The Risks Digest

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Volume 25 Issue 75

Thursday 6 August 2009

Contents

Software never fails, people decide that it does
Paul Robinson
Seven water mains break due to computer glitch
Joseph Lorenzo Hall
Stock Traders Find Speed Pays, in Milliseconds
Charles Duhigg via Monty Solomon
GPS typo saves couple?
Joel Baskin
How To Hijack 'Every iPhone In The World'
Andy Greenberg via Monty Solomon
10 ways your voice and data can be spied on
Gene Wirchenko
The NSA Is still Listening to You
jidanni
Beware of Outdated E-mail Addresses
Gene Wirchenko
Funniest security faux pas this week
Ron LaPedis
You think Adobe bug reports are tough to submit...
Michael Albaugh
Re: Risks of hierarchical map displays
Leonard Finegold
Gavin Treadgold
Gene Wirchenko
Industrial object-oriented language made void-safe
Bertrand Meyer
Ari Juels, Tetraktys, a `cryptographic thriller'
Ben Rothke via PGN
Info on RISKS (comp.risks)

Software never fails, people decide that it does

Paul Robinson <paul@paul-robinson.us>
Sun, 26 Jul 2009 18:17:14 -0700 (PDT)

There was an article [1] on Slashdot saying how Software Engineering and
Computer Science are two different things. It also refers to an article [2]
on Dr. Dobbs Journal that says that Software Engineering will never be a
rigorous, formal discipline. Which is true.

The statement that software engineering - which is a mislabel - cannot be a
rigorous, formal system is so obvious that it might as well be one of those
things we never think about until we have to and when we do think about it
it's intuitively obvious.

Consider what will happen when you die: there are only three possibilities.
You exist after you die and you like the results; you exist after you die
and you do not like the results; you do not exist after you die. All three
possibilities are equally valid since we have no evidence of any of them. If,
as it turns out, when you die you cease to exist, it is not something
you need to worry about. Now, the thought probably terrifies you - it used
to terrify me, too - until you realize something: if you cease to exist, you
will know nothing. You'll never know that you don't exist.

So consider the conditions of the existence of software. Software is always
perfect and is always the same, it never changes. It does not rot, rust,
age, get moldy, crumble, break, shatter or fail. It never needs maintenance,
lubrication, cleaning, sharpening, polishing, repair or replacement. As long
as the hardware that copies it makes identical copies, it is perfect and
always will be perfect, except for the extremely rare and unusual case of
deterioration of the storage media due to cosmic ray damage. Which can be
detected by mathematical algorithm, in which case, if there is another
source, another perfect copy can be made and it's right back where it
was. Software is never defective and can never be defective other than the
case I've given of the rare possibility of cosmic-ray damage to media or
hardware failure in copying, and thus it never needs change, modification or
updating.

Every year, every country makes changes to its tax laws. Any software which
must comply with those new changes has to be changed according to the
decisions of tax accountants and lawyers as to what is needed to be in
compliance. If you have a cellular network and want to add new features, you
have to modify the software - in the switches, the handsets, the gateways,
and/or all of these - to be able to enable them to offer new features. In
both cases the software needs updating.

Both statements are true, but you might ask how they can be when they appear
to be conflicting. They're not, and I'll explain why.

Any software package, from a 1-line APL function to a 20 million-line COBOL
behemoth application suite that runs a trillion dollar bank, large insurance
company or government agency, only requires maintenance or change because in
someone's subjective opinion it needs a change. A bridge needs replacement
when it collapses or when it is beyond its useful life; a building needs
replacement under the same circumstances. A piece of metal furniture needs
replacement when its structure rusts into dust, fails or is unable to
support a load due to metal fatigue. These are objective facts, either the
structure is usable or it isn't. An engineer can determine by experience and
judgment that the structure is at its lifespan limit or can point to signs
of physical rust, deterioration, or structure failure indicators that prove
their opinion.

Any declaration that a software package needs updating, change, or
replacement is strictly based upon the subjective opinion of someone saying
that it needs the work. All software change is the result of some person's
opinion that the change needs to be made and has no basis in reality except
their opinion. Their opinion is correct if you agree with them or if in your
opinion you can't disagree with their opinion. They may be correct that
because of errors in how the software performs its desired function, need
for new function, or need for changes in existing function, the software
needs change, replacement or updating, but they can only be "correct"
because it is considered that in someone's opinion they agree with their
opinion that the change is needed.

But the claim by someone that a software package needs change, updating or
replacement is, and always will be, a subjective opinion based on nothing
more than "because I say so."

