel P. B. Smith
Digital photo frames: risks of infecting PCs
Deborah Gage via PGN
Risks of Australians shouting at your hard drive?
Alec Muffett
Firewall product uses man-in-the-middle attack to defeat SSL crypto
Mike Coleman
Woman fools Japan's airport security fingerprint system
The danger of DNA: It isn't foolproof forensics
Maura Dolan and Jason Felch via Monty Solomon
Phishing Scam Spreading on Twitter
Chris Pirillo via David Farber
Domain registrar hacked; numerous repointings...
Danny Burstein
Qwest cuts off Internet subs in NM, including government VoIP
Lauren Weinstein
Computer vs. food and warmth
Yahoo tracking where you go - invasion of privacy
Intelligent Speed Adaptation
Martin Ward
Re: License plate camera readers
Danny Burstein
Info on RISKS (comp.risks)

Sunrise on the post-leap-second era

<Tony Finch <>>
Thu, 1 Jan 2009 08:10 +0001

Just before the start of this year there was a leap second, and I am
looking forward to reading the usual collection of stories about the
problems it caused.

Over the last several years there has been discussion about abolishing leap
seconds, to eliminate the glitches they cause and simplify standard time so
that it agrees with the naive model built in to much software and many API
and protocol standards.  For a recent update on the discussion, see the
following slides.

The disadvantage is that atomic time has a different length of day to the
Earth, and this difference is increasing more and more rapidly.  Some people
object strongly to the idea of decoupling civil time from the rotation of
the Earth, and the break with historical ways of measuring time that this
implies. The problem is how to reconcile the simple uniformity of atomic
time with the erratic deceleration of the Earth.  I believe that my proposal
for a rational replacement for daylight saving time also provides an answer
to the leap second question.

The essence of sunrise time is that we reset our clocks each day (by
slightly adjusting their timezone) to a fixed time when the sun rises at a
benchmark location.  For the UK, the benchmark location would be where the
Greenwich meridian crosses the Tropic of Cancer.  This simple mechanism
makes even more daylight available when people are awake than conventional
DST, and eliminates political argument.

If you are setting civil time according to when the sun rises, then it is by
definition coupled to the rotation of the Earth, and there can be no
accelerating difference between them.  This is true even if the underlying
time scale does diverge in this way because it uses fixed-length SI seconds.
This mechanism even lasts beyond the time when the current leap second rules
become unworkable because we need more than 12 each year.

Our systems would only have to know about atomic time and local time,
translating between them using the existing time zone mechanism.  There
would no longer be any need for complicated and unpredictable UTC.  Instead
we'd gain straight-forward compatibility between the most modern way of
keeping time - the atomic clock - and the most ancient - getting up when the
sun rises!

f.anthony.n.finch  <>

Zounds! Zinger: Zune Zapped Zealously with Zero-tolerance

<"Peter G. Neumann" <>>
Fri, 2 Jan 2009 14:40:27 PST

Starting at midnight on 30 December 2008, the 366th day of the year, Zunes
(Microsoft's portable media players) displayed only a frozen start-up
screen.  [Source: Jenna Wortham, A Year Ticks Over, and Zunes Get Hiccups,
*The New York Times*, 1 Jan 2009, National Edition B9; PGN-ed]

The most logical cause of this bug would seem to be a programmer forgetting
that not all years have 365 days.

[This risk was also noted by Martyn Thomas, Martin Ward, and Peter Gregory
-- who added this comment:
  Microsoft is yearning to expand its market space into embedded systems in
  automobiles, military systems, and other areas. Am I being overly fearful
  of the consequences of a Microsoft whose products are even more deeply
  embedded into the machinery of our lives?  Today is one of those days when
  I am distrustful of technology as a path for an easier life.  PG
See also the following follow-up item from David Magda.  PGN]

This is of course reminiscent of numerous previous leap-year fiascos
previously reported in RISKS.  For leap-year historians, do a search on
"leap" (year and day help narrow it a little).  Even apart from the
leap-year digital watch problems noted repeatedly over the years by Mark
Brader (see RISKS-25.07), the number of RISKS items is quite large --
particularly in volume 6 (1988), 13 (1992), 17 (1996), 20 (2000), and 25

Zounds! Zinger: Zune Zapped Zealously with Zero-tolerance

<David Magda <>>
Thu, 1 Jan 2009 15:26:18 -0500

On Dec 31, 2008, at 20:36, David Magda wrote:

> People still can't get leap years right even though they've been
> around since Pope Gregory XIII's decree in 1582:

> Q:  Why did this occur at precisely 12:01 a.m. on December 31, 2008?

