The RISKS Digest
Volume 25 Issue 59

Sunday, 1st March 2009

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator


Contents

Iridium and Cosmos satellites collide
Ken Knowlton
When your files are online and you aren't
Hiawatha Bray via Monty Solomon
Man charged $81 billion for a fuel fill-up
Peter Gregory
Computer "Glitch" Results in $31 billion Error
Malcolm Pack
Best Buy swindled for $31 million by chip supplier
Jim Haynes
Google Gaffe: Gmail Outage Shows Pitfalls of Online Services
Jonathan B Spira
Power outage disables power failure alarm
Jim Haynes
UK building society online account open to DOS attack
Andy Repton
Wikileaks cracks key NATO document on Afghan war
Jeff Nye
Re: Hiding in plain sight
Al Macintyre
Mark Feit
Phil Smith III
Steve Lamont
Marcos H. Woehrmann
Urban legends in RISKS
David Guaspari
Info on RISKS (comp.risks)

Iridium and Cosmos satellites collide

<KCKnowlton@aol.com>
Sun, 22 Feb 2009 20:31:24 EST

Reported in *The Week* magazine 27 Feb 2009 and its website: Two satellites
have collided in orbit, destroying both, creating two large clouds of
debris: an old Russian Cosmos satellite and an Iridium satellite (one of a
fleet of communication satellites launched by Motorola in the late 90s and
early 2000s). Nicholas Johnson of NASA said "This is the first time we've
ever had two intact spacecraft accidentally run into each other."
http://www.theweek.com/article/index/93177/Iridiums_satellite_collision


When your files are online and you aren't (Hiawatha Bray)

Monty Solomon <monty@roscom.com>
Fri, 20 Feb 2009 11:12:02 -0500

Hiawatha Bray, When your files are online and you aren't, *The Boston
Globe*, 19 Feb 2009

Funny thing about cloud computing - it's useless at 35,000 feet.

In cloud computing, you rely on applications running on the Internet instead
of on your personal machine. So rather than write a file in Microsoft
Corp.'s Word or Excel, you might use Google Docs. This online suite from
Google Inc. features word processor and spreadsheet programs and stores your
documents in the Internet cloud.

But online documents aren't much use when you're disconnected from the
Internet - like when you're flying. Airline companies are beginning to
deploy on-board Wi-Fi service, but it'll be a couple of years before it is
generally available. And even on the ground, you can't always find an
Internet connection.

With earthbound copies of critical files, you can work on them as needed and
upload any changes to the Net, first chance you get. And if you work on
multiple computers, you can share updated files with all your other
machines.

If you're a Google Docs user, get a copy of Gears. This free program,
available at gears.google.com, lets you download your Google-generated
documents onto your computer. Work with them even when you're offline, and
when you log in again, Gears uploads your modified documents to the Google
Docs Internet server, so your up-to-date document is available on any
Internet-connected machine.

Gears isn't just for Google Docs fans; it works with other cloud computing
services, including Zoho, a rival online document editing service, and
Google's Gmail messaging service. You can plow through your e-mail on the
plane, write up replies, then transmit them once you're back online.

But Gears has its limitations. For instance, you can edit your existing
Google Docs when offline, but you can't create new ones.  Besides, Gears
gives you no easy way to share multimedia files, like video, audio, and
digital photographs. ...

http://www.boston.com/business/technology/articles/2009/02/19/when_your_files_are_online_and_you_arent/


Man charged $81 billion for a fuel fill-up

Peter Gregory <petergregory@yahoo.com>
Fri, 27 Feb 2009 12:20:25 -0800 (PST)

Washington State resident Juan Zamora filled his Camaro at a local Conoco
station using his PayPal debit card just as he does every week. The pump
registered $26, but his account was debited $81,400,836,908 instead.  The
cause of the error has not yet been identified.

http://seattletimes.nwsource.com/html/localnews/2008790918_webbigbill27.html

Peter Gregory, CISA, CISSP, DRCE | Security and Risk Manager
petergregory@yahoo.com | www.peterhgregory.com |  Biometrics For Dummies


Computer "Glitch" Results in $31 billion Error

Malcolm Pack <risks.2009.02.25@potnoodle.net>
Wed, 25 Feb 2009 10:40:59 +0000

<http://news.bbc.co.uk/1/hi/business/7909627.stm>

  UBS in $31bn bond order mistake

  A Japanese unit of Swiss banking group UBS has mistakenly placed an order
  for 3 trillion yen ($31bn) of bonds.

  UBS Securities Japan said the error was caused by a glitch in its computer
  system, and that it had asked the Tokyo Stock Exchange to cancel the
  order.

  According to reports, this request has now been granted by the stock
  exchange.

[...]

  This is not the first time that a UBS unit has given the Tokyo Stock
  Exchange an incorrect order.

  In 2001, a UBS business mistakenly issued an order to sell shares in
  Japanese advertising firm Dentsu. UBS subsequently had to buy more stock
  in Dentsu in order to honour the order.

  This and a number of incidents by other firms saw the Tokyo Stock Exchange
  introduce new rules in 2007 that allow the cancellation of large-scale
  erroneous orders.

Increasingly we see new mitigations being put into place for bad outcomes
from risks that ought, by right, to be mitigated at source. A little
sense-checking on such trades - don't sell more than you own (or
significantly more, if automated short trading is to be allowed), don't
spend more than a billion Yen in a single automated transaction, that kind
of thing - should not be beyond the wit of the programmers, nor the wit of
the bank's risk managers.
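The sense-checks the post asks for, written out as an added example (not code from UBS or the Tokyo Stock Exchange); the one-billion-yen per-order cap comes from the post, while the "no automated short selling" bound, the order layout and the sample position book are assumptions constructed for illustration:

```python
"""Pre-trade sanity checks: reject an order that is too large for one
automated transaction, or that sells more than the book holds."""
from dataclasses import dataclass

MAX_NOTIONAL_JPY = 1_000_000_000   # per-order cap suggested in the post
MAX_SHORT_UNITS = 0                # 0 = automated short selling not allowed (assumed)


@dataclass
class Order:
    symbol: str
    side: str        # "BUY" or "SELL"
    quantity: int    # units
    price_jpy: int   # price per unit in yen


def check_order(order: Order, holdings: dict) -> list:
    """Return the reasons to reject the order; an empty list means accept."""
    problems = []
    if order.quantity <= 0 or order.price_jpy <= 0:
        problems.append("non-positive quantity or price")
    notional = order.quantity * order.price_jpy
    if notional > MAX_NOTIONAL_JPY:
        problems.append(f"notional {notional:,} JPY exceeds cap {MAX_NOTIONAL_JPY:,}")
    if order.side == "SELL":
        owned = holdings.get(order.symbol, 0)
        if order.quantity > owned + MAX_SHORT_UNITS:
            problems.append(f"selling {order.quantity} but holding {owned}")
    return problems


def demo():
    """Run three constructed orders against a constructed position book."""
    holdings = {"BOND-A": 500}
    orders = [
        Order("BOND-A", "BUY", 1_000, 100_000),        # 100 million JPY: accepted
        Order("BOND-A", "BUY", 30_000_000, 100_000),   # 3 trillion JPY: the size of the UBS order
        Order("BOND-A", "SELL", 600, 100_000),         # sells more than is held (the Dentsu pattern)
    ]
    return [check_order(o, holdings) for o in orders]


if __name__ == "__main__":
    for verdict in demo():
        print("ACCEPT" if not verdict else "REJECT: " + "; ".join(verdict))
```

The check is deliberately independent of the order-entry path, so a "glitch" that fabricates quantities still has to pass a second, much simpler piece of code before anything reaches the exchange.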


Best Buy swindled for $31 million by chip supplier

Jim Haynes <jhhaynes@earthlink.net>
Tue, 24 Feb 2009 11:19:10 -0600 (CST)

Deerfield couple swindled $31 million from Best Buy, federal court documents
say; $2.75 million used to buy the land and build their house were `the
proceeds of fraud'
Jeff Long, Chicago Tribune, 24 Feb 2009
http://www.chicagotribune.com/business/chi-best-buy-fraudfeb24,0,6558363.story


Google Gaffe: Gmail Outage Shows Pitfalls of Online Services

"Jonathan B Spira" <jspira@basex.com>
February 26, 2009 3:51:52 PM EST

  [From Dave Farber's IP list]

I didn't realize the number of Gmail users was so large until the outage.

"Google's Gmail system was down for 2.5 hours earlier this week, the sixth
such outage in the past eight months.  It isn't unusual that an e-mail
system crashes, but most such occurrences are limited to one organization.
When Gmail, a service Google touts to businesses as more reliable and easier
to use than Microsoft Exchange and Lotus Notes/Domino, goes down, it makes
headlines - as well it should." ...

Just imagine if all of the phone lines to your office failed - not today but
ten years ago, when the telephone was the most important means of
communication (along with fax, I should add).  That's what Gmail's users
were facing on Monday.  The silence was deafening..."

http://www.basexblog.com/2009/02/26/google-gaffe-gmail-outage-shows-pitfalls-of-online-services/

Jonathan B. Spira, CEO and Chief Analyst, Basex, Inc. | www.basex.com


Power outage disables power failure alarm

Jim Haynes <jhhaynes@earthlink.net>
Tue, 24 Feb 2009 11:05:24 -0600 (CST)

An item in Santa Cruz Sentinel for 24 Feb 2009 tells of a power outage
affecting pumps that provide water to a storage tank, causing the tank to
run dry.  "Power also was cut to the communication lines designed to alert
the district to a problem."


UK building society online account open to DOS attack

Andy Repton <risks@pteron.org>
Tue, 24 Feb 2009 15:04:16 +0000

Recently, I needed to access my online account with the Nationwide building
society. I'd recorded my secret number in an encrypted store, but had
mistyped one digit. After three attempts to log in to my account I received
the message that my account was now locked and I should re-register and wait
for up to 5 days for the new details to appear through the post.

I called the internet helpline and they confirmed that there is nothing they
can do, the system forces the lockout and indeed I had to re-register. I
pointed out the potential denial of service aspects of this approach but the
only response was "Why would anyone do that?"
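Two lockout policies side by side, as an added example that is not Nationwide's code: `HardLockout` models the behaviour the post describes (three failures lock the account until re-registration), and `BackoffLockout` is an alternative that slows guessing with an escalating, capped delay so that nobody else's wrong attempts can lock a customer out for good. Secrets, delays and timings are constructed values.

```python
"""Hard lockout versus capped exponential backoff for a login endpoint."""
import secrets


class HardLockout:
    """Lock permanently after MAX_FAILS wrong attempts; only re-registration clears it."""
    MAX_FAILS = 3

    def __init__(self, secret: str):
        self.secret, self.fails, self.locked = secret, 0, False

    def attempt(self, guess: str, now: float) -> bool:
        if self.locked:
            return False
        if secrets.compare_digest(guess, self.secret):
            self.fails = 0
            return True
        self.fails += 1
        self.locked = self.fails >= self.MAX_FAILS
        return False


class BackoffLockout:
    """Double the wait after each failure, cap it, and clear it on success."""
    BASE_DELAY, MAX_DELAY = 30.0, 3600.0   # seconds; assumed values

    def __init__(self, secret: str):
        self.secret, self.fails, self.next_allowed = secret, 0, 0.0

    def attempt(self, guess: str, now: float) -> bool:
        if now < self.next_allowed:
            return False                       # still throttled; not counted as a failure
        if secrets.compare_digest(guess, self.secret):
            self.fails, self.next_allowed = 0, 0.0
            return True
        self.fails += 1
        delay = min(self.BASE_DELAY * 2 ** (self.fails - 1), self.MAX_DELAY)
        self.next_allowed = now + delay
        return False


def scenario(policy_cls) -> bool:
    """Three wrong guesses (a typo, or anyone else's), then the real customer a day later.
    Returns whether the customer can still get in."""
    acct = policy_cls("4815")
    for i in range(3):
        acct.attempt("0000", now=i * 10_000.0)
    return acct.attempt("4815", now=86_400.0)


if __name__ == "__main__":
    print("hard lockout, customer gets in:", scenario(HardLockout))      # False
    print("backoff lockout, customer gets in:", scenario(BackoffLockout))  # True
```

The cap bounds both sides of the trade-off: a guesser gets at most one attempt per hour once the cap is reached, and the worst a genuine customer ever suffers is a one-hour wait rather than a five-day re-registration.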


Wikileaks cracks key NATO document on Afghan war

Jeff Nye <jpn213@gmail.com>
Fri, 27 Feb 2009 11:24:08 -0500

The best encryption in the world won't help you if your passphrase sucks.
Jeff

---------- Forwarded message ----------
From: Wikileaks Press Office <press-office@wikileaks.org>
Date: Fri, Feb 27, 2009 at 08:11
Subject: [WIKILEAKS] Wikileaks cracks key NATO document on Afghan war
To: wl-press@lists.riseup.net

WIKILEAKS EDITORIAL
Fri Feb 27 13:10:25 GMT 2009

"Wikileaks cracks key NATO document on Afghan war"

Wikileaks has cracked the encryption of a key NATO document relating to the
war in Afghanistan. The document, titled "NATO in Afghanistan: Master
Narrative", details the key facts and themes NATO representatives are to
give--and to avoid giving--to the world press.

Among the revelations, which we encourage the public to review in detail, is
Jordan's presence as a secret member of the US-led occupation force.

The encrypted document, from October, and believed still to be current, can
be found on the Pentagon Central Command website "oneteam.centcom.mil":

http://oneteam.centcom.mil/isc/Shared%20Documents/NATO%20Master%20Narrative.doc

The password is "progress", which perhaps reflects the Pentagon's
desire to stay on-message, even to itself.

Jordan is a US-backed Middle Eastern monarchy, and historically the CIA's
closest partner in its extraordinary renditions program. In Jordan, "the
practice of torture is routine", according to a January 2007 report by UN
special investigator for torture, Manfred Nowak.

NATO spokespersons are instructed to conceal the country's involvement in the
ISAF coalition. Publicly, Jordan withdrew in 2001. It does not appear on the
current (Feb 13, 2009) NATO list of ISAF member states:
  http://www.nato.int/isaf/docu/epub/pdf/isaf_placemat.pdf

Some other sensitive instructions on what not to say are:

* Any decision on the end date/end state will be taken by the respective
national and/or Alliance political committee. Under no circumstances should
the mission end-date be a topic for speculation in public by any NATO/ISAF
spokespeople.

* The term "compensation" is inappropriate and should not be used because it
brings with it legal implications that do not apply.

* Any talk of stationing or deploying Russian military assets in Afghanistan
is out of the question and has never been the subject of any considerations.

Only if pressed: ISAF forces are frequently fired at from inside Pakistan,
very close to the border. In some cases defensive fire is required, against
specific threats. Wherever possible, such fire is pre-coordinated with the
Pakistani military.

Altogether four classified or restricted NATO documents of interest on the
Pentagon site were discovered to share the 'progress' password.  Wikileaks
has decrypted the documents and released them in full:

* http://wikileaks.org/wiki/NATO_Media_Operations_Centre:_NATO_in_Afghanistan:_Master_Narrative%2C_6_Oct_2008
* http://wikileaks.org/wiki/ISAF_Afghanistan_Theatre_Strategic_Communications_Strategy%2C_25_Oct_2008
* http://wikileaks.org/wiki/NATO-ISAF_Afghanistan_Strategic_Communications_External_Linkages%2C_20_Oct_2008
* http://wikileaks.org/wiki/NATO-ISAF_Strategic_Communications_Ends%2C_Ways_and_Means%2C_slide%2C_20_Oct_2008


Re: Hiding in plain sight (PHSIII, RISKS-25.57)

Al Macintyre <macwheel99@wowway.com>
Sun, 22 Feb 2009 23:02:00 -0600

IBM does the same thing with all of its specialized kinds of computer lines
... business, scientific, mainframe, servers. There is a move afoot to merge
IBM "I" business line with the "p" scientific, so soon there will be a few
less types of IBM systems.

Supposedly if you know about IBM's fantastic systems, you don't need to use
a search engine to find out about them.  But the reality is that there's
lots of non-IBM companies serving the IBM market place, and it can be hard
to locate them when IBM changes its product naming so often, into generic
words and letters.

There are conspiracy theorists that speculate IBM is killing off a line of
computers deliberately.  They are high performance, unhackable, have never
been hit by malware, upwardly compatible, incompatible with Microsoft, so
they don't have to be replaced as often.  IBM would sell a lot more
computers if they broke down as often as the competition.

On the 400, now i5/OS, an asterisk is pervasive: names starting with an
asterisk are like keywords, functions, types of objects; names ending with an
asterisk are wild cards.


Re: Hiding in plain sight (PHSIII, RISKS-25.57)

Mark Feit <mfeit@notonthe.net>
Mon, 23 Feb 2009 05:45:37 -0500

 > I can't imagine what their marketroids were thinking.

Me either, but "IBM i" and "System i" (without the quotes) return the
right page as the first hit when put into Google.

I can only imagine how difficult it must be for British secret agents
to find Q when they need new gadgets.  :-)


Re: Hiding in plain sight (RISKS-25.58)

"Phil Smith III" <lists@akphs.com>
Mon, 23 Feb 2009 08:14:04 -0500

Re: Al Macintyre:

Mmm, no, they haven't done the same with the other lines. There are four IBM
hardware lines:

  System p — Power (AIX machines)
  System x — x86 (Intel)
  System z — mainframes
  i — which do indeed use Power hardware, same as System p. That's the
      convergence, and I've seen the speculation that IBM is trying to kill i5/OS.

(I write about this stuff for trade rags, and I also just checked
http://www-03.ibm.com/systems/i/, http://www-03.ibm.com/systems/p/,
http://www-03.ibm.com/systems/x/, and http://www-03.ibm.com/systems/z/.)

They are inconsistent, though: the i page just calls it "i", System p and
System x use those names, and the mainframe page says "Mainframe" and then
mentions both "System z" and "IBM z Can Do IT". But the mainframe is the
world I mostly live in, and I've been assured by Poughkeepsie that "System
z" is the real name; the latter usage is just shorthand.

Or perhaps I misunderstood what you were saying?

P.S. Mark Feit noted that "... 'IBM I' and 'System I' (without the quotes)
return the right page as the first hit when put into Google."

Interesting (and an improvement over a few months ago). I wonder if that
took search engine placement work, or if Google is just smarter? Of course,
in any OTHER case (such as searching in a document), the "i" nomenclature is
still impossible to find.


Re: Hiding in plain sight (PHSIII, RISKS-25.58)

Steve Lamont <spl@ncmir.ucsd.edu>
Wed, 25 Feb 2009 17:13:43 -0800

IBM i.  Easy to find.

Typing "IBM i" into the search field in Google gives as the first hit
 http://www.ibm.com/systems/i/


Re: Hiding in plain sight (PHSIII, RISKS-25.58)

"Marcos H. Woehrmann" <marcosw@gmail.com>
Mon, 23 Feb 2009 10:05:01 -0800

The original name of Archy was "The Human Environment", which was officially
shortened to "THE".  Needless to say, it wasn't searchable either.  Though
it appears it now would be; searching for "THE" on Google brings up
theonion.com as the top hit.  However, Yahoo! might be the winner in this
odd contest; it brings up the band "The The" as the second result, just
after "The N Network" (which is a website for teens and has nothing to do
with the pejorative term for persons of African descent).


Urban legends in RISKS

David Guaspari <davidg@atc-nycorp.com>
Mon, 23 Feb 2009 11:14:00 -0500

A recent RISKS posting referred (in a throwaway aside) to "the ex-President
who'd never seen a grocery store scanner."  As this newsgroup is populated
by rational people glad to have even trivial errors corrected, I'll note
that the story of Bush 41's supposed amazement at seeing a scanner has been
pretty thoroughly debunked.  Snopes has a detailed discussion:
http://www.snopes.com/history/american/bushscan.asp

David Guaspari, ATC-NY, 33 Thornwood Drive, Suite 500, Ithaca NY 14850
(607) 266-7114  davidg@atc-nycorp.com

  [Also noted by Brent Krupp.  PGN]
