The RISKS Digest
Volume 26 Issue 48

Tuesday, 21st June 2011

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator



United Airlines system-wide computer failure
The Bitcoin fiasco
Mark Thorson
A new speed record for exposing plagiarism by web search?
Mark Brader
Risks of automatically generated weather forecast data
Nick Brown
Citi Says Credit Card Customers' Data Was Hacked
Chris V. Nicholson via Monty Solomon
SecurIDs Come Under Siege
Siobhan Gorman and Shara Tibken via Monty
Hackers steal quantum code
Peter Houppermans
Spam "e-books" becoming a major problem on Kindle e-book store
Lauren Weinstein
Nissan Leaf reportedly leaks data via RSS, including location/speed
Casey Halverson via Lauren Weinstein
British Spies Replace Terrorists' Online Bomb Instructions with Cupcake Recipe
Paisley Dodd via Monty Solomon
iPhone app measures frequency of common passcodes
Mark Thorson
RSA Insecurity
Nelson D. Schwartz and Christopher Drew via Monty Solomon
Customers angry at RSA over delay in admitting depth of breach
Lauren Weinstein
Conceal your breaches, and steel your breeches?
Dan Goodin
Spyware, the FBI, and The Failure of ISPs
John Dvorak via Monty Solomon
Hacker Community Infiltrated?
The Thomas Drake Case
CD cover art not best place for a bar code
Mark Brader
Cloud computing: back to the VAX
Fox News mistakenly uses Tina Fey picture in Sarah Palin story
Monty Solomon
Re: Skype is reportedly reverse-engineered
Rob Slade
Re: Cars that drive themselves
Spencer Cheng
Re: "Automatic Updates" considered Zombieware
David Gillett
Info on RISKS (comp.risks)

United Airlines system-wide computer failure

"Peter G. Neumann" <>
Tue, 21 Jun 2011 15:18:22 PDT

Passengers were stranded at airports across the country Friday night [17 Jun
2011] after a failure in United Airlines' computer system.  The disruption
set off widespread delays at airports in San Francisco, Chicago and
Washington, with many passengers left sitting in terminals or stuck on
planes that were grounded.  United said in a statement that the problems
began at 8:15 p.m. New York time, when the computer failure knocked out its
flight departures, airport processing and reservations systems. The
statement did not address the nationwide delays, and a spokesman did not
return a phone call seeking comment.

AND THEN ON Slashdot:
United Airlines Passengers Stranded By Computer

A computer outage with effects to dwarf those of the one that stranded
thousands of US Airways passengers last week. This time, it's United
Airlines' systems that are out of commission and unable to handle
passenger reservations, leaving passengers stranded all over the U.S.
Experiencing the resultant delays first-hand at Dulles Airport, our reporter
saw United planes being sent on -- along with their passengers' luggage --
to the cities from which they're to leave tomorrow morning, in anticipation
of the computer system being fixed in the interim.


Also (from Lauren Weinstein):
United Airlines blames 5 hour computer outage on "network connectivity issue"  (This message in Google Buzz)  (NPR Article)
who added his own interpretation:
  United's explanation is a bit vague, but luckily through my own sources
  I've been able to obtain photographic evidence of the actual cause:  (Lauren's Blog [JPG])

The Bitcoin fiasco

Mark Thorson <>
Mon, 20 Jun 2011 16:04:42 -0700

I first heard about the electronic currency Bitcoin from this article:

Naturally, I was a bit skeptical about a so-called currency not backed up by
a government or hard assets, but the implementation seemed technically
sweet.  I didn't have to wait long for my doubts to be confirmed.

Oooh!  Loses a third of its value in one day!  I better watch the market
a little longer before jumping in.

Whoa!  Some guy got hacked and lost bitcoins "worth" $500,000.
This is obviously not a game for amateurs.  Wonder what that guy
was doing with so many bitcoins in the first place?

Yikes!  The main bitcoin exchange just got robbed for $8.75M!  What were the
purported reasons for using this "currency"?  I know the arguments that the
guy who got hacked wasn't using proper security (he admits it) and the
problem at the exchange had nothing to do with the underlying Bitcoin
technology model.  I tend to think, though, that a currency invented by an
anonymous computer programmer is not something to jump right into.  If it's
still around in 10 years, I might re-evaluate, but in the meantime I'll
stick to currencies that have been around a couple hundred years.

A new speed record for exposing plagiarism by web search?

Mark Brader
Tue, 14 Jun 2011 19:47:30 -0400 (EDT)

At the University of Alberta, Philip Baker, the dean of medicine and
dentistry, was beginning an inspiring commencement speech when some people
in the audience thought they remembered a distinctive expression—a
reference to a made-up medical term "velluvial matrix".  They pulled out
their smartphones and quickly found the entire speech online on *The New
Yorker*'s web site at

The speech was actually written by Atul Gawande (who writes for the New
Yorker and is the author of several books, as well as being a professor
and a surgeon), to give last year at Stanford University.  Baker has
apologized to Gawande.  See:

I include a CBC link because I'm sure it will be durable, but their version
is less dramatic in that it doesn't mention the plagiarism being exposed
while in progress:

Risks of automatically generated weather forecast data

Nick Brown <>
Tue, 14 Jun 2011 13:02:33 +0200

Looks like householders in Bridgwater, England should prepare for, umm, very
high winds this coming weekend.  And the coldest June night in history, with
an effective temperature of about -30C after factoring in wind chill.

  (Sanity checks on data?  Who needs 'em?)
  Nick Brown, Strasbourg, France

Citi Says Credit Card Customers' Data Was Hacked (Chris V. Nicholson)

Monty Solomon <>
Thu, 9 Jun 2011 10:11:53 -0400

Citigroup acknowledged on Thursday that unidentified hackers had breached
its security and gained access to the data of hundreds of thousands of its
credit card customers in North America. ...
[Source: Chris V. Nicholson, *The New York Times*, 9 Jun 2011]

SecurIDs Come Under Siege (Siobhan Gorman and Shara Tibken)

Monty Solomon <>
Mon, 6 Jun 2011 23:25:09 -0400

SecurIDs Come Under Siege:
Security Breach Forces RSA to Offer to Replace Millions of 'Tokens'

Siobhan Gorman and Shara Tibken, *The Wall Street Journal*, 7 Jun 2011

RSA Security is offering to provide security monitoring or replace its
well-known SecurID tokens -- devices used by millions of corporate workers to
securely log on to their computers -- "for virtually every customer we have,"
the company's Chairman Art Coviello said in an interview.

In a letter to customers Monday, the EMC Corp. unit openly acknowledged for
the first time that intruders had breached its security systems at defense
contractor Lockheed Martin Corp. using data stolen from RSA.

SecurID tokens have become a fixture of office life at thousands of
corporations, used when employees log onto computers or sensitive software
systems. The token is an essential piece of security, acting as an
ever-changing password that flashes a series of six digits that should be
virtually impossible to duplicate. ...

Hackers steal quantum code

Peter Houppermans <>
Sun, 19 Jun 2011 11:48:51 +0200


"While in principle unbreakable, quantum cryptography is known to have
weaknesses in practice. One shortcoming has now been graphically illustrated
by physicists in Singapore and Norway, who have been able to copy a secret
quantum key without revealing their presence to either sender or
receiver. The researchers are now working to remove the loophole they have

  And so the arms race continues...

Spam "e-books" becoming a major problem on Kindle e-book store

Lauren Weinstein <>
Fri, 17 Jun 2011 15:27:25 -0700

  [From Network Neutrality Squad,  PGN]

"Spam has hit the Kindle, clogging the online bookstore of the top-selling
eReader with material that is far from being book worthy and threatening to
undermine Inc's publishing foray."  (Reuters)

Nissan Leaf reportedly leaks data via RSS, including location/speed

Lauren Weinstein <>
Tue, 14 Jun 2011 09:01:21 -0700

  [From Network Neutrality Squad,  PGN]  (This message on Google Buzz)  (Casey Halverson)

"Looking at the GET string above, "lat" and "lon" variables contain the
current position of the vehicle, "speed" is the vehicle speed, "car_dir" is
the direction of the car, and "lat_dst" and "lon_dst" is your destination
configured in your navigation system ... All of these lovely values are
being provided to any third party RSS provider you configure: CNN, Fox News,
Weather Channel, it doesn't matter! While a lot of these providers are
probably not aware of these (rather valuable) parameters the car passes,
they probably sit in thousands of HTTP logs already, waiting to be parsed
out - or perhaps supported in the future."

"Update June 13 3:23 PDT: While nobody bothered to inform the customers,
Nissan does document this functionality in this obscure Japanese developer
document. [Google Translated]."
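As an added example (not code from Halverson's post or from Nissan), here is a small Python scanner that a feed provider could run over its own access logs to find requests carrying the parameter names the post lists and to write out a redacted copy; the combined log format and the sample lines are constructed for this example.

```python
"""Find and redact vehicle-telemetry parameters leaked in HTTP query strings.

The report above says lat/lon/speed/car_dir/lat_dst/lon_dst are appended to
whatever RSS feed URL the owner configures, so they land in that provider's
access logs.  This scans Apache/nginx "combined" log lines, reports which
requests carry those parameters, and returns a redacted copy of the log.
"""
import re
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Parameter names quoted in the post (assumed to arrive unchanged in the query).
SENSITIVE_PARAMS = {"lat", "lon", "speed", "car_dir", "lat_dst", "lon_dst"}

# Combined format: client ident user [time] "METHOD target PROTO" status size ...
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) (?P<proto>HTTP/[\d.]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+)(?P<rest>.*)$'
)

# Constructed sample log (addresses from the documentation ranges).
SAMPLE_LOG = [
    '203.0.113.7 - - [13/Jun/2011:10:02:11 -0700] "GET /rss/top.xml'
    '?lat=47.6062&lon=-122.3321&speed=45&car_dir=NE'
    '&lat_dst=47.4502&lon_dst=-122.3088 HTTP/1.1" 200 5120 "-" "CarFeed/1.0"',
    '198.51.100.9 - - [13/Jun/2011:10:02:15 -0700] "GET /rss/top.xml HTTP/1.1"'
    ' 200 5120 "-" "Mozilla/5.0"',
]


def leaked_params(target):
    """Return {name: value} for sensitive query parameters in a request target."""
    query = urlsplit(target).query
    return {k: v for k, v in parse_qsl(query, keep_blank_values=True)
            if k in SENSITIVE_PARAMS}


def redact_target(target):
    """Replace sensitive parameter values with a marker; keep path and others."""
    parts = urlsplit(target)
    pairs = [(k, "REDACTED" if k in SENSITIVE_PARAMS else v)
             for k, v in parse_qsl(parts.query, keep_blank_values=True)]
    return urlunsplit(parts._replace(query=urlencode(pairs)))


def scan_log(lines):
    """Return (findings, redacted_lines).

    findings is a list of (client, time, leaked_dict) for each request that
    carried telemetry; redacted_lines is the whole log with values replaced.
    Lines that do not parse are passed through untouched.
    """
    findings, redacted = [], []
    for line in lines:
        m = LOG_RE.match(line)
        if m:
            target = m.group("target")
            leaked = leaked_params(target)
            if leaked:
                findings.append((m.group("client"), m.group("time"), leaked))
                line = line.replace(target, redact_target(target), 1)
        redacted.append(line)
    return findings, redacted


if __name__ == "__main__":
    hits, clean = scan_log(SAMPLE_LOG)
    for client, when, leaked in hits:
        print(f"{when} {client} leaked {sorted(leaked)}")
    print("\n".join(clean))
```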

British Spies Replace Terrorists' Online Bomb Instructions with Cupcake Recipe

Monty Solomon <>
Sun, 12 Jun 2011 10:37:13 -0400

Paisley Dodd, 3 Jun 2011

LONDON—Britain's spy agencies have a new message for terrorists: make
cupcakes, not war.  Intelligence agents managed to hack into the extremist
Inspire magazine, replacing its bomb-making instructions with a recipe for
cupcakes.  It's the first time the agents sabotaged the English-language
magazine linked to U.S.-born Yemeni cleric Anwar al-Awlaki, an extremist
accused in several recent terror plots.

The quarterly online magazine, which is sent to websites and email
addresses as a pdf file, had offered an original page titled "Make a
Bomb in the Kitchen of Your Mom" in one of its editions last year.
The magazine's pages were corrupted, however, and the instructions
replaced with the cupcake recipe. ...

MI6 attacks al-Qaeda in 'Operation Cupcake'
British intelligence has hacked into an al-Qaeda online magazine and
replaced bomb-making instructions with a recipe for cupcakes.

Duncan Gardham, Security Correspondent, 02 Jun 2011

The cyber-warfare operation was launched by MI6 and GCHQ in an attempt to
disrupt efforts by al-Qaeda in the Arabian Peninsula to recruit "lone-wolf"
terrorists with a new English-language magazine, the Daily Telegraph
understands. ...  The code, which had been inserted into the original
magazine by the British intelligence hackers, was actually a web page of
recipes for "The Best Cupcakes in America" published by the Ellen DeGeneres
chat show. ...

iPhone app measures frequency of common passcodes

Mark Thorson <>
Wed, 15 Jun 2011 08:13:22 -0700

An iPhone app has been indirectly capturing and compiling statistics on the
distribution of passcodes.  About 10% are either 1234 or 0000.

This reminds me of something that happened about 30 years ago.  I had
scanned nearly a thousand 800 numbers looking for interesting things, and I
gave a list of anomalous numbers to a friend of mine.  A day or two later he
told me that one of the numbers was a call diverter with the password 321.
I said "I'll bet you tried 320 numbers before you found that out."  He
replied "More than that.  I tried all the obvious stuff first, like 111,
222, 333 . . .".

RSA Insecurity (Nelson D. Schwartz and Christopher Drew)

Monty Solomon <>
Wed, 8 Jun 2011 22:36:14 -0400

Nelson D. Schwartz and Christopher Drew, RSA Faces Angry Users After Breach
*The New York Times*, 7 Jun 2011

The nation's biggest banks and large technology companies like SAP rushed
Tuesday to accept RSA Security's offer to replace their ubiquitous SecurID
tokens as many computer security experts voiced frustration with the

The company's admission of the RSA tokens' vulnerability on Monday was a
shock to many customers because it came so long after a hacking attack on
RSA in March and one on Lockheed Martin last month. The concern of customers
and consultants over the way RSA, a unit of the tech giant EMC, communicated
also raises the possibility that many customers will seek alternative
solutions to safeguard remote access to their computer networks.

Bank of America, JPMorgan Chase, Wells Fargo and Citigroup said they planned
to replace the tokens as soon as possible. The banks declined to say how
many customers would be affected, although SAP said that most of its 50,000
employees used RSA's tokens and that it was seeking to replace them all. ...

Customers angry at RSA over delay in admitting depth of breach

Lauren Weinstein <>
Wed, 8 Jun 2011 15:37:21 -0700

Customers angry at RSA over delay in admitting depth of breach  (This message in Google Buzz)  (New York Times)

  "For now, however, the biggest worry for RSA is how to appease angry
  customers as well as mollify computer security consultants, who have been
  increasingly critical of how long it took the company to acknowledge the
  severity of the problem."

Just a quick opinion: Once a firm has a reasonable handle on the depth
of a security problem that will affect customers, it is in both the
company's and the customers' best interests for the firm to "come
clean" at least regarding the seriousness of the situation, even if
all technical details are not yet available or in a form that can be
reasonably communicated with customers.

It is crucial that users understand to what extent they may have been
made vulnerable, so that they can take appropriate protective steps
themselves at least in the short run.

Most of all, trying to publicly minimize the seriousness of a
situation below the level you know to be true, or lying about how
serious matters really are, can be counted upon to make a bad
situation worse.

This applies pretty much equally in technology and in the rest of our
lives (just ask Rep. Anthony Weiner).

Lauren Weinstein
Network Neutrality Squad
PRIVACY Forum   +1 (818) 225-2800

Conceal your breaches, and steel your breeches? (Dan Goodin)

"Peter G. Neumann" <>
Fri, 10 Jun 2011 10:40:52 PDT

Dan Goodin, Senator Sisyphus tries again, *The Register*, 8 Jun 2011

US-based companies would be required to report data breaches that threaten
consumer privacy and could face stiff penalties for concealing them under
federal legislation that was introduced in the Senate on Tuesday.

The Personal Data Privacy and Security Act aims to set national standards
for protecting the growing amount of personally identifiable information
being stored online. Its approval by the Senate Judiciary Committee
represents the fourth year the bill has been introduced, said its sponsor,
Senator Patrick Leahy of Vermont.  The latest incarnation comes amid a glut
of high-profile hack attacks on networks operated by Sony, email marketer
Silverpop Systems, gossip publisher Gawker Media, and others, which have
exposed sensitive data for hundreds of millions of Americans in the past six

Spyware, the FBI, and The Failure of ISPs (John Dvorak)

Monty Solomon <>
Thu, 9 Jun 2011 07:17:02 -0400

John C. Dvorak, 1 Jun 2011

Why can't ISPs routinely look at network activity and use deep-packet
sniffing to find infected machines and tell the customer in the first place?

Operation Adeona, it was called. It involved the FBI. Spyware.
Intrigue. Controversy. The FBI took it upon itself to attack one of the
miserable botnets that plagues the Internet to figure out how to intercept
its "calling home function." And essentially it ended up giving it new and
less destructive instructions. Let me try to explain.

Botnets generally consist of thousands of infected computers that have some
specific piece of malware installed. Your computer at home may be one of
them. The malicious code is usually in the form of a Trojan Horse that was
planted by a Web site or some code you mistakenly clicked on. Once installed
on your computer it doesn't really do much until called into action.

The idea nowadays is to inhabit your machine for nefarious purposes
including mailing spam from your account, pinging a target computer to
harass someone, or even to do odd sorts of market research. Most of the time
these infected machines do their dirty work after hours and seldom during
the day when an observant owner might spot the dubious activity.

It is a public nuisance. I cannot emphasize enough how people should run
some good scanners to ferret out these programs. Millions of machines are

Anyway, so the FBI decided to counterattack one of the major botnets called
Coreflood, which is used to loot bank accounts. The FBI was to replace the
servers communicating with infected Coreflood machines with its own servers,
and also to disable the Coreflood malware on the infected machines. This
process seems to have gone well and the botnet was mostly silenced and had
no way of getting any more nefarious instructions, rendering it useless. The
problem is that the code is still on the machines. Now it gets dicey. ...

Hacker Community Infiltrated?

"Peter G. Neumann" <>
Tue, 7 Jun 2011 11:13:18 PDT

"The underground world of computer hackers has been so thoroughly
infiltrated in the US by the FBI and secret service that it is now riddled
with paranoia and mistrust, with an estimated one in four hackers secretly
informing on their peers, a Guardian investigation has established."
[Source: *The Guardian*, 6 Jun 2011.]

  [On the Internet, no one should even trust his dog.  PGN]

The Thomas Drake case

"Peter G. Neumann" <>
Fri, 10 Jun 2011 6:02:13 PDT

Thomas Drake, a former NSA employee who had been indicted on 10 counts
relating to retaining classified information and leaking it to a *Baltimore
Sun* reporter, pleaded guilty to a single misdemeanor charge for `exceeding
authorized use of a government computer', with the remaining charges being
dropped.  Jesselyn Radack (who represented Drake) said, "This was the wrong
person, this was the wrong case, and the Espionage Act was an overreach."

[Source: Kim Hairston, *The Baltimore Sun*, 10 Jun 2011; PGN-ed]

CD cover art not best place for a bar code

Mark Brader
Fri, 10 Jun 2011 02:46:44 -0400 (EDT)

  In 2005, Sony BMG released a 3-CD set entitled Electric 80s.  The cover art
  for this compilation of "the greatest Eighties electric hits" featured a
  reproduction of a UPC bar code, with the title "ELECTRIC 80s" placed in
  the space at the bottom of the bar code where the human-readable numbers
  corresponding to that code would usually appear.  (The real bar code --
  the one used for scanning the price of the item at checkout counters --
  was placed in a corner on the back of the packaging, as it is for nearly
  every similar item.)

What could possibly go wrong?  Right.  The reproduction bar code was a real
one, so if the clerk selling you the CD scanned the wrong side, you were
charged the wrong price.

Cloud computing: back to the VAX

Wed, 08 Jun 2011 12:27:30 +0800

All this talk about cloud computing.
So now our marriage to the PC has soured,
and we return back to the dumb terminal
and the university/cloud's VAX/PDP where we started.

  [It takes me back to MIT's CTSS in the early 1960s and Multics beginning
  in 1965.  Not just full circle, but perhaps 720 or 1080 degrees.  And The
  Shadow (from the 1940s radio shows), with the ability to *cloud* men's
  minds. PGN]

Fox News mistakenly uses Tina Fey picture in Sarah Palin story

Monty Solomon <>
Thu, 9 Jun 2011 07:08:20 -0400

Fox News found out the hard way that there's nothing like the real thing
when it comes to Sarah Palin, especially when it comes to Palin impersonator
Tina Fey.  A story on "America's News Headquarters" about Palin's current
bus tour, in which she may be testing the waters for a 2012 presidential
bid, was illustrated with a graphic of Fey portraying Palin, according to The snafu was particularly glaring since Palin works for Fox
as a correspondent. ...  [Source: *LA Times*]

Re: Skype is reportedly reverse-engineered (RISKS-26.46)

Rob Slade <>
Tue, 7 Jun 2011 12:10:22 -0800

I've always been wary of Skype for their SBO stance, despite the many
security friends who have used it, love it, and promote it at every turn.
Prior to this year's disclosures of increasing success in attempts to decode
the thing (and the purchase by Microsoft), I was even thinking that I might
have to jump on the bandwagon and start using it, as one of the most
realistic ways of phoning home from various countries overseas.

This new wrinkle in the situation reminds me of the battle royal, many years
ago, between Microsoft and AOL over instant messaging functions.  (Little
good can come out of the fight, I suspect, other than the high probability
that someone will come up with some form of realistic alternative to Skype.)
In the instant messaging scrap, both sides worked furiously on developing
new versions of their client software that would be incompatible with the
other.  This activity culminated in one vendor creating one with a buffer
overflow situation.  Not by accident: this was done deliberately so that
some instant messaging functions could *only* be accessed by a buffer
overflow, thus reducing the (comparative) functionality of the other client.

Not the actions of a vendor that has user security at heart ...

Re: Cars that drive themselves (Kamens, RISKS-26.47)

Spencer Cheng <>
Mon, 6 Jun 2011 22:13:53 -0400

[Kamens'] point is valid. However, if we consider the probability of a human
driver hitting a pedestrian, the distribution is probably random (X
incidents per 100K driver/year - dependent on a large variety of
factors). Think of it as wetware fault.

With self-driving cars, the control S/W will be the same, or very similar,
across millions of cars, so any S/W fault could be expressed by millions of
cars when a given set of inputs occurs. The distribution of incidents is not
likely to be random but rather predictable.

While formal methods and rigorous testing would reduce the number of
residual bugs, a S/W system like self-driving cars, which is probably very
complex and has millions of LOC, will not be bug free.

Have we exchanged the risk of a random incident, wetware failure, for the
risk of a rare but large-scale S/W fault that could cause thousands of
incidents in a very short period of time?

Re: "Automatic Updates" considered Zombieware (Baker, RISKS-26.45)

"David Gillett" <>
Tue, 7 Jun 2011 15:20:22 -0700

I wouldn't jump to the conclusion that all of the delta in disk space between
an initial Windows installation and an updated one is "the updates" per se.
Some of it is probably uninstall info for those updates, and some System
Restore points providing another method to roll them back.  All of which
would be completely unnecessary if those updates were flawless—but if
Microsoft had THAT capability, there would never be any need to update
Windows at all!

Memorable flaws include:

* WGA, already noted, multiple versions,

* Repeated delivery and installation of non-functional ATI video drivers
based on Windows Update (or ATI) misidentifying my installed hardware,

* Nightly server reboots caused by an update whose automatic installation
would consistently fail AFTER noting that a reboot would be required (manual
installation mysteriously succeeded)...

In the balance, review a top ten list of Windows worms of recent years to
see how many exploited a vulnerability for which the corrective patch had
been available as an update for at least three months.  How badly do you
prefer being in the Problem Set over being in the Solution Set?