> A: There is a bug in the internal clock driver causing the 30GB device
> to improperly handle the last day of a leap year.


The issue is an infinite loop:

> while (days > 365) {
>     if (IsLeapYear(year))    {
>         if (days > 366) {
>             days -= 366;
>             year += 1;
>         }
>     } else {
>         days -= 365;
>         year += 1;
>     }
> }

> Under normal circumstances, this works just fine. The function keeps
> subtracting either 365 or 366 until it gets down to less than a year's
> worth of days, which it then turns into the month and day of month. Thing
> is, in the case of the last day of a leap year, it keeps going until it
> hits 366. Thanks to the if (days > 366), it stops subtracting anything if
> the loop happens to be on a leap year.  But 366 is too large to break out
> of the main loop, meaning that the Zune keeps looping forever and doesn't
> do anything else.

Backward Hebrew writing on iPhone calendar

<"Steven M. Bellovin" <>>
Thu, 1 Jan 2009 12:21:24 -0500

I recently succumbed to the reality distortion field and bought myself an
iPhone.  To make sure I have Jewish holidays on my calendar, I used a Mac to
subscribe to a web-based calendar; this particular one will, on request,
include the name of the holiday in Hebrew as well as in English
transliteration.  The result was amusing: the Hebrew words are written
left-to-right, rather than the proper right-to-left.  It's a display problem
on the iPhone itself; my Mac's iCal program (from which the iPhone got the
data) and the open source Sunbird calendar both display the text correctly.

The iPhone's web browser is even more amusing.  It displays the text of
Hebrew language web pages correctly; however, the characters in the title
bar are reversed.  Again, Safari on MacOS gets it all right (or, rather,
gets it right-to-left).

Ah, well -- at least it's not a 30GB Zune on December 31 of a leap year....

Steve Bellovin,

We can't stop the train because our GPS is broken

<Hawkins Dale <>>
Fri, 02 Jan 2009 10:18:04 -0500

  "Passengers on a Southern [England] service from East Croydon were stunned
  when they were told that their stopping train would skip six stations and
  go direct to the end of the line in Caterham, Surrey.  When they got there
  the driver said the reason was that the train had lost its satellite link.

Apparently the GPS isn't there to determine where to line up the train with
the platform.  Instead, it senses which station the train's in, so that it
knows not to open doors that may not be lined up with the platform, since
some stations have short platforms.

Other methods, such as having the driver look out the window at the sign,
have apparently been discarded in favor of these more modern techniques.

There'll always be a Nengland, I guess.

  [I cannot res-train myself from chuckling.  PGN]

Medical devices lag in iPod age; Patients' safety is at risk

<Monty Solomon <>>
Wed, 31 Dec 2008 13:46:47 -0500

[Source: Carolyn Y. Johnson, *The Boston Globe*, 29 Dec 2008]

A 32-year-old woman was on the operating table for routine gall bladder
surgery, and doctors needed a quick X-ray. To keep her chest still while the
image was shot, her ventilator was switched off. But the anesthesiologist,
distracted by another problem, forgot to turn the breathing machine back
on. The woman died.

The case is an extreme example of the kind of error that could be prevented
if medical devices were designed to talk to each other, says Dr. Julian
Goldman, a Massachusetts General Hospital anesthesiologist who has compiled
such instances from across the United States to highlight the need for
medical device "connectivity." In this case, he says, synchronizing the
X-ray machine with the ventilator, so the image was automatically timed to a
natural pause in breathing, would have made it unnecessary to turn it off.

As technology moves forward, people expect the electronic devices of
everyday life to work together, from cellphones that can call or
text-message other phones, to computers that interconnect with a slew of
gadgets. But in the medical world, where the stakes are higher, such
flexible interconnection is rare. Each device operates in its own silo.

"It is really unacceptable, and it's one of the reasons we're unable to make
dramatic improvements in patient safety," said Goldman, a leader in calling
for a new generation of medical devices that talk to each other.

Now the push for greater connectedness in hospital electronics is gaining
momentum. The goal is devices that can not only plug into one another, but
can also "understand" each other and automatically identify potential
life-threatening problems sooner than they would have been caught by busy
nurses and doctors.