(1) http://tech.slashdot.org/story/09/06/06/0210229
(2) http://www.ddj.com/architect/217701907


Seven water mains break due to computer glitch

Joseph Lorenzo Hall <joehall@gmail.com>
Tue, 28 Jul 2009 19:32:16 -0400

http://www.nj.com/news/index.ssf/2009/07/seven_water_mains_break_in_jer.html

Jersey City is my hometown during my visiting postdoc at Princeton's CITP.
From the story:

  Seven water mains broke in the Jersey City Heights today -- the result of
  a computer glitch that caused a false low pressure reading and kicked on
  pumps at a United Water facility, officials said.  Due to low water
  pressure in the Heights following the ruptures, fire officials posted four
  water tanker trucks at two locations in the area for use in the event of a
  fire, Fire Director Armando Roman said.  [...]

Pretty serious consequences from this glitch, no doubt... and a mighty
efficient way to mess up fire response.  And I can attest with video
evidence that the water was indeed brown:
http://www.flickr.com/photos/joebeone/3766791608/

UC Berkeley/Princeton  http://josephhall.org/


Stock Traders Find Speed Pays, in Milliseconds

Monty Solomon <monty@roscom.com>
Fri, 24 Jul 2009 22:40:44 -0400

Charles Duhigg, *The New York Times*, 14 Jul 2009

It is the hot new thing on Wall Street, a way for a handful of traders to
master the stock market, peek at investors' orders and, critics say, even
subtly manipulate share prices.  It is called high-frequency trading - and
it is suddenly one of the most talked-about and mysterious forces in the
markets.

Powerful computers, some housed right next to the machines that drive
marketplaces like the New York Stock Exchange, enable high-frequency traders
to transmit millions of orders at lightning speed and, their detractors
contend, reap billions at everyone else's expense.  These systems are so
fast they can outsmart or outrun other investors, humans and computers
alike. And after growing in the shadows for years, they are generating lots
of talk.

Nearly everyone on Wall Street is wondering how hedge funds and large banks
like Goldman Sachs are making so much money so soon after the financial
system nearly collapsed. High-frequency trading is one answer.  And when a
former Goldman Sachs programmer was accused this month of stealing secret
computer codes - software that a federal prosecutor said could "manipulate
markets in unfair ways" - it only added to the mystery. Goldman acknowledges
that it profits from high-frequency trading, but disputes that it has an
unfair advantage.  Yet high-frequency specialists clearly have an edge over
typical traders, let alone ordinary investors. The Securities and Exchange
Commission says it is examining certain aspects of the strategy. ...

http://www.nytimes.com/2009/07/24/business/24trading.html


GPS typo saves couple?

Joel Baskin <jdbaskin@hotmail.com>
Tue, 28 Jul 2009 13:17:58 -0700

A Swedish couple touring in Italy drove to Carpi instead of Capri due to a
typo.  Who knows if they would have tried to drive to the intended island --
so this may have saved them. :)

This is just another case of user error -- but should GPS systems check
spelling, and if so how? Could there be a database of places with similar
names within defined distances? Extended metadata would be of use -- but
effort would increase quite quickly for several reasons.

http://news.bbc.co.uk/2/hi/europe/8173308.stm

  [Also noted by Rick Moen in the *San Francisco Chronicle* and by Gene
  Wirchenko.  PGN]


How To Hijack 'Every iPhone In The World'

Monty Solomon <monty@roscom.com>
Wed, 29 Jul 2009 08:14:30 -0400

Andy Greenberg, 28 Jul 2009

On Thursday, two researchers plan to reveal an unpatched iPhone bug that
could virally infect phones via SMS.  If you receive a text message on your
iPhone any time after Thursday afternoon containing only a single square
character, Charlie Miller would suggest you turn the device off. Quickly.

That small cipher will likely be your only warning that someone has taken
advantage of a bug that Miller and his fellow cybersecurity researcher
Collin Mulliner plan to publicize Thursday at the Black Hat cybersecurity
conference in Las Vegas. Using a flaw they've found in the iPhone's handling
of text messages, the researchers say they'll demonstrate how to send a
series of mostly invisible SMS bursts that can give a hacker complete power
over any of the smart phone's functions. That includes dialing the phone,
visiting Web sites, turning on the device's camera and microphone and, most
importantly, sending more text messages to further propagate a mass-gadget
hijacking.  ...

http://www.forbes.com/2009/07/28/hackers-iphone-apple-technology-security-hackers.html


