The RISKS Digest
Volume 25 Issue 72

Monday, 6th July 2009

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator



More on the DC Metro collision 22 June 2009
David Lesher
Al Stangenberger
Re: Train collisions
Dave Parnas via PGN
Earlier autopilot problem on New York City subway trains
George Mannes
More focus on computers in the Air France crash
Steven M. Bellovin
Clear clears its ownership, but not stored data
Use of GPS leads to wrong house being destroyed
Sequoia Voting Systems vs DC
David Lesher
A Less than Simple Flight from Rome to Heathrow
Chris J Brady
Train and iPod do not mix
Barry Munns
Billions stolen in online robbery
HOW many? 12,000 laptops lost PER WEEK in US airports
Peter Houppermans
That old "object reuse" problem ...
Rob Slade
Politicians, personal e-mail, and the ECPA
Bob Gezelter
Lindsay Marshall
Google Earth a tool for thieves and scoundrels?
John Hatpin via Mark Brader
Re: A new way to lose money via ATM...
Jim Haynes
Re: Bozeman
Andrew Koenig
I think we're all Bozemans on this bus
Steve Lamont
Info on RISKS (comp.risks)

More on the DC Metro collision 22 June 2009 (Thompson, RISKS-25.71)

"David Lesher" <>
Thu, 25 Jun 2009 22:09:40 -0400 (EDT)

On Monday 22 June 2009, 6-car southbound train #112 rear-ended stopped
6-car southbound train #214, just north of Ft. Totten station. The lead
car of 112 split open horizontally, with the frame crushed to half its
length, and the sides/roof climbing the last 214 car.
Since this was inbound at afternoon rush hour, the trains were far from
full; there are 9 dead, including the operator of 112, and ~75 injured.

The NTSB reports that 112 was in automatic mode, where trackside block
limits and Central Command dictate the train's movements. An interview
with the 214 operator disclosed that it was stopped in manual mode.

Based on track and wheel markings, the operator of 112 started an
emergency stop several hundred feet before the collision.  Despite that,
214 was displaced 6-7 feet by the collision. (An empty 6-car train weighs
about 460,000 lbs.)

On Tuesday and Wednesday, NTSB ran tests on the blocks of the signaling system.  On
Wednesday, they found that a train stopped where 214 was did NOT register on
the ATP system.


It's way too early to jump to conclusions, but the above is exactly what
100+ years of railroad signaling supposedly makes impossible. There will
be a lot of work in the coming months to discern what happened.

ref: past NTSB reports on Metro incidents. One discusses the signaling
system; the other shows another 1000-series car similarly split by a


More on the DC Metro collision

Al Stangenberger <>
Fri, 26 Jun 2009 10:07:54 -0700

In case you missed it, NTSB issued a press release yesterday on
investigation progress.

One significant finding:

> Investigators conducted tests at the accident site last night with a
> similar train and found that when the train was stopped at the same
> location as the stopped struck train, the train control system lost
> detection of the test train.

This is certainly only one factor in a complex incident, for example the
operator of the leading train says he was running the train in manual mode
all his shift - why??

This will be an interesting one to watch.

Re: Train collisions (Re: RISKS-25.71)

"Peter G. Neumann" <>
Tue, 23 Jun 2009 13:25:50 PDT

Comment from Dave Parnas:
  This problem already seems to be solved on German trains.  If you watch
  them, you will see that they punch in some numbers when they pass a sign
  along the tracks.  In this way, you know if they are not alert.

On the other hand, the system is supposedly designed to make it impossible
for a train to cross the red light indicating a train on the tracks ahead,
with automated braking based on maintaining a safe distance between trains.

Later reports seem to indicate that the signaling across one stretch
of track was inoperative, which prevented the system from working properly.

Earlier autopilot problem on New York City subway trains

George Mannes <>
Tue, 23 Jun 2009 16:30:19 -0400

There was a train problem in the news two weeks before the DC disaster.
[Source: Heather Haddon, Autopilot causes L trains to bypass platforms,
*AM New York*, 10 Jun 2009]

More focus on computers in the Air France crash

"Steven M. Bellovin" <>
Mon, 29 Jun 2009 11:13:58 -0400

According to the Wall Street Journal, 27 Jun 2009, investigators "suspect a
rapid chain of computer and equipment malfunctions stripped the crew of
automation today's pilots typically rely on to control a big jetliner."
Much of the article concerns the hypothesized sequence of events, but this
paragraph should resonate with RISKS readers:

