The RISKS Digest
Volume 26 Issue 16

Friday, 17th September 2010

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator



Virginia state govt computer outage, a silver lining, & a new risk
Jeremy Epstein
2008 Attack on Military Computers Is Confirmed
Brian Knowlton via PGN
Pentagon computers attacked with flash drive
Jim Reisert
American Express: big oops!
Tony Lima
Intel Confirms HDCP Master Key for Blu-ray Is Real
Lindsey Mastis via Richard Forno
New Facebook feature; Backfire to Come?
Gene Wirchenko
Hackers blind quantum cryptographers ...
Zeeya Merali via Monty Solomon
Hacking commercial quantum cryptography systems by tailored bright illumination
Lydersen et al. via Monty Solomon
Amazon strikes again: payphrase
Tony Lima
Bedbug rumors spread at speed of Twitter
Mark Brader
Epic failures: 11 infamous software bugs
Matt Lake
Re: Software glitches, systemic failure and airplane crashes
Peter Ladkin
Spanair crash revisited
Re: A Strong Password Isn't the Strongest Security
Curt Sampson
Re: Scary e-mail—invite from Facebook
Geoff Kuenning
Jeffrey Hunker: Failure of US cybersecurity policy, what to do
Info on RISKS (comp.risks)

Virginia state govt computer outage, a silver lining, & a new risk

Jeremy Epstein
Tue, 7 Sep 2010 22:12:02 -0400

Many parts of the Virginia state government suffered computer slowdowns and
outages ranging from days to weeks, apparently due to a redundant storage
device that had simultaneous failures.  Virginia DMV was particularly
hard-hit, being largely incapacitated for a week.  (And 4000 drivers who had
renewed their licenses just prior to the failure have to come back - the
photos stored on the server were lost, so they can't issue the licenses.)
And now a possibly silver lining: DMV has asked the state police not to
ticket anyone for driving with an expired license (*) if the license expired
between Aug 25 and Sep 30.  And the new risk (or advantage, depending on
your perspective): if you come in to get your license renewed "customers who
renew licenses prior to the revised expiration date will not be required to
provide documentation of their U. S. citizenship or legal presence in the

So if someone wants to get a license but isn't a legal resident, now is the
time to get it - while they're on sale!

[The governor has promised an independent examination of what caused the
spectacular failure.  I hope there will be technical experts, and not just
politicians, on the review board.]

(*) On the other hand, if you're in another state or country, will you get
off so easily - "honest officer, the DMV in my state was closed for a week,
so I couldn't renew my license, and they've given an automatic extension".

2008 Attack on Military Computers Is Confirmed (Brian Knowlton)

"Peter G. Neumann"
Wed, 25 Aug 2010 23:42:44 PDT

Brian Knowlton, *The New York Times*, 25 Aug 2010

Report begins: "A top Pentagon official has confirmed a previously
classified incident that he describes as 'the most significant breach of US
military computers ever,' a 2008 episode in which a foreign intelligence
agent used a flash drive to infect computers, including those used by the
Central Command in overseeing combat zones in Iraq and Afghanistan."

  [There was a somewhat similar quote from a top Pentagon official regarding
  the Cloverdale kids: the "most organized and systematic" attack
  (RISKS-19.60).  Neither quote seems to realistically capture the depth and
  extent of the overall problems.  PGN]

Pentagon computers attacked with flash drive

Jim Reisert AD1C
Wed, 25 Aug 2010 17:42:11 -0600

Pauline Jelinek, Associated Press

A foreign spy agency pulled off the most serious breach of Pentagon computer
networks ever by inserting a flash drive into a U.S. military laptop, a top
defense official said Wednesday.  The previously classified incident, which
took place in 2008 in the Middle East, was disclosed in a magazine article
by Deputy Defense Secretary William J. Lynn and released by the Pentagon
Wednesday.  He said a "malicious code" on the flash drive spread undetected
on both classified and unclassified Pentagon systems, "establishing what
amounted to a digital beachhead, from which data could be transferred to
servers under foreign control."

I guess you can refer to this as a "man on the inside" attack.

Jim Reisert AD1C

American Express: big oops!