10 ways your voice and data can be spied on

Gene Wirchenko <genew@ocis.net>
Tue, 28 Jul 2009 10:55:12 -0700

1. Wireless keyboard eavesdropping
2. Wired keyboard eavesdropping
3. Laptop eavesdropping via lasers
4. Commercial keyloggers
5. Cell phones as remotely activated bugs
6. Cell phone SIM card compromise
7. Law enforcement wiretapping based on voice print
8. Remote capture of computer data
9. Cable TV as an exploitable network
10. Cell phone monitoring

Some of these ways have been covered in RISKS before.
Item 9 caught my eye:
  Commercially available software claims to capture cell phone conversations
  and texting. Attackers need to get physical access to the phone to upload
  the software that enables this.

  http://www.itbusiness.ca/it/client/en/CDN/News.asp?sub=true&id=54027


The NSA Is still Listening to You

<jidanni@jidanni.org>
Thu, 23 Jul 2009 10:31:34 +0800

This summer, on a remote stretch of desert in central Utah, the National
Security Agency will begin work on a massive, 1 million-square-foot data
warehouse. Costing more than $1.5 billion, the highly secret facility is
designed to house upward of trillions of intercepted phone calls, e-mail
messages, Internet searches and other communications intercepted by the
agency as part of its expansive eavesdropping operations. The NSA is also
completing work on another data warehouse, this one in San Antonio, Texas,
which will be nearly the size of the Alamodome.

http://informationclearinghouse.info/article23125.htm


Beware of Outdated E-mail Addresses

Gene Wirchenko <genew@ocis.net>
Fri, 24 Jul 2009 11:41:27 -0700

Twitter hack illustrates danger of chained exploits
http://www.infoworld.com/d/security-central/twitter-hack-illustrates-danger-chained-exploits-535?source=IFWNLE_nlt_daily_2009-07-24

The article discusses a few attacks.  The one that struck me as interesting
is the one at the bottom of page one and top of page two.

  "The second example of a chained exploit is even more intriguing. In this
  case, a malicious hacker broke in to one or more Twitter employees' e-mail
  accounts, then publicly posted both personal and company confidential
  information.

  The hacker accomplished this feat after discovering that a Twitter
  employee used Gmail and that a request for a new password for the account
  would be sent to the employee's Hotmail account. However, the employee had
  not used the Hotmail account in a very long time, so their Hotmail address
  was available for anyone to adopt.

  The hacker registered for the Hotmail address and had Gmail send a
  password reset for the Twitter employee's Gmail account to what was now
  the hacker's Hotmail account. With the new password, the hacker gained
  access to the Twitter employee's Gmail account. Using information found in
  the employee's e-mail, the hacker was able to acquire personal information
  about the employee and data to exploit Twitter's own network. TechCrunch
  has an excellent step-by-step account of the hack."

The TechCrunch link referred to is full of yummy technical details.
<http://www.techcrunch.com/2009/07/19/the-anatomy-of-the-twitter-attack/>


Funniest security faux pas this week

Ron LaPedis <rlapedis@seacliffpartners.com>
Wed, 22 Jul 2009 17:01:31 -0700

According to the About Us blurb on their web site, "The Payment Card
Industry (PCI) Knowledge Base (www.KnowPCI.com) is the largest an
independent research community focused on the security of payment and
related financial and personal data.  Our registered membership includes
approximately 2000 persons, including retailers, hoteliers, academics,
bankers, payment processors, PCI assessors (QSAs), providers of payment
systems and security technologists."

Yet when I registered on the site, their confirmation e-mail contained my
username and password in clear text. I think we already know the RISKS in
that, no?

FOLLOW UP: An e-mail to the founder of the organization resulted in him
asking the webmistress to remove the password from the confirmation e-mail
which she did within the hour. Now THAT is service!

Ron LaPedis, MBCP, MBCI, CISSP-ISSAP, ISSMP  +1 415 939 8887
Seacliff Partners International, LLC
http://seacliffpartners.com Business Continuity & Security Advisors


You think Adobe bug reports are tough to submit...

Michael Albaugh <m.e.albaugh@gmail.com>
Wed, 22 Jul 2009 14:37:33 -0700

Gene Wirchenko should be glad he was only trying to report a bug.
(RISKS Digest 25.74).

When I upgraded to PageMaker7 (Yes, that long ago, they may have reformed by
now), I got porn-spam within 15 minutes of entering "my e-mail address" into
their online registration. Yes, it was one I created for this specific
purpose. When I tried to report this, I found that abuse@adobe.com did not
apparently exist. postmaster@adobe.com would not accept my e-mail either.