  Unlike jetliners built in previous decades — which required pilots to
  frequently manipulate controls and often manually fly the planes for long
  stretches — newer computer-centric aircraft such as the A330 and Boeing's
  777 are designed to operate almost entirely on automated systems. From
  choosing engine settings and routes to smoothing out the ride during
  turbulence and landing in low visibility, pilots essentially monitor
  instruments and seldom interfere with computerized commands. So when those
  electronic brains begin to act weirdly at 35,000 feet, the latest crop of
  aviators may be less comfortable stepping in and grabbing control of the

There's one other point worth noting.  As has often been noted, it's rarely
one thing that brings down a modern airliner.  The current presumed
scenarios are known to be incomplete:

  Planes can — and occasionally do — fly safely without pitot probes
  functioning properly. That's why investigators believe some other
  important factor, which hasn't been identified yet, likely contributed to
  the crash.

The plane is a system, where the different pieces interact in complex ways.

Clear clears its ownership, but not stored data

"Peter G. Neumann" <>
Fri, 26 Jun 2009 13:18:15 PDT

Out of Business, Clear May Sell Customer Data <>
Posted by kdawson Friday June 26, @11:40AM
from the but-don't-worry-it's-perfectly-safe dept.


narramissic <> writes "Earlier this week, the Clear
airport security screening service ceased operations, leaving many to wonder
what would become of the personal information, including credit card
numbers, fingerprints, and iris scans, of Clear's customers.  And now we
know.  The information could be sold to the provider of a similar service.
Until then, Clear has erased PC hard drives at its airport screening kiosks
and is wiping employee computers, but the information is retained on its
central databases (managed by Lockheed Martin).  Clear customer David
Maynor, who is CTO with Errata Security in Atlanta, wants Clear to delete
his information but that isn't happening, the company said in a note
<> posted to its Web site Thursday.  'They had your
Social Security information, credit information, where you lived, employment
history, fingerprint information,' said Maynor. 'They should be the only
ones who have access to that information.'"


Use of GPS leads to wrong house being destroyed

"Peter G. Neumann" <>
Thu, 11 Jun 2009 19:28:46 PDT

The demolition crew was given only the GPS coordinates, and demolished the
wrong house.  No one home, no confirmation.  Ugly case.  [PGN-ed; Thanks to
Lauren Weinstein.]

Sequoia Voting Systems vs DC

"David Lesher" <>
Fri, 5 Jun 2009 23:23:12 -0400 (EDT)

Sequoia Voting Systems agreed yesterday to turn over sensitive information
to the D.C. Council about how the District's voting machines work and
tabulate results, setting the stage for one of the most comprehensive probes
on the reliability of electronic voting equipment.  The agreement is a
response to the election night chaos in the September primaries, when
Sequoia machines tabulated more ballots than there were voters, resulting in
thousands of phantom votes. ...  [Source: Tim Craig, *The Washington Post*,
6 Jun 2009]

A Less than Simple Flight from Rome to Heathrow

Chris J Brady <>
Tue, 23 Jun 2009 08:48:18 -0700 (PDT)

I thought Heathrow was bad enough with its new multi-million pound Terminal
5. Remember the opening fiasco of the thousands of delayed bags being
trucked around Europe and then back again, eventually to be auctioned at
Gatwick as unclaimed? But at least at Heathrow they always get the departure
gates correctly displayed on the computer driven LED displays.

But recently Rome FCO airport produced a first for me. The screens
displaying departures were like huge 6 foot / 2 metre laptop screens on
end. In detail they listed the airlines, flight codes, departure gates, and
important information like 'now boarding.' When I discovered them upstairs
in Terminal C, incidentally in the time-distracting shopping area, one
screen showed up-to-date / minute by minute listings for 12.00 through to
about 14.00, and the two screens next door had listings for 19.00 through to
21.00 and 21.00 to 24.00. On the two latter screens some of the flights were
listed as 'now boarding' including one for Toronto at about 20.00. However
the actual time was 13.00. Hmm ...

Interestingly a possible explanation could have been seen at the bottom left
hand corners of the errant screens where there was that ubiquitous Windows
'Start' button in green. I tried pressing it but the screens were not touch

Clearly Windows had crashed and apparently left the previous day's flights
on display on the two screens. When I told an official he shrugged - like
airport officials tend to do - and walked away. The screens stayed like that
until I left the area at 16.30 for my BA flight to London.

But as we queued at the BA flight's departure gate, to have our boarding
passes processed, I noticed that the Windows driven screen there clearly
stated that the flight we were about to board was on Gulf Air to Dubai. The
BA contract staff had not noticed, so I assumed that this misinformation was
not unusual. I was correct.

However that wasn't quite the end of my computer-malfunction
experience. At Heathrow T5 BA/BAA, with their spanking brand new computer
controlled baggage delivery system, they kindly delivered my hold baggage
onto the wrong belt so that after waiting for about 30 minutes I then
reported it missing. After interrogating their computer system the BA staff
told me that it had not even been loaded onto the plane at Rome, that this
was not unusual from Rome, and that it would (probably) arrive the next day
and be delivered to my home by courier. [Incidentally it appears that
thousands (millions?) of 'delayed' bags actually do fly around the world
without their owners on board - but that's another risk.] However as I was
about to leave the hall and go through customs, and in a less than happy
mood, I spotted my lonely bag all by itself on a delivery belt at the far
end of the baggage hall.

So I guess it was all a case of a human workforce who don't care about
giving out the wrong information, or at least in Rome FCO Airport simply not
switching off (or rebooting) displays that were clearly giving out the
incorrect information, together with "the principle of computer automation"
(e.g. for baggage delivery) "that things automatically go wrong;" a mix that
can't fail to cause an interesting experience if not one of concern. And
this was during a simple flight from Rome to London.

Train and iPod do not mix (Re: Wirchenko, RISKS-25.70)

Barry Munns <>
Fri, 19 Jun 2009 16:47:42 +1000

Not an area I'm an expert in, but many years ago I worked as an auditor for
the New South Wales (Australia) State Rail. As the job on occasion required
us to walk around the maintenance workshops and railway tracks, we received
safety training. My recollection of the training was an emphasis on not
relying on actually hearing a train coming at you, as the sound waves mostly
radiate sideways (not forward of the train). Hence, despite being very big
and noisy the trains can 'sneak up on you' (even at very low speeds). Which
is why when workers are doing track maintenance they put explosive charges
down the track to provide an audio cue that the train is coming.

So, whilst wearing an iPod didn't help the situation, walking on a railway
track is not very clever in the first place.

Billions stolen in online robbery

"Peter G. Neumann" <>
Fri, 3 Jul 2009 15:59:07 PDT

  [Thanks to Gunnar Peterson for spotting this one.]

Space trading game Eve Online has suffered a virtual version of the credit
crunch.  One of the game's biggest financial institutions lost a significant
chunk of its deposits as a huge theft started a run on the bank.  One of the
bank's controllers stole about 200 billion credits and swapped them for real
world cash of 3,115 pounds.  As news of the theft spread, many of the bank's
customers rushed to remove their virtual cash.  ...  The scandal is not the
first to play out in Eve Online. In early 2009 one of the game's biggest
corporations, called Band of Brothers, was brought down by industrial

HOW many? 12,000 laptops lost PER WEEK in US airports

Peter Houppermans <>
Tue, 30 Jun 2009 10:31:32 +0200 (CEST)

This is probably an interesting paper to draw figures from to see if you can
somehow convince people to (a) leave full disk crypto alone and (b) properly
shut down a laptop when not in use, despite the lengthy boot time of a
modern enterprise laptop lumbering under anti-virus, corporate software
management tools and a fragmented file system.

Ponemon rang up 106 big airports in 46 states to discover that business
travelers lose about 12,000 laptops a week in US airports.  Not all, or even
most, are stolen by airport staff — 40 per cent of losses occur at security
checkpoints.  But of the laptops that are found, just 33 per cent are
reclaimed by their owner. The rest are sold off, leaving "potentially
millions of files containing sensitive or confidential data that may be
accessible to a large number of airport employees and contractors."  40% of
loss occurs at security checkpoints. Should that not be IN security
checkpoints then?

That old "object reuse" problem ...

Rob Slade <>
Tue, 23 Jun 2009 17:23:50 -0800

UBC graduate students and instructors visited Ghana, China (the world's
largest electronic waste dump, in Guiyu), and India to find out what happens
to electronic trash.  Criminals scour the hard drives for credit card
information and other personal information.  (The electronic waste also
pollutes the environment and poisons scavengers seeking to extract metals.)

In Ghana, students bought a hard drive originally used by U.S. defence
contractor Northrop Grumman, containing about 50 files marked as competitive
and sensitive, including information on government contracts for the U.S.
Department of Homeland Security.  Northrop spokesman Thomas Henson said that
the company has a detailed procedure to dispose of electronics and the drive
was likely stolen from a vendor that handles its disposed electronics.
(Yeah, right.)

(Maybe the Chinese don't have to hack into important computers to get
sensitive info ...)

Politicians, personal e-mail, and the ECPA

Bob Gezelter <>
Sun, 28 Jun 2009 14:22:45 -0500

The matter of the e-mails between Governor Mark Sanford (R-SC) and his
paramour becoming public raises any number of questions. However, what has
been notable in much of the press coverage is the lack of question of
whether a crime was committed in the process of supplying them to The State
(a South Carolina newspaper).

A more detailed discussion of this affair appears in my blog under
"Governor Sanford Email Disclosure: An ECPA Violation" at

Robert "Bob" Gezelter, 35-20 167th Street, Suite 215,
Flushing, New York  11358-1731  +1 (718) 463 1079


Lindsay Marshall <>
Tue, 9 Jun 2009 18:56:27 +0100

There are now full-text RSS 1, RSS 2 and Atom feeds available from the website at .

Google Earth a tool for thieves and scoundrels?

Mark Brader
Mon, 29 Jun 2009 15:16:49 -0400 (EDT)

* From: John Hatpin <>
* Newsgroups:
* Subject: Google Earth a tool for thieves and scoundrels?
* Message-ID: <>
* Date: Mon, 29 Jun 2009 13:29:34 +0100
* Xref:

Just happened across this report today from an unlikely source, the BCS
(British Computer Society):

|Thieves in Hull are thought to be using Google Earth to help them
|steal sought after fish from people's gardens.
|Up to 12 cases of fish going missing have been reported during a
|three-week period, with many of those missing Koi carp, worth
|several hundred pounds each.
|Police believe the online technology is being used as it would
|otherwise be impossible to locate gardens with fish and ponds in.
|Sam Gregory, Humberside police community support officer, said:
|'Google shows what is in your garden and you can see people's
|ponds. One of the properties targeted has an eight foot fence and
|is set back from the road.'
|'The pond is in the corner and can't be seen. Unless you were
|standing right next to the wall, you wouldn't be able to hear
|the running water,' he added.
|Previously, Google Earth had led to the arrest of two muggers in
|Holland after their victim saw them on Google's Street View.

Firstly, it took me a while to realise that "12 cases of fish going
missing" wasn't talking about big boxes of fish.

Now, I'd heard people complaining that "Google Earth can be used by
burglars to case out their targets", but always dismissed it as
Luddite hysteria; this is the first time I've actually seen it to be
the case.  Of fish.

Have there been any previous instances where GE has been used by
ne'er-do-wells to redistribute wealth nefariously?

John Hatpin

Re: A new way to lose money via ATM... (RISKS-25.71)

Jim Haynes <>
Tue, 23 Jun 2009 19:42:46 -0500 (CDT)

I wonder why an ATM needs an operating system anyway.  Maybe we should
go back to software as it was done in 1950 and write the instructions to
tell the hardware what to do, no more and no less.

But if it does need an operating system, there was a paper written by David
Parnas long ago where he explained how to write software so that it was
hierarchically modular.  That is, the kernel was as simple as possible; and
increased functionality was achieved by adding modules on top of what was
already there, never having to modify something underneath the modules being
added.  Philip Levy designed an operating system for the Z-80 using these
principles.  The result was a system that could serve anything from an
embedded microcontroller to a multitasking workstation simply by adding the
right set of modules as needed.  Seems like I was told that Data General had
an operating system designed along the same lines, again so that a machine
could span a wide range of different kinds of applications.

Maybe the problem is that today memory is essentially free, so it's easier
to throw in baggage we don't need than it is to decide just what we do need.

Re: Bozeman (RISKS-25.71)

"Andrew Koenig" <>
Wed, 24 Jun 2009 09:16:23 -0400

When I read the article about Bozeman requiring job applicants to grant
access to their online personae, I immediately wondered whether the same
principle might not apply in the physical domain as well.

That is, I wonder what would happen if a prospective employer were to
require all applicants to sign a contract that assigns the applicant's
fourth-amendment rights to the employer as a condition of consideration for
employment.  In other words, in exchange for the company looking at your job
application, you would agree to give the company power of attorney to
authorize police searches of your home and possessions.

Would such a contract be considered binding?  Would it even be considered
conscionable?  If not (and I certainly hope not), what is the difference
between such a contract and what Bozeman is doing?  In both cases it is a
matter of using a contract to force someone to divulge information to a
government entity that would ordinarily require a search warrant.

I think we're all Bozemans on this bus

Steve Lamont <>
Tue, 23 Jun 2009 18:43:50 -0700

Regarding that recent story about Bozeman, Montana, requesting usernames
and passwords for social networking sites:

They appear to have backed down and apologized.