Tony Lima
Fri, 17 Sep 2010 09:17:17 -0700

I tried to log on to the AmEx site this morning (17 Sep, 9:15 am, left coast
time).  The first page told me to click "reload."  I did.  Here is a small
part of what happened next.  Oops!
Prof. Tony Lima, Dept. of Economics, CSU, East Bay,  1-510-885-3889

<TITLE>American Express/Cards/We're Sorry -

        <!-- Global Nav Changes start By Siva  -->
        <!--Created by CMAX: Mon Jun 07 08:34:27 MST 2010
File: US_en_s_T1_DualRelationshipQuickWin.html DO NOT
MODIFY--><link rel="stylesheet"
type="text/css" media="all">
  [most of the rest of the html blather deleted by PGN]

   [<!-- Global Nav Changes start By Siva  -->

   "Siva" must have been the outsourced Indian deity having REVENGE.
   Webster gives us this:
     Etymology: Sanskrit Siva, 1788
     : the god of destruction and regeneration in the Hindu sacred triad

Intel Confirms HDCP Master Key for Blu-ray Is Real (Lindsey Mastis)

Richard Forno
September 16, 2010 6:52:42 PM EDT
  [From Dave Farber's IP distribution.  PGN-ed]

  [PGN prepends Lauren Weinstein had previously noted this item:
     HDCP/HDMI DRM master key reported cracked  (]

Tom Waldrop, a spokesman for Intel, confirms the HDCP Master Key for Blu-ray
released online, is real.  They have tested the code, and found it to work.
Waldrop says they believe the code was generated using a computer system,
and was not leaked by anyone internally. He says to rip Blu-rays using the
code, hardware would have to be created. He says it is costly and he
believes it is unlikely anyone will use it to rip Blu-rays.  Waldrop says
HDCP will continue to be used in Blu-ray discs and is still a secure way to
keep people from pirating the movies.  [Lindsey Mastis; PGN-ed]

New Facebook feature; Backfire to Come?

Gene Wirchenko
Tue, 07 Sep 2010 12:16:00 -0700

Robert McMillan, Spammers get the boot with Facebook's new remote logout
IT Business, 7 Sep 2010
  The social-networking company is rolling out a new security feature
  that lets users see which computers and devices are logged into their
  Facebook accounts, and allowing them to knock off spammers.

Why could a spammer using a stolen account not regularly monitor for other
logins under the account and knock them off?

Hackers blind quantum cryptographers ... (Zeeya Merali)

Monty Solomon
Sun, 29 Aug 2010 21:22:45 -0400

Zeeya Merali, Hackers blind quantum cryptographers;
Lasers crack commercial encryption systems, leaving no trace.
*Nature*, 29 Aug 2010 doi:10.1038/news.2010.436

Hacking commercial quantum cryptography systems by tailored bright illumination

Monty Solomon
Sun, 29 Aug 2010 21:28:13 -0400

Lars Lydersen, Carlos Wiechers, Christoffer Wittmann, Dominique Elser,
Johannes Skaar & Vadim Makarov, Hacking commercial quantum cryptography
systems by tailored bright illumination, *Nature Photonics*, online, 29 Aug
2010 | doi:10.1038/nphoton.2010.214


The peculiar properties of quantum mechanics allow two remote parties to
communicate a private, secret key, which is protected from eavesdropping by
the laws of physics. So-called quantum key distribution (QKD)
implementations always rely on detectors to measure the relevant quantum
property of single photons. Here we demonstrate experimentally that the
detectors in two commercially available QKD systems can be fully
remote-controlled using specially tailored bright illumination. This makes
it possible to tracelessly acquire the full secret key; we propose an
eavesdropping apparatus built from off-the-shelf components. The loophole is
likely to be present in most QKD systems using avalanche photodiodes to
detect single photons. We believe that our findings are crucial for
strengthening the security of practical QKD, by identifying and patching
technological deficiencies.

Amazon strikes again: payphrase

Tony Lima
Fri, 27 Aug 2010 13:33:29 -0700

I've previously written about putting someone else's packing slip
in the box with my order.  Yesterday I ordered a couple of books from them. has a new procedure that (supposedly) speeds up ordering.  You
enter a secret phrase and Amazon puts your order on the fast track to

The payphrase worked well until I got my e-mail receipt. The unencrypted
phrase was included with the message—in the subject line.  As soon as I
finish lunch I'm deleting that phrase from

RISKS?  Too obvious and numerous to list. - Tony Lima

Prof. Tony Lima, Dept. of Economics, CSU, East Bay,  (510) 885-3889

Bedbug rumors spread at speed of Twitter

Mark Brader
Wed, 1 Sep 2010 17:28:26 -0400 (EDT)

A few days ago a Toronto woman woke up with itchy spots after seeing a movie
at one of the city's larger cinemas.  As this is about to be a venue for the
Toronto International Film Festival, she was concerned about bedbugs and
contacted the management.  When she hadn't heard back after a couple of
days, she mentioned it to a friend—who proceeded to assert on Twitter
that the cinema *had* bedbugs.