The website kindly directed me to send a registered letter to some
lawyers in Los Angeles, at a post-office box. I found it simpler to
delete the account, as it had served its purpose. I also chose at that
point to never again buy from Adobe.


Re: Risks of hierarchical map displays (Wallich, RISKS-25.74)

Leonard Finegold <L@drexel.edu>
Wed, 22 Jul 2009 18:20:12 -0400

Where was this, and what was the GPS?  Sympathy.  Have experienced just this
for Cathedral Valley, UT (beautifully deserted).  GPS = Garmin Nuvi 350.
Had happily driven around the dirt roads, using the GPS.  Afterwards, I
wanted to check another route in and out, and found just what you did.

PS. Could you just have stopped on the road, presumably no-one around?


Re: Risks of hierarchical map displays (Wallich, RISKS-25.74)

Gavin Treadgold <gav@rediguana.co.nz>
Thu, 23 Jul 2009 12:14:31 +1200

I am most familiar with Garmin handheld and auto GPS units, but this
probably applies to other brands as well. Under Settings > Maps, there
usually exists an option entitled Map Detail. By default on Garmins, it is
set to Normal. It also has options such as Least Detail, Less Detail, More
Detail and Most Detail. If you increase the level of detail, you will see
the roads that exist lower in the hierarchy at a wider zoom level - which is
probably what Paul was attempting to achieve. E.g. roads that previously may
only have been shown at, say, a 500m scale (as set by the map developer) now
become visible up to, say, 1.2km or 2km scales. A number of units also offer
more granular control of what layers are visible up to what zoom level.

This works well in the countryside, but can be a real problem in cities with
dense road networks as the map display takes longer to redraw, and when it
has redrawn it becomes too cluttered to be readable.

It is certainly possible to force the display of more roads at higher zoom
levels; once again, the risk is actually user awareness of the features of
the device they are using, and how to customise their device to achieve the
desired display.

Gavin, Immediate Past President of the NZ Recreational GPS Society
http://www.gps.org.nz/


Re: Risks of hierarchical map displays (Wallich, RISKS-25.74)

Gene Wirchenko <genew@ocis.net>
Wed, 22 Jul 2009 18:14:40 -0700

Paul Wallich wrote "I wonder whether such hierarchical displays contribute
to some of the GPS-aided navigation debacles that sometimes grace this
publication -- a driver may have some idea that they're going the wrong way,
but their display doesn't offer enough information to plan a new route
easily, and the psychological pressure to keep moving forward can increase
as conditions get worse."

I have similar problems with Google Maps.  I frequently look up locations
mentioned in articles that I read.  Sometimes, even after zooming out as far
as I can, I still do not know where the location that I am looking at is.

In another case, the urban, residential location indicated was a bit off
from the actual location.  Normally, this would not be of much consequence,
but in this case, between the two locations was a deep gully.


Industrial object-oriented language made void-safe

"Bertrand Meyer" <Bertrand.Meyer@inf.ethz.ch>
Sun, 26 Jul 2009 23:57:43 +0200

Re: Tony Hoare: "Null References: The Billion Dollar Mistake"

In January-February there was a discussion on comp.risks on the risks of
null references, following the publication of a talk abstract by Tony Hoare
(http://qconlondon.com/london-2009/presentation/Null+References:+The+Billion+Dollar+Mistake).

For the past five years we have been working at making Eiffel completely
void-safe ("void" being the same as "null"). Part of the significance of
this work is that we are not dealing with an experimental design but with an
existing industrial language and millions of lines of code that cannot just
be discarded. The mechanism was included in the ECMA/ISO standard for
Eiffel, but a full implementation required upgrading the libraries,
providing a migration path for existing code, and refining the mechanism.
With the release of EiffelStudio 6.4 in June, the language is entirely
void-safe. Our recent paper "Avoid a Void: The eradication of null
dereferencing" describes the challenges of void safety, the design of the
Eiffel mechanism, and the difficulties encountered in making it practical.
It is available at
http://se.ethz.ch/~meyer/publications/hoare/void-safety.pdf.

