The RISKS Digest
Volume 25 Issue 85

Saturday, 28th November 2009

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator



London's stock exchange crashes again
John Oates via Kevin Pacheco
Your wallet in the cloud
Martin Ward
Used ATM Machines for Sale on Craigslist
Ben Moore
The Joy of satellite navigation failures
Steve Loughran
Re: Toyota uncontrolled acceleration
David Lesher
JC Cantrell
Patients' data used as Packing
Robert (Bob) Waixel
Re: Apostrophe in Your Name? You Can't Fly!
Andy Behrens
Bob Frankston
Re: Warren Buffett cell phone skills: did they doom Lehman?
Curt Sampson
Henry Baker
Re: Teleportation via Skyhook
Charles Wood
Android Mythbusters
Matt Porter via jidanni
Solving the Android "Grayed Out Application" Deadlock
Lauren Weinstein
Info on RISKS (comp.risks)

London's stock exchange crashes again (John Oates)

Kevin Pacheco <>
Thu, 26 Nov 2009 18:17:57 +0000

John Oates, Who's to blame this time? *The Register*, 26 Nov 2009

The London Stock Exchange has suffered yet another systems crash, leaving
brokers high and dry since 9.30 this morning.  The Exchange last went down
in September 2008 and took almost the entire day to get back online. That
outage, on one of the Exchange's busiest days, was the day after the $200bn
bailout of US housing giants Freddie Mac and Fannie Mae, leading to lots of
conspiracy theories.  [It resumed operation at 14.00.]


Your wallet in the cloud

Martin Ward <>
Fri, 27 Nov 2009 11:20:16 +0000

(was: At Checkout, More Ways to Avoid Cash or Plastic)

"What we're trying to do and what we think is very important is to displace
the use of cash or checks," said Scott Thompson, president of PayPal, "We'll
just have one wallet, and it lives in the cloud."

The "dream scenario" for any financial institution is to be in the position
to take a cut from *every* financial transaction carried out by *every*
person in the country. This is why the president of PayPal thinks it is so
important to "displace the use of cash or checks."

For the rest of us, this is a nightmare scenario.

If you think it would be bad to have all your data held hostage in a
proprietary format on a machine you have no control over: think what it will
be like when *all* your money is controlled by a single organisation which
decides (purely on the basis of maximising profit) how big a cut to take out
of each and every transaction.


Used ATM Machines for Sale on Craigslist

"Ben Moore" <>
Thu, 26 Nov 2009 04:49:10 GMT

Used ATM machines are for sale on auction sites, many of which still contain
credit card numbers.

Identity theft expert Robert Siciliano is claiming that he bought a used ATM
machine on Craigslist for $750. Apparently, this isn't unusual: he found
plenty of machines on both Craigslist and eBay ranging between $500 and
$2000 USD. However, this particular ATM machine was listed by a bar north of
Boston, and contained 1000 credit card numbers.

That's right: the machine wasn't wiped. Siciliano said, in an interesting
way, that his "hacker friend" came over with a manual and gutted the
machine's eprom, spilling the 150-foot spread of sensitive data all over the
floor. Surprised and excited, Siciliano thus called a "TV producer friend,"
and now his local FOX affiliate is running a series on ATM hacking and
Siciliano's discovery.

Siciliano also said in his report that he was considering a scheme to use
the numbers to leech millions from unsuspecting victims, however his wife
told him a firm "NO!"

FOX Boston, on the other hand, added that the credit cards stored in the ATM
consisted of numbers processed in a four month period. With that said, it's
highly likely that many more used ATM machines for sale on eBay, Craigslist,
and other auction sites contain credit card numbers, ripe for the
picking. Then again, consumers are more susceptible to identity theft thanks
to ATM skimming devices sold on the very same auction sites.

So how do you protect yourself from ATM hackers? "By paying attention to your statements," Siciliano said. "Don’t use just any ATM. Instead, look for ATMs in more secure locations." He also said to cover your pins when punching them into the keypad on the ATM or within retail stores.


The Joy of satellite navigation failures

Steve Loughran <>
Fri, 27 Nov 2009 12:44:36 +0000

Part of BMW's new "Joy" marketing campaign includes one on GPS, that claims
that if "Joy" does get lost, GPS will get it home again.

As any RISKS reader will know, that is not always the case, so it is
a shame that vehicle vendors can make this claim in their advertising. Here
in the UK, the Advertising Standards Authority does let you complain about
adverts making false claims; it is even possible for them to ban adverts.

Accordingly I did actually file a complaint on the ASA's web site.  The
complaint is attached below; it lists many of the failure modes of GPS as
documented on RISKS, and Volpe's 2001 paper discussing the vulnerability of
the US transport infrastructure to GPS failures. I was curious to see what
the reaction of the ASA/BMW would be.

Last week I got a reply, telling me that:
1. I was the only person that complained
2. It was meant to be a metaphor, and therefore the fact that GPS fails
   is unimportant.

I'm disappointed by this. The more adverts that imply GPS is infallible, the
more people believe the claims, the more they drive off cliffs and under
bridges too low for their trucks, and the less equipped they are to deal
with failures of GPS or the maps themselves.

Yet clearly there is no point for a single individual to complain, because
the complaint gets dismissed, without any attempt to consider the technical
merits of the argument.

Which means that the myth "GPS doesn't fail" is going to keep on being
repeated, while on this list we get to read about more vehicles getting into
trouble, yet the root cause (people blindly doing what their satellite
navigation devices tell them to do) remains.

  I wish to complain about the accuracy of the advert for a BMW X1 which
  appeared in the Guardian on September 21 2009, an advert which included
  the statement "On the rare occasion Joy finds itself hopelessly lost, a
  GPS can guide it back home"

  I believe this statement is dangerously misleading as it implies that GPS
  is something drivers can rely on in emergencies. This is untrue.  As a
  computer scientist I believe it places excessive faith in complex
  computing infrastructure, and perhaps reflects the copywriter's own lack
  of awareness of the infrastructure behind GPS satellite navigation, and
  the risks that the abdication of decision making to computers presents to
  car drivers, passengers and other road users.

  The Navstar Global Positioning Satellite System (GPS) is run by U.S. Air
  Force Systems Command's Space Division in Los Angeles [1]. A constellation
  of atomic clocks is in low-earth orbit, continually announcing the
  location of all the satellites and their local clock's time, the latter
  compensated for relativity effects so as to appear consistent with atomic
  clocks on the earth's surface. GPS receivers pick up the signal from three
  or more satellites, and by comparing the differences in time received,
  estimate their location on the geode, the ellipse that represents their
  view of the Earth's surface in their mapping tool's datum. The location of
  the satellites is calculated in advance by observing the satellites' orbits
  and predicting their future locations, information which must be regularly
  updated and relayed to the satellites themselves for rebroadcasting.

  The time and location data is broadcast on an encrypted "P" signal which
  can only be decrypted by military receivers, and a civilian "C/A"
  signal. The civilian signal was made available after the shooting down of
  the KAL 007 passenger airliner over Soviet airspace, and receivers for it
  have become a feature built into cars and mobile phones. It is not
  digitally signed; there is no way to distinguish a spoof civilian signal
  publishing invalid information.

  In computing circles, there are a number of well-known failure modes for
  GPS. The natural failures are:

   1. Geomagnetic storms. These affect all civilian GPS receivers, and
      magnetic compasses. As well as affecting the signal, the expansion of
      the atmosphere alters the satellites' orbits, and hence the locations
      they claim to be at become incorrect. [2]
   2. "Canyoning", loss of signal while deep inside a natural canyon,
      or an artificial one (such as a street with skyscrapers).
   3. Reflected signal. This is a known problem in Scottish
      mountaineering: large cliff faces can reflect GPS signals. The extra
      delay can result in the receiver's location being misplaced.
   4. Accidental interference with GPS from sources including consumer
      electronics. [3]
   5. Loss of signal due to overhead materials. Civilian GPS can be
      lost in woods and forests, and of course in tunnels, covered car parks
      and the like there is minimal likelihood that a signal will be picked

Note that as no satellites in the GPS constellation orbit at a
latitude above 54 degrees N, the risk of canyoning and reflection
increases above this point, which means the Lake District and points
north, including all of Scotland. From the Lake District up, no GPS
satellite will ever be directly above the receiver; they will either
be in the south, or near the horizon to the far north, those being the
satellites on the other side of the earth becoming visible.

There are also receiver-side software or hardware problems:

   1. Errors in the maps. These are common and widely documented. Note
      that the effects of such errors are invariably amplified by the trust
      that drivers place in the SatNav units, following them up footpaths and
      off river banks. To cite one example of this general problem, we would
      draw attention to a BMW 5 series which recently got stuck on a cliff
      in Yorkshire when the driver followed the SatNav's instructions to
      drive down a bridleway. [6]
   2. Software errors in the system. This has been discovered on a
      number of occasions, including in such vehicles as the International
      Space Station [4].
   3. Hardware errors. In the absence of formally verified hardware,
      the reliability of the underlying microprocessor and other hardware in
      a GPS receiver cannot be guaranteed.

Finally, the entire GPS infrastructure is vulnerable to malicious
attack. This is covered in Vulnerability Assessment of the
Transportation Infrastructure Relying on the Global Positioning System
[5]. This paper by the US Department of Transport spells out clearly
how vulnerable GPS is.

The author's concerns are with malicious failures, either from local
jamming, or "Loss of GPS satellites or the Operational Control
Segment", though on the latter they note that "attacking these elements
can be more challenging and likely would produce a more aggressive
U.S. Government response". Given that the report was published, poignantly,
on September 10, 2001, we know what a more aggressive response would

A key recommendation of the paper is:

    "Create awareness among members of the domestic and global
transportation community of the need for GPS backup systems or
operational procedures, and of the need for operator and user training
in transitions from primary to backup systems, and in incident
reporting, so that safety can be maintained in the event of loss of

Given that the US Government, the providers of GPS, believe that it
constitutes a Single Point of Failure ("SPOF") for land, sea and air
travel in the US, it seems unlikely that BMW can state unequivocally
that GPS will get their customers out of trouble. All the advertisement
does is reinforce the mistaken belief that GPS is reliable, and that
the SatNav units' instructions should be followed blindly.

Please can this advert not be printed again, or could its claims be
qualified to state that a number of natural and human problems may
affect GPS coverage in an area, and that the stored maps cannot be
trusted. The US Department of Transport report should act as a
foundation for these qualifications. They may also mention that the
risks of canyoning, reflection and other problems become more common
above 54 degrees north, and therefore that GPS is less trustworthy in

A more accurate statement would therefore be:

    "On the rare occasions that Joy finds itself lost, GPS will guide
it home, provided Joy did not get lost in Scotland, or in woodland,
the GPS maps are kept up to date, and none of the failure modes
outlined in (Volpe 2001) have occurred. In keeping with Volpe's
guidelines, should Joy consider getting home to be critical, we
recommend gaining familiarity with alternate non-GPS navigation
techniques, such as using a printed map in conjunction with a magnetic

Thank you


1. 2001 GPS SPS Performance Standard, Final.
2. The Geomagnetic Storm of 13 March 1989. ACM RISKS Digest Volume 8 Issue 72.
3. Detrimental Effects of Installing Consumer Electronics on Ships,
   Ken Hamer, 1997.
4. "Truncation error" found in GPS code on International Space Station.
   ACM RISKS Digest Volume 21 Issue 11.
5. Vulnerability Assessment of the Transportation Infrastructure
   Relying on the Global Positioning System, John A. Volpe, U.S.
   National Transportation Systems Centre, 2001.
6. £900 fine for sat nav nut. The Sun, 2009.
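The trilateration and the reflected-signal failure mode described in the complaint above, as an added worked example that is not from the post or from any GPS product: a two-dimensional pseudorange fit with a receiver clock bias, plus a residual consistency check that refuses a fix when the measurements disagree with each other (the receiver-side sanity test that an unsigned C/A signal or a cliff-face reflection would otherwise pass through unnoticed). The plane standing in for 3-D space, the satellite positions, the receiver position and the 600 m extra path length are all constructed assumptions.

```python
"""Added example: 2-D pseudorange position fix with a consistency check.

Constructed scenario (not real GPS data): the plane replaces 3-D space, so
three unknowns (x, y, receiver clock bias) need three satellites and the
extra ones provide the redundancy that the consistency check relies on.
"""
import math

# Constructed satellite positions (metres), spread across the "sky" (y > 0).
SATELLITES = [(-20000.0, 20000.0), (20000.0, 20000.0), (0.0, 26000.0),
              (-15000.0, 22000.0), (18000.0, 25000.0)]
TRUE_POS = (1200.0, 300.0)   # constructed receiver position (metres)
CLOCK_BIAS_M = 450.0         # receiver clock offset expressed as a range (metres)


def pseudoranges(sats, pos, bias_m, extra_path=None):
    """Simulate what the receiver measures: geometric range plus its own clock
    bias.  extra_path maps a satellite index to additional path length, standing
    in for a signal reflected off a cliff face or a forged civilian signal."""
    extra_path = extra_path or {}
    return [math.hypot(sx - pos[0], sy - pos[1]) + bias_m + extra_path.get(i, 0.0)
            for i, (sx, sy) in enumerate(sats)]


def solve_3x3(a, rhs):
    """Gauss-Jordan elimination with partial pivoting for a 3x3 system."""
    m = [row[:] + [rhs[i]] for i, row in enumerate(a)]
    for col in range(3):
        piv = max(range(col, 3), key=lambda r: abs(m[r][col]))
        m[col], m[piv] = m[piv], m[col]
        for r in range(3):
            if r != col:
                f = m[r][col] / m[col][col]
                m[r] = [rv - f * cv for rv, cv in zip(m[r], m[col])]
    return [m[i][3] / m[i][i] for i in range(3)]


def fit_position(sats, rho, iters=20):
    """Gauss-Newton least squares for (x, y, clock bias) from pseudoranges."""
    x, y, b = 0.0, 0.0, 0.0
    for _ in range(iters):
        jac, resid = [], []
        for (sx, sy), r in zip(sats, rho):
            d = math.hypot(sx - x, sy - y)
            jac.append([-(sx - x) / d, -(sy - y) / d, 1.0])  # d(range)/d(x, y, b)
            resid.append(r - (d + b))
        # Normal equations: (J^T J) delta = J^T residual
        jtj = [[sum(j[i] * j[k] for j in jac) for k in range(3)] for i in range(3)]
        jtr = [sum(j[i] * e for j, e in zip(jac, resid)) for i in range(3)]
        dx, dy, db = solve_3x3(jtj, jtr)
        x, y, b = x + dx, y + dy, b + db
        if max(abs(dx), abs(dy), abs(db)) < 1e-6:
            break
    return x, y, b


def residual_rms(sats, rho, fix):
    """Root-mean-square disagreement between the fix and each measurement."""
    x, y, b = fix
    errs = [r - (math.hypot(sx - x, sy - y) + b) for (sx, sy), r in zip(sats, rho)]
    return math.sqrt(sum(e * e for e in errs) / len(errs))


def check_fix(sats, rho, threshold_m=20.0):
    """Return (fix, rms, trusted).  With only three measurements the fit is
    exact and nothing can be detected; the redundancy is what makes the test
    meaningful, so three-satellite fixes are never marked trusted."""
    fix = fit_position(sats, rho)
    rms = residual_rms(sats, rho, fix)
    return fix, rms, len(sats) > 3 and rms <= threshold_m


def position_error(fix, truth):
    """Distance (metres) between a computed fix and the true position."""
    return math.hypot(fix[0] - truth[0], fix[1] - truth[1])


if __name__ == "__main__":
    clean = pseudoranges(SATELLITES, TRUE_POS, CLOCK_BIAS_M)
    print("clean fix:", check_fix(SATELLITES, clean))
    # Satellite 2's signal arrives via a 600 m longer path (reflection/spoof).
    reflected = pseudoranges(SATELLITES, TRUE_POS, CLOCK_BIAS_M, {2: 600.0})
    fix, rms, ok = check_fix(SATELLITES, reflected)
    print("reflected fix:", fix, "rms %.1f m" % rms, "trusted" if ok else "REJECT",
          "position error %.0f m" % position_error(fix, TRUE_POS))
```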


Re: Toyota uncontrolled acceleration (Lesher, RISKS-25.82)

David Lesher <>
Fri, 27 Nov 2009 17:59:38 -0500

Update: Toyota has announced a 3.8E6 vehicle recall for the unattended
acceleration problem discussed before.

Press reports indicate that Toyota will modify the floormats and pedals.
Further, they'll install engine cut-offs that activate when the brake and
accelerator are both depressed, at least on new production vehicles.
(Reports vary widely re: their backfitting to existing vehicles.)

Unmentioned is any change to the ignition switch design, which requires the
driver to hold down the START button to stop. Also no mention of transmission

Re: Toyota uncontrolled acceleration (Lesher, RISKS-25.82)

JC Cantrell <>
Mon, 9 Nov 2009 12:41:33 -0800 (PST)

David Lesher wrote:
"... The second is more alarming. I thought that there was a {?unwritten}
 requirement that no US road-legal car could even overpower its own brakes;
 i.e., given full throttle and full brakes; the car stops, period. (This may
 not be the case for a dedicated race car...) "

LA Times story on 8 November:
"In reviewing consumer complaints during its investigations, the NHTSA
relied on established "positions" that defined how the agency viewed the
causes of sudden acceleration. Cases in which consumers alleged that the
brakes did not stop a car were discarded, for example, because the agency's
official position was that a braking system would always overcome an engine
and stop a car. The decision was laid out in a March 2004 memorandum."

Now, it sounds to me that the NHTSA believes (i.e., its official position)
that the brakes should stop the car, but it does not sound like an edict,
regulation or that it is even tested.

Well, that is why I buy a manual transmission. When that clutch is in, I
KNOW I can stop the car...


Patients' data used as Packing

"Robert (Bob) Waixel" <>
Sat, 21 Nov 2009 22:37:59 +0000

Jeweler finds hospital records sent in packaging for gift boxes;
Confidential records from "solicitor's office acting for patients" were
shredded (but not enough) and then used as gift box packing.

Jeweler had ordered gift boxes for her jewelry products, and the boxes came
with the shreddings as packing. Patients' data came from Papworth Hospital,
Cambridge, England, 'who were horrified' and 'were investigating'.

"I could clearly make out the name and address and the name of the hospital
and solicitors" said the finder.  The solicitors said "we don't shred paper
here and we will be having a chat with our suppliers".  Papworth Hospital
described the secure shredding service it used onsite to make sure that all
confidential paperwork was completely unidentifiable.  "In certain
circumstances a patient will request that their notes are given to a third
party, such as a solicitor.  In these circumstances we would expect that
extreme care is taken in the disposal of these documents by this third

Reported by Raymond Brown <>
[Abridged summary by R Waixel from Cambridge Evening News Fri 20 Nov 09 Pp 1, 5]

Bob's Comments
* Clear breach of UK Data Protection Act 1998 and Principle 7 (Security) by
  the solicitors...  Wonder whether the hospital has any written procedures
  for handing personal data over to solicitors. Presumably not as such
  professionals have their own clear professional duty of care as well as
  legal (Data Protection) one.
* How easily the Hospital can be tarnished by the Solicitor's carelessness
  (Hospital data lost not Solicitor's!) Page 1 headline.
* Solicitor possibly had the data because of potential litigation against
  Hospital? (mere speculation by me)
* The solicitors seem to be remarkably relaxed over the matter - perhaps it
  could invest in (several) cross cut shredders?
* Pity the solicitor [who was] not identified.
* There but for the grace of God goes many another organisation too...

Robert (Bob) Waixel, MBCS, MCInstM, FHEA, RW Systems, Cambridge, UK
Chartered Information Technology Professional (CITP) <>


Re: Apostrophe in Your Name? You Can't Fly!

Andy Behrens <>
Wed, 25 Nov 2009 23:01:54 -0500

I would call this a bureaucratic problem rather than a technological one.
It is well known that airline computer systems drop apostrophes, remove
accents from letters, and truncate long names.  The insanity lies in the
fact that someone wrote a regulation which requires an exact match, even
though it should be clear that such a match is frequently not possible.

At least there are no signs posted saying "No Irish Need A-fly".

Re: Apostrophe in Your Name? You Can't Fly! (Brady, RISKS-25.84)

"JosephKK" <>
Fri, 27 Nov 2009 18:49:38 -0800

And the next (or as likely at the same time) problem will be hyphenated
names.  I have seen this way too much already.  And current programming (CS)
courses do not help.  I have met people with names like O'Hara-Mgabe and

  [Not to mention multiple hyphens, and multipart middle names such
  as Charles Henry Anthony Richard.  PGN]

Re: Apostrophe in Your Name? You Can't Fly! (Brady, RISKS-25.84)

Dag-Erling Smørgrav <>
Thu, 26 Nov 2009 12:54:19 +0100

They can't print accented letters either, or in fact any character not used
in English, such as in German, Scandinavian, Icelandic, Finnish, Sami, etc.
  [And my mailer has trouble with them also!]

Re: Apostrophe in Your Name? You Can't Fly! (Brady, RISKS-25.84)

"Bob Frankston" <>
Fri, 27 Nov 2009 00:50:01 -0500

We'll have to see what happens in practice as there are too many such
examples because the airlines are stuck with 1960s US 6-bit character sets.
No hyphens, accents or other markings. I suspect special characters will be
simply ignored. Though optional spaces may be an issue.

More problematic will be ambiguous translations into English characters and
name variations like Bob vs. Robert or insisting on matching my middle name.

When flying from SFO on Virgin America two weeks ago where I am Bob I did
ask the security people and was told it would be no problem. 100% strictness
won't work in practice but I do worry about depending on the security
people's willingness to be flexible.
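The apostrophe, accent, hyphen and truncation problems raised throughout this thread, as an added example that is not from any of the posters or from any airline or government system: a canonicaliser that emulates what an A-Z-only passenger-name field retains, and a comparison that matches after canonicalising both sides and reports when it could only do so by discarding information. The fallback table for letters that Unicode NFKD cannot decompose and the 20-character field width are constructed assumptions.

```python
"""Added example: name matching for an A-Z-only passenger-name field."""
import unicodedata

# Letters that NFKD cannot split into a base letter plus an accent.  Constructed
# table for illustration, not any airline's or agency's real transliteration.
FALLBACK = {"Ø": "O", "Æ": "AE", "Œ": "OE", "Ð": "D", "Þ": "TH", "Ł": "L"}
MAX_LEN = 20  # assumed field width: legacy systems truncate long names


def legacy_canonical(name, max_len=MAX_LEN):
    """Emulate what a 6-bit-era reservation system keeps of a name: upper-case
    A-Z only (accents, apostrophes, hyphens and spaces dropped), truncated.
    max_len=None keeps the full length."""
    out = []
    for ch in unicodedata.normalize("NFKD", name.upper()):
        if unicodedata.combining(ch):   # accent split off by NFKD: drop it
            continue
        for c in FALLBACK.get(ch, ch):  # map Ø, Æ, ... to ASCII letters
            if "A" <= c <= "Z":
                out.append(c)
    return "".join(out)[:max_len]


def is_lossy(name, max_len=MAX_LEN):
    """True when canonicalising discards something: punctuation, accents,
    non-ASCII letters, or characters beyond the field width."""
    plain = "".join(name.upper().split())  # only case and spaces removed
    return plain != legacy_canonical(name, max_len=None) or len(plain) > max_len


def names_match(document_name, ticket_name):
    """Exact match on canonical forms, so a ticket that lost its apostrophe or
    accent still matches the ID document it was bought with."""
    return legacy_canonical(document_name) == legacy_canonical(ticket_name)


def compare_names(document_name, ticket_name):
    """Return (match, lossy).  A lossy result means the verdict was reached
    only after discarding information: two long names can collide once
    truncated, so a strict-match rule should send such cases to a person
    rather than treat the canonical string as the traveller's name."""
    lossy = is_lossy(document_name) or is_lossy(ticket_name)
    return names_match(document_name, ticket_name), lossy


if __name__ == "__main__":
    # Constructed sample names, including the forms mentioned in the thread.
    for doc, ticket in [("O'Hara-Mgabe", "OHARA MGABE"),
                        ("Dag-Erling Smørgrav", "DAGERLING SMORGRAV"),
                        ("Bob Frankston", "Robert Frankston"),
                        ("Charles Henry Anthony Richard Smith",
                         "Charles Henry Anthony Richard Jones")]:
        print("%-36s %-36s match=%s lossy=%s" % ((doc, ticket) + compare_names(doc, ticket)))
```

Note the last sample pair: two different people match once the field is truncated, which is why the lossy flag matters as much as the match verdict.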


Re: Warren Buffett cell phone skills: did they doom Lehman?

Curt Sampson <>
Thu, 26 Nov 2009 14:42:06 +0900

For the record, here are the final two paragraphs of the above
misleadingly titled article:

> It makes a great story - but as Michael Corkery of the Wall Street
> Journal wrote last night: "If the Oracle from Omaha really thought he
> could profit from insuring Lehman's assets, he would have followed up
> with Diamond. Likewise, if Diamond thought he had a realistic chance
> of closing a deal with Buffett, don't you think he would have likely
> lobbed a follow up call?"
> Here's the truth according to Corkery: "Buffett may not know how
> to use a cell phone, but he's pretty savvy about avoiding terrible
> investments. That was one call he has to be glad he never answered."

In other words, there was a system in place to deal with the risk of
failure, it simply wasn't activated because he wasn't interested in
the deal.

Curt Sampson       <>        +81 90 7737 2974

Re: Warren Buffett cell phone skills: did they doom Lehman?

Henry Baker <>
Thu, 26 Nov 2009 05:21:49 -0800

Oh, and you've never used the old "your cellphone signal is fading, I'll
have to call you back" excuse to get out of a call ?

Buffett is nothing if not polite.


Re: Teleportation via Skyhook (RISKS-25.84)

Charles Wood <>
Fri, 27 Nov 2009 12:01:13 +0800

Checking on the Skyhook wireless site they describe their location
methodology in

As part of the location process all available information is collected by
the mobile device and sent to the server system for location calculation.  A
result is then sent back. From the wording it appears that only phone tower
and wireless network information is sent; though there is an option to
manually enter a street address.

What seems odd to me is why they don't collect and transmit GPS information
at the same time. It would make a lot more sense to have a host of end users
doing their mapping for them rather than having to pay for expensive vans to
go around and do the mapping.

The fairly accurate location of the user is usually known already based on
their database. The addition of GPS would not significantly affect the
privacy of the user as they have already agreed to submit location
identifying information. In fact the user's main focus is to get very
precise location information as quickly as possible and has agreed to let
Skyhook Wireless access all data that will achieve that aim.

I also tried the service from a Windows laptop. I am not in an area of the
world that is especially likely to have been mapped and so it returned an
error. What surprises me is that they don't appear to have a fallback to IP
geolocation. Nor do they seem to use it for verification purposes. The
example in the teleportation post would very easily have been solved by use
of IP geolocation and sanity checks on successive readings.


Android Mythbusters (Matt Porter)

Sun, 15 Nov 2009 03:52:05 +0800

Executive summary: Android is a screwed, hard-coded, non-portable


Solving the Android "Grayed Out Application" Deadlock

Lauren Weinstein <>
Mon, 16 Nov 2009 14:40:32 -0800 (PST)

Lauren Weinstein's Blog Update: Solving the Android "Grayed Out Application"

                           November 16, 2009

Greetings.  Since I'm fairly vocal in my support of -- and enthusiasm for --
Google's Android OS, I tend to have quite a few people who send me their own
Android experiences, both pro and con.

While by far most of these notes are positive, there has been a recurring
theme lately of reported deadlocks involving already installed applications
on Android phones.  Previously installed applications suddenly wouldn't run,
couldn't be uninstalled, and couldn't be reinstalled.  Apparently no
"official" explanation or cure for this condition has been apparent.

I wasn't in a position to investigate this myself until a few days ago, when
a significant number of apps on my Android 1.6 G1 phone suddenly entered
this "zombie" state, triggering my looking at the situation rather intently.

The primary symptom of these unusable apps is that not only won't they run
directly, but the Android "Market" mechanism refuses to either "Open" or
"Uninstall" them — those options are grayed out.  But since Market believes
the apps are still installed, they cannot be reinstalled either.

Even with a rooted phone, this presents a quandary — on a non-rooted phone,
even more so.

Here are the results of my investigation into this issue, and my recommended
procedure for recovery from such situations without completely resetting
your phone and having to manually rebuild your entire configuration from

The basic problem appears to occur when (for whatever reason) an installed
app's "apk" file has vanished from /data/app (or /data/app-private).  Once
this occurs the market app apparently goes out of sync, and then the
affected programs won't run, can't be uninstalled, and can't be reinstalled
-- via market directly, anyway.

The trick out of this dilemma is to obtain the original apk files that are
missing.  If you already have backups of these files, you can reinstall them
via the app package manager.  In my case, I used the Astro file manager to
select the app apk files for which I had backups — Astro then executes the
package manager.

The affected programs will appear to already be installed — that is, the
app package manager will offer an UNINSTALL choice, not an INSTALL choice.
Go ahead and tap UNINSTALL.  When the uninstall finishes, go back to the
package (e.g. via Astro again), then back to the package manager, and this
time tap the offered INSTALL.  The app should reinstall and be good to go.

It may also be possible to follow a similar sequence via the Android "adb"
tool externally, but I had mixed results trying this, so I recommend working
on the phone itself if possible, from backups on the sd card.  The adb tool
is still useful in this context for file copying operations — see below.

If you don't have backups of the necessary apk files for the desired apps,
you need to get them, but as noted above, market won't let you download them
since it thinks they're already installed.  Here's how to get them.

First, use Nandroid to back up the current state of the phone. I can't
emphasize enough the value of Nandroid — it's extremely useful.  Once you
have a Nandroid backup, do a factory data reset ("wipe") and reboot.  You'll
need to re-authenticate the phone to Google (that is, login with your Google
account).  Now go to the market program and install the programs for which
you were missing apk files earlier — you should be able to download them
successfully now.

Once they've downloaded and installed, the new apk files should be in
/data/app (or in some cases, /data/app-private).  Copy the files (e.g.
"cp") from the /data/app or /data/app-private dirs to the sdcard (/sdcard).
You can do this via a terminal console on the phone or through the "adb
shell" command.

Now reboot, then restore the Nandroid backup that you made before doing the
factory reset wipe.

After you're back in the previously saved system, you can navigate (e.g.,
with Astro) to the new apk files that you copied to the sd card, and follow
the procedure above to first "uninstall" and then "install" those programs
through the app package manager.

Using these techniques, I was able to completely restore all apps on my G1
that had mysteriously found themselves in the limbo of the unusable "grayed
out" state.  Why the apk files vanished from /data/app in the first place,
triggering this entire sequence of events, remains a mystery to me at this

Lauren Weinstein <>  Tel: +1 (818) 225-2800  Lauren's Blog:
Co-Founder, NNSquad - Network Neutrality Squad -
Co-Founder, PFIR - People For Internet Responsibility -
Founder, PRIVACY Forum -
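The root cause identified in the post above, an installed app whose apk has vanished from /data/app or /data/app-private, can be spotted before Market gets out of sync, and the surviving apks copied to the sd card while they still exist. The following is an added example, not code from the post: it parses the output of `pm list packages -f` (the `package:<apk path>=<package name>` line format is an assumption), lists the packages whose apk is missing, and emits the `cp` commands for the backup step. The sample listing and file set are constructed.

```python
"""Added example: find packages whose apk is gone, and back up the rest."""
import os

PM_PREFIX = "package:"

# Constructed sample of `pm list packages -f` output (assumed format) and the
# files that actually exist on the phone; com.example.gone is the zombie.
SAMPLE_PM_OUTPUT = """\
package:/system/app/Browser.apk=com.android.browser
package:/data/app/com.example.astro.apk=com.example.astro
package:/data/app-private/com.example.paid.apk=com.example.paid
package:/data/app/com.example.gone.apk=com.example.gone
"""
PRESENT_FILES = {"/system/app/Browser.apk",
                 "/data/app/com.example.astro.apk",
                 "/data/app-private/com.example.paid.apk"}


def parse_pm_list(output):
    """Turn `pm list packages -f` lines into {package_name: apk_path}."""
    entries = {}
    for line in output.splitlines():
        line = line.strip()
        if not line.startswith(PM_PREFIX) or "=" not in line:
            continue
        path, _, pkg = line[len(PM_PREFIX):].rpartition("=")
        entries[pkg] = path
    return entries


def find_orphans(entries, exists=os.path.exists):
    """Packages the package manager still lists but whose apk file is gone:
    the state in which Market can neither open, uninstall nor reinstall them.
    `exists` is injectable so the check can run against a captured listing."""
    return sorted(pkg for pkg, path in entries.items() if not exists(path))


def backup_commands(entries, dest="/sdcard/apk-backup", exists=os.path.exists):
    """Shell lines (for `adb shell` or a terminal on the phone) that copy the
    user-installed apks that still exist to the sd card.  System apps under
    /system/app are skipped; they are not the ones that vanish."""
    user_dirs = ("/data/app", "/data/app-private")
    cmds = ["mkdir -p %s" % dest]
    for pkg, path in sorted(entries.items()):
        if exists(path) and os.path.dirname(path) in user_dirs:
            cmds.append("cp %s %s/%s.apk" % (path, dest, pkg))
    return cmds


if __name__ == "__main__":
    # On a real phone, feed in: adb shell pm list packages -f
    entries = parse_pm_list(SAMPLE_PM_OUTPUT)
    present = lambda p: p in PRESENT_FILES  # stands in for os.path.exists
    print("orphaned packages:", find_orphans(entries, exists=present))
    print("\n".join(backup_commands(entries, exists=present)))
```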