The management, meanwhile, had had the place inspected and found no bedbugs,
and said so themselves on Twitter.  But when they made it clear that they
were taking the report seriously, this was promptly interpreted as
confirmation that there *were* bedbugs...

Mark Brader, Toronto, | "Fast, cheap, good: choose any two."

Epic failures: 11 infamous software bugs (Matt Lake)

"Peter G. Neumann"
Fri, 10 Sep 2010 20:55:50 PDT

  [Reported by Lauren Weinstein in Network Neutrality Squad]

Epic failures: 11 infamous software bugs  (Matt Lake, *Infoworld*)

Most of these bugs should be well-known to long-time RISKS readers:
  Mars Climate Orbiter doesn't orbit
  Mariner 1 five-minute flight
  Moth in the machine:  Debugging the origins of `bug' [Grace Hopper]
  Forty seconds of Ariane-8
  Pentium chips fail math [and more math bugs]
  Call waiting ... and waiting ... [the AT&T Martin Luther King Day fiasco]
  Windows Genuine Disadvantage
  Patriot missile mistiming
  Therac-25 Medical Accelerator disaster [multiple deaths]
  Multidata systems/Cobalt-80 overdoses
  Osprey aircraft choice
  End-of-the world bugs
  The bug that never was: Black Monday's dark secret [1987]

Matt includes 38 URLs for your convenience.  Also, see the risks archives
and my Illustrative Risks compendium index for background references.

Re: Software glitches, systemic failure and airplane crashes

Peter Bernard Ladkin
Thu, 09 Sep 2010 12:05:44 +0200
  (Wayner, RISKS-26.15)

In RISKS-26.15, Peter Wayner refers to the article
in *USA Today*, which claims to have shown

> Flaws in flight simulator training helped trigger some of the worst airline
> accidents in the past decade

and that

> More than half of the 522 fatalities in U.S. airline
> accidents since 2000 have been linked to problems with simulators

I like to think I keep well up to date with commercial aircraft accidents,
their analyses and causes, and am aware of simulator strengths and
weaknesses. This suggestion struck me as somewhat thin. But if one reads the
sentences literally, with their main verbs "helped trigger" and "have been
linked to", they do not speak of causes or causal factors. I can "help
trigger" an accident if some *USA Today* journalist is so enraged by reading
this note on his/her Blackberry that he/she runs a red light. And I can link
*USA Today* with whom I wish simply by mentioning them in the same sentence
in a RISKS note. I am sure the newspaper intends stronger links than this,
but it would be good to know what and how, and the article gives no
clue. The NTSB uses the words "probable cause" and "contributing factors" in
their conclusions and these terms have more precise meanings.

The article mentions three accidents: the 12 Nov 2001 American Airlines
Airbus A300-600 loss of control on climb-out from New York; the 20 Dec 2008
Continental Airlines Boeing 737-500 takeoff loss of directional control at
Denver; and the 12 Feb 2009 Colgan Air Bombardier Q400 loss of control on
approach to landing at Buffalo. The abstracts and links to the full reports
are, respectively, these:

I invite RISKS readers to take a quick look at these very short
synopses. These three accidents total 315 deaths and the *USA Today* article
does not say which other accidents it counts.

Only the Denver accident causes and factors specifically mention
simulators. The pilot flying lost directional control of the aircraft on the
runway during takeoff, because of very high gusting crosswinds. The gust
"exceeded the captain's training and experience", and according to the NTSB
he failed effectively to use rudder to control the aircraft in the gust. The
first contributing factor allows us to conclude that the crew did not
receive timely and accurate info on the actual wind strength and
direction. The second contributing factor is "inadequate crosswind training
in the airline industry due to deficient simulator wind gust modeling".