Bertrand Meyer, Eiffel Software http://www.eiffel.com
ETH Zurich http://se.ethz.ch/~meyer


Ari Juels, Tetraktys, a `cryptographic thriller'

"Peter G. Neumann" <neumann@csl.sri.com>
Wed, 29 Jul 2009 13:11:36 PDT

Ari Juels, Tetraktys, Emerald Bay Books, 2009, 351 pages, ISBN 978-0982283707
Reviewed by Ben Rothke
Review from http://books.slashdot.org/story/09/07/29/1313201/Tetraktys

"Imagine for a moment what his novels would read like if Dan Brown got
his facts correct. The challenge Brown and similar authors face is to
write a novel that is both compelling and faithful to the facts. In
Tetraktys, author Ari Juels is able to weave an interesting and
readable story, and stay faithful to the facts. While Brown seemingly
lacks the scientific and academic background needed to write such
fiction, Juels has a Ph.D. in computer science from Berkeley and is
currently the Chief Scientist and director at RSA Laboratories, the
research division of RSA Security."

The book, which might be the world's first cryptographic thriller, tells
the story of Ambrose Jerusalem, a gifted computer security expert, still
haunted by his father's death, a few months shy of his doctorate, who
has a beautiful and loving girlfriend, and a bright future ahead of him.
This is until the government gets involved and Jerusalem's plans are put
on hold when the NSA asks him to join them to track down a strange and
disturbing series of computer breaches.

Tetraktys, like similar thrillers, has its standard set of characters;
from corrupt State Department and World Bank officials, a dashing
protagonist with a long-suffering girlfriend, to mysterious and obscure
terrorist groups. This terrorist group in the book is comprised of
followers of Pythagoras.

As to the title, a tetraktys is a triangular figure of ten points
arranged in four rows, with one, two, three, and four points in each
row. It is a mystical symbol and was most important to the followers of
Pythagoras. While mainly known as the creator of the Pythagorean
theorem, Pythagoras of Samos was an influential Greek mathematician and
founder of the religious movement of Pythagoreanism. Those wanting more
information can watch a video
<http://www.tetraktysnovel.com/?page_id=83> about the symbol.

As to the storyline, the NSA is trying to recruit Ambrose as they feel
that the terrorists, who form a secret cult of followers of Pythagoras
have broken the RSA public-key algorithm. Breaking RSA is something that
is not expected for many decades, but if a revolution in factoring
numbers were to occur sooner, RSA's demise could happen that much
quicker. And if RSA was indeed broken by the antagonists, it would
undermine the security of nearly every government and financial
institution worldwide and create utter anarchy.

A good part of the book centers on the cult of Pythagoras. Its followers
believe that truth and reality can only be understood via their system
of numbers. The NSA needs Jerusalem's assistance as he is one of the few
people who have the mathematical, classical and philosophical background
to help them. It is he who ultimately connects the dots that the
Pythagoreans have left, which leads to the book's dramatic conclusion.

The book is a most enjoyable read and one is hard pressed to put it down
once they start reading it. The reader gets a good understanding of who
Pythagoras was and his worldview via Juels's weaving of Pythagorean
philosophy into the storyline.

While the book is not autobiographical, there are many similarities
between Ambrose Jerusalem and Ari Juels. From identical initials, to
their lives in events in Berkeley and Cambridge, to RSA and more.

For a first book of fiction, Tetraktys is a great read. As a novelist,
Juels's style approaches that of Umberto Eco, in that he weaves numerous
areas of thought into an integrated story. Like Eco's works, Tetraktys
has an arcane historical figure as part of its storyline, and an
intricate plot that takes the reader on many, and some unexpected,
turns. While not as complex and difficult to read as Eco, Tetraktys is a
remarkable work of fiction for someone with a doctorate in computer
science, not literature.

The book though does have some gaps, but that could be expected for a
first novel. The reader is never sure what the Pythagoreans are really
after or why they have resurfaced, and one of the characters is killed,
for reasons that are not apparent. Readers who want more information can
visit the Tetraktys web site <http://www.tetraktysnovel.com/>.

As to the book's protagonist, Ambrose Jerusalem is to Juels what Jack
Ryan is to Tom Clancy, meaning that his adventures are just beginning,
and that is a good thing.

For those interested in a cryptographic thriller, Tetraktys is an
enjoyable read. The book interlaces Greek philosophy, mathematics, and
modern crime into a cogent theme that is a compelling read. And if the
exploits of Ambrose Jerusalem continue, we may have found the successor
to Umberto Eco.

Ben Rothke is the author of Computer Security: 20 Things Every Employee
Should Know
<http://www.amazon.com/dp/0072262826?tag=benrothkswebp-20&camp=14573&creative=327641&linkCode=as1&creativeASIN=0072262826&adid=1J568GC6NDN92JTGVDP3&>.
