The RISKS Digest
Volume 25 Issue 54

Wednesday, 4th February 2009

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Please try the URL privacy information feature enabled by clicking the flashlight icon above. This will reveal two icons after each link the body of the digest. The shield takes you to a breakdown of Terms of Service for the site - however only a small number of sites are covered at the moment. The flashlight take you to an analysis of the various trackers etc. that the linked site delivers. Please let the website maintainer know if you find this useful or not. As a RISKS reader, you will probably not be surprised by what is revealed…


Automated BART trains crash during manual operation of one of them
Rob McCool
Earthquake Alert System Failed To Work Properly
Max Power
'Foul play' suspected in Tucson Super Bowl porn feed
Brian J. Pedersen via Monty Solomon
Perils of html e-mail
Charles Wood
Votes lost in Finnish e-voting
Antti Vaha-Sipila
Fannie Mae Logic Bomb
Jim Schindler
"This site may harm your computer" on every search result
Maxim Weinstein via Monty Solomon
Google Account Takeover, Mark Ghosh
Local Police Want Right to Jam Wireless Signals
Spencer S. Hsu via Monty Solomon
911 service not prepared for new generation of pranksters
David Chartier via Monty Solomon
Re: Digital road sign in Austin, TX was altered ...
Mark Feit
Re: MP3 player contained US military secrets
Geoff Kuenning
Re: American Express Kept a *Very* Watchful Eye on Charges
David Alexander
Re: Statue of Frauds
Mark Jackson
Re: Tony Hoare: "Null References"
Dimitri Maziuk
Tony Finch
Jay Carlson
Info on RISKS (comp.risks)

Automated BART trains crash during manual operation of one of them

Rob McCool <>
Wed, 4 Feb 2009 08:53:19 -0800 (PST)

Two BART subway trains crashed yesterday on a Y junction in Oakland. The
automation in the BART system made this crash a surprise for some, and the
newspaper article specifically says that one of the trains was under manual
operation at the time of the collision. Many will likely conclude that the
cause of the crash was operator error, which is certainly a possibility.

But a common risk of automated systems is the problem of what happens when
they fail, and infrequently used manual protocols must come into
effect. Complacency is always a risk with automation. It will be interesting
if the details of this crash are found and are released.

Earthquake Alert System Failed To Work Properly

Max Power <>
Sun, 1 Feb 2009 17:13:53 -0800

  [See note at end on request from Max for help requested on a paper on
  Hyperinflation impact on electronic commerce.  PGN]

The risk is that older computer and networking systems can be overloaded
when not updated regularly. Yes, there are risks in upgrading too — so
the success or failure here is in the backup systems.

Max Power, CEO
Power Broadcasting
Wellington / Adelaide / Vancouver / Seattle

When an earthquake larger than magnitude 3.0 strikes the Northwest, an
automated system is supposed to page University of Washington seismologists
and notify emergency managers.

But that's not what happened with Friday morning's magnitude 4.5 jolt.  The
*Seattle Times* reported that because computers were apparently overloaded
with data from an expanded network of seismic instruments, the scientists
were awakened instead by predawn calls from journalists.  "The system has
worked flawlessly for 10 years," said Steve Malone, emeritus professor and
former director of the Pacific Northwest Seismic Network. "This time,
nothing went off."

The quake didn't cause any damage, though it woke people across the region
and the shaking was felt from the Olympic Peninsula to Seattle.  The glitch
in the UW's routine also had no serious fallout, thanks to functioning
systems in other states.

An automatic warning from the U.S. Geological Survey in California arrived
at Washington's Emergency Management Division headquarters within seconds of
the 5:25 a.m. quake. Notification from Alaska's Tsunami Warning Center
followed minutes later.

"That's the value of redundancy," said EMD spokesman Mark Clemens.

It took Malone and other UW scientists about 15 minutes to check seismic
data and compute the earthquake's size and epicenter — about 14 miles
northwest of Seattle near Kingston, Kitsap County.

==> ALSO: Research assistance needed on
   Hyperinflation impact on electronic commerce

  I would like to do a fully detailed research paper [on Hyperinflation vs
  Electronic Commerce] that can be distributed on the web via my website -
  so if you have any practical suggestions on how to expand this paper do so.

THERE IS NO WIKIPEDIA PAGE ON THIS TOPIC, as there is little if any
official research.

