The Risks Digest

The RISKS Digest

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Volume 26 Issue 51

Monday 1 August 2011

Contents

China train crash explanation raises more public doubts
Jim Reisert
Study Faults Approval Process for Medical Devices
Barry Meier
Counterfeit driver's licenses
Ashley Halsey III
High-rolling gamblers are exploiting a quirk in Cash WinFall
Jim Reisert
FaceBook + Facial Recognition software = Increase Privacy Risks
Steven J Klein
"FaceBook Founder's Sister says Kill Internet Anonymity" + Counterarguments
Lauren Weinstein
Remote access to cars, water plants, etc.
Dennis Fisher
Risks of verbose automated e-mail
Paul Wallich
Google+ and Names
Gene Wirchenko
Re: Don't throw away Grandma's wind-up desk clock
Ted Lee
Re: Patient alleges Tufts breached privacy
Chris D.
Re: Empowering Evil Through Search and Surveillance
Chris D.
Re: The British Phone Hacking Scandal
Chris D.
Info on RISKS (comp.risks)

China train crash explanation raises more public doubts

Jim Reisert AD1C <jjreisert@alum.mit.edu>
Sat, 30 Jul 2011 10:26:14 -0600

Wang Xiuqiong, Wang Yaguang and Chen Yongrong, Xinhua, 29 Jul 2011

An explanation by railway authorities for last Saturday's deadly high-speed
train crash has raised even more public doubts about what had actually
happened to the accident and to the government investigation itself.

A high-speed train rammed into a stalled train near the city of Wenzhou in
east China's Zhejiang Province on Saturday, leaving 40 people dead and 191
injured. The accident was caused by "serious design flaws" in railway
signaling equipment, an official from the Shanghai Railway Bureau said
Thursday morning.  A lightning strike triggered the malfunction, which
resulted in a green alert light failing to turn red, leaving railway
personnel unaware of the stalled train ...

The *Beijing Youth Daily* newspaper posed several as-yet unanswered
questions in a Friday report on the accident. "Why was such seriously flawed
equipment in use for nearly two years without being detected?  Why was it
installed in as many as 76 rail stations across the country? Are there other
problems with the railway apart from equipment flaws?" the report asked.

http://news.xinhuanet.com/english2010/china/2011-07/29/c_131018337.htm

Jim Reisert AD1C, <jjreisert@alum.mit.edu>, http://www.ad1c.us


Study Faults Approval Process for Medical Devices (Barry Meier)

"Peter G. Neumann" <neumann@csl.sri.com>
Sun, 31 Jul 2011 20:03:13 PDT

  [Source: Barry Meier, Study Faults Approval Process for Medical Devices,
  *The New York Times*, 29 Jul 2011; PGN-ed; thanks to dkross.]
http://www.nytimes.com/2011/07/30/business/study-calls-approval-process-for-medical-devices-flawed.html?_r=1&ref=todayspