The Risks Digest

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Volume 25 Issue 68

Saturday 23 May 2009

Contents

NY voter voted absentee, then died; ballot ruled invalid
PGN
In a Lab, an Ever-Growing Database of DNA Profiles
David Hollman
Computers and Medical Practice: Some actual data
Jerry Leichter
Risks: Hackers 'destroy' flight sim site
Gabe Goldberg
A Lesson in Internet Anatomy: The World's Densest Meet-Me Room
jidanni
Re: "Server issues" delay Nielsen ratings
Jesse W. Asher
Re: Materials Database Problem
Stuart Levy
Re: Australian emergency services
Bob Frankston
How small does the disk chunk have to be?
Fred Cohen
Authentication and Identity theft
Jay R. Ashworth
Re: Tail strikes from improper settings
Ken Knowlton
Re: FAA ATC shutdown
Stewart Fist
Is "security through obscurity" being called for in RISKS?
Fred Cohen
Re: On Government IT competence
Scott Miller
Book Review: The Science of Fear, Daniel Gardner
Bruce Schneier
Info on RISKS (comp.risks)

NY voter voted absentee, then died; ballot ruled invalid

"Peter G. Neumann" <neumann@csl.sri.com>
Fri, 22 May 2009 9:27:05 PDT

[Source: Tiebreaking Vote Cast by Dead Man; Runoff Required, AP item, PGN-ed.
Thanks to Joseph Lorenzo Hall for spotting this one.]
http://www.1010wins.com/Tiebreaking-Vote-Cast-by-Dead-Man--Runoff-Required/4443153

OGDENSBURG, N.Y. (AP) -- A school board election ended in a tie after an
absentee ballot from one candidate's dead brother-in-law was ruled invalid.
Vicky Peo and John Wilson each received 388 votes Tuesday for a seat on the
Ogdensburg City School Board.  The tying tally came after an absentee ballot
from Peo's brother-in-law, Franklin "Peanut'' Bouchey, was ruled invalid
because he died three days before the election.  Superintendent Timothy
Vernsey said the ruling was based on both education and election law.
Vernsey says a special election pitting Wilson against Peo must now be held.

  [This is one of those cases that might fall through different cracks in
  different places.  If this voter had opted for in-person early voting, his
  actual completed ballot was supposedly not attributable to him, and could
  not have been individually revoked.  We know that in-person voting and
  absentee voting generally have different RISKS.  In this case they might
  also have had different RULINGS -- especially the ambiguity of a one-vote
  margin under these circumstances might have caused a partisan judge to
  demand a revote anyway.  Besides, dead people have been voting for many
  years -- unfortunately, it seems to be an old tradition.  And in some
  voting technologies, one-vote margins are statistically a virtual tie
  anyway.  PGN]


In a Lab, an Ever-Growing Database of DNA Profiles

David Hollman <dah8@cornell.edu>
Tue, 12 May 2009 10:59:00 +0100

From http://www.nytimes.com/2009/05/12/science/12quan.html

Interesting article on how the FBI processes thousands of forensic samples
into its DNA database.  Scant detailed information, but some mention of how
the FBI plans to ramp up the quantity and quality of its processing by
increasing automation.  They claim that this will reduce the error rate, and
maybe so (or not), but will the inevitable errors that remain be harder to
detect and eliminate?  (Is there a nice catchphrase for the effect where
information in digital form has more credibility than in other forms?)

Excerpts:

In a Lab, an Ever-Growing Database of DNA Profiles
NY Times

...

The computers contain the National DNA Index System
<http://www.fbi.gov/hq/lab/codis/national.htm>, a database of 6.7 million
genetic profiles, the world's largest repository of forensic DNA
information. Under a 2005 federal law, the database will continue to include
convicted felons, but it will also add genetic profiles of people who have
been arrested but not convicted and of immigrant detainees -- for an
estimated 1.3 million more profiles by 2012. ...

But keeping pace with the expansion of DNA databases is a major challenge
for the agency, which has sought ways to speed the processing of DNA
evidence. As of 2007, the Justice Department estimated the backlog at
600,000 to 700,000 samples.  In 2002, the F.B.I. was processing about 5,000
DNA samples each year. With the help of new robotic systems, analysts with
the crime lab plan to process 90,000 samples each month by 2010.  ...

In addition to speeding up DNA typing, the robotics will help avoid
mistakes. Contamination and mislabeling have been documented in at least
five states; the fewer hands needed to process DNA, the better, said Richard
A. Guerrieri, chief of the forensic DNA lab.  Despite these improvements,
F.B.I. officials still expect to struggle to stay abreast of the millions of
new DNA samples expected to pour into the lab. Federal officials said that
when Congress mandated the database expansion, it did not provide enough
money. ...


Computers and Medical Practice: Some actual data

Jerry Leichter <leichter@lrw.com>
Mon, 18 May 2009 05:28:49 -0400

The recent arguments about just how much computerization of medical data
will help ultimately need to face up to real data.  Some such data recently
appeared.
http://www.journalacs.org/article/S1072-7515(09)00200-2/abstract
(Full article requires membership or payment - I haven't read it.)

Summarizing the abstract: The study looked at the effects of the
introduction of a Computerized Physician Order-Entry System (CPOE) on
patient safety and on efficiency.  "A total of 15 (0.22%) medication errors
were discovered in 6,815 surgical procedures performed during the 6 months
before CPOE use. After implementation, 10 medication errors were found
(5,963 surgical procedures [0.16%]) in the initial 6 months and 13 (0.21%)
in the second 6 months (6,106 surgical procedures) (p = NS). Mean total time
from placement of order to nurse receipt before implementation was 41.2
minutes per order ... compared with 27 seconds per order using CPOE (p <
0.01)."  (The dramatic time decrease was primarily due to the elimination of
a transcription step.)  There was also a reduction in "ancillary personnel
positions".

The study concludes: "Present CPOE technology can allow major efficiency
gains, but refinements will be required for improvements in patient safety."


Risks: Hackers 'destroy' flight sim site

Gabe Goldberg <gabe@gabegold.com>
Sun, 17 May 2009 13:20:49 -0400

  [More details on the destruction and hackers would be interesting, as
  would some info on how a site running since 1996 wasn't backed up anywhere
  but ... on the site itself.]

Hackers 'destroy' flight sim site

Flight simulator site Avsim has been "destroyed" by malicious hackers.

The site, which launched in 1996, covered all aspects of flight simulation,
although its main focus was on Microsoft's Flight Simulator.

The attack took down the site's two servers and the owners had not
established an external backup system.

http://news.bbc.co.uk/2/hi/technology/8049780.stm


A Lesson in Internet Anatomy: The World's Densest Meet-Me Room

<jidanni@jidanni.org>
Sun, 17 May 2009 06:17:59 +0800

In the bowels of the world's most densely populated Meet-Me room -- a room
where over 260 ISPs connect their networks to each other -- a phalanx of
cabling spills out of its containers and silently pumps the world's
information to your computer screen. One tends to think of the Internet as a
redundant system of remote carriers peppered throughout the world, but in
order for the net to function the carriers have to physically connect
somewhere. For the Pacific Rim, the main connection point is the One
Wilshire building in downtown Los Angeles.

If this facility went down, most of California and parts of the rest of the
world would not be able to connect to the Internet. Tour one of the web's
largest nerve centers, hidden in an otherwise nondescript office building.
  http://www.wired.com/techbiz/it/multimedia/2008/03/gallery_one_wilshire
  http://en.wikipedia.org/wiki/Meet-me-room


Re: "Server issues" delay Nielsen ratings (Mannes, RISKS-25.66)

"Jesse W. Asher" <jesse.w.asher@gmail.com>
Sun, 10 May 2009 17:15:18 -0400

While it will certainly be denied, the length of this outage can be directly
attributed to the outsourcing of server administration to an Indian firm
Tata Consultancy.  Nielsen laid off (or drove off) many of its most
important assets and replaced them with Indians brought into this country
from India to run these servers.  The vast majority of the talent being used
is sub par with very little experience in dealing with a complex set of
systems such as those used by Nielsen.

See
http://tvdecoder.blogs.nytimes.com/2009/05/06/tv-networks-frustrated-by-lengthy-ratings-delay/#comments
for more information.


Re: Materials Database Problem (Wirchenko, RISKS-25.66)

Stuart Levy <slevy@ncsa.uiuc.edu>
Wed, 13 May 2009 20:21:40 -0500
 [bis(2-chloroisopropyl)ether == 2,2' dichlorodisopropyl ether!]

That looked funny to me.  I would have thought that both
bis(2-chloroisopropyl)ether and 2,2'-dichlorodiisopropyl ether would refer,
not just to compounds with the same numbers of atoms, but to the same
structure -- they should be chemical synonyms:

 Cl - CH2 - CH  -  O  -  CH - CH2 - Cl
            |            |
            CH3          CH3

And sure enough they are, and the EPA knows it.  Googling for each CAS
number turned up useful pages, especially this one from US EPA:

    http://www.epa.gov/iris/subst/0407.htm

    Substance Name Bis(2-chloro-1-methylethyl) ether CASRN 108-60-1

At the bottom of the page is the update history for this chemical's record,
including these:

06/06/2000  All	   CASRN changed from 39638-32-9 to 108-60-1
12/03/2002  I.A.6. Screening-Level Literature Review Findings message
                   has been added.
03/15/2004  VIII.  Edited synonyms.
11/30/2007  All	   Chemical name changed from bis(2-chloroisopropyl)
                   ether to bis(2-chloro-1-methylethyl) ether.

So, the 39638-32-9 number is a few years out of date and worth correcting,
but it's not the kind of confusion that the matching chemical formulas
suggested.

(I may well have other complaints about the IL EPA, but not this one.)


Re: Australian emergency services (Burstein, RISKS-25.67)

"Bob Frankston" <Bob19-0501@bobf.frankston.com>
Sun, 17 May 2009 18:56:53 -0400

... can't break through their own firewall

I do need to preface this with the usual caveat about the risk of taking
news stories at face value and setting policy in response to incidents.
That said ...

Just curious -- did anyone think of just playing the audio over a standard
phone line by holding the phone near a speaker? Did any involved in the
inquest think to ask that question?

Perhaps the bigger problem here is the reliance on the artifacts of
technology without basic understanding. But then how is it any different
from falsely ascribing to broadband the properties that are really due to
Internet connectivity (my current sound bite)? In this case the audio was in
the computer silo not the telephony silo.

To be fair, the failure to be creative is a general problem -- and one can
be taught not to think creatively by punishing exceptions like this one very
close to home, in which a cafeteria worker was suspended for offering
students an alternative to vegiburgers when their promised grilled cheese
sandwiches failed to arrive.
http://www.boston.com/yourtown/news/newton/2009/05/by_calvin_hennick_globe_corres_1.html

Well, I guess if someone thinks about it it could be added to the long list
of enumerated exceptions to the long list of rules. After all the term
"ambulance chaser" is a reminder of better dead than sued.


How small does the disk chunk have to be?

Fred Cohen <fc@all.net>
Sat, 16 May 2009 16:26:44 -0700

> ...Subject: Canada's tax agency computers pile up
> ...To properly destroy a drive, they say, it should be run through
> commercial equipment that slices it into bits no bigger than the width of
> a pencil." [from *The Week* mag. 8 May 2009, page 8]

RISKS readers will recognize immediately that the size of the chunks, if you
are doing it this way, will have to be small enough to make the content on
one chunk of no utility. At the density of a HDD, a pencil width holds quite
a bit of data. I won't do a calculation for you, but clearly this is not
small enough for a disk that holds even 100 gigabyte on 10 sq.in. (10
gigabytes/sq.in.)

Fred Cohen & Associates, 572 Leona Drive Livermore, CA 94550 1-925-454-0171
http://all.net/ Join http://tech.groups.yahoo.com/group/FCA-announce/join


Authentication and Identity theft

"Jay R. Ashworth" <jra@baylink.com>
Tue, 19 May 2009 10:17:54 -0400 (EDT)

In the last several issues of RISKS, there have been a disproportionate
number of stories about how the roof was going to fall in because there was
a "large data breach including people's (US) Social Security Numbers".

It seems worth taking a look again, explicitly, at why exactly that's a
problem... as that's not the underlying cause of the trouble, and no one
seems to be working on the thing that *is* the underlying cause, despite
over a decade -- at least -- of us flogging it around the barn here in
RISKS.

The problem, of course, is one of authentication, on two levels.

The second is easier to solve, but not as applicable to identity theft; the
first bears directly on identity theft (more properly, "unauthorized credit
reputation injury"), but is much harder to solve.

  ==

The first and larger problem is one of authenticating that a random person
presenting themselves to you is actually the individual -- with a name,
address, and possibly SSN -- whom they say they are, and not someone who has
stolen that person's credentials.

The other half of that is interlocking credit grantors with credit bureaus
so that they all agree they're talking about the same person... without the
requirement that the US start issuing national ID cards, which is a major
third-rail political issue -- to the point where states were refusing to
implement the RealID program for driver license conformation promulgated by
the last administration.

The second problem is authenticating already existing customers who wish to
make changes to their accounts.  This one is far easier to do properly; it
entails two major points:

1) Using ad-hoc authenticators instead of "things only the customer should
   know".  Once your mother's maiden name or the city in which you were born
   -- or your Social Security Number (which the government says should not
   be used as an authenticator for this sort of thing in the first place)
   "leak", they're useless as authenticators, because they never change.

  In fact, Microsoft/Carnegie Mellon research to be released at the IEEE
  Symposium on Security and Privacy this week shows just how insecure
  "fixed" challenges (obvious ones like Mother's Maiden Name, chosen by the
  business, not the customer) actually are: 1 in 4 chance of guessing by
  people who know the individual, *1 in 6* by random strangers.

  http://it.slashdot.org/article.pl?sid=09/05/19/0037208

  The only thing valid as an authenticator is a challenge and response *both
  chosen by the customer* -- at the time of account creation once you've
  authenticated the customer's ID, or in some secure out of band fashion
  when a breach may have occurred.

2) Anyone who holds authenticator information in a customer database needs
   to audit access to it, and do something about the audit data they gather;
   watching for patterns at the least, and actually checking who had access
   to it if an adverse report is made -- this is partially to protect from
   bad actors at the granting company, and partly to make it possible for
   customers stupid enough to use the same authenticator at multiple
   suppliers to determine who leaked it if they are stuck with fraudulent
   transactions.

We all know that people *shouldn't* reuse authenticators, but planning
systems around the idea that they won't is ... a poor design choice?

But even this seems too much for most companies: I have seen, in my personal
interactions with card companies, utilities, and the like, occasional bursts
of "we'll let you specify an authenticator question and answer, if you don't
like any of our pre-specified choices" (and you shouldn't), but they're a)
few, b) far between, and c) tend to go away again, mostly because they were
some smart person's good idea, instead of CIO level fixed company policy,
which is apparently what's necessary.  In at least one case, I have such an
authenticator, but the agents are always bemused to see it, because that
option "hasn't been offered for some years, now".

  ==

That first problem I mentioned, though, is the sticker: how do you
authenticate that a person is validly whom they claim to be when, randomly,
they walk up to you and ask to open an account -- or worse, call, write, or
web into you and ask to start an account.

Lots of companies placed in this position use the knowledge of an SSN -- and
let's be clear here; it's not just the contents of the SSN that are the
authenticator, *it's the fact that you know it* -- as authentication that
you are who you say you are.

[ Here comes the money quote :-) ]

And the result of that is that they've overloaded the semantics of a SECRET
onto a datum that was never meant to be secret -- or, more to the point, to
*need* to be secret.  In consequence of which, lots of older systems don't
treat it that way -- they don't obscure it from view, or audit access to it.
And it travels around in cleartext since it is not *only* an authenticator,
but *also* an *identifier* -- and this is the root cause of the problem.

It *must* be plaintext to be usable as an identifier... and it *must not* be
plaintext to be useful and safe as an authenticator.

[ Does that state it clearly enough? ]

At the moment, though, companies don't necessarily have any choice, since
there's no other cookie that can be passed from a customer to a credit
grantor to a credit reporting agency, and uniformly identify the same
person.

  ==

That's my analysis of the problem, anyway, and since I don't recall seeing
anyone really break down, either in the public press or in more technical
fora like RISKS, exactly where the failure lies, I have to assume that --
even though I know there are lots of people out there smarter than me -- the
problem might well be that the people in position to fix it don't really
know why it's a problem, be they systems designers, CIO's or legislators.

Since the problem affects both credit granting vendors *and*
credit-reporting agencies on the way to affecting the customers, it's likely
they will both have to cooperate to solve it.

One possible solution, as much as I hate granting to CRAs even more power
than they already -- some say, unjustly -- possess, is to have the CRAs
authenticate creditors directly in some reasonable fashion, and then do a
one-time cookie-authentication system for customers to authenticate
themselves to new credit-grantors, similar in spirit to the one-time credit
card numbers which some banks now issue for on-line purchases.

This will not fix the second, smaller problem -- at least not directly --
but would pretty much wipe out the larger problem of identity theft: if you
can't open a new account without tight coupling to the agency which
authenticates both you and the seller to one another, then people can't run
up bills in your "name", sticking you with both the bill and the reputation
problems.

Since this would probably reduce the incidence of credit fraud in general
quite markedly, I can't imagine that the credit grantors wouldn't want to
participate in such a system.

Even if those commercial parties are on board, though, the problem of making
the system design generally palatable to the public who also have to
cooperate is a tough one, and one for which I don't have a specific answer
yet.

It will be interesting (at least to me :-) to see what opinions others in
the RISKS community have to my delineation of the questions, at least.

Jay R. Ashworth, Ashworth & Associates, St Petersburg FL +1 727 647 1274
http://baylink.pitas.com http://photo.imageinc.us jra@baylink.com
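The two halves of the post above, as an added example in code that is not from Jay Ashworth and not any real bureau's or creditor's system: a customer store in which the SSN is only an identifier (kept in clear so records can be matched), the authenticator is a customer-chosen challenge and response stored as a salted slow hash, every touch of that authenticator goes into an audit trail, and a sketch of the proposed bureau-issued single-use token bound to one named creditor for opening a new account. The SSN, the names and the "actor" labels are constructed for the example; the token format, the 600-second lifetime and the HMAC tag are assumptions of this sketch, not anything the post specifies.

```python
import hashlib
import hmac
import os
import secrets
from dataclasses import dataclass


@dataclass
class Customer:
    ssn: str            # IDENTIFIER: in clear so records can be matched
    challenge: str      # customer-chosen question, not one from a fixed menu
    answer_salt: bytes
    answer_hash: bytes  # AUTHENTICATOR: only a salted slow hash is stored


def _hash_answer(answer, salt):
    """Normalise case and whitespace, then a deliberately slow KDF."""
    normalised = " ".join(answer.lower().split())
    return hashlib.pbkdf2_hmac("sha256", normalised.encode(), salt, 100_000)


class CustomerStore:
    """Customer records plus an append-only audit trail of authenticator use."""

    def __init__(self):
        self._by_ssn = {}
        self.audit = []

    def enrol(self, ssn, challenge, answer, actor):
        salt = os.urandom(16)
        self._by_ssn[ssn] = Customer(ssn, challenge, salt, _hash_answer(answer, salt))
        self.audit.append({"actor": actor, "ssn": ssn, "op": "enrol", "ok": True})

    def verify(self, ssn, answer, actor):
        """Existing-customer check for an account change: the SSN only selects
        the record, the customer's own answer authenticates, every attempt is logged."""
        c = self._by_ssn.get(ssn)
        ok = c is not None and hmac.compare_digest(
            c.answer_hash, _hash_answer(answer, c.answer_salt))
        self.audit.append({"actor": actor, "ssn": ssn, "op": "verify", "ok": ok})
        return ok

    def who_accessed(self, ssn):
        # The question to ask after an adverse report: who touched this record?
        return [e["actor"] for e in self.audit if e["ssn"] == ssn]


class CreditBureau:
    """Bureau authenticates the customer once, then issues a single-use token
    bound to one named creditor (hypothetical scheme, assumed token format)."""

    def __init__(self, store):
        self._store = store
        self._key = secrets.token_bytes(32)
        self._live = {}   # nonce -> (ssn, creditor, expiry): server-side state

    def _tag(self, ssn, creditor, nonce, exp):
        msg = f"{ssn}|{creditor}|{nonce}|{exp}".encode()
        return hmac.new(self._key, msg, "sha256").hexdigest()

    def issue(self, ssn, answer, creditor, now, ttl=600):
        """Customer authenticates to the bureau; the token never carries the SSN."""
        if not self._store.verify(ssn, answer, actor=f"bureau:issue:{creditor}"):
            return None
        nonce, exp = secrets.token_hex(8), now + ttl
        self._live[nonce] = (ssn, creditor, exp)
        return f"{creditor}|{nonce}|{exp}|{self._tag(ssn, creditor, nonce, exp)}"

    def redeem(self, token, creditor, now):
        """Called by the creditor; returns the SSN it may open an account under,
        or None.  A genuine token is burned on its first presentation."""
        try:
            tok_creditor, nonce, _exp, tag = token.split("|")
        except ValueError:
            return None
        rec = self._live.get(nonce)
        if rec is None:
            return None
        ssn, bound_creditor, bound_exp = rec
        expected = self._tag(ssn, bound_creditor, nonce, bound_exp)
        if not hmac.compare_digest(tag.encode(), expected.encode()):
            return None               # forgery: reject without burning the real token
        del self._live[nonce]         # genuine: single use, whatever happens next
        if creditor != bound_creditor or tok_creditor != bound_creditor or now > bound_exp:
            return None
        return ssn


def demo():
    store = CustomerStore()
    ssn = "123-45-6789"               # constructed, not a real SSN
    store.enrol(ssn, "First car's nickname?", "the Beast", actor="branch:open")
    bureau = CreditBureau(store)
    now = 1_700_000_000               # fixed clock so the run is reproducible
    bad_answer = store.verify(ssn, "Smith", actor="phone:agent42")
    good_answer = store.verify(ssn, "THE  beast", actor="phone:agent42")
    tok = bureau.issue(ssn, "the beast", "creditor:BankA", now)
    first = bureau.redeem(tok, "creditor:BankA", now + 10)
    replay = bureau.redeem(tok, "creditor:BankA", now + 20)
    tok2 = bureau.issue(ssn, "the beast", "creditor:BankA", now)
    wrong = bureau.redeem(tok2, "creditor:BankB", now + 10)
    return bad_answer, good_answer, first, replay, wrong, store.who_accessed(ssn)
```

Two design choices worth noting. A token whose tag fails to verify is rejected without touching bureau state, so a forger who learns a nonce cannot burn the real customer's token; a genuine token is burned on first presentation even when the creditor or the clock is wrong, because a genuine token turning up at the wrong creditor means it has already leaked. The audit trail deliberately records failed verifications as well as successful ones, since the failed guesses are what reveal a pattern.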


Re: Tail strikes from improper settings (Landgren, RISKS-25.67)

Ken Knowlton <KCKnowlton@aol.com>
Tue, 19 May 2009 17:11:09 EDT

An airplane on a take-off run clearly could perform an automatic sanity
check (comparing thrust settings and actual acceleration with gross weight,
air speed/temperature/pressure, flap settings ...) and raise an alarm if
something's seriously amiss. (It cannot easily automatically know other
important things like runway length, aerodynamic effect of ice on wings,
obstacles ...). Indeed, the Halifax report does briefly mention that
authorities suggest "systems to warn crews of inadequate take-off
performance." So what's the problem with the development and installation of
such systems?  Technical complexity? Expense? Reliability? Training? Longer
checklist for pilots? Legal mess with false positives/negatives?
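The sanity check Ken Knowlton describes, as an added toy example that is not from his post and not any avionics vendor's system: predict how fast the aircraft should be rolling at a checkpoint time from the crew's entered gross weight, the thrust setting and the ambient air, compare that with the measured ground speed, and alarm on a shortfall. The aircraft parameters, the physics simplifications (constant thrust, quadratic drag, rolling resistance on the full weight) and the 10% tolerance are all invented for illustration; the second case mimics a weight entered 20% too low, so the thrust chosen for it is too little for the real aircraft.

```python
from dataclasses import dataclass

G = 9.81           # m/s^2
R_AIR = 287.05     # J/(kg*K), specific gas constant of dry air


@dataclass
class Aircraft:
    wing_area_m2: float
    drag_coeff: float      # whole-aircraft Cd in take-off configuration (assumed)
    rolling_coeff: float   # tyre rolling-resistance coefficient (assumed)


def air_density(temp_c, pressure_hpa):
    """Ideal-gas density from ambient temperature and pressure."""
    return pressure_hpa * 100.0 / (R_AIR * (temp_c + 273.15))


def acceleration(ac, thrust_n, mass_kg, speed_mps, rho):
    """Net ground-roll acceleration in the toy model."""
    drag = 0.5 * rho * speed_mps ** 2 * ac.wing_area_m2 * ac.drag_coeff
    rolling = ac.rolling_coeff * mass_kg * G
    return (thrust_n - drag - rolling) / mass_kg


def speed_at(ac, thrust_n, mass_kg, rho, t_s, dt=0.05):
    """Integrate the roll from rest to time t_s (explicit Euler steps)."""
    v, t = 0.0, 0.0
    while t < t_s - 1e-9:
        v += acceleration(ac, thrust_n, mass_kg, v, rho) * dt
        t += dt
    return v


def takeoff_check(ac, entered_mass_kg, thrust_n, temp_c, pressure_hpa,
                  measured_speed_mps, t_check_s, tolerance=0.10):
    """Compare measured speed at the checkpoint with what the entered weight
    and thrust predict; alarm when the shortfall exceeds the tolerance."""
    rho = air_density(temp_c, pressure_hpa)
    expected = speed_at(ac, thrust_n, entered_mass_kg, rho, t_check_s)
    shortfall = 1.0 - measured_speed_mps / expected
    return {"expected_mps": expected, "measured_mps": measured_speed_mps,
            "shortfall": shortfall, "alarm": shortfall > tolerance}


def demo():
    ac = Aircraft(wing_area_m2=120.0, drag_coeff=0.05, rolling_coeff=0.02)
    temp_c, pressure_hpa, t_check, thrust = 15.0, 1013.25, 10.0, 180_000.0
    entered_mass = 60_000.0
    rho = air_density(temp_c, pressure_hpa)

    # Case 1: entered weight is right, so the "measured" speed (produced here
    # by the same model for the true weight) matches the prediction.
    ok_speed = speed_at(ac, thrust, entered_mass, rho, t_check)
    ok = takeoff_check(ac, entered_mass, thrust, temp_c, pressure_hpa, ok_speed, t_check)

    # Case 2: the aircraft is really 20% heavier than entered; the thrust set
    # for the entered weight gives a sluggish roll that the check catches.
    true_mass = entered_mass * 1.2
    slow_speed = speed_at(ac, thrust, true_mass, rho, t_check)
    bad = takeoff_check(ac, entered_mass, thrust, temp_c, pressure_hpa, slow_speed, t_check)
    return ok, bad
```

The check only has the quantities the post says are available on board (thrust, weight entry, air data, measured speed); it knows nothing about runway length or wing contamination, which is why a real system would pair it with a crew procedure rather than replace one.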


RE: FAA ATC shutdown (Gorman, RISKS-25.66)

Stewart Fist <stewart_fist@optusnet.com.au>
Sun, 17 May 2009 10:45:02 +1000

> ... one must believe that waiting lists, which exist in virtually all known
> government run health care systems, do not matter.

Waiting lists also exist in virtually all known private health care systems.
As a long-term ex-private patient, who has now been forced back onto the
Australian public health-care system for financial reasons, I've experienced
the best and worst of both ends of the spectrum.

In my experience, there's very little between them in Australia -- both in
terms of the quality of the care, the compassion and training of the staff,
and in the waiting time for access.  I've spent much more time in the
waiting rooms of specialist doctors who charge highly for their services than
I do with my local bulk-billed (government paid) local doctor.

It is true that my public-hospital hip replacement waiting time would have
been shortened from three months, down to one month -- but since I'd put up
with the problem gradually worsening over the previous three years, this was
hardly consequential.  If it had been heart surgery, there would have been
no difference.

However the total cost of the hip replacement to me --- hospital, surgeons,
prosthesis, and everything was zero.  Loss of productivity for the nation --
also zero.  Risk of dying while waiting the extra two months -- not far
above zero.

I think Ms Gorman needs to get out of Colorado and see how the rest of the
world operates before she influences the setting of the state's health-care
policy.

Stewart Fist, 70 Middle Harbour Rd, LINDFIELD, NSW 2070 Australia


Is "security through obscurity" being called for in RISKS?

Fred Cohen <fc@all.net>
Sat, 16 May 2009 16:33:48 -0700

Re: FAA ATC shutdown (McIntyre, RISKS-25.67)

> It is important for government to be open to the people in identifying
> problems, but some stuff needs to be kept confidential from potential
> trouble makers.

  [Thanks, Fred.  I was hoping someone would make that observation!  PGN]


Re: On Government IT competence (Kaiser, RISKS-25.67)

Scott Miller <SMiller@unimin.com>
Mon, 18 May 2009 09:21:38 -0400

> Linda Gorman's note is a partisan rant where it suggests that government
> is uniquely incompetent.  That rant doesn't belong in RISKS.

In common (US) parlance, "partisan" refers to a bias in favor of one of the
two political parties enfranchised by voting regulations: Democrat or
Republican.  Since both parties routinely promote increased government power
as the superior solution to nearly every problem or issue (differences are
in the details, and increasingly marginal; e.g - the recent "rescue" of the
financial system, begun by a Republican regime, embraced and extended by the
Democrat politicians who replaced that regime), I fail to see how
Mr. Kaiser's characterization of her post as "partisan" (even if his
analysis is accepted at face value) is at all accurate.  Further, how is the
opinion expressed in Ms. Gorman's post less appropriate to this list than
the many others that I have read here on various topics suggesting that
government is uniquely competent?

> Shall we talk about voting devices?

Electronic voting systems are IT projects largely contracted by government
exclusively to favored private (some would write "mercantilist") contractors
(Diebold, Sequoia, etc.)  For well over a decade, ATC (tracon & en route
alike) systems have been IT projects largely contracted by government
exclusively to favored private (some would write "mercantilist") contractors
(LockMart, SunHelo<sp?>, etc.)  And the point of differentiation was
intended to be?


Book Review: The Science of Fear, Daniel Gardner

Bruce Schneier <schneier@SCHNEIER.COM>
Fri, 15 May 2009 02:13:07 -0500

Excerpted from Bruce's CRYPTO-GRAM, May 15, 2009
<crypto-gram-list@schneier.com>

Daniel Gardner's The Science of Fear was published last July, but I've only
just gotten around to reading it. That was a big mistake. It's a fantastic
look at how humans deal with fear: exactly the kind of thing I have been
reading and writing about for the past couple of years. It's the book I
wanted to write, and it's a great read.

Gardner writes about how the brain processes fear and risk, how it assesses
probability and likelihood, and how it makes decisions under
uncertainty. The book talks about all the interesting psychological studies
-- cognitive psychology, evolutionary psychology, behavioral economics,
experimental philosophy -- that illuminate how we think and act regarding
fear. The book also talks about how fear is used to influence people, by
marketers, by politicians, by the media. And lastly, the book talks about
different areas where fear plays a part: health, crime, terrorism.

There have been a lot of books published recently that apply these new
paradigms of human psychology to different domains -- to randomness, to
traffic, to rationality, to art, to religion, etc. -- but after you read
a few you start seeing the same dozen psychology experiments over and over
again. Even I did it, when I wrote about the psychology of security. But
Gardner's book is different: he goes further, explains more, demonstrates
his point with the more obscure experiments that most authors don't bother
seeking out. His writing style is both easy to read and informative, a nice
mix of data and anecdote. The flow of the book makes sense. And his analysis
is spot-on.

My only problem with the book is that Gardner doesn't use standard names for
the various brain heuristics he talks about. Yes, his names are more
intuitive and evocative, but they're wrong. If you have already read other
books in the field, this is annoying because you have to constantly
translate into standard terminology. And if you haven't read anything else
in the field, this is a real problem because you'll be needlessly confused
when you read about these things in other books and articles.

So here's a handy conversion chart. Print it out and tape it to the inside
front cover. Print another copy out and use it as a bookmark.

  Rule of Typical Things = representativeness heuristic
  Example Rule = availability heuristic
  Good-Bad Rule = affect heuristic
  Confirmation bias = confirmation bias

That's it. That's the only thing I didn't like about the book.  Otherwise,
it's perfect. It's the book I wish I had written. Only I don't think I would
have done as good a job as Gardner did. The Science of Fear should be
required reading for...well, for everyone.

The paperback will be published in June.

http://www.amazon.com/exec/obidos/ASIN/0525950621/counterpane/

A copy of this essay, with all embedded links, is here:
http://www.schneier.com/blog/archives/2009/04/book_review_the.html