It is widely accepted in the industry that the most recurrent feature of
most large-airplane commercial air accidents worldwide in the last few years
has been loss of control. It used to be controlled flight into terrain, but
it is now widely accepted that the Ground Proximity Warning System (GPWS)
and its version Enhanced by terrain mapping using GPS and terrain maps
(EGPWS) have reduced the incidence of such accidents considerably (although
they still occur, as to an Airblue Airbus A321 on approach to Islamabad on
28 July, 2010 - see ).

The 2001 American Airlines accident was loss of control because of
structural failure: the vertical fin separated from the aircraft. The NTSB
found that the pilot flying had caused that separation by overstressing it
through "rudder reversal" control inputs; contributing were the rudder
control system design of Airbus, and American Airlines Advanced Aircraft
Maneuvering [sic] Program AAMP. The NTSB heard both that AAMP discussed use
of rudder to help recover from upsets, and that the FAA, Airbus and Boeing
had expressed concern about this in a letter to American Airlines four years
before. The pilot flying had been observed on a previous flight using rudder
to control unwanted aircraft movement from environmental disturbance, and
the captain on that flight, who gave evidence to the inquiry, had discussed
it with him then. I refer Risks readers interested in more to the report, as
well as to my paper:
The AAMP does involve simulator work, but a simulator cannot be known
accurately to represent what would happen during unusual piloting
rudder-reversal behavior because, well, until the accident nobody knew at
what point airframe structure would fail (it turned out to be some one-third
stronger than required by certification regulations)!

The pilot flying the Colgan Air accident aircraft reacted inappropriately to
a stall warning, by pulling on the stick, and holding it back against the
attempts of the automatic "stick pusher" system to push it forward. This
resulted in the aircraft stalling at low altitude. Pushing the stick forward
is the appropriate response. There was considerable discussion of the
pilot's aptitude, his level of awareness (relating to possible fatigue), and
his overall Q400 training at Colgan Air. The NTSB remarked on features of
that airline's training program, which of course involves simulator
work. But I don't think it would be appropriate to conclude that there is
anything much wrong with the simulators themselves.

Simulators do not necessarily accurately represent the behavior of aircraft
close to the "edge" of their "flight envelope", and they cannot be taken to
do so for flight outside the envelope.  Aerodynamicists study these "out of
envelope" characteristics by use of wind tunnel models, but actual aircraft
are not flown in flight test "out of envelope" except for certain restricted
manoeuvres prescribed in the certification regulations (such as flying at
"maximum operating airspeed" and initiating a 7.5 nose-down dive for 20
seconds, to mimic an overspeed excursion from cruise). For most "out of
envelope" flight, aerodynamicists can make very well-educated guesses (from
their wind-tunnel modeling) as to what might happen, but they are the first
people to say that they are not at all certain. Nobody goes out to
flight-test Boeing 747 aircraft in partially-inverted almost-vertical
semi-spins, such as what happened to a China Air Lines Boeing 747 over the
Pacific near San Francisco in 1985:

So there are limits to what simulators can achieve, and it is a matter for
research how much "out of envelope" behavior can be usefully and veridically
simulated. Since loss of control is now prominent amongst probable causal
factors of accidents, it seems to me obviously worthwhile to perform this
research. Where it will lead is anybody's guess, as with most
research. However, the NTSB's concern in the Denver report is with
situations that could be veridically modeled in flight simulators but
currently are not. That could be, and probably should be, fixed.

Peter Bernard Ladkin, Causalis Limited and University of Bielefeld,

Spanair crash revisited

"Peter G. Neumann"
Wed, 15 Sep 2010 15:41:23 PDT

By way of trying to keep RISKS content accurate, I have previously not
included in RISKS a lot of discussion relating a new report on the 2008
Spanair crash that killed all but 18 of 172 people aboard the plane.
Various people submitted and commented on the report that purportedly
claimed that a malware infection in the aircraft software was implicated in
the fatal Spanair plane crash because it had prevented three technical
problems from being detected.  More recently, this claim may have been the
result of a faulty translation from Spanish to English.  The cause is now
suspected to have been the pilot's failure to check flaps before takeoff.

  [I hesitate to suggest that the mistake might have been more obvious if
  the pilot's name had been Mal Ware.  But the flap that resulted over the
  misleading article was quite prolonged, until the subsequent rebuttal.]