Hopefully, I will be able in future to submit the core conclusions to RISKS
-- to the amusement or horror of this strategically important part of the IT

  [DRAFT deleted by PGN]

'Foul play' suspected in Tucson Super Bowl porn feed

Monty Solomon <>
Mon, 2 Feb 2009 20:27:14 -0500

Brian J. Pedersen, *Arizona Daily Star*, 2 Feb 2009

The pornographic content that interrupted thousands of local Comcast
subscribers' Super Bowl broadcast was the result of an "isolated malicious
act," a company spokeswoman said Monday.

But company officials have yet to determine how that act was committed,
spokeswoman Kelle Maslyn said, though any sort of equipment malfunction has
been ruled out.

"We did an extensive preliminary check on our technical systems, and
everything appeared to be working properly when the incident occurred,"
Maslyn said.

Meanwhile, the U.S. Attorney's office in Phoenix said it is looking into the
interruption, which lasted about 30 seconds, and featured full male nudity.

"We take this matter seriously," spokesman Wyn Hornbuckle said.  "We're
working with appropriate agencies to review the incident."

One of those agencies, the Federal Communications Commission, was not aware
of any formal complaints made regarding the porn clip, FCC media relations
director David Fiske said Monday afternoon.

It is still unclear how many viewers saw the clip, from a porn movie being
shown on Shorteez, an adult cable channel offered by Comcast on a
pay-per-view basis.

Only Comcast subscribers who received a standard definition signal could see
the clip, while those who watched the game on high-definition televisions
were not affected, Maslyn said.

Comcast is Southern Arizona's second-largest cable subscriber, with more
than 80,000 customers in unincorporated Pima County, Marana and Oro
Valley. ...

Perils of html e-mail

Charles Wood <>
Sun, 1 Feb 2009 12:41:44 +0900

  We just cut and paste from the e-mail to the program we use for printing
  the edible images, we are usually in such a hurry that we really don't
  have time to check. and if we do the customers yell at us for bothering them.




ASCII art anyone?

Votes lost in Finnish e-voting (Antti Vaha-Sipila)

"Peter G. Neumann" <>
Mon, 2 Feb 2009 15:50:01 PST

Kirjoittaja: Antti Vaha-Sipila, Lokakuu 28, 2008 - 19:12.
Electronic Frontier Finland ry

[29th Oct 2008 Updated the e-voting interface link to point to the
English version]
[29th Oct 2008 Edited to add a report of touchscreen issues]

A fully electronic voting system was piloted in the Finnish municipal
elections on the 26th of October, 2008.

Electronic Frontier Finland (EFFI) had criticised the pilot program for
years, recently releasing a report on its deficiencies

Today, the Ministry of Justice revealed
<> that due to a
usability issue, voting was prematurely aborted for 232 voters. The pilot
system was in use in three municipalities; this amounts to about 2 per cent
of the electoral roll. Seats in the municipal assemblies are often
determined by margins of only a couple of votes.

It seems that the system required the voter to insert a smart card to
identify the voter, type in their selected candidate number, then press
"ok", check the candidate details on the screen, and then press "ok"
again. Some voters did not press "ok" for the second time, but instead
removed their smart card from the voting terminal prematurely, causing their
ballots not to be cast.

This usability issue was exacerbated by Ministry of Justice instructions,
which specifically said
<> that in
order to cancel the voting process, the user should click on "cancel" and
after that, remove the smart card. Thus, some voters did not realise that
their vote had not been registered.

[Added 29th Oct:] There has now been at least one report
of touchscreen issues. A voter had repeatedly tried to click on "ok", but
either due to system lag or touchscreen sensitivity problems, it took
"minutes" to get the button press registered. If hit by this type of
problem, the voters may well have thought that the ballot casting process
had completed.

EFFI argues that the election should be re-run in the affected
municipalities, and has issued a press release
(in Finnish) arguing for the legal basis of a re-election. According to
Finnish election law, this would require a decision from the
Administrative Court.

A Flash demo of the e-voting user interface is available
<> on the
Ministry of Justice elections portal.

Fannie Mae Logic Bomb

Jim Schindler <>
Sat, 31 Jan 2009 23:13:36 -0800

(Just imagine the 'excitement'!)

Fannie Mae Logic Bomb Would Have Caused Weeklong Shutdown
Kevin Poulsen <>
29 Jan 2009

A logic bomb allegedly planted by a former engineer at mortgage finance
company Fannie Mae last fall would have decimated all 4,000 servers at the
company, causing millions of dollars in damage and shutting down Fannie Mae
for a least a week, prosecutors say.