In October, a task force -- including Partners HealthCare, Mass.  General,
Johns Hopkins Medicine, Kaiser Permanente, and the Boston-based Center for
Integration of Medicine and Innovative Technology -- released sample
language that hospitals can incorporate into contracts with vendors of
medical devices, requiring that manufacturers create products capable of
communicating with other devices using agreed-upon standards. ...

JournalSpace wiped out; no backups

<Lindsay Marshall <>>
Sun, 4 Jan 2009 09:37:37 +0000

Blogging service JournalSpace has been completely wiped out after the drives
that housed their entire database were overwritten.  The problem was that
their backups weren't actually backups at all.  The servers were set up with
a mirrored RAID system so that if the primary drive should fail, the
secondary drive would be used to recover the primary.  As a result, when the
data was overwritten on one drive, the other followed suit and cleared
itself.  A data recovery team was unable to retrieve the database.

Some *digital* reception will go black in February!

<"Daniel P. B. Smith" <>>
Wed, 31 Dec 2008 23:03:41 -0500

I'm pretty sure I'm right about this, but I haven't succeeded in getting a
clear answer from anyone. It isn't discussed in any FAQ I've seen.

On 17Feb 2009, some of the people most surprised by the transition will be
those who carefully prepared in advance and are happily watching digital TV
over the air with an "HDTV antenna."  Because, on February 17th, some of the
stations they are watching in _digital_ now will effectively go black.

The reason is that the antennas that have been sold for years as "HDTV
antennas" or "digital antennas" are UHF-only antennas. This made sense,
because VHF antennas are large, bulky, expensive, and difficult to install,
and because _currently_ all digital television frequency assignments are in
the UHF band.

The problem is that on 17 Feb 2009, when the transition occurs, some
stations will be moving their signals from the UHF band to the VHF band, to
take advantage of VHF spectrum that has been freed up by the cessation of
analog broadcasting.

For example, according to, WHDH-DT in Boston, which is
currently broadcasting on UHF channel 42, will move to VHF channel 7.

However, you will not find any discussion of this on WHDH's website, which
contains the stock DTV advice and says nothing about any special
considerations in receiving WHDH-DT. Like other FAQs, it refers vaguely to
antennas and does not emphasize any need to be sure that your antenna
includes VHF capability if you want to receive all stations after February

Not very many people will be affected by this problem. Only those who
actually prepared!

Another issue is that digital television receivers and converter boxes
generally set themselves up automatically when first powered on, scanning
through the channels and identifying and marking those where digital signals
were found. It is a one-time process and people can forget that it ever took
place. I wonder how many DTV receivers will handle the channel reassignments
automatically and gracefully? I suspect many people, even if their antennas
receive VHF, will simply lose the reassigned channels, perhaps for
weeks... until they figure out that they need to initiate a manual rescan
and can remember how to do it.

Digital photo frames: risks of infecting PCs

<"Peter G. Neumann" <>>
Fri, 2 Jan 2009 15:02:47 PST

More than 7 million digital frames were sold in 2008, with expectations that
perhaps 10 million more might be sold in 2009.  However, the 2008 holiday
sales included a Samsung 8-inch frame sold by, a 9-inch Element
frame sold by Circuit City and a 1.5-inch Mercury frame sold by Wal-Mart --
all of which were infected with malware.  [Source: Deborah Gage, *San
Francisco Chronicle*, 2 Jan 2009, C1-C2, in a long article, PGN-ed here]

Those of you with good memories may recall this as another example of an old
problem that keeps recurring: similar infections were experienced during the
2007 holiday sales in frames sold by Sam's Club, Best Buy, Target, and
Costco, as reported by Deborah Gage, 15 Feb 2008 and noted in RISKS-25.13.
[Thanks to Deborah and the *Chronicle* for the intellectual history as well
as the new report.]

Risks of Australians shouting at your hard drive?

