The RISKS Digest
Volume 26 Issue 40

Friday, 1st April 2011

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator



Appleplexy, Anyone?
Facebook introduces `enemies list' feature
Mark Thorson
Introducing Gmail Paper
Not an April Fool's case: Samsung Swansong becomes a Duck Call
The April Fool Turing Test
Rob Slade
Some risk-related issues after the earthquake
Chiaki Ishikawa
Speaking of the US radiation detectors, cough, cough
Danny Burstein
Railway signaling glitch strands commuters
Alex Farlie
Docklands 2009 rail accident report
Alex Farlie
Major UK Internet Outage
Martin Ward
Comodo compromise
FBI unable to break a code, asks for public help
Danny Burstein
India: system failure impedes voting on a constitutional amendment
A Girl's Nude Photo, and Altered Lives
Jan Hoffman via Monty Solomon
Info on RISKS (comp.risks)

Appleplexy, Anyone?

Peter G Neumann <>
01 Apr 2011 00:20:11 -0000

In a fascinating article in *The New York Times* Sunday News of the Week in
Review, 27 Mar 2011, Ben Zimmer (chairman of the American Dialect Society's
new-words committee) noted that Microsoft is suing Apple and Apple is suing
Amazon (over the use of `app store' and `Appstore', respectively).  Facebook
has filed trademarks on words like `like', `wall', `poke', `face', and
`book'.  I think the whole thing is app-alling.

But the wurst is yet to come.  I never sausage nonsense until I heard of the
formation of new company whose prospectus promises to remove undesired apps
and e-mail/Web-visible promotions for those apps from your sight.  This
company has the rather absurdly concatenated name of

which presumably wants to be known as GOOMBYA for short.  Perhaps GOOMBYA
can figure out how to get all the silly trademarks out of *my* face.

PGN (for a better wor(l)d)

Facebook introduces `enemies list' feature

Mark Thorson <>
1 Apr 2011 1:02:03 -0800

PALO ALTO, CA—Facebook today announced availability of a new feature, the
enemies list.  "This is the single most requested feature from our customer
base, and we always respond to our customers," said company spokesman Ronald
Ziegler.  "It's based on the old proverb, 'The enemy of my enemy is my
friend'," he added.  "When two people add the same third party to their
enemies lists, they automatically become Facebook friends."  In response to
a question, Ziegler said there is no corresponding function to automatically
add the friends of enemies to a user's enemies list.

Introducing Gmail Paper

Fri, 1 Apr 2011 13:18:23 +0800

"It's paper, plain and easy. I sometimes find myself wondering: what
will Google think of next? Cardboard?"

  [The Google website talks about automagically printing other stuff on the
  back of the page in red, bold, 36-point type, for your convenience.  PGN]

Not an April Fool's case: Samsung Swansong becomes a Duck Call

"Peter G. Neumann" <>
Wed, 30 Mar 2011 16:49:29 PDT

Risks of believing what you read?

1. Samsung reportedly admits installing keylogger software on their computers

2. Samsung "keylogger" believed to be false positive

    "Samsung has issued a statement saying that the finding is false. The
     statement says the software used to detect the keylogger, VIPRE, can
     be fooled by Microsoft's Live Application multi-language support
     folder.  This has been confirmed at F-Secure and two other
     publications, here and here.  Still no explanation for why Samsung
     originally confirmed the keylogger's existence to Hassan ... "

  [This is a true story.  But beware of the first three items in this
  issue.  PGN]

The April Fool Turing Test

Rob Slade <>
Tue, 29 Mar 2011 17:51:26 -0800

  [Jerken Westin and colleagues in Sweden have developed a variant of the
  famous Turing Test, removing the computer in the loop.  "It bears some
  relationship to the Wizard-of-Oz experiments and involves placing several
  experimental participants in a symmetrical paradox."  This is a rather
  fascinating probe not only of subjects' gullibility but also of
  experimenters being fooled.  It's worth a look, and very timely.  PGN]

Some risk-related issues after the earthquake

"ISHIKAWA, Chiaki" <>
Sat, 26 Mar 2011 20:26:56 +0900

Bank, time signal radio station, disappeared ID, and risk assessment

Two weeks after the big earthquake and subsequent tsunamis hit Japan,
I observed a few problems in the general media.

Mizuho Bank ATM total failure for the days after the earthquake (March 1).

According to the latest report, which came almost 10 days after the problem
appeared, the large queue of money transactions, caused by a large number of
donations to an account for relief efforts to help the stricken in the
earthquake- and tsunami-ravaged area, seems to be the culprit.  There was a
mention that the maximum limit of the queue for an account was not set
appropriately, or something.

I don't know the practice in the banking industry, but it seems that Mizuho
collects all such transactions (specifically money transfers from ATMs and
otherwise) and tries to clear the work queue during the evening.  But
according to some reports, the queue could not be cleared fast enough before
the next day's operation began.

Inquiring minds want to know why it was only Mizuho which experienced the
problem (other banks with accounts for such donations have not had similar
problems so far), and how the software behaves when the limit is reached.
Are all those overflowing jobs simply not processed and carried over for
processing on the next evening?  To me, it seems there were issues when such
an overflow occurred, but no clear explanation has been given yet.  RISKS
and other mailing lists will benefit from such a technically detailed report.

I should mention that Mizuho took the unusual step of handing money to those
who claimed to have received money from someone into their account when the
money was not yet in their account.  The maximum amount was 100,000 YEN
per person.  There were some abuses (those who moved from one branch to
another and took out such money multiple times) and so it was a mess.

* One of the two radio stations that emit the Japan Standard Time signal
  stopped operating: the station is within the 20-kilometer (evacuation)
  area around the Fukushima Daiichi nuclear power plant.

Ever since the evacuation was announced and the staff (2-4 people) left,
the station has stopped transmitting the signal.  I suppose that the operator
didn't want to risk transmitting a possibly incorrect timing signal in their
absence.

There are watches (including wrist watches) that can sync with the signal.
CASIO, Seiko, Citizen and other makers of such clocks receive more than a
dozen inquiries a day now.  (I noticed something strange was going on with my
watch, which syncs at midnight, but that also happens when the radio signal
is not reachable due to indoor conditions, so I didn't think much about it.)

The other station, in the western part of Japan, is in operation, but the
most heavily populated area, namely Tokyo and its surroundings, is not
covered well by the signal from that station.

Seismographs installed in mountain ranges and the like use the signal to sync
their internal clocks.  The agency responsible for such instruments has
resorted to using a wired signal to supply the time information.  Hmm,
another risk: a not-so-well-tested software module and the somewhat unknown
delay caused by wire transmission?

* In some towns, one's birth records and everything one may need for
  identification purposes were washed away.  Banks and other financial
  institutions were asked to open accounts without identification
  information.  (Usually, to prevent cases of money laundering, etc., one
  is required to produce a valid ID or two.)

* The problem at the nuclear power station, or risk assessment in general.

By now, the security analysts all over the world, especially the people in
physical security must be looking hard at what goes on at Fukushima Daiichi
nuclear power station.

I just would like to point out this.  In risk assessment, one usually uses
the expected (in the sense of statistics, or probability theory) value of
the risk, using whatever numerical value is appropriate (or a
multi-dimensional value if necessary, by incorporating some idea of "order")
to assess the risk.

In general, with a suitable such measure-scale,

P: the space of all possible situations, and p(e), the probability of event
e happening.  E(x): the expected value of a risk index x over all possible
situations, sometimes written as <x>.  c: some threshold to decide whether
the risk can be taken considering the merit.

 E(x) < c

If E(x) exceeds 'c', then the risk is too large to accept.

I had wondered whether this approach would be tenable in a situation where
the danger is beyond human scale: for example, contamination from waste
disposal may persist for a few generations at least, exceeding the lifetime
of an ordinary person many times over.  Nuclear waste management is such a
situation, and a nuclear power plant is also such a case.  An unintended
release of radioactive material must be tackled by a few generations.  You
have to ask the future generations, whom you will never see before your
death, to take care of the consequences.

Some geologists say the type of tsunami that caused the havoc was known to
have devastated the area about 1000 years ago (this was confirmed by old
historical records and, more importantly, by sediment sample analysis
conducted in the region.  In one city, Sendai, a petition was handed in to
the city office based on this discovery to change the evacuation plan or
build a safer shelter in an elevated place, etc.)  So such a big tsunami was
expected given today's scientific knowledge.  (It probably was not when
Fukushima Daiichi was built.)

I wonder whether, in some extreme situation like this, instead of the usual
expected value of a risk index, one may want to use Max(x), i.e., the
maximum possible risk that can arise.

We say, if the maximum is within acceptable value, then we can take the
risk, but if not, then we don't want to take the risk.

OK:  Max (x) < c
NG        c  < Max (x)

I had wanted to explain this notion to some people, but prevailing textbooks
simply use the expected value without thinking much.

(I thought I posted something about the use of maximum risk for assessment,
instead of the expected value, but it was not posted, I am afraid. If I had,
I was a good fortune teller.)

Anyway, my prayer for the people hit by tsunami and survivors.
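As an added illustration of the E(x) versus Max(x) criteria discussed in the post above (example code, not the contributor's own; every scenario probability, risk index, threshold and the 40-year lifetime are constructed, hypothetical numbers):

```python
from dataclasses import dataclass
from typing import Iterable, List


@dataclass(frozen=True)
class Scenario:
    """One possible situation e from P, with its probability p(e) and risk index x(e)."""
    name: str
    probability: float
    risk_index: float  # x on some chosen measure-scale (arbitrary units here)


def expected_risk(scenarios: Iterable[Scenario]) -> float:
    """E(x) = sum over all e of p(e) * x(e).  The scenarios must cover P (sum to 1)."""
    scenarios = list(scenarios)
    total = sum(s.probability for s in scenarios)
    if abs(total - 1.0) > 1e-9:
        raise ValueError(f"probabilities sum to {total:.6f}, not 1")
    return sum(s.probability * s.risk_index for s in scenarios)


def max_risk(scenarios: Iterable[Scenario]) -> float:
    """Max(x): the worst risk index over every situation that can occur at all."""
    return max(s.risk_index for s in scenarios if s.probability > 0.0)


def verdict(scenarios: List[Scenario], c: float, criterion: str) -> str:
    """'OK' if the chosen measure is below the threshold c, otherwise 'NG'."""
    measure = expected_risk(scenarios) if criterion == "expected" else max_risk(scenarios)
    return "OK" if measure < c else "NG"


def lifetime_probability(return_period_years: float, lifetime_years: int) -> float:
    """P(at least one 1-in-N-year event during L years), treating years as independent."""
    return 1.0 - (1.0 - 1.0 / return_period_years) ** lifetime_years


def plant_scenarios(tsunami_return_period_years: float) -> List[Scenario]:
    """Constructed scenario set for a hypothetical coastal plant over a 40-year lifetime."""
    p_tsunami = lifetime_probability(tsunami_return_period_years, 40)
    p_quake = 0.10  # hypothetical
    return [
        Scenario("normal operation", 1.0 - p_quake - p_tsunami, 1.0),
        Scenario("damaging earthquake, contained", p_quake, 50.0),
        Scenario("major tsunami, release persisting for generations", p_tsunami, 100_000.0),
    ]


THRESHOLD = 1_000.0  # hypothetical acceptable value c

if __name__ == "__main__":
    # Return period believed at build time (10,000 y) versus today's knowledge (1,000 y):
    # E(x) flips from OK to NG with the probability estimate, Max(x) says NG either way.
    for period in (10_000, 1_000):
        s = plant_scenarios(period)
        print(f"tsunami return period {period:>6} y: "
              f"E(x)={expected_risk(s):8.1f} -> {verdict(s, THRESHOLD, 'expected')}, "
              f"Max(x)={max_risk(s):9.1f} -> {verdict(s, THRESHOLD, 'max')}")
```

The point the run makes is that the E(x) verdict depends entirely on a tail-probability estimate that may be revised later, whereas the Max(x) verdict does not.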

Speaking of the US radiation detectors, cough, cough

Danny Burstein <>
Sun, 27 Mar 2011 00:09:24 -0400 (EDT)

Garance Burke and Noaki Schwartz,
Gaps in US radiation monitoring system revealed,
Associated Press, 26 Mar 2011
[Long article truncated for RISKS.  PGN]

SAN FRANCISCO - Parts of America's radiation alert network have been out of
order during Japan's nuclear crisis, raising concerns among some lawmakers
about whether the system could safeguard the country in a future disaster.
Federal officials say the system of sensors has helped them to validate the
impact of nuclear fallout from the overheated Fukushima reactor, and in turn
alert local governments and the public. They say no dangerous levels of
radiation have reached U.S. shores.

In California, home to two seaside nuclear plants located close to
earthquake fault lines, federal authorities said four of the 11 stationary
monitors were offline for repairs or maintenance last week. The
Environmental Protection Agency said the machines operate outdoors
year-round and periodically need maintenance, but did not fix them until a
few days after low levels of radiation began drifting toward the mainland
U.S.  About 20 monitors out of 124 nationwide were out of service earlier
this week, including units in Harlingen, Tex. and Buffalo, N.Y. on Friday,
according to the EPA.

Gaps in the system—as well as the delays in fixing monitors in some of
Southern California's most populated areas—have helped to prompt hearings
and inquiries in Washington and Sacramento.  "Because the monitoring system
... plays such a critical role in protecting the health and safety of the
American people, we will examine how well our current monitoring system has
performed in the aftermath of the tragic situation in Japan," said
Sen. Barbara Boxer, a California Democrat who chairs the U.S. Senate
Environment and Public Works Committee, which plans a hearing in the coming
weeks on nuclear safety.

EPA officials said the program effectively safeguarded the country against a
threat that did not materialize. They said they put portable monitors in
place as backups and repaired the permanent ones in Los Angeles, San
Bernardino, San Diego last weekend.  [...]

Railway signaling glitch strands commuters

Alex Farlie <>
Sun, 27 Mar 2011 02:48:06 +0100

The reason I am mentioning this is an apparent claim by Network Rail (who
are the entity with responsibility for the UK rail network's infrastructure)
that a glitch in software-based signaling was involved.

  [Given the age of parts of the rail network isn't that surprising...]

Docklands 2009 rail accident report

Alex Farlie <>
Sun, 27 Mar 2011 03:02:21 +0100

The Rail Accident Branch report in relation to an incident on the Docklands
Light Railway back in 2009 notes that, although the primary causes were not
software related, the DLR is a computer-based signaling system (and parts
of it were considered in the investigation, it seems).

Major UK Internet Outage

Martin Ward <>
Tue, 29 Mar 2011 12:36:38 +0100

At about 02:00 on 11 Jan 2011, something went wrong with BT's planned
maintenance within their core network. By 02:15, a significant number of
21CN (24Mbps and FTTC) ADSL connections were down.

My information on what happened and how the situation was resolved is mainly
from my own observations plus the limited information released by my ISP
( All ISPs have to operate under NDAs (Non-Disclosure
Agreements) with BT Wholesale: which means that the information they can
give out is very limited.  BT Wholesale themselves refuse to talk to
customers directly.  So there is no means for the ordinary customer to find
out accurate information: BT won't tell them and their ISP is not allowed to
tell them.  The NDA also prevents ISPs from giving BT contact details to
their customers.

BT still owns the "last mile" phone lines and equipment for most of the UK,
so they are a single point of failure for ALL ISPs for most of the
fixed-line Internet access in the UK.  It's really important that they get
it right since they provide wholesale Internet access to all the other ISPs.
If you get poor service from them, switching ISPs won't help.  Perhaps they
cynically look at it from the other side: they don't need to bother too hard
about getting it right, because customers have nowhere else to go?  BT are
in the unusual position that one part of the company (BT Wholesale) operates
as a monopoly over most of the country, selling wholesale Internet access to
ISPs: including BT's own retail division and their competitors.  Of course,
BT Wholesale is not allowed to give special treatment to BT's retail

At 02:00, something went wrong with BT's planned maintenance, causing a
large number of customers to lose Internet access.  Fast's network
monitoring detected the outage in a matter of seconds.  They contacted BT
and escalated the issue to the highest level of support.

By 06:00 Fast had added a message to their status page and a recorded
message on their support line.

By 08:30, BT engineers were "working to restore normal service".

By 09:40 BT could confirm that the problem was on their network, and were
still "working to restore normal service".

By 10:40 BT's most senior engineers were working on the problem.

By 11:30 BT had finally realised that the problem was caused by their
planned maintenance work overnight, and started trying to work out how to
fix it.

By 12:27, Fast engineers had confirmed the cause of the problem, worked out
a fix, and told BT exactly what they had to do to fix it.

By 13:20 BT Operations finally started rebuilding the configuration on the
device that controls the tunnels between Fast's network and the BT
network. This was expected to take about 30 minutes.

By 14:00, twelve hours after the network went down, normal service finally
started being restored to customers.


When you carry out planned maintenance on a network device, should it not be
customary to check that the device is still working properly afterwards?

Regardless of the above, shouldn't BT have some automated monitoring process
running which checks that their network is healthy and pages an engineer as
soon as any significant problems are detected?

When I logged in that morning and noticed that the network was down, I
immediately checked my logs and found that it had gone down some time
between 02:00 and 02:15 that morning. As a long time comp.risks reader, my
first thought was that an upgrade had gone wrong (my second thought was "Why
didn't they notice?"). Why did it take BT over nine hours to figure out the
cause of the outage?  Why did they then need another ISP's engineers to tell
them exactly what they had to do to fix their own network?

Given that the fix took only 30 minutes to implement, why was it
over twelve hours before service was restored?

STRL Reader in Software Engineering and Royal Society Industry Fellow  Erdos number: 4

Comodo compromise

"Peter G. Neumann" <>
Thu, 31 Mar 2011 22:19:02 PDT

Comodo holds one of the master keys to the SSL X.509 Public Key
Infrastructure.  One of their affiliates has been compromised and nine rogue
certificates issued.  Browsing will get you lots of items on this case.

FBI unable to break a code, asks for public help

Danny Burstein <>
Wed, 30 Mar 2011 21:29:06 -0400 (EDT)

FBI: Help Us Crack This Code and Solve a Murder Case
Investigators Want Public to Help Unlock Code Linked
to 1999 Murder of St. Louis Man [ABC News]

The FBI is looking for a few beautiful minds to help solve a murder case. If
you think you have what it takes to crack a code that the best cryptanalysts
in the country have failed for 12 years to master, they'd like to hear from
you. ...  After 12 years of trying to untangle the cryptographic mess,
investigators from the FBI's Cryptanalysis and Racketeering Records Unit and
the American Cryptogram Association are throwing up their hands. ...

India: system failure impedes voting on a constitutional amendment

"Peter G. Neumann" <>
Sun, 27 Mar 2011 18:06:28 PDT

Prime minister Manmohan Singh's No vote in the Rajya Sabha was cast as a Yes.
However, 169 intended Yes votes were recorded as only 149.  The amendment
was to rename Orissa to Odisha.  [Source: New Delhi, March 24, DH News
Service; PGN-ed]

A Girl's Nude Photo, and Altered Lives (Jan Hoffman)

Monty Solomon <>
Sun, 27 Mar 2011 23:37:28 -0500

Jan Hoffman, 26 Mar 2011

LACEY, Wash. - One day last winter Margarite posed naked before her bathroom
mirror, held up her cellphone and took a picture. Then she sent the
full-length frontal photo to Isaiah, her new boyfriend.  Both were in eighth
grade.  They broke up soon after. A few weeks later, Isaiah forwarded the
photo to another eighth-grade girl, once a friend of Margarite's.  Around 11
o'clock at night, that girl slapped a text message on it.

"Ho Alert!" she typed. "If you think this girl is a whore, then text this to
all your friends." Then she clicked open the long list of contacts on her
phone and pressed "send."

In less than 24 hours, the effect was as if Margarite, 14, had sauntered
naked down the hallways of the four middle schools in this racially and
economically diverse suburb of the state capital, Olympia. Hundreds,
possibly thousands, of students had received her photo and forwarded it.

In short order, students would be handcuffed and humiliated, parents
mortified and lessons learned at a harsh cost. Only then would the community
try to turn the fiasco into an opportunity to educate.

Around the country, law enforcement officials and educators are struggling
with how to confront minors who "sext," an imprecise term that refers to
sending sexual photos, videos or texts from one cellphone to another.

But adults face a hard truth. For teenagers, who have ready access to
technology and are growing up in a culture that celebrates body flaunting,
sexting is laughably easy, unremarkable and even compelling: the primary
reason teenagers sext is to look cool and sexy to someone they find
attractive.  Indeed, the photos can confer cachet. ...