Unix engineer Rajendrasinh Babubha Makwana, 35, was
Tuesday in federal court in Maryland on a single count of computer sabotage
for allegedly writing and planting the malicious code on Oct. 24, the day he
was fired from his job. The malware had been set to detonate at 9:00 a.m. on
Jan. 31, but was instead discovered by another engineer five days after it
was planted, according to court records.

Makwana, an Indian national, was a consultant who worked full time on-site
at Fannie Mae's massive data center in Urbana, Maryland, for three years.

On the afternoon of Oct. 24, he was told he was being fired because of a
scripting error he'd made earlier in the month, but he was allowed to work
through the end of the day, according to an FBI
in the case.  "Despite Makwana's termination, Makwana's computer access was
not immediately terminated," wrote FBI agent Jessica Nye.

Five days later, another Unix engineer at the data center discovered the
malicious code hidden inside a legitimate script that ran automatically
every morning at 9:00 a.m. Had it not been found, the FBI says the code
would have executed a series of other scripts designed to block the
company's monitoring system, disable access to the server on which it was
running, then systematically wipe out all 4,000 Fannie Mae servers,
overwriting all their data with zeroes.

"This would also destroy the backup software of the servers making the
restoration of data more difficult because new operating systems would have
to be installed on all servers before any restoration could begin," wrote

As a final measure, the logic bomb would have powered off the servers.

The trigger code was hidden at the end of the legitimate program, separated
by a page of blank lines. Logs showed that Makwana had logged onto the
server on which the logic bomb was created in his final hours on the job.

Makwana is free on a $100,000 signature bond. His lawyer didn't
immediately return a phone call Thursday.

(Updated January 30, 2009 | 3:00:00 PM to correct Makwana's employment

"This site may harm your computer" on every search result

Monty Solomon <>
Sat, 31 Jan 2009 19:42:13 -0500

If you did a Google search between 6:30 a.m. PST and 7:25 a.m. PST this
morning, you likely saw that the message "This site may harm your computer"
accompanied each and every search result. This was clearly an error, and we
are very sorry for the inconvenience caused to our users.

What happened? Very simply, human error. Google flags search results with
the message "This site may harm your computer" if the site is known to
install malicious software in the background or otherwise
surreptitiously. We do this to protect our users against visiting sites that
could harm their computers.  ...

Google glitch causes confusion

Maxim Weinstein, 31 Jan 2009

This morning, an apparent glitch at Google caused nearly every [update 11:44
am] search listing to carry the "Warning! This site may harm your computer"
message. Users who attempted to click through the results saw the
"interstitial" warning page that mentions the possibility of badware and
refers people to for more information. This led to a denial
of service of our website, as millions of Google users attempted to visit
our site for more information. We are working now to bring the site back
up. We are also awaiting word from Google about what happened to cause the
false warnings. ...

Google Account Takeover, Mark Ghosh

Mon, 02 Feb 2009 06:50:44 +0800

What if you woke up tomorrow and your Gmail, Orkut, Docs, Reader, Google
Checkout account was gone?

  [Check out this one.  Mark Ghosh, Et Tu Google?  Then Fail, Net Safety.
  Mark is the "owner" of the Orkut community.
  Apologies to those of you who complain when I occasionally run items that
  are URLs only.  In this one, Mark speaks for himself.  PGN]

Local Police Want Right to Jam Wireless Signals

Monty Solomon <>
Sun, 1 Feb 2009 14:14:37 -0500

Spencer S. Hsu, *The Washington Post* 1 Feb 2009

As President Obama's motorcade rolled down Pennsylvania Avenue on
Inauguration Day, federal authorities deployed a closely held law
enforcement tool: equipment that can jam cellphones and other wireless
devices to foil remote-controlled bombs, sources said.

It is an increasingly common technology, with federal agencies expanding its
use as state and local agencies are pushing for permission to do the
same. Police and others say it could stop terrorists from coordinating
during an attack, prevent suspects from erasing evidence on wireless
devices, simplify arrests and keep inmates from using contraband phones.

But jamming remains strictly illegal for state and local agencies.  Federal
officials barely acknowledge that they use it inside the United States, and
the few federal agencies that can jam signals usually must seek a legal
waiver first.

The quest to expand the technology has invigorated a debate about how widely
jamming should be allowed and whether its value as a common crime-fighting
strategy outweighs its downsides, including restricting the constant access
to the airwaves that Americans have come to expect. ...

911 service not prepared for new generation of pranksters

Monty Solomon <>
Wed, 4 Feb 2009 00:36:38 -0500
  (David Chartier)

Prank callers are using VoIP and caller ID spoofing services to pull
expensive wool over the eyes of 911 call centers. Solutions are available to
bring these centers into the 21st century, but even the cheapest ones are
priced outside the realm of the aging service.

David Chartier, arstechnica, 2 Feb 2009

The Internet and the hooligans who exploit it have evolved over the past few
years, but sadly, America's 911 service hasn't kept up.  Pranksters are
wreaking havoc on the service and on call center budgets by placing fake
calls through a flaw in the way the aging emergency phone system handles
VoIP networks.

After paying a small fee to one of the readily available caller ID spoofing
services available on the Web, a prank caller with a grudge or a serious
psychological problem can call 911 and tell the operator just about any
story he or she wants. Since the 911 system wasn't built with VoIP in mind,
these calls appear to originate from anywhere, and said hooligans take full
advantage of the opportunity.  The practice has been dubbed "swatting,"
typically because the spoofed emergency stories that these troubled
individuals make up are horrible enough to send police and even SWAT teams
to unsuspecting victims on the other side of town or the continent.

The AP reports one recent incident that occurred in 2007, when 18-year-old
Randal Ellis in Mukilteo, WA falsified his location and called a 911 support
center in Orange County, CA. For 27 minutes, Ellis spun a story about drugs
and murder that sent the Orange County Sherriff's department SWAT team to
the house of Doug and Stacey Bates. Ellis told the operator that he was high
and had just shot his sister, and after police stormed the house, Doug and
Stacey were handcuffed.

This was just one of the 185 calls Ellis made to 911 call centers around the
US, according to Yahoo Tech, and the Bates family was picked at
random. After being caught, the teen pleaded to five felony felony counts
that include computer access and fraud, as well as false imprisonment by
violence, and was sentenced to serve three years in prison. Another major
case involved eight people who arranged over 300 swatting calls, while
another in 2006 involved a teen in Dallas, TX who made up a story about
killing family members and threatening hostages with an AK-47. ...

Re: Digital road sign in Austin, TX was altered ...

Mark Feit <>
Sun, 1 Feb 2009 06:16:06 -0500

In RISKS-25.53, David Hollman <> writes:

 > [Signs] manufactured by IMAGO's ADDCO division can be easily
 > altered because their instrument panels are frequently left
 > unlocked and their default passwords are not changed.

Even more worthy of mention here is the fact that ADDCO's signs allow
themselves to be reset to their from-the-factory state, complete with
default password, using what is now a well-known password:

 | Should it will ask you for a password.
 | Try "DOTS", the default | password.
 | In all likelihood, the crew will not have changed it. However if they
 | did, never fear. Hold "Control" and "Shift" and while holding, enter
 | "DIPY". This will reset the sign and reset the password to "DOTS" in the
 | process. You're in!

Re: MP3 player contained US military secrets

Geoff Kuenning <>
Sat, 31 Jan 2009 22:54:41 -0800

> 60 US military files labeled top secret popped up on his screen. ...
> Kerri Ritchie: The files contained the social security numbers, home
> addresses, even mobile phone numbers of American soldiers based in
> Afghanistan and Iraq.

Although I'm disturbed by the several levels of carelessness needed to allow
this to happen, I think I'm even more disturbed by the idea that the names
and personal information of soldiers is "top secret".

Confidential, definitely.  Maybe even "secret", since some of those people
are high-ranking officers and I can imagine movie-plot scenarios involving
their home addresses.  But "top secret" on the level of attack plans and
nuclear technology?  I think not.

    Geoff Kuenning

Re: American Express Kept a *Very* Watchful Eye on Charges

David Alexander <>
Sun, 01 Feb 2009 08:57:30 +0000

Ron Lieber's submission about surveillance of account activity reminded me
of an incident some years ago when I applied for a mortgage through my bank.

I completed the forms with the help of my Bank Manager for a mortgage
through their partner (UK) Building Society. The application charges would
be debited from my bank account. Two days later I received a call from the
Fraud detection department of the bank - Did I owe "XYZ loans" (name
obscured to protect those involved) £900, which they were trying to take
by direct debit ?

"No" said I.

"That will be fraud then, we'll stop the payment, cancel the card and send
you a new one" they replied.

'Thank you my bank's fraud team, job well done' I thought.

The very next morning I received a letter from the Building Society in
question with all the relevant mortgage paperwork. One of those papers
informed me that the mortgage application fee of £900 was being requested
from my bank. Yes, that's right, the mortgage fee request from the Building
Society to the Bank had been detected by the bank as fraudulent and denied.

