The Risks Digest

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Volume 25 Issue 96

Saturday 13 March 2010

Contents

Silly season: DST is approaching
David Magda
Sony PS3: Yet Another leap year folly
Steve Summit
Sony thinks 2010 is a leap year
Debora Weber-Wulff
Old models of PS3 failed to connect to network due to leap-year miscalculation
Chiaki Ishikawa
Re: The Century Bug Will Repeat
Jerry Leichter
Death in the Atlantic: The Last 4 Minutes of Air France Flight 447
F John Reinke
Software flaws may be at the root of Toyota's woes
Gene Wirchenko
Risk: Toyota secretive on 'black box' data
AP via Gabe Goldberg
Breakthrough in Electron Spin Control Brings Quantum Computers Closer to Reality
NSF
German Data Retention Law Overturned
Bob Gezelter
USGov rescinds 'leave Internet alone' policy
Richard Forno
Man posts "wanted" poster of himself on own Facebook page
Mark Brader
Car insurance bug
Clive D.W. Feather
Daily cyber attacks on the UK
Martyn Thomas
"Traffic analysis" from data
David Magda
Paranoia 101
Paul Wexelblat
Risks of having friends with computers
Rob McCool
Computer core risks
Robert Schaefer
4th International Conference on Network and System Security
NSS 2010
IEEE Symposium on Security and Privacy
Ulf Lindqvist
Info on RISKS (comp.risks)

Silly season: DST is approaching

David Magda <dmagda@ee.ryerson.ca>
Mon, 1 Mar 2010 08:06:58 -0500

  [This one was stuck in my queueueueue.  But it's more appropriate
  tonight anyway, on the eve of U.S. DST.  PGN]

Everyone gird your loins as it's March, so that means we're now entering
"silly season": the bi-annual event of adjusting our time pieces by one
hour.  North America will be making the great leap forward on 14 Mar,
while in Europe it's 28 Mar.

Anyone want to start a pool on how many time incidents will make the news
this time around?


Sony PS3: Yet Another leap year folly

Steve Summit
Mon, 01 Mar 2010 23:18:10 -0500

It's been widely reported that some models of Sony's PS3 game console
malfunctioned today, evidently because they thought the date was 29 Feb.
Hard to believe that in this 21st century, programmers are still having
trouble with this algorithm...
  http://news.cnet.com/8301-17938_105-10461881-1.html

  [PGN notes Mark Brader commented on this one:
    Well, maybe it's not the *same* programmers who had trouble with it
    in the 20th century...]


Sony thinks 2010 is a leap year

Debora Weber-Wulff <weberwu@htw-berlin.de>
Sat, 06 Mar 2010 01:37:08 +0100

As noted on
http://scitech.blogs.cnn.com/2010/03/01/playstation-network-down/ Sony's
Playstation 3 was convinced that 2010 was a leap year and attempted to use
Feb. 29, 2010. This kept gamers from connecting to the Playstation Network
(http://blog.us.playstation.com/2010/03/playstation-network-service-restored/)

It seems that the clock is a necessary part of the DRM scheme that Sony uses
to make sure that people don't use bootleg copies of their games.

It rather incensed some users to be locked out of using their perfectly
legal copies because the programmers had a little trouble dividing by 4.

Prof. Dr. Debora Weber-Wulff, Treskowallee 8, 10313 Berlin +49-30-5019-2320
weberwu@htw-berlin.de http://www.f4.htw-berlin.de/people/weberwu/


Old models of PS3 failed to connect to network due to leap-year miscalculation

"ishikawa,chiaki" <ishikawa@yk.rim.or.jp>
Wed, 03 Mar 2010 02:43:58 +0900

Japan may have experienced the problem due to timezone differences earlier
than others.

Sony Computer Entertainment announced on 2 Mar 2010 (and many users have
complained on blogs and twitters) that old models of PS3 popular game
console experienced failures such as failing to connect to network since its
software miscalculated the year 2010 to be a leap year and its internal date
was set to bogus 29 Feb on 1 Mar.

The model sold after September of 2009 didn't experience this bug.

As the date rolled to March 2nd (UCT), the problem disappeared.

Every now and then I noticed this leap-year miscalculation occur in OS and
other basic software, but please note 2010 is not even a multiple of four.
I wonder what faulty calculation was done in the software.

It could be a classic example that should be put in software engineering
textbook if the faulty line is made public.


Re: The Century Bug Will Repeat (Pollard, RISKS-25.94)

Jerry Leichter <leichter@lrw.com>
Sun, 14 Feb 2010 19:44:11 -0500

Jonathan de Boyne Pollard discusses software that ignores even quite recent
experience and continues to use techniques - like 2-digit years - that have
quite recently caused us much grief and expense.  He asks why we don't seem
to learn from this experience.

I really hate to point this out but ... there are two reasons that, in other
engineering and technological fields, we *do* manage to avoid repeating at
least the reasonably common mistakes:

1.  We develop standards and practices that have the force of law.
Electrical circuitry in houses is subject to a variety of such standards.
So is plumbing.  You can't sell a house if it fails to meet code.  In some
cases, you'll be required to make modifications to come up to code even to
remain in your own house.  If you're an electrician or a plumber and you do
work that doesn't meet code, you'll lose your license and no longer be
allowed to work in the field.  You may be subject to criminal penalties.
You can certainly be sued if someone is injured or property is damaged
because you didn't follow the rules.

2.  We require training and passing of exams *on those standards and
practices*.  We enforce this requirement by requiring licenses to work in
many fields - and those licenses depend on passing the exams.

Now, I know all the downsides of this approach - the technology that's
frozen in place for years, the use of licensing to limit competition, the
pointlessness of much of what's on those exams.  But the fact is that we
have indoor plumbing that (usually) doesn't leak water on us, and that only
very rarely causes disease even as it pumps gallons of pure stuff we eat and
drink right near gallons of contaminated stuff.  And we have electrical
systems in our houses that don't (usually) start fires or electrocute us.
We're so used to this latter feature that we've forgotten that this doesn't
happen automatically.  At least 12 US soldiers died in Iraq - not due to
battles, but electrocuted due to incorrect wiring, like improperly grounded
pumps that killed several soldiers in their showers.

We in the software industry have been leading charmed lives for many years.
We've managed to avoid liability, avoid serious training in good practices,
avoid any kind of standards - all by arguing that this would cramp our style
and keep us from continuing to innovate.  Maybe that's true - but we've been
building up a massive debt side by side with all that innovation.
Eventually, that debt's going to come due.  If we don't clean up our own
mess, the greater society will come along and do it for us - and the results
won't be pleasant.


Death in the Atlantic: The Last 4 Minutes of Air France Flight 447

fjohn reinke <fjohn@reinke.cc>
Mon, 1 Mar 2010 09:15:30 -0500

A lot of people are dead because they depended upon obsolete testing to keep
them safe. While there is probably a lot of blame to go around, the failure
of knowledgeable experts to make bureaucrats and bean-counters do the "right
thing" seems to be obvious all throughout this story. I submit any risk
reader will find this fascinating, educational, and, if you fly, scared!
What else is hidden, overlooked, or just lazily ignored? There is a hint of
corruption as well (i.e., failure to come down hard on a local business);
the possibility of politics or payoffs can't be overlooked. Even if
unprovable, suspicion is warranted. Argh!

  In fact, the problem with the airspeed indicators lies far deeper. To this
  day, the relevant licensing bodies still only test pitot tubes down to
  temperatures of minus 40 degrees Celsius (minus 40 degrees Fahrenheit) and
  an altitude of about 9,000 meters (30,000 feet). These completely
  antiquated specifications date back to 1947 -- before the introduction of
  jet planes.

  What's more, most of the incidents of recent years, including that
  involving the ill-fated flight AF 447, occurred at altitudes above 10,000
  meters (33,000 feet).  (SPIEGEL ONLINE - News - International)
  http://www.spiegel.de/international/world/0,1518,679980-2,00.html

Blog "Reinke Faces Life", http://krunchd.com/reinkefj


Software flaws may be at the root of Toyota's woes

Gene Wirchenko <genew@ocis.net>
Thu, 04 Mar 2010 11:21:50 -0800

While Toyota CEO President Akio Toyoda insists that neither electronics nor
software can be blamed for the rash of runaway Toyotas, others aren't so
sure.  [Source: Joab Jackson, *IT Business*, 4 Mar 2010]
  http://www.itbusiness.ca/it/client/en/home/news.asp?id=56648

Page 2 has discussion of an electronic control module (ECM) that supposedly
has fail-safe, but "David Gilbert, a professor of automotive technology at
Southern Illinois University Carbondale, found that the ETC is not
foolproof, despite Toyota's claims. In tests, which he later described
before last week's Congressional hearings, he found that the ETC did not
detect certain types of short-circuit malfunctions that could occur with the
pedal sensors.  If the ETC did not detect the complete possible range of
errors, then it could not enter into a fail-safe mode, he argued."


Risk: Toyota secretive on 'black box' data (AP)

Gabe Goldberg <gabe@gabegold.com>
Fri, 05 Mar 2010 17:06:18 -0500

Toyota has for years blocked access to data stored in devices similar to
airline "black boxes" that could explain crashes blamed on sudden unintended
acceleration, according to an Associated Press review of lawsuits nationwide
and interviews with auto crash experts.  The AP investigation found that
Toyota has been inconsistent -- and sometimes even contradictory -- in
revealing exactly what the devices record and don't record, including
critical data about whether the brake or accelerator pedals were depressed
at the time of a crash.

By contrast, most other automakers routinely allow much more open access to
information from their event data recorders, commonly known as EDRs.

AP also found that Toyota:

* Has frequently refused to provide key information sought by crash victims
  and survivors.

* Uses proprietary software in its EDRs. Until this week, there was only a
  single laptop in the U.S. containing the software needed to read the data
  following a crash.

* In some lawsuits, when pressed to provide recorder information Toyota
  either settled or provided printouts with the key columns blank.

[Source: Curt Anderson and Danny Robbins, Associated Press Writers, 4 Mar 2010]
http://finance.yahoo.com/news/AP-IMPACT-Toyota-secretive-on-apf-1294427692.html?x=0&sec=topStories&pos=1&asset=&ccode=

Gabriel Goldberg, 3401 Silver Maple Place, Falls Church, VA 22042 703-204-0433


Breakthrough in Electron Spin Control Brings Quantum Computers Closer to Reality

National Science Foundation Update <nsf-update@nsf.gov>
Fri, 26 Feb 2010 14:29:33 -0600 (CST)

  [Noted by Bob Rosenberg in Dave Farber's IP distribution.  PGN]

Illustration showing optical beam splitter method and new method of
controlling electron spin. Research allows control of a single electron
without disturbing other nearby electrons.
More:
http://www.nsf.gov/discoveries/disc_summ.jsp?cntn_id=116456&WT.mc_id=USNSF_1


German Data Retention Law Overturned

Bob Gezelter <gezelter@rlgsc.com>
Wed, 03 Mar 2010 10:26:31 -0500

*The New York Times* (pp A6) 3 Mar 2010

"The country's highest court ruled Tuesday that a security law requiring the
mass storage of telephone, e-mail, and Internet data violated a constitution
provision on privacy and must be revised. The 2008 law required
telecommunications carriers to retain customer usage data for six months so
authorities could use it to track criminal networks."

The citation to the actual law was not given in the small article. Mass
retention of data without specific cause is a challenge. The retained data
can be used for its intended purpose, but its mere existence presents a
hazard for inappropriate use.

I addressed similar issues in an item entitled "Will Long Term Dynamic
Address Allocation Record Retention Help or Hurt?" in the context of the
"Internet Stopping Adults Facilitating the Exploitation of Today's Youth Act
of 2009" (S.436) introduced by Senator John Cornyn (R-Texas).
http://www.rlgsc.com/blog/ruminations/retain-dynamic-address-allocation-logs.html

Bob Gezelter, http://www.rlgsc.com


USGov rescinds 'leave Internet alone' policy

Richard Forno <rforno@infowarrior.org>
February 26, 2010 9:06:56 PM EST

  [From Dave Farber's IP list.  PGN]

US government rescinds 'leave Internet alone' policy
Kieren McCarthy, Networks, 27 Feb 2010
http://www.theregister.co.uk/2010/02/27/internet_3_dot_0_policy/

The US government's policy of leaving the Internet alone is over, according
to Obama's top official at the Department of Commerce.  Instead, an Internet
Policy 3.0 approach will see policy discussions between government agencies,
foreign governments, and key Internet constituencies, according to Assistant
Secretary Larry Strickling, with those discussions covering issues such as
privacy, child protection, cybersecurity, copyright protection, and Internet
governance.

The outcomes of such discussions will be *flexible* but may result in
recommendations for legislation or regulation, Strickling said in a speech
at the Media Institute in Washington this week.
(http://www.ntia.doc.gov/presentations/2010/MediaInstitute_02242010.html)

The new approach is a far cry from a US government that consciously decided
not to intrude into the Internet's functioning and growth and in so doing
allowed an academic network to turn into a global communications phenomenon.

Strickling referred to these roots arguing that it was ``the right policy
for the United States in the early stages of the Internet, and the right
message to send to the rest of the world.''  But, he continued, ``that was
then and this is now. As we at NTIA approach a wide range of Internet policy
issues, we take the view that we are now in the third generation of Internet
policy making.''

Outlining three decades of Internet evolution - from transition to
commercialization, from the garage to Main Street, and now, starting in
2010, the Policy 3.0 approach - Strickling argued that the Internet is
now a social network as well as a business network.  We must take rules more
seriously.

He cited a number of examples where this new approach was needed: end users
worried about credit card transactions, content providers who want to
prevent their copyright, companies concerned about hacking, network
neutrality, and foreign governments worried about Internet governance
systems.

The decision to effectively end the policy that made the Internet what it is
today is part of a wider global trend of governments looking to impose rules
on use of the network by its citizens.

In the UK, the Digital Economy Bill currently making its way through
Parliament has been the subject of significant controversy for advocating
strict rules on copyright infringement and threatening to ban people from
the Internet if they are found to do so. The bill includes a wide variety of
other measures, including giving regulator Ofcom a wider remit, forcing ISPs
to monitor their customers' behavior, and allowing the government to take
over the dot-uk registry.

In New Zealand, a similar measure to the UK's cut-off provision has been
proposed by revising the Copyright Act to allow a tribunal to fine those
found guilty of infringing copyright online as well as suspend their
Internet accounts for up to six months. And in Italy this week, three Google
executives were sentenced to jail for allowing a video that was subsequently
pulled down to be posted onto its YouTube video site.

Internationally, the Internet Governance Forum -- set up under a United
Nations banner to deal with global governance issues -- is due to end its
experimental run this year and become an acknowledged institution. However,
there are signs that governments are increasingly dominating the IGF, with
civil society and the Internet community sidelined in the decision-making
process.

In this broader context, the US government's newly stated policy is more in
line with the traditional laissez-faire Internet approach. Internet Policy
3.0 also offers a more global perspective than the isolationist approach
taken by the previous Bush administration.

In explicitly stating that foreign governments will be a part of the
upcoming discussions, Strickling recognizes the United States' unique
position as the country that gives final approval for changes made to the
Internet's root zone.  Currently the global Internet is dependent on an
address book whose contents are changed through a contract that the US
government has granted to the Internet Corporation for Assigned Names and
Numbers (ICANN), based in Los Angeles.  [long item truncated for RISKS, with
considerable subsequent discussion in IP. PGN]

  [Dan Lynch added: It was good while it lasted.  The cat is out of the bag
  and now all the watchdogs of our morals are descending for good reasons.
  We have foisted communications anarchy on the world quite successfully.
  Let's see how they route around their paranoia.]

IP Archives: https://www.listbox.com/member/archive/247/


Man posts "wanted" poster of himself on own Facebook page

Mark Brader
Fri, 5 Mar 2010 03:17:01 -0500 (EST)

Chris Crego, of Lockport, New York, pleaded guilty to assault but fled the
state before sentencing.  However, he then put up Facebook and MySpace pages
under his real name, showing his photo, his place and hours of employment,
and -- in case there was any doubt -- the police "wanted" poster of him.  He
was arrested and returned to Lockport, and police posted a "thank you"
notice on his page.

http://www.cbsnews.com/blogs/2010/02/08/crimesider/entry6186573.shtml
http://www.buffalonews.com/2010/03/02/974619/crego-back-in-lockport-held-on.html


Car insurance bug

"Clive D.W. Feather" <clive@davros.org>
Sat, 6 Mar 2010 09:33:46 +0000

I bought a new car a couple of weeks ago, though for obvious reasons [1] I
didn't collect it until Monday.

As soon as I knew the new registration number, I contacted my insurance
company to alter the details. The paperwork finally arrived yesterday. At
one point it reads:

    It has been owned by, and registered to you or your partner,
    for approximately - 1 year(s) 11 month(s).

This puzzled me, so I phoned them, to be told "it always does that for new
cars". Then I realized what had happened; the clue was that the previous
paperwork did *not* have the dash in this text.

The computer must have done something like "now = Feb 2010, bought Mar 2010,
therefore owned for -1 months". Then it converted months to years by
dividing by 12 and determining the remainder. There are two sensible
answers for "-1 div/rem 12" (0 remainder -1 and -1 remainder 11) and which
gets used depends on what properties you want to preserve. Or, in this
case, because nobody had thought about negative inputs!

The only remaining problem: how on earth do I get this information past the
call centre and to the people who actually maintain this code? Perhaps
they read RISKS.

[1] Well, obvious to UK readers - it gives the car a "10" registration
rather than a "59" one, affecting the resale value.

Clive D.W. Feather <clive@davros.org> http://www.davros.org  +44 7973 377646
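
The two answers for "-1 div/rem 12" described in the item above, worked through as an added example (not the insurer's code, which the post does not show). The dates, the function names and the policy of rejecting a future purchase date are assumptions made for illustration.

```python
from datetime import date

# Constructed dates matching the post: paperwork produced in Feb 2010 for a
# car whose purchase date falls in Mar 2010 (days of month are assumed).
QUOTE_DATE = date(2010, 2, 20)
PURCHASE_DATE = date(2010, 3, 1)


def months_between(purchased, today):
    """Whole calendar months from purchase to today; negative if the
    purchase date lies in the future."""
    return (today.year - purchased.year) * 12 + (today.month - purchased.month)


def split_floored(months):
    """Quotient rounds toward minus infinity, so the remainder is always
    in 0..11. This is what Python's divmod does."""
    return divmod(months, 12)


def split_truncated(months):
    """Quotient rounds toward zero, so the remainder takes the sign of
    the input. This is what C's / and % do."""
    years = abs(months) // 12
    if months < 0:
        years = -years
    return years, months - years * 12


def render(years, months):
    """Format a duration in the style of the letter quoted in the post."""
    return f"for approximately {years} year(s) {months} month(s)."


def ownership_period(purchased, today):
    """Validated variant: a future purchase date has no ownership duration,
    so refuse to compute one instead of printing a negative period."""
    months = months_between(purchased, today)
    if months < 0:
        raise ValueError(
            f"purchase date {purchased} is after {today}: not yet owned"
        )
    return divmod(months, 12)


if __name__ == "__main__":
    m = months_between(PURCHASE_DATE, QUOTE_DATE)
    # Both splits satisfy years * 12 + months == m, yet print differently.
    print("floored:  ", render(*split_floored(m)))
    print("truncated:", render(*split_truncated(m)))
    try:
        ownership_period(PURCHASE_DATE, QUOTE_DATE)
    except ValueError as exc:
        print("validated:", exc)
```

The floored split reproduces the "-1 year(s) 11 month(s)" shape of the letter; the truncated split would have printed "0 year(s) -1 month(s)" instead.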


Daily cyber attacks on the UK

Martyn Thomas <martyn@thomas-associates.co.uk>
Sun, 07 Mar 2010 09:39:41 +0000

Foreign states and terrorist groups are regularly launching cyber-attacks on
the UK's computer systems with the potential to cause widespread damage,
according to the government's security tsar.  Lord West of Spithead, who is
parliamentary under-secretary for security and counter-terrorism, told the
*Observer* that the UK was under daily cyber attack, often from agencies
working on behalf of foreign governments.  He said there had been "300
significant attacks" on the government's core computer networks in the last
year and warned of chaotic scenes if one successfully targeted
infrastructure such as the UK's communications systems...
http://www.guardian.co.uk/technology/2010/mar/07/britain-fends-off-cyber-attacks


"Traffic analysis" from data

"David Magda" <dmagda@ee.ryerson.ca>
Fri, 12 Mar 2010 09:09:50 -0500 (EST)

A little while ago the Ontario Privacy Commissioner released a report on
the privacy implication of electrical smart grids (RISKS-25.84: "Your
smart meter is watching"). Well, it turns out water pressure is another
way that "traffic analysis" can be done on people's activities:

> The water utility in Edmonton, EPCOR, published the most incredible graph
> of water consumption last week. By now you've probably heard that up to
> 80% of Canadians were watching last Sunday's gold medal Olympic hockey
> game. So I guess it stands to reason that they'd all go pee between
> periods.

http://tinyurl.com/yedz5jt
http://www.patspapers.com/blog/item/what_if_everybody_flushed_at_once_Edmonton_water_gold_medal_hockey_game/
Via: http://www.boingboing.net/2010/03/11/the-effects-of-gold-.html

Not so much a technological RISK, but more of a reminder that as chips and
sensors are placed in more places, we get more data. The more data we have,
the more it can be linked with other data, and that can lead to unforeseen
consequences.


Paranoia 101

Paul Wexelblat <wex@cs.uml.edu>
Mon, 1 Mar 2010 09:07:23 -0500

Are they tracking us (a/k/a Paranoia 101) - Or,
What I'd do if I was "one of 'them'".
OK, Let's do an update

1. How many "Smart Cards" are you carrying?
2. How about your "New, Improved" Passport?
3. EZ Pass (or equivalent)?
4. How about those Tire Pressure things in your
   tires (4 and the spare!)- they're RFID's
5. Y'know, that "keyless entry" thingie in your pocket/key - RFID, again.
6. Oh, that ON-Star like thing in your car, can
   you turn it off? (Are you sure?)
7. About that cellphone,
   You want Paranoia -
8. Um, about the remote diagnostic capability of my Mom's pacemaker
9. The implanted ID chip in your pet
10. Do those "security" bags really protect
    RFID's from concerted reading devices?
11. "They" could easily record the serial numbers
    of the cash you get from the ATM
12. While they're doing facial recognition of
    everyone within range of the camera.

How many of these things can be read from how far away?  [Quite a few.  PGN]


Risks of having friends with computers

Rob McCool <robm@robm.com>
Fri, 12 Mar 2010 12:21:59 -0800 (PST)

http://www.mpi-sws.org/~gummadi/papers/inferring_profiles.pdf

This paper discusses an interesting phenomenon for privacy. If a user
has turned on privacy in either LinkedIn or Facebook such that their
friends list is accessible but nothing else, the researchers were able
to infer with 80% accuracy the values of the hidden attributes based
solely upon 20% of those friends revealing their own value for those
attributes. The article states that 95% of Facebook users expose their
friends list to strangers, which means that for most people their
privacy may be effectively compromised by a relatively small
percentage of their friends.

To me, this is a difficult tradeoff for Facebook users. Hiding your
friends list means that people you know but with whom you have not
connected will have difficulty deciding if that's really you, or
another John Smith. The "N mutual friends" link is an incredibly
useful one for finding people you might want to reconnect with.


Computer core risks

Robert Schaefer <rps@haystack.mit.edu>
Wed, 10 Mar 2010 14:47:06 -0500

This came through via slashdot:
http://www.gearlog.com/2010/03/hands_on_fake_intel_core_i7-92_1.php

Apparently the computer core you thought you were purchasing is now the risk.

Robert Schaefer, Atmospheric Sciences Group, MIT Haystack Observatory
Westford MA 01886 781-981-5767 http://www.haystack.mit.edu rps@haystack.mit.edu


4th International Conference on Network and System Security

"NSS 2010" <ieee.nss@gmail.com>
Wed, 3 Mar 2010 23:29:33 +1000

4th International Conference on Network and System Security (NSS 2010)
September 1-3, 2010, Melbourne, Australia
http://www.anss.org.au/nss2010
In technical co-sponsorship with the IEEE and the IEEE Computer Society
Technical Committee on Scalable Computing

Workshop proposal due: March 31, 2010
Paper submission due: March 31, 2010


IEEE Symposium on Security and Privacy

Ulf Lindqvist <ulf.lindqvist@sri.com>
Thu, 11 Mar 2010 08:41:27 -0800

IEEE Symposium on Security and Privacy, May 16-19, 2010
The Claremont Resort, Oakland, California, USA

Sponsored by the IEEE Computer Society Technical Committee on Security and
Privacy, in cooperation with the International Association for Cryptologic
Research (IACR)

It is my pleasure to announce the 2010 IEEE Symposium on Security and
Privacy, to be held at the Claremont Resort 30 years after the very first
symposium in this series. Please visit http://oakland31.cs.virginia.edu/ for
information about the symposium and the co-located workshops.  [The SSP 2010
program is also in RISKS-25.95.  PGN]

*Important Highlights:*

    * Register <http://www.regonline.com/Checkin.asp?EventId=810837>
      before April 18 to take advantage of the early registration rates
    * Reserve your hotel room
      <http://oakland31.cs.virginia.edu/travel.html> early, especially
      if you require and qualify for the government rate
    * The 30th anniversary of Security and Privacy welcomes all in the
      security research community to a light-hearted *awards dinner* on
      May 17. Registered symposium attendees and registered guests are
      welcome at this retrospective event with Master of Ceremonies
      Peter G. Neumann. The ceremonies will include the presentation of
      the National Computer Systems Security Award for 2010 by the
      National Institute of Standards and Technology (NIST) and the
      National Security Agency (NSA).
    * The advance program
      <http://oakland31.cs.virginia.edu/program.html> is available
    * Student travel grants
      <http://oakland31.cs.virginia.edu/grants.html> are available, and
      applications are due by April 2
    * The Call for Posters
      <http://oakland31.cs.virginia.edu/posters.html> is now open, and
      poster abstracts are due by April 8
    * Three co-located workshops
      <http://oakland31.cs.virginia.edu/workshops.html> will be held in
      conjunction with the symposium on May 20:
          o Systematic Approaches to Digital Forensic Engineering (SADFE)
          o Web 2.0 Security and Privacy (W2SP)
          o Workshop on Security and Privacy in Social Networks

I hope to see you at the symposium on May 16-19!

Ulf Lindqvist, General Chair