<Alec Muffett <Alec.Muffett@Sun.COM>>
Fri, 02 Jan 2009 01:52:51 +0000

ObDisclaimer: I work for Sun, but this is really *neat*: it's a
demonstration of what happens when you shout at hard disks / other loud
noises, visualised as performance impact -- watch the latency spikes:

It makes you think.... maybe "audio tempest" next? A sort of inverse
of ? :-)

Firewall product uses man-in-the-middle attack to defeat SSL crypto

<"Mike Coleman" <>>
Fri, 2 Jan 2009 21:32:41 -0600

Here's a new wrinkle on man-in-the-middle attacks I'd not seen before.  Palo
Alto Networks' PA-4000 transparent firewall claims to decrypt SSL traffic
passing through it, so that organizations call apply tracking and blocking
to HTTPS traffic.  As explained in the review (link), users' browsers are
configured to trust a new root CA that the PA-4000 itself has the private
key for.  It then interposes itself into HTTPS requests (and other SSL
requests?) by automatically generating a masquerading certificate for the
site the user is trying to connect to, decrypting the traffic so that it can
be scanned in plaintext on the PA-4000, and finally re-encrypting the
traffic with a second HTTPS connection to the true site.

I invite my fellow RISKS readers to contemplate the technical, legal,
business, and ethical implications of this approach.

Woman fools Japan's airport security fingerprint system

<"Peter G. Neumann" <>>
Fri, 2 Jan 2009 20:27:02 PST

[Source: 2 Jan 2009, PGN-ed; thanks to Keith Schwalm]

A South Korean woman barred from entering Japan last year has reportedly
passed through its immigration screening system by using tape on her fingers
to fool a fingerprint reading machine.  She told investigators that she
placed special tapes on her fingers to pass through a fingerprint reader.
(She had been deported in July 2007 for illegally staying in Japan after she
worked as a bar hostess in Nagano.  She was not allowed to re-enter Japan
for five years after deportation but the Tokyo immigration bureau found her
in August 2008 again in Nagano.)

The biometric system was installed in 30 airports in 2007 to improve
security and prevent terrorists from entering into Japan.  Japan spent more
than Y4 billion ($A64 million) to install the system, which reads the index
fingerprints of visitors and instantly cross-checks them with a database of
international fugitives and foreigners with deportation records.

The danger of DNA: It isn't foolproof forensics (Dolan/Felch)

<Monty Solomon <>>
Thu, 1 Jan 2009 19:16:40 -0500

[Source: Maura Dolan and Jason Felch, *Los Angeles Times*, 1 Jan 2009]

In 2004, a New Jersey prosecutor announced that DNA had solved the mystery
of who killed Jane Durrua, an eighth-grader who was raped, beaten, and
strangled 36 years earlier.

"Through DNA, we put a face to the killer of Jane Durrua, and that face
belongs to Jerry Bellamy," prosecutor John Kaye said.

The killer, however, turned out to be someone else.

Two years after Bellamy's arrest, investigators discovered that evidence
from the murder scene had been contaminated by DNA from Bellamy, whose
genetic sample was being tested at the same lab in an unrelated case. He was
freed. Another man ultimately was arrested.

DNA has proved itself by far the most effective and reliable forensic
science. Over the past two decades, it has solved crimes once thought
unsolvable, brought elusive murderers and rapists to justice years after
their misdeeds, and exonerated innocent people. In courtrooms and in the
popular imagination, it often is seen as unassailable.

But as the United States rushes to take advantage of DNA's powers, it is
becoming clear that genetic sleuthing has significant limitations:

Although best known for clearing the wrongfully convicted, DNA evidence has
linked innocent people to crimes. In the lab, it can be contaminated or
mislabeled; samples can be switched. In the courtroom, its significance has
been overstated by lawyers or misunderstood by jurors.

The rush to collect DNA and build databases has in some cases overwhelmed
the ability of investigators to process the evidence and follow up on
promising leads. Some crime labs have huge backlogs of untested evidence,
including thousands of rape evidence kits. In some cases, criminals who
might have been caught have offended again. ...

Phishing Scam Spreading on Twitter

<David Farber <>>
Sun, 4 Jan 2009 09:35:25 -0500

[From Dave Farber's IP distribution]

  [Chris Pirillo suggests that you really shouldn't click on the Twitter
  phishing URL he exhibits.  You certainly don't want to sass pirillo [!],
  because he does show you what would happen.  PGN]

Domain registrar hacked; numerous repointings...

<danny burstein <>>
Sat, 3 Jan 2009 00:41:54 -0500 (EST)

  [This incident is related to the ongoing hostilities in the Mideast. I'm
  posting it here for the technical and security info value. Please keep
  this neighborhood in mind if following up.]

