The RISKS Digest
Volume 26 Issue 11

Wednesday, 21st July 2010

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator



Hospital files with data of 800,000 are missing
Finucane/Lazar via Monty Solomon
Jim Reisert
Colorado warns of major corporate ID theft scam - Computerworld
Jonathan Kamens
Steve Bellovin blogs on Common Sense
Electronic business cards anyone?
Mike Scott
Virus targeted at Siemens industrial control systems
Robert McMillan
Tweet Less, Kiss More
Bob Herbert via Monty Solomon
Quiet electric & hybrid cars endanger blind pedestrians
Steven J Klein
Subaru offering wi-fi in Outbacks
Peter Van Allen via Monty Solomon
Trusting Your Friends—and Trusting the Cloud
Lauren Weinstein
Winning on points
Amos Shapir
Re: Con-Ed Nerve Center Fights to Keep Lights On
Steven Bellovin
iPhone 4: "My cheek must have called you"
Mark Brader
iPhone 4: Risks of relying on impressions
Tim Bradshaw
iPhone 4: Apple Knew of iPhone Antenna Glitch
Kane/Sheth via Monty Solomon
The iPhone 4 Redux
Klug/Shimpi via Monty Solomon
Re: Cal payroll data system cannot be changed ...
Al MacIntyre
Kelly Bert Manning
Info on RISKS (comp.risks)

Hospital files with data of 800,000 are missing (Finucane/Lazar)

Monty Solomon <>
Wed, 21 Jul 2010 08:52:46 -0400

Computer files from South Shore Hospital that contain personal information
for about 800,000 people may have been lost when they were shipped to a
contractor to be destroyed.  Reportedly, an independent information security
consulting firm has determined that specialized software, hardware, and
technical knowledge would be required to open and decipher information in
the files.  They also said they had no evidence that the information in
those files had been improperly used by anyone.

[Source: Martin Finucane & Kay Lazar, *The Boston Globe*,  20 Jul 2010; PGN-ed]

  [Also noted by Jim Reisert.  PGN]

Hospital says 800K records may be missing

Jim Reisert AD1C <>
Mon, 19 Jul 2010 15:59:55 -0600

Once again, risks aren't confined to computers; humans are still the weakest

Hospital says 800K records may be missing

"The backup computer files were shipped out on Feb. 26, 2010, the hospital
said.  When the company did not provide certificates of destruction, the
hospital inquired and learned from the company that only a portion of the
files had been received and destroyed. A search is underway for the missing
files.  ...  The hospital said the information on the files could include
people's names, addresses, phone numbers, birth dates, Social Security
numbers, driver's license numbers, medical record numbers, patient numbers,
health plan information, dates of service, and information on diagnoses and
treatments. For a very small subset of people, bank account and credit card
information was included."

Jim Reisert AD1C, <>,

Colorado warns of major corporate ID theft scam - Computerworld

"Jonathan Kamens" <>
Tue, 20 Jul 2010 14:28:45 -0400

Colorado's corporate registration Web site allows anyone to change any
company's contact information (registered agent) anonymously, i.e., without
the changer authenticating or identifying him/herself to the site in any
way. It was implemented this way for ease of use "at a time when identify
theft was not a rampant problem."

Some enterprising individuals changed the registered agent for various
companies, allowing them to apply for and be granted credit lines in those
companies' names at retailers such as Home Depot, Lowe's, Office Depot,
Apple, and Dell. At least $750,000 in fraudulent purchases were made from
Home Depot alone.

The Secretary of State's office says there are no plans to institute site
authentication right now because they'd have to hire a half dozen people to
support it, and there's no budget for that, at least not until the matter is
taken up in the next session of the legislature, which resumes next January.

The office is recommending that businesses sign up for email alerts when
their information is changed (Can the crooks change the email alert
settings? Does the old email address get notified when the alert address is
changed to a new one?). They are also supposedly monitoring address changes
and comparing them against the addresses of around 10,000 virtual offices
around the country.

  [For some reason this story brings to mind an article that ran a few days
  ago ("Best place to raise abducted children") in The Onion.]
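The design flaw in the post, and the two questions Jonathan Kamens asks about the email alerts, are easy to show side by side. This is an added illustration, not code from Colorado's site: the PIN-per-company credential, the in-memory "outbox" standing in for a mail sender, and all names are assumptions. The hardened version authenticates every change and, when the alert address itself is changed, notifies the old address as well as the new one, so a hijacker cannot silently redirect the alerts before changing the agent.

```python
"""Registered-agent changes: the unauthenticated design the post describes
beside a hardened one. Added example; the PIN control and names are assumed."""
from dataclasses import dataclass, field
import hashlib
import hmac
import secrets


@dataclass
class Company:
    name: str
    agent: str
    alert_email: str
    # PBKDF2 material for an assumed per-company access PIN.
    pin_salt: bytes = field(default_factory=lambda: secrets.token_bytes(16))
    pin_hash: bytes = b""


class OpenRegistry:
    """The risk in the post: anyone may change any company's agent, no identity needed."""

    def __init__(self):
        self.companies = {}

    def change_agent(self, company_id, new_agent):
        self.companies[company_id].agent = new_agent


class HardenedRegistry:
    """Every change requires the company's credential and produces an alert."""

    def __init__(self):
        self.companies = {}
        self.outbox = []   # (recipient, message); stands in for an email sender
        self.audit = []    # (field, company_id, old, new)

    @staticmethod
    def _hash(pin: str, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, 100_000)

    def register(self, company_id, name, agent, alert_email, pin):
        c = Company(name, agent, alert_email)
        c.pin_hash = self._hash(pin, c.pin_salt)
        self.companies[company_id] = c

    def _authenticate(self, company_id, pin) -> Company:
        c = self.companies[company_id]
        # Constant-time compare so the check itself leaks nothing about the hash.
        if not hmac.compare_digest(self._hash(pin, c.pin_salt), c.pin_hash):
            raise PermissionError("authentication failed")
        return c

    def _notify(self, to, msg):
        self.outbox.append((to, msg))

    def change_agent(self, company_id, pin, new_agent):
        c = self._authenticate(company_id, pin)
        old, c.agent = c.agent, new_agent
        self._notify(c.alert_email, f"Registered agent changed from {old!r} to {new_agent!r}")
        self.audit.append(("agent", company_id, old, new_agent))

    def change_alert_email(self, company_id, pin, new_email):
        c = self._authenticate(company_id, pin)
        old = c.alert_email
        # The OLD address is told first: that is what makes a hijack visible.
        self._notify(old, f"Alert address changed from {old} to {new_email}")
        self._notify(new_email, "This address now receives change alerts")
        c.alert_email = new_email
        self.audit.append(("alert_email", company_id, old, new_email))
```

With the open registry, `change_agent("co-1", "Mallory")` succeeds for anyone; with the hardened one the same call without the PIN raises `PermissionError`, and a successful alert-address change leaves a message to the previous address in `outbox`.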

Steve Bellovin blogs on Common Sense

"Peter G. Neumann" <>
Mon, 12 Jul 2010 4:49:11 PDT

  [Steve revisits the old adage, Common Sense is Not Common.  PGN]

He's posted his comments on his blog:

Electronic business cards anyone?

Mike Scott <>
Fri, 16 Jul 2010 14:52:40 +0100

I don't mind having electronic documents, well not usually.  Today someone
sent me an electronic business card (..._Electronic_Business_Card.exe). Yes,
that's right, a full-blown executable just, apparently, to display a pretty
facsimile of a business card.

I suspect this one would possibly have been OK (I know the sender), but I
notice a number of web sites offering their own such cards. The risks?  The
first, too obvious to state here. The second - it didn't actually reach me,
because my mail server like many is paranoid about attachments. The third -
I'm not using windows, so it wouldn't have been of much use anyway!

Companies entering this field should really do their homework!

And what's wrong anyway with a bit of plain, honest text?!!
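Mike Scott's mail server rejected the card because of its attachment policy. An added example of the kind of check such a server applies (not the poster's server, nor any product's code): an executable is refused by its extension, and a renamed one is still caught because the content is sniffed for a PE header (`MZ` stub whose `e_lfanew` field points at `PE\0\0`). The ELF and Mach-O checks generalize beyond the post's `.exe` case; all sample attachments are constructed.

```python
"""Attachment screening by extension and by content. Added illustration;
the sample 'PE' image and vCard below are constructed."""
import struct
from typing import Tuple

# Extensions Windows executes by name, whatever the content turns out to be.
EXECUTABLE_EXTENSIONS = {"exe", "scr", "com", "pif", "bat", "cmd", "js", "vbs", "msi"}

# Constructed plain-text business card, the format the post would have preferred.
VCARD = b"BEGIN:VCARD\r\nVERSION:3.0\r\nFN:Example Person\r\nEND:VCARD\r\n"


def is_pe_executable(data: bytes) -> bool:
    """True if data starts with a DOS 'MZ' header whose e_lfanew (offset 0x3C)
    points at a 'PE\\0\\0' signature: a Windows executable or DLL."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def is_native_executable(data: bytes) -> bool:
    """PE, ELF or Mach-O by magic bytes (generalization beyond the post's case)."""
    macho = (b"\xfe\xed\xfa\xce", b"\xfe\xed\xfa\xcf",
             b"\xcf\xfa\xed\xfe", b"\xce\xfa\xed\xfe")
    return is_pe_executable(data) or data[:4] == b"\x7fELF" or data[:4] in macho


def screen_attachment(filename: str, data: bytes) -> Tuple[bool, str]:
    """Return (accepted, reason). Extension first, then content sniffing,
    so 'card.vcf.exe' and a renamed 'card.vcf' are both refused."""
    parts = filename.lower().split(".")
    if len(parts) > 1 and parts[-1] in EXECUTABLE_EXTENSIONS:
        return False, f"executable extension .{parts[-1]}"
    if is_native_executable(data):
        return False, "content is a native executable despite extension"
    return True, "ok"


def fake_pe() -> bytes:
    """Constructed minimal PE image: 64-byte MZ stub, e_lfanew = 0x40, then 'PE\\0\\0'."""
    header = bytearray(b"MZ" + b"\x00" * 0x3E)
    struct.pack_into("<I", header, 0x3C, 0x40)
    return bytes(header) + b"PE\x00\x00" + b"\x00" * 16
```

`screen_attachment("..._Electronic_Business_Card.exe", fake_pe())` is refused on the extension; the same bytes renamed to `card.vcf` are refused on content; the real vCard passes.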

Virus targeted at Siemens industrial control systems

"Peter G. Neumann" <>
Tue, 20 Jul 2010 11:53:06 PDT

[Thanks to Jeremy Epstein.  PGN]

Robert McMillan, IDG News Service, 17 Jul 2010

Siemens is warning customers of a new and highly sophisticated virus that
targets the computers used to manage large-scale industrial control systems
used by manufacturing and utility companies.

Security experts believe the virus appears to be the kind of threat they
have worried about for years—malicious software designed to infiltrate
the systems used to run factories and parts of the critical infrastructure.
Some have worried that this type of virus could be used to take control of
those systems, to disrupt operations or trigger a major accident, but
experts say an early analysis of the code suggests it was probably designed
to steal secrets from manufacturing plants and other industrial facilities.

Tweet Less, Kiss More (Bob Herbert)

Monty Solomon <>
Sun, 18 Jul 2010 10:41:11 -0400

Bob Herbert, *The New York Times*, 16 Jul 2010

I was driving from Washington to New York one afternoon on Interstate 95
when a car came zooming up behind me, really flying. I could see in the
rearview mirror that the driver was talking on her cellphone.  [...]

A few days later, I was talking to a guy who commutes every day between New
York and New Jersey. He props up his laptop on the front seat so he can
watch DVDs while he's driving.  "I only do it in traffic," he said. "It's no
big deal."

Beyond the obvious safety issues, why does anyone want, or need, to be
talking constantly on the phone or watching movies (or texting) while
driving? I hate to sound so 20th century, but what's wrong with just
listening to the radio? The blessed wonders of technology are overwhelming
us. We don't control them; they control us.

We've got cellphones and BlackBerrys and Kindles and iPads, and we're
e-mailing and text-messaging and chatting and tweeting - I used to call it
Twittering until I was corrected by high school kids who patiently explained
to me, as if I were the village idiot, that the correct term is
tweeting. Twittering, tweeting - whatever it is, it sounds like a nervous

This is all part of what I think is one of the weirder aspects of our
culture: a heightened freneticism that seems to demand that we be doing, at
a minimum, two or three things every single moment of every hour that we're
awake. Why is multitasking considered an admirable talent? We could just as
easily think of it as a neurotic inability to concentrate for more than
three seconds. ...

Quiet electric & hybrid cars endanger blind pedestrians

Steven J Klein <>
Tue, 13 Jul 2010 23:37:25 -0400

Car manufacturers have long sought to make quieter cars, and they probably
viewed the near-silence of electric and hybrid vehicles as a wonderful side
benefit.  But this is creating a new problem for blind pedestrians who rely
on being able to hear vehicles to avoid being hit.

This has led to calls for new regulations mandating *minimum* noise levels!

  So far, Japan is the only country to have come up with voluntary noise
  guidelines for makers of electric and hybrid vehicles, but the government
  is leaving it up to individual manufacturers to decide on the type of
  sound a vehicle will make.  The result is a wide variety of sounds that
  some industry watchers are already calling noise pollution.

This is a field that cries out for standardization. Will blind people (and
guide dogs) have to memorize dozens of new sounds for each make & model of
car, bus & truck?

Source:  Putting the Noise Back Into Whisper-Quiet Vehicles from the Wall Street Journal:

Steven Klein | Mac, PC & Network Expert | Phone: (248) 968-7622

Subaru offering wi-fi in Outbacks

Monty Solomon <>
Sun, 18 Jul 2010 10:27:12 -0400

[Source: Peter Van Allen, Philadelphia Business Journal, 16 Jul 2010]

Subaru of America Inc. said Friday it will offer wi-fi in its 2011 Outback
models.  The Subaru Mobile Internet system creates a wi-fi hotspot for 10 or
more users within 150 feet of the vehicle.  The system, which operates on a
3G network, was created by a San Francisco-based company, Autonet Mobile,
which was founded in 2005.  Autonet has also formed partnerships with
Chrysler, Jeep, Dodge, Cadillac, GM and Volkswagen, according to its

Trusting Your Friends—and Trusting the Cloud

Lauren Weinstein <>
Tue, 20 Jul 2010 13:01:22 -0700

  [From Network Neutrality Squad]

               Trusting Your Friends—and Trusting the Cloud

Greetings.  Internet "cloud"-based services, both for data storage and as
computing resources, are expanding rapidly, and have become a flash point of
controversy among some persons in the computer science and privacy

On various discussion lists and forums, dialogues about the value and risks
of "cloud computing" have devolved into name-calling and impassioned
arguments about whether the term "cloud computing" itself is somehow
misleading—with suggestions that data storage services (where encryption
is more easily applied by users) should be considered separately from remote
computing services—sometimes called "SaaS" (Software as a Service).

I'm more interested in issues than word wars, so for now (despite the
related complaints that I'll receive) I will continue to refer to this
entire area as "cloud computing"—"the cloud" for short.

Some other time we can have a technical discussion of cloud computing's
benefits and risks.  But there are a couple of truths about the cloud that
are in my opinion undeniable, and are too often lost amidst the forest of
technical details.

Realize this: The future of computing and communications will increasingly
be Internet cloud-based.  There is no escaping this truth.  The complexity
of the services that will be demanded by persons around the world will
increasingly be impractical to provide wholly through traditional
locally-based resources.

Despite ever more encompassing attempts at automatic software updating
regimes, many or most users' computers are in states of relatively poor (or
even awful) security, and sport feeble or non-existent data backups, putting
immense amounts of personal and business data at risk on users' local disks
at any given time.

And to expect non-technical users to somehow manage these ever more
complicated computing devices, even with the help of increasingly complex
updating environments, is becoming about as nonsensical as requiring that
everyone be their own auto mechanic.

That there are privacy and security challenges in the cloud is undeniable --
but research in these areas is proceeding rapidly and holds great promise.
Laws that in some cases treat cloud-based user data as having fewer legal
privacy protections than locally-based data are no longer tolerable and need
to be harmonized so that user data gets the highest practicable level of
legal privacy safeguards regardless of where that data resides at any given
time ( [Digital Due Process]).

But for some who dislike the cloud, no amount of technical and legal
assurances will ever suffice, simply because they have a fundamental
distrust of remote services—"We never *really* know what's going on in
the cloud!" they say.

And yet, do we really know everything going on in our local computers, even
those of us who have spent our professional lives building these

In most cases, the answer is no.  Unless we've written every line of code
ourselves, or have compiled every program personally from source code that
we've inspected (and presumably understood!) line by line, there is a leap
of faith involved in everything we do on these machines.

For that matter, if you're of a conspiratorial bent, do you *really* know
for sure what's going on in those CPU cores that run your computer?  Have
you inspected every line of microcode?  Are you *positive* that something
nefarious isn't going on deep within those busy chips??

More realistically, Ken Thompson—co-creator of the UNIX Operating System
itself—noted in his 1984 paper "Reflections on Trusting Trust"
( [Univ. of Waterloo]), that you can't necessarily even
depend on the compilers that you use being free of self-compiling malware
and other subterfuge.

What this all boils down to in the end is—to paraphrase Bob Dylan—You
Gotta Trust Somebody.

And in our modern world, you have to trust lots of somebodies at various
levels or our entire technological civilization would simply grind to a

We certainly depend on trust in our personal lives.  Even though that trust
may turn out to be misplaced in particular instances, this doesn't change
the fact that trust is fundamental to getting virtually anything done in our
modern world.

And trust isn't only a concept for individuals.  Just as we trust our
friends and lovers—whose inner thoughts we can never truly know for sure
-- we need to make decisions about trust related to technology as well.

The fact that we can't know everything about every aspect of cloud computing
services is ultimately just another nuance of the same sort of necessarily
incomplete information with which we make every other trust decision in our

Ultimately, if you trust that a provider of cloud computing services is of
good ethical standing, will defend your privacy rights against unreasonable
intrusions, and provides services with a degree of security and reliability
that you consider to be acceptable—especially in contrast to what you can
and do provide locally on your own machines, then an inability to personally
inspect every aspect of operations in the cloud should not be an automatic
deterrent to its use.

Technical and standards advances are making the cloud even more attractive.
For example, Open Source cloud standards ( [*The New
York Times*]) and efforts such as Google's "Data Liberation Front"
( [Google Data Liberation]) provide increasing levels of
transparency and data portability.

There are many factors to take into account when choosing cloud
services—just as there are in the process of making bosom buddies.
There are no absolute guarantees—there are always risks in life, both
today and tomorrow.  But the various aspects of trust are key in both
cases, and trust is possible without total knowledge of and control
over the other parties involved.

Like love, trust makes the world go 'round.

Lauren Weinstein (
PFIR (People For Internet Responsibility):
NNSquad (Network Neutrality Squad): +1 (818) 225-2800

Winning on points

Amos Shapir <>
Tue, 20 Jul 2010 18:26:21 +0300

This interesting article has recently been published in the daily Haaretz
paper in Israel:

  "An increasing number of complaints of abuse during the interrogation of
  Palestinians from the Hebron area can apparently be traced to a computer
  program that grades police performance. An investigative report on the
  digitization of evil."

Full story at:

Re: Con-Ed Nerve Center Fights to Keep Lights On (Goldberg, R-26.10)

Steven Bellovin <>
Sun, 11 Jul 2010 22:05:23 -0400

Gabe Goldberg asks if the protocol that Con Ed uses to cycle thermostats is
secure.  I've never looked at that one, but a few years ago I evaluated an
Internet-connected thermostat I was contemplating installing in my house.
From a security perspective, it was very poorly designed, with many gaping
holes.  In fact, I use it as an example for some of my classes...

Steve Bellovin,

iPhone 4: "My cheek must have called you"

Mark Brader
Fri, 16 Jul 2010 17:55:00 -0400 (EDT)

It says here:
that iPhone 4 users are often finding that a touch-screen may not be the
best user interface for a device meant to be held next to the face in
normal use.  Accidental calls, accidental hangups, accidental muting in
the middle of a call, confusion all around.

[The URL I actually found the story at was

But Clive Feather pointed out to me recently that in these long news-media
URLs, often the part that just repeats the headline is ignored and it's the
numerical bit before or after it that actually selects the story.  I use
"anykey" as an allusion to "Where's the 'Any' key?", of course.

It occurs to me that for people who actually read URLs, this could be a
medium of deception.  You know, send someone a URL like[horrifying-situation]/19556328
and maybe they won't figure out what's happened.
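The pattern Mark Brader describes, shown as an added example (not code from any news site): a resolver that keys on the numeric id and ignores the slug will serve the same story for `/anykey/19556328` and `/horrifying-situation/19556328`, so the readable part of the URL can say anything. The stricter resolver compares the slug against the canonical one and redirects to it instead of serving the story under a false slug. The host, path layout and article table are constructed.

```python
"""Slug-ignoring URL resolution beside a slug-checking one. Added illustration;
the article table, host and path layout are constructed."""
import re
from typing import Optional, Tuple
from urllib.parse import urlparse

# Constructed article store: numeric id -> headline. The id is the one quoted in
# the post; the headline is made up.
ARTICLES = {
    19556328: "iPhone 4 users report accidental calls from touch-screen",
}

PATH_RE = re.compile(r"^/news/(?P<slug>[^/]+)/(?P<id>\d+)/?$")


def slugify(title: str) -> str:
    """Canonical slug: lowercase, runs of non-alphanumerics become one hyphen."""
    return re.sub(r"[^a-z0-9]+", "-", title.lower()).strip("-")


def resolve_loose(url: str) -> Optional[str]:
    """The common design: only the id selects the story, so the slug is never checked
    and whatever text the sender put there is 'accepted'."""
    m = PATH_RE.match(urlparse(url).path)
    if not m:
        return None
    return ARTICLES.get(int(m.group("id")))


def resolve_strict(url: str) -> Tuple[str, Optional[str]]:
    """Hardened: ('ok', title) only when the slug is canonical; otherwise
    ('redirect', canonical_path) so the real headline ends up in the address bar,
    or ('not_found', None)."""
    m = PATH_RE.match(urlparse(url).path)
    if not m:
        return ("not_found", None)
    art_id = int(m.group("id"))
    title = ARTICLES.get(art_id)
    if title is None:
        return ("not_found", None)
    canonical = slugify(title)
    if m.group("slug") != canonical:
        return ("redirect", f"/news/{canonical}/{art_id}")
    return ("ok", title)
```

The redirect (rather than a silent 200) is the point: a recipient who clicks a deceptive link still lands on a URL carrying the real headline.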

iPhone 4: Risks of relying on impressions (Re: RISKS-26.10)

Tim Bradshaw <>
Tue, 20 Jul 2010 16:15:06 +0100

There's been a huge amount of coverage of the notorious iPhone 4 signal
problems.  A large amount of this coverage (including the RISKS story)
includes reports of people saying that they have more dropped calls with the
new phone than the previous version.

But do they, really?  People are really very poor at making this kind of
judgment, especially in the presence of a tide of news stories reporting
the problems and generally dismissive of Apple's counterclaims.  Probably
the only people who could really know are the network operators, and even
then it may be very hard for them to be sure.

Of course, in this case this does not matter very much, but this sort of
unquestioning reliance on people's impressions is not really a good thing.
The end point of this is variously audiophiles paying thousands of dollars a
foot for depleted uranium cables with aligned protons, or the pervasive
belief in the UK that crime is rising out of control and terrorists are just
round every corner.

iPhone 4: Apple Knew of iPhone Antenna Glitch (Kane/Sheth)

Monty Solomon <>
Thu, 15 Jul 2010 19:22:38 -0400

Yukari Iwatani Kane and Niraj Sheth, Apple Knew of iPhone Antenna Glitch,
*Wall Street Journal*, GADGETS & GAMES, 15 Jul 2010

Chief Executive Steve Jobs's insistence on strict control of Apple
Inc.'s product-design process appears to have backfired with his new
iPhone 4, leading the company to overrule internal concerns about
antenna reception and to deny carriers adequate time to test the
phone before selling it.

Apple's iPhone 4 has been dogged by reports of antenna-reception problems
since its launch last month. The company has called a news conference to
discuss the issue Friday. Apple doesn't plan to recall the phone, a person
familiar with the matter said.

Apple engineers were aware of the risks associated with the new antenna
design as early as a year ago, but Mr. Jobs liked the design so much that
Apple went ahead with its development, said a person familiar with the

The electronics giant kept such a shroud of secrecy over the iPhone 4's
development that the device didn't get the kind of real-world testing that
would have exposed such problems in phones by other manufacturers, said
people familiar with the matter.

The iPhones Apple sends to its carrier partners for testing are "stealth"
phones that disguise a new device's shape and some of its functions, people
familiar with the matter said. Those test phones are specifically designed
so the phone can't be touched, which made it hard to catch the iPhone 4's
antenna problem. ...

The iPhone 4 Redux (Klug/Shimpi)

Monty Solomon <>
Thu, 15 Jul 2010 19:22:38 -0400

Brian Klug & Anand Lal Shimpi, The iPhone 4 Redux: Analyzing Apple's iOS
4.0.1 Signal Fix & Antenna Issue anandtech, 15 Jul 2010

The iPhone 4's antenna design has come under considerable scrutiny. In our
iPhone 4 review, we investigated the iPhone 4 antenna and came to two
conclusions. First, that iOS 4 was displaying signal bars in an overly
optimistic manner, compressing the dynamic range of possible signal bars
users can see.  Second, we identified a worst case signal drop of around 24
dBm when the iPhone 4 is cupped tightly in the left hand, covering the black
strip and possibly detuning the antennas and adding additional attenuation
from the presence of the hand.

Since those initial measurements, we've been working tirelessly to both
characterize the problem, fully understand the mechanisms behind it, and
report on a number of possible solutions.  ...

Re: Cal payroll data system cannot be changed ... (RISKS-26.10)

Al MacIntyre <>
Sat, 10 Jul 2010 23:04:56 -0500

A system designed in the 1950's would have to have been either for mainframe
or punched cards or punched paper, but by 1970 redesign, data base
technology was available on IBM mini-computers which I programmed in the
1960's.  We did not have to read all records, because the master index file
constructs, and many transactions for that index, were in fact available by
the 1960's, but not from all the computer manufacturers.  I first saw "read
all records" mentality in the 1980's.  It had been popular in communities
that had limited storage, but unlimited time to process data, at a time when
computing power was much more expensive than people power, but that
trade-off had now gone in opposite direction, so I did many conversions from
that mentality, in the 1980's, to valuing people time instead.  Typically,
until the 1960's, people would deliver their wants to a data processing
center, then get their results back a week later from the computer
department, and that was considered normal.  But with the advent of
mini-computers, people had a TV screen to access data from hard disk, and it
was no longer acceptable to wait a week for results.  We now had the notion
of "sub-second" response time, because companies did not want their
employees staring out the window for 15 minutes at a time, waiting for the
computer to respond with answers.

A major problem with "read all records" designs was that individual records
would not have unique identification such as employee #.  We could have a
record that pointed at a record, that pointed at a record, which ... for a
string of 1,000 records, all of which must be read to find all the data
needed, which might actually be contained within 10 of the records actually
read, and if there was a crash of any kind while in midst of updating, we
had to go back to last backup and reprocess all transactions since then.
The logic for this was to save on disk space, by excluding the redundancy of
key index data that the programs could match on, but then every record had
to have all those pointers to other records, which ate more disk space than
what was being excluded.  As the cost of disk space dropped, and cost of
humans increased to exceed the computer resources, it became a standard at
least in the 1970's on business mainframes and mini-computers, to use some
kind of relational data base structure (although it was not called that
then), so that needed records could be accessed with no more than 2 disk
reads: access the index for a file, which has the key you are looking for, and where on
disk that is located, then read the actual record needed.

A system re-designed in the 1970's would have been when the micro computer
was emerging in the hobbyist market, so it is unlikely California's payroll
system is running on PC servers.  Maybe it is Unix-based.  If the payroll
system cannot be changed, it is more probably because it is written in a
programming language unknown to off-shore outsourced programmers, or the
documentation has been thrown away, not that it is impossible to reprogram.

I cannot believe that employee salaries have not been changed since the
1970's.  There must be a way to do that.  I can certainly believe that with
management turnover, no current employee knows how to do that.

  Allowing one's computer to be unprotected, while connected to the
  Internet, can be compared to owning a handgun and putting it out on your
  doorstep every night, in case a passing robber might be in need of one.
  Unfortunately millions of people are doing exactly that, while thousands
  of them do so through networks of companies and government agencies that
  they manage.

  [My friend Bob Speth found an earlier article on the CA payroll system.

from the Yahoo News article:
  "Absent ... completion of the state's payroll system overhaul"

I wonder how much of the "overhaul" remains. <>
articles/100010  Jun 27, 2006, News Report

  SAP will provide software, five years of maintenance, and will train state
  employees to run the software. BearingPoint will adapt SAP's software and
  implement it among the state's various agencies.  The system will go
  online in November 2007. Full implementation is expected by June 2009.

So the question is: "What happened to the SAP and BearingPoint project?"

SAP is not antique architecture, but pretty close to state-of-art.  The main
problem I have seen with large ERP systems designed for multiple tasks is
that sometimes payroll updates to meet new government rules are delivered
after government deadlines, so they require high levels of extra
maintenance, to meet the deadlines, then merge in the patches.

Could it be that to save $$$, the state did not pay for needed hardware,
maintenance or training?

Re: Cal payroll data system cannot be changed ... (RISKS-26.10)

Kelly Bert Manning
Tue, 13 Jul 2010 22:07:37 -0400 (EDT)

I am trying to connect the dots on how we can make the logical leap from the
story to this being a sequential versus direct access issue.

Perhaps this is an illustration of the Risk of making assumptions.

A few years ago the top half of the back cover page of the Vancouver Sun
Business Section had a large point headline story about the vast majority of
British Columbia Public Sector employees still waiting for their Income Tax
return forms, just 2 weeks before the penalty date for late filing.

Sequential files had nothing to do with that. A major payroll application
had just been converted to Oracle on Open System Servers from IMS and DB2 on
a mainframe.

Six weeks after the Statutory Deadline for providing forms for Employees the
BC Government had still not been able to print even a fraction of them.

My money is on someone not knowing how to optimize SQL or Indexes being
responsible for that one.

I also suspect it was a case of someone assuming that the latest and
greatest DB software would spare them such trivia as access path analysis
or Query tracing and tuning.

While 1950s mainframes didn't have database management systems,
IMS DB / DC and ISAM go back to the 1960s.