Adrenaline kicks in, as it tends to do at moment like that, 'Gosh' (or words
to that effect) I thought, 'there goes my mortgage'. Fortunately logic
kicked in about 2 minutes later, together with my knowledge of Behavioral
Analysis and the Merchant Account payment systems for credit/debit cards (my
wife runs an e-commerce business and I set one up for her, together with the
encrypted links to the Payment Service Providers).

I could see what must have happened, the Building Society was using a
Merchant Account name for the debit card transaction that bore no
resemblance to their actual name. The fraud system had no knowledge of it
and wondered why I was getting a request from a loan company when I had a
five figure positive balance in my account. What got me is that it's a major
Bank and Building Society. I couldn't have been the first to be processed
through a new system could I ? One where the new Merchant Account details
had not been entered into the Fraud System as a 'trusted' account ? Did they
set up a different one for each kind of mortgage to make the accounting
simpler ?

By good fortune I know the CTO of the Bank in question and rang him up. I
explained what had happened and my theory. He rang back later, I was right
on the money - or not in this case. It was exactly as I had supposed. I was
one of more than 240 people to whom this had happened in the last 48 hours,
but no-one in the Bank had realised the reason why.

The good thing was that, for identifying their problem, the Bank waived my
application fee and the mortgage was approved.

The risks - that not everyone knows the CTO of their bank personally, that
mortgages get declined and there is an adverse impact on one's credit
rating, that you don't get that dream get the idea.

David Alexander, Towcester, Northamptonshire, England
Founder member, European Top Methanol Racers Association

Re: Statue of Frauds (Thomas, RISKS-25.53)

Mark Jackson <>
Tue, 03 Feb 2009 16:47:34 -0500

Martyn Thomas wrote:

>   "The common law has traditionally accepted oral contracts - special cases,
>   going back the the oddly-named Statue of Frauds, ..."
> What an excellent idea! Where is it? What does it look like?

In Paris - across from the Musée de la Contrefaçon, of course:

Mark Jackson -

Re: Tony Hoare: "Null References" (Blaak, RISKS-25.53)

Dimitri Maziuk <>
Sat, 31 Jan 2009 19:35:38 -0600

> For any language with reference semantics, trying to program without being
> able to express a "reference to nothing" would be quite difficult.

I expect about as difficult as dealing with integers without int NaN.

Let's see — just off the top of my head. If a function returning a pointer
had no way to return an unambiguous error value, we'd have to have a global
errno that nobody bothers checking and (except when it's or)
application-specific error semantics. Some functions would return a
reference to a zero value, others would return reference to zero to indicate
success. Some would return 0xdeadbeef, others: negative one, or
9999.999. Hopefully it is all correctly documented and everybody gets the
memo when things change in the next release.

Then we'll try to work around that mess by returning the actual value as a
var parameter and using return value as an error code. In which case
everyone will start ignoring the return value, just as they were ignoring
the errno before.

There'd also be a bit of a problem fetching values from sources that
understand nulls: we'd have to define a second function in our API and then
everyone will forget to call wasNull() after each and every get().

In other words, it'd be situation normal.
  [Presumed reference to SNAFU.  PGN]

Re: Tony Hoare: "Null References" (Blaak, RISKS-25.53)

Tony Finch <>
Sun, 1 Feb 2009 23:17:13 +0000

Perhaps Prof. Hoare is apologising because he knew a better way but took the
short cut instead. The better way is to make nullability distinct from
referencing, as in ML's option type or Haskell's Maybe type. A halfway house
is to distinguish nullable and non-nullable references, which is getting
closer to mainstream via things like Java @NonNull type annotations.

f.anthony.n.finch  <>

Tony Hoare: "Null References: The Billion Dollar Mistake"

Jay Carlson <>
Tue, 3 Feb 2009 01:23:31 -0500

IMO the real blindspot is in how we think of aggregate textual types.
Clearly, it is a type error, detected at compile-time to add an integer to a
Date and expect an integer.  My compiler hates me when I say things like
what.  But it is perfectly happy to take a string representing a Date and
then concatenate a string representing hours past that date.  And in fact,
it's pretty happy for me to just glue some random HTML sludge string onto a
nice valid Date.

Spackman pointed out that flat text is just *never* what we want.  But as
long as (char *) is the (void *) of throwing random crap together without
reference to eventual contract I see no motivation not  to view the world as
a vast ocean of Unicode codepoints and then go sailing those Seven Seas.

Please report problems with the web pages to the maintainer