Niv Lillian, Israeli domain registration server hacked, *Israel News*,
2 Jan 2009, from: (an Israeli based web source)

An Islamic group based on Morocco hacked into DomainTheNet's registration
system server on Friday, effectively "highjacking" various prominent domain
names, the likes of and Bank Discount, and rerouting users to a
page featuring anti-Israel messages. ...  Appearing as a defacement attempt
at first, the attack soon turned out to be more sophisticated: The hackers
were able to obtain a password which granted them access to the server which
updates and "translates" the websites' IP addresses into a Domain Name
Service; and change the IP's numeral values, effectively rerouting users
away from the original websites. ...  The site formed by the group featured
graphic images of dead bodies and abused Iraqi prisoners. ...,7340,L-3649281,00.html

Qwest cuts off Internet subs in NM, including government VoIP

<Lauren Weinstein <>>
Sat, 3 Jan 2009 18:11:17 -0800 (PST)

Apparently as a result of a billing dispute and related lawsuit, Qwest
reportedly cut off Internet connectivity to ISP SkyWi in New Mexico,
suddenly leaving some 13000 Internet subscribers and 5400 SkyWi VoIP phone
subscribers without service.  Some reports indicate that those VoIP
subscribers suddenly without working phones included NM public safety

The NM Public Regulation Commission has now stepped in and ordered Qwest to
restore service, but the process has been taking some time.

Regardless of who is actually at fault in the billing matter, the behavior
of both companies in this situation appears to have been anything but
stellar, and again points to the need for a more proactive regulatory
approach to Internet access service provisioning.

Lauren Weinstein  +1 (818) 225-2800
Blog:  Network Neutrality Squad

Computer vs. food and warmth

Sat, 03 Jan 2009 04:11:48 +0800

In order to use the computer, I cannot use the frying pan nor electric
blanket.  Their cheap circuits cause the computer's uninterruptible power
supply to emit an awful whine:

  [A fine example of the EXCLUSIVE OR operation.  I hope you don't keep
  the awful w(h)ine in the refrigerator.  PGN]

Yahoo tracking where you go - invasion of privacy

Sat, 03 Jan 2009 05:20:22 +0800

Intelligent Speed Adaptation (Re: Douglass, RISKS-25.49)

<Martin Ward <>>
Wed, 31 Dec 2008 14:41:06 +0000

Re: Risks of excessive State data collection (Douglass, RISKS-25.49)

Answers to many of the questions posed by Toby can be found in the original
research paper:

The UK has reduced road deaths from 8,000 per year in 1964 to just over
3,000 per year in 2005:

Most of the reduction is due to "low tech" methods: repainting roads to
create space between traffic lanes, speed bumps and other traffic calming
methods in built up areas, more junctions controlled by lights, and so
on. But the paper above makes a strong case for the "high tech" option.

The savings may be overestimated: but every 1% reduction in fatal accidents
would mean 30 lives saved each year. When 35 people were killed in the
Clapham Junction rail crash, it was in the news for weeks and there was a
public Inquiry which led to major changes in the operation of the
railways. The inquiry recommended the introduction of an Automatic Train
Protection System, at a cost of over £1 billion. Nobody pointed out that in
the week of the crash, about 100 people died on the roads. And another 100
in the next week, and another 100 the week after...  In the time between the
crash and the publication of the report, nine months later, over 100 times
as many people had died on the roads, as had died in the crash.

Re: License plate camera readers (Re: Arthur T., RISKS-25.49)

<danny burstein <>>
Tue, 30 Dec 2008 17:31:42 -0500 (EST)

> Fun with speed-trap cameras for revenge

There's actually a very good reason why this won't work, at least in regards
to making people pay up for the bad tickets.

In fact, I've received one myself, which I got dismissed.

The key point is that the digital image is NOT a perfectly cropped
photograph of "just" the license plate. Rather, the picture (and often it's
a sequence of them) includes a hefty portion of the rear of the car, and
generally the sides and top as well.

In my own case the interpreter of the original photograph, whether human or
computer recognition, misread a "0" (the number zero) as an "8", and I
received a ticket in the mail.

I simply wrote back pointing out that the photo showed the license plate
attached to the rear end of a BMW, and that my car was most certainly not
from that line.

The ticket was promptly dismissed.

Annoying? Mildly. But far from critical.

Now finding the "real speeder" is left as an exercise to the student...

Please report problems with the web pages to the maintainer