The RISKS Digest

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Volume 26 Issue 27

Friday 31 December 2010


Snowstorm plus phone problems beset fliers
Chase/McMahon via Monty Solomon
US pilot 'probed over YouTube videos of airport lapses'
Amos Shapir
Car immobilisers easily circumvented by crafty carjackers
Gabe Goldberg
New drug law will track more prescriptions
Favot/Hailey via Monty Solomon
Is reading wife's e-mail a crime? Rochester Hills man faces trial
L.L. Brasier via Monty Solomon
Flaws in Tor anonymizer network
Lauren Weinstein
Banks' Reaction to Broken-Chip-and-PIN is Broken
Peter Bernard Ladkin
The Gawker hack: how a million passwords were lost
Joseph Bonneau via Monty Solomon
Gawker tech boss admits site security was crap
Gabe Goldberg
Why You May Want to Avoid Non-ASCII Characters in Your Passwords
F.John Reinke
When it comes to the cloud, fight it... or join it?
Jeremy Epstein
Re: WikiLeaks
Amos Shapir
Cryptographers Chosen to Duke It Out in Final Fight
ACM technews
RISKS of reusing ID numbers
Geoff Kuenning
$15 phone, 3 minutes all that's needed to eavesdrop on GSM call
Jon Borland via Monty Solomon
Re: A Pinpoint Beam Strays Invisibly, Harming Instead of Healing
Hal Murray
Re: Radiation Machines Overdosing Again
Stanley F. Quayle
Barry Gold
Re: FCC Acts to Preserve Internet Freedom and Openness
Michael Smith
Re: Google Maps vs. USPS in Wisconsin
Everett W. Howe
WikiLeaks, Secrets, and Lies - and a new book!
Simon Chesterman
Info on RISKS (comp.risks)

Snowstorm plus phone problems beset fliers

Monty Solomon <>
Wed, 29 Dec 2010 12:24:39 -0500

Katie Johnston Chase and Alexa McMahon, Phone jam-ups stymie fliers;
Airlines unable to handle calls after snowstorm, *The Boston Globe*,
29 Dec 2010  [typo fixed in archive]

As airlines were scrambling to get flight schedules back to normal
yesterday, stranded travelers were struggling to reach them, sometimes being
left on hold for more than an hour - or worse, disconnected from the call.

Cali Archon of Portsmouth, N.H., tried calling JetBlue Airways for four
hours yesterday morning to rebook her 15-year-old daughter's flight to Fort
Lauderdale, Fla. But each time, after about five minutes of recorded
messages, the system told her: "Please try back at a later time. We are
doing the best we can to manage our call volumes at this time. This call
will end now."

And then it did. ...

US pilot 'probed over YouTube videos of airport lapses'

Amos Shapir <>
Sun, 26 Dec 2010 16:46:12 +0200

This is a classical tale of Shoot the Messenger.  As we all know, TSA's
security is perfect; anyone claiming otherwise is therefore a Terrorist and
would be treated as such.

Full story at (i.a.):

Car immobilisers easily circumvented by crafty carjackers

Gabe Goldberg <>
Sat, 25 Dec 2010 11:06:17 -0500

Nothing weaker than 128-bit AES is considered sufficient protection for
e-commerce transactions, but car manufacturers are still using proprietary
40-bit and 48-bit encryption protocols that are vulnerable to brute force
attacks. Worse still, one unnamed manufacturer used the Vehicle
Identification Number (VIN) as the "secret" key for the immobiliser.

New drug law will track more prescriptions (Favot/Hailey)

Monty Solomon <>
Thu, 30 Dec 2010 15:14:15 -0500

[Source: Sarah Favot and Caroline Hailey, New drug law will track more
prescriptions, *MetroWest Daily News*, 26 Dec 2010; long item PGN-ed]

Massachusetts residents face a new routine when they pick up certain
prescription drugs at the pharmacy on 1 Jan 2011.  Under a law passed last
summer, they will have to show a driver's license or another approved ID
before the druggist can give them prescriptions ranging from addictive
opiates to certain medicines for diarrhea. Their purchases will be recorded
in a massive database that will include their names, addresses and the kinds
and amount of pills they take.

The goal of the law is to combat the growing problem of prescription drug
abuse, particularly among teens and young adults. According to one federal
survey, Massachusetts ranked 8th among those 18-to-25 who have used drugs
not prescribed to them.

Mass State Rep. Harriet Stanley: "This bill is a great example of how costs
increase without you realizing. We thought we had a grip, but we have to
re-look at it this session."

Is reading wife's e-mail a crime? Rochester Hills man faces trial

Monty Solomon <>
Wed, 29 Dec 2010 02:08:15 -0500

[Source: L.L. BRASIER, *Free Press*, 26 Dec 2010]

A Rochester Hills man faces up to 5 years in prison—for reading his
wife's e-mail.  Oakland County prosecutors, relying on a Michigan statute
typically used to prosecute crimes such as identity theft or stealing trade
secrets, have charged Leon Walker, 33, with a felony after he logged onto a
laptop in the home he shared with his wife, Clara Walker.  Using her
password, he accessed her Gmail account and learned she was having an
affair. He now is facing a Feb. 7 trial. She filed for divorce, which was
finalized earlier this month.

Legal experts say it's the first time the statute has been used in a
domestic case, and it might be hard to prove ...

Flaws in Tor anonymizer network

Lauren Weinstein <>
Tue, 28 Dec 2010 07:57:03 -0800

  [Network Neutrality Squad]  (ars technica)

Banks' Reaction to Broken-Chip-and-PIN is Broken

Peter Bernard Ladkin <>
Tue, 28 Dec 2010 13:27:48 +0100

The UK Card Association, which represents organisations who offer
financial-card transactions in the UK, has written to the University of
Cambridge,
asking it not to publish on the WWW some work by Omar Choudary on breaking
the Chip-and-PIN protocol used on most bank cards, debit cards, and credit
cards. Reported in The Independent newspaper:
and on Ross Anderson's Security Group blog. Choudary's short blog post describing
his work is at

The public knowledge that Chip-and-PIN is broken is almost a year old. It
was reported in German trade publications at the beginning of February 2010,
for example
(in German). The original work won a Best Paper award at the IEEE Symposium
on Security and Privacy in May 2010.

Apparently the banks have had about a year to fix a broken protocol and
haven't managed to promulgate one. So now their associations are writing to
people to ask them not to publish. That process has been known to be broken
for far longer than Chip-and-PIN.

On the other hand, maybe the banks shouldn't worry too much about word
getting around. I received in October a letter from American Express saying
that, with their new cards issued in January 2011, rather than just
signature on a transaction, they are introducing Chip-and-PIN "so you are
better protected from card abuse". Hadn't they heard?

Peter Bernard Ladkin, Causalis Limited and University of Bielefeld

The Gawker hack: how a million passwords were lost (Joseph Bonneau)

Monty Solomon <>
Sun, 26 Dec 2010 11:54:14 -0500

Joseph Bonneau, Lightbluetouchpaper, 15 Dec 2010

Almost a year to the date after the landmark RockYou password hack, we have
seen another large password breach, this time of Gawker Media. While an
order of magnitude smaller, it's still probably the second largest public
compromise of a website's password file, and in many ways it's a more
interesting case than RockYou. The story quickly made it to the mainstream
press, but the reported details are vague and often wrong. I've obtained a
copy of the data (which remains generally available, though Gawker is
attempting to block listing of the torrent files) so I'll try to clarify the
details of the leak and Gawker's password implementation (gleaned mostly
from the readme file provided with the leaked data and from reverse
engineering MySQL dumps). I'll discuss the actual password dataset in a
future post.  ...

Gawker tech boss admits site security was crap

Gabe Goldberg <>
Sat, 25 Dec 2010 11:09:26 -0500

Gawker Media plans to overhaul its web infrastructure and require employees
to use two-factor authentication when accessing sensitive documents stored
online, following an embarrassing attack that completely rooted the
publisher's servers.

Why You May Want to Avoid Non-ASCII Characters in Your Passwords

"fj@rcc" <>
Thu, 30 Dec 2010 19:17:27 -0500

I think these folks misunderstand the concept of "security". The clout comes
from "three strikes and you're locked out". Who cares what character the User
uses? And, limiting its length, specifying a character set, limiting the
character set, or creating other hurdles is downright dumb. Especially when
teamed up with an unlimited number of mistakes.  More and more people are
relying on "password memorize-ers" like Roboform, KeePass, or
LastPass. Seriously, when are folks going to realize how "Julius Caesar-ish"
passwords alone are. Argh!

F.John Reinke, Kendall Park, NJ 08824,

> It does not affect most of our users - If you are not using non-Latin
> characters for your password, there is nothing to do (see wikipedia
> <> for more information on the characters
> that are not affected - US-ASCII). *If you do use characters that are
> non-Latin, you should reset your password to ensure it is updated to fully
> support these special characters.*

> Tom also notes that, to help address the problem, "when a person logs
> in with a non-ascii char in password, we prompt them to reset." Read
> up for more details at Gawker Tech.

When it comes to the cloud, fight it... or join it?

Jeremy Epstein <>
Thu, 23 Dec 2010 09:39:23 -0500

The US Veterans Administration has discovered that its employees in at least
9 hospitals were using commercial providers like Google and Yahoo to store
and share patient information in calendars and other documents, in violation
of VA policies.  The VA CIO says this shows that they need to make more
cloud services available to employees, lest the employees bypass official
systems in favor of commercial systems which do not have the same level of
protection.  (Let's ignore for a moment the assumption that VA systems *are*
any more secure.)

I'm ambivalent about this - on the one hand, just because the service is
available commercially doesn't mean that it should be provided to everyone
in an organization like a VA hospital.  On the other hand, it's pretty clear
that people will bypass security systems if they don't provide adequate
capabilities.  So the security organization is in a difficult position of
what to provide.

There seems a pretty clear parallel to multilevel secure systems—if it's
too hard to move data from classified to unclassified systems, people will
figure out ways around it (cf Wikileaks).  But does that mean we should
allow easy interconnection and data movement?

Re: WikiLeaks (RISKS-26.25)

Amos Shapir <>
Tue, 21 Dec 2010 17:57:25 +0200

> PGN: The resilience of WikiLeaks despite attempts to shut it down is a
> testament to the extreme difficulty governments face in their attempts to
> control the Internet.]

Unfortunately, rejoicing (in this article as well as the previous one about
the inclusion of email within 4th Amendment protection) is premature.  IMHO
the WikiLeaks affair only shows that authorities had not caught up with the
Internet yet; but considering China as a case in point, the future looks
rather bleak.

Just as it is now impossible to drive a car legally on public roads anywhere
in the world without having registered both the vehicle and driver with the
authorities first, the situation in cyberspace is going to gravitate towards
the same level of control.  We all connect through a rather small number of
ISP's, all of whom depend on governments in many ways, and must obey local
laws and regulations.

Once legislators and regulators catch up, sites like WikiLeaks would suffer
the same fate as women driving in Saudi Arabia.  I'm afraid that this is
going to happen sooner than anyone dares to predict.

  [I don't think I was rejoicing!  However, I think the WikiLeaks situation
  has enormous impacts all around—on the government security policies
  relying on untrustworthy systems, overclassification, etc., and on
  ubiquitous losses of personal privacy for everyone else, for starters.
  The problems exposed here are literally enormous.  PGN]

Cryptographers Chosen to Duke It Out in Final Fight

Wed, 15 Dec 2010 11:28:17 -0500

ACM TechNews, Wednesday, December 15, 2010
Read the TechNews Online at:
This service may be reproduced for internal distribution.

  [RISKS is sponsored by ACM, and therefore I consider RISKS internal to our
  subscribers.  Please treat this accordingly.  PGN]

Cryptographers Chosen to Duke It Out in Final Fight
New Scientist (12/13/10) Celeste Biever

The U.S. National Institute of Standards and Technology (NIST) has selected
five Secure Hash Algorithm (SHA-3) entrants as finalists for its competition
to find a replacement for the gold-standard security algorithm.  The
finalists include BLAKE, devised by a team led by Jean-Philippe Aumasson of
the Swiss company Nagravision, and Skein, which is the work of computer
security expert and blogger Bruce Schneier.  "We picked five finalists that
seemed to have the best combination of confidence in the security of the
algorithm and their performance on a wide range of platforms" such as
desktop computers and servers, says NIST's William Burr.  "We wanted a set
of finalists that were different internally, so that a new attack would be
less likely to damage all of them, just as biological diversity makes it
less likely that a single disease can wipe out all the members of a
species."  The finalists incorporate new design ideas that have arisen in
recent years.  The Keccak algorithm from a team led by STMicroelectronics'
Guido Bertoni uses a novel idea called sponge hash construction to produce a
final string of 1s and 0s.  The teams have until Jan. 16, 2011, to tweak
their algorithms, then an international community of cryptanalysts will
spend a year looking for weaknesses.  NIST will pick a winner in 2012.

RISKS of reusing ID numbers

Geoff Kuenning <>
Sun, 12 Dec 2010 00:14:16 +1300

I recently (a few days ago) purchased an item from the Apple Store as a
Christmas present.  Quite soon, I received an e-mail telling me that it had
been shipped and giving a 9-digit tracking number.

I immediately clicked on the appropriate link, only to learn that my item
had apparently been shipped from Dubai on September 16th and delivered to
Sofia on September 21st.

Hmmm...that didn't seem quite right.

24 hours later, the same Web page listed the tracking number twice,
giving both the Dubai shipment and my own.

With a billion numbers to choose from, WHY are they recycling them so
quickly?  Do they have a clumsy auto-generation algorithm?  If so, the
RISKS are additional and glaringly obvious.

    Geoff Kuenning
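
Added example, not part of Geoff Kuenning's post and not any carrier's code: if 9-digit tracking numbers were drawn at random (one possible "clumsy auto-generation algorithm"; the real scheme is not known), the birthday bound puts a repeat at even odds after roughly 37,000 shipments, and a simple check over an issuance log flags reuse inside a retention window. The sample log, its ID values, the December date and the 365-day window are constructed assumptions.

```python
import math
import random
from datetime import date

ID_SPACE = 10**9  # nine decimal digits, as in the post


def collision_probability(n_issued, space=ID_SPACE):
    """P(at least one repeat) when n_issued IDs are drawn uniformly at random.

    Standard birthday approximation: 1 - exp(-n(n-1) / (2 * space)).
    """
    return 1.0 - math.exp(-n_issued * (n_issued - 1) / (2.0 * space))


def issued_until(p, space=ID_SPACE):
    """Smallest number of random IDs whose collision probability reaches p."""
    n = int(math.sqrt(2.0 * space * math.log(1.0 / (1.0 - p))))
    while collision_probability(n, space) < p:
        n += 1
    return n


def first_repeat_random(rng, space=ID_SPACE):
    """Simulate random allocation; return the draw count at the first repeat."""
    seen = set()
    while True:
        candidate = rng.randrange(space)
        if candidate in seen:
            return len(seen) + 1
        seen.add(candidate)


def reused_too_soon(shipments, min_gap_days):
    """Return (id, previous_date, new_date) for IDs reissued too early.

    shipments: iterable of (tracking_id, ship_date) in any order.
    min_gap_days: assumed retention window during which an ID must stay unique.
    """
    last_seen = {}
    flagged = []
    for tracking_id, shipped in sorted(shipments, key=lambda s: s[1]):
        previous = last_seen.get(tracking_id)
        if previous is not None and (shipped - previous).days < min_gap_days:
            flagged.append((tracking_id, previous, shipped))
        last_seen[tracking_id] = shipped
    return flagged


# Constructed sample log: ID values are made up; the September date follows
# the post, the December date is an assumed "a few days ago".
SAMPLE_LOG = [
    ("123456789", date(2010, 9, 16)),   # earlier shipment (Dubai to Sofia)
    ("555000111", date(2010, 11, 2)),
    ("123456789", date(2010, 12, 9)),   # same number reissued for a new order
]

if __name__ == "__main__":
    # random.Random is used only to make the simulation repeatable.
    print("P(repeat) after 10,000 random IDs:",
          round(collision_probability(10_000), 3))
    print("IDs issued for a 50% chance of a repeat:", issued_until(0.5))
    print("simulated first repeat:", first_repeat_random(random.Random(2010)))
    print("reused within 365 days:", reused_too_soon(SAMPLE_LOG, 365))
```

A sequential counter over the same space would not repeat until all 10**9 values had been issued, which is why early reuse points at the allocation scheme rather than at the size of the number.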

$15 phone, 3 minutes all that's needed to eavesdrop on GSM call

Monty Solomon <>
Wed, 29 Dec 2010 16:39:31 -0500
  (Jon Borland)

[Source: Jon Borland,]

Speaking at the Chaos Computer Club (CCC) Congress in Berlin on Tuesday, a
pair of researchers demonstrated a start-to-finish means of eavesdropping on
encrypted GSM cellphone calls and text messages, using only four sub-$15
telephones as network "sniffers," a laptop computer, and a variety of open
source software.

While such capabilities have long been available to law enforcement with the
resources to buy a powerful network-sniffing device for more than $50,000
(remember The Wire?), the pieced-together hack takes advantage of security
flaws and shortcuts in the GSM network operators' technology and operations
to put the power within the reach of almost any motivated tech-savvy
programmer. ...

Re: A Pinpoint Beam Strays Invisibly, Harming Instead of Healing

Hal Murray <>
Tue, 28 Dec 2010 21:51:42 -0800

Re: Radiation Machines Overdosing Again (Ladkin, RISKS-26.26)

The initial accident report offered few details, except to say that an
unidentified hospital had administered radiation overdoses to three patients
during identical medical procedures.

It was not until many months later that the full import of what had happened
in the hospital last year began to surface in urgent nationwide warnings,
which advised doctors to be extra vigilant when using a particular device
that delivers high-intensity, pinpoint radiation to vulnerable parts of the

Re: Radiation Machines Overdosing Again (Ladkin, RISKS-26.26)

"Stanley F. Quayle" <>
Thu, 30 Dec 2010 14:10:27 -0500

> To adopt the de facto standard set by the aviation industry, that some set
> party is deemed liable (in aviation: the airline) and pays compensation?

It might work differently elsewhere, but here in the USA, the "standard"
is to sue everyone: the manufacturer, the airline, the FAA, the pilots,
all the way down to the mechanics that last touched the airplane.

> Isn't it about time that professional engineering bodies took a public stand
> that such events are avoidable and should be avoided?

Most engineering bodies have a code of ethics that includes something
similar to:

  Engineers, in the fulfillment of their professional duties, shall:
  Hold paramount the safety, health, and welfare of the public.

These devices may not have been created by licensed professional engineers.
Most states in the USA allow design and manufacture of equipment without a
license, as long as it is not something like a bridge, dam, or road.  (This is
called the "industrial exemption".)

Stanley F. Quayle, P.E. N8SQ  Quayle Consulting Inc.  +1 614-868-1363
8572 North Spring Ct., Pickerington, OH  43147  USA

Re: Radiation Machines Overdosing Again (Ladkin, RISKS-26.26)

Barry Gold <>
Wed, 29 Dec 2010 22:24:53 -0800

> What is there about medical accidents which lets everyone be comparatively
> so complacent about them compared with other walks of life such as
> transportation?

Well, there are a couple of differences.

1. When an airliner crashes, it kills many people.  Big splashy headlines.
That's why the terrorists keep trying for airliners.  They could blow up a
bus, but a bus holds, what? 40 people?  Even a 737 holds 130 people.  A
mid-sized craft like the DC-8 holds over 250, and the 747 can seat over 500.
When there is "operator error" on a medical device, it kills one person.
All told, maybe a dozen people die before the normal checks built into our
hospital & clinic system(*) detect that something is wrong and take
countermeasures: replacing the device, special warnings, whatever it takes.

So a medical device failure just isn't as exciting as an airliner crashing.

2. Harm should be balanced against good.  Let's say you have a choice: you
can build a device and get it out the door in 6 months, or you can adopt
standards equivalent to those used for EAL-7 in the security community, and
get it out five years from now.  How many people will die of cancer or other
treatable diseases during those 4.5 years?  If you kill 5 people with
accidental overdoses, and save 20, aren't you ahead?

[Yeah, I know, but what if I'm one of the 5?  True, but I never know in
advance whether I'll be one of the 5, or one of the 20.  Overall, I'll take
those odds when I have an otherwise fatal—or debilitating—disease.]


> Isn't it about time that professional engineering bodies took a public stand
> that such events are avoidable and should be avoided? That devices prone to
> accidents through "operator error" should be taken off the market and
> redesigned? To adopt the de facto standard set by the aviation industry,
> that some set party is deemed liable (in aviation: the airline) and pays
> compensation? (Obvious candidates here would be the manufacturer or the
> hospital; one would then leave it to the insurance industry to negotiate
> contributory payments from other parties, as insurance usually does.)

AFAIK that already happens.  You can bet that every one of the patients
killed (or injured) by an accidental overdose has received compensation, or
soon will.  Does it really make a difference if the initial payer is a
hospital/clinic whose employee "misused" the device, or the manufacturer?
Either way, the insurance industry will sort out who pays how much.

One thing to consider: it is impossible to make something foolproof, because
fools are so ingenious.  I'm reminded of a news story I read a couple of
decades back:

  A nuclear sub came limping into port with inadequate power.  Technicians
  came on board to see what was wrong, and found that one of the engines was
  installed upside down (and hence, wasn't producing much power, if any).
  Now... the engineers who designed the engine knew that it would be
  installed by average Navy seamen—which is to say, people with an IQ of
  around 100.  Not total dummies, but not especially smart either.  So they
  built it in the shape of a trapezoid: the top and bottom were of different
  widths.  And the space it was installed into was similarly shaped.

That didn't stop the installers.  When it wouldn't fit, they just used a
bigger hammer.

So yes, it would be nice if life-critical systems had better failure modes
and were less subject to operator error.  And in some cases, yes, the
manufacturer could and should have anticipated that and taken appropriate
steps to prevent it.

*But* nothing is ever perfect.  And the perfect is the enemy of the good.

Re: FCC Acts to Preserve Internet Freedom and Openness (R-26.20)

Michael Smith <>
Thu, 30 Dec 2010 12:22:16 +1100

One objection I have heard is that the FCC is overreaching its authority.
Once the precedent is set, we can expect many more internet regulations from
the FCC.

There seems to be an increase in the phenomenon of statutory bodies
unilaterally extending their powers to cover areas that are too contentious
for Congress to tackle.

Re: Google Maps vs. USPS in Wisconsin

"Everett W. Howe" <>
Wed, 29 Dec 2010 17:16:16 -0800

You can have all kinds of good clean fun looking to see what Google Maps
does with abbreviations.  For instance, the streets in the neighborhood just
south of

  Twin Trails Neighborhood Park, San Diego, CA

(Google maps link here: ) have Western-themed names, like

  Cayote Ave
  Sundance Ave
  Cavalry Ct
  Trail Dust Ave
  Old West Ave

and so forth.  But Google Maps thinks that all instances of the word "West" should be abbreviated, so "Old West Ave" is marked as "Old W Ave".

Everett Howe, Center for Communications Research, 4320 Westerra Court
San Diego, CA 92121

WikiLeaks, Secrets, and Lies - and a new book!

Simon Chesterman <>
Thu, Dec 2, 2010 at 10:24 PM

*One Nation Under Surveillance: A New Social Contract to Defend Freedom
Without Sacrificing Liberty* (Oxford University Press, 2011) examines what
limits—if any—should be placed on a government's efforts to spy on
its citizens in the name of national security.

The Web site also has links to two op-eds discussing current issues in the
debates over security, privacy, and the work of intelligence services.

The first, being distributed through *Project Syndicate*, considers the
recent WikiLeaks revelations. The perverse consequence of this guerrilla
transparency will in fact be greater secrecy, worse decision-making, and
less accountability in the United States and elsewhere.

The second, published in the global edition of the *New York Times*, looks
at the reviews of data protection laws in the United States and Europe
presently underway—and shows why privacy will lose out.

Simon Chesterman, Vice Dean (Graduate Studies), NUS Law School, Global
Professor & Director, NYU School of Law Singapore Programme, 469G Bukit
Timah Road, Singapore 259776