Re: A Strong Password Isn't the Strongest Security (Stross, R-26.15)

Curt Sampson
Thu, 9 Sep 2010 16:59:58 +0900

On Sun, 5 Sep 2010 09:09:33 -0400, Monty Solomon
discussed Randall Stross' article in the 4 Sep 2010 New York Times, "A
Strong Password Isn't the Strongest Security." This included classic quotes
such as

  Make your password strong, with a unique jumble of letters, numbers and
  punctuation marks. But memorize it - never write it down. And, oh yes,
  change it every few months.

Just add the advice to use a different password for every account you use
(including websites) and you're all set never to be able to log in again.

As Monty correctly points out: "These instructions are supposed to protect
us. But they don't."

Now here I'm going to reiterate something probably everybody reading this
list is aware of: Stross has fallen into the classic security
misapprehension error: the idea either you're "secure" or you're not.  The
real question, as we all know, should be, "against what sort of attacks am I

Here I was going to make a few more notes directly contradicting Stross.
For example, I write down all of my web site passwords. Why? Because it's
more important, in my threat model, to have a different password for every
site than it is to be able to memorize them. (Not to mention the additional
bonus of being able to use 12-16 character passwords that contain both
cases, numbers and punctuation--at least where the web site admins allow me
to do so.)

But clearly I'm preaching to the converted in this forum, which made me
think for a moment, and realize the real problem, which we also probably all
know about: how do we educate "the rest of us" (i.e., those who are not good
risk managers and/or who don't have adequate domain knowledge) about how to
choose "good" passwords, or even what the definition of "good" is in any
particular circumstance?

Should somebody write *Passwords for Dummies* and distribute it widely for
free? Is that going to be too long? Will anybody but Rob Slade read it in
detail? How about a summary document? A FAQ? A campaign to chase down the
media when they publish articles such as Stross' and push for corrections
and pointers to good information?

I'm open to suggestions on this one. It's clearly something that, as
security professionals we should be trying to address, yet the evidence
appears to be that we've failed for at least a decade now. Is it
addressable? Is our lack of success here our fault or humanity's?

Curt Sampson  +81 90 7737 2974

Re: Scary e-mail—invite from Facebook (Lee, RISKS-26.15)

Geoff Kuenning
Thu, 09 Sep 2010 17:31:23 +1200

I think the answer is pretty simple: the other people involved uploaded
*their* address books to Facebook, and you were in them.

Many mail clients have what I consider a horrible misfeature: anybody you
correspond with is automatically added to your address book.  So your one
e-mail from John Smith permanently records you in his mail client; when he
uploaded his address list, Facebook now had the connection.

The obvious RISK of this design is that your privacy is dependent on
John Smith's decisions, not yours.  A secondary RISK, which I have
observed, is that typos and unwanted alternate e-mail addresses get put
into address books and are difficult or impossible to purge.  (When my
wife types "geoff", she gets several autocompletion addresses for me,
and had to be trained which one to use.)

Geoff Kuenning

  [Also noted by Dave Holland, who noted that "Ironically, giving one's
  Facebook password to a third party is against the Facebook terms of
  service..."  PGN]

Jeffrey Hunker: Failure of US cybersecurity policy, what to do

"Peter G. Neumann"
Fri, 10 Sep 2010 8:15:42 PDT

  [Jacket blurb]

Jeffrey Hunker, Creeping Failure: How We Broke the Internet and What We Can
Do to Fix It, McClelland, 2010

Like the burgeoning cities of the early Industrial Revolution, the Internet
is teeming with energy but also with new and previously unimagined dangers,
and lacking the technical and political infrastructure to deal with these
problems. In a world where change of our own making has led to unexpected
consequences, why have we failed, at our own peril, to address these

In *Creeping Failure: How We Broke the Internet and What We Can Do to Fix It*,
Hunker, drawing on his experience as a top expert in information
security, provides an entertaining and lucid account of the threats facing
the Internet, discusses the failure of the national cyber security policies
of the US, Canada, and the G-7, and puts forward thought provoking and
revolutionary proposals for how we could fix it. Hunker illustrates how
cyber security is an issue for everyone, and outlines new roles for
government and the private sector in devising a solution.

Hunker takes a close look at the 'creeping failures' that have kept us in a
state of cyber insecurity: how and why they happened, and most crucially how
they can be fixed. And he arrives at some stunning conclusions about the
dramatic measures that we will need to accomplish this.

*Creeping Failure* is a must read for anyone interested in current affairs
and the Internet because, in describing the challenges facing the cyber
world, it also describes the challenges and trade-offs we all face in
contemporary society.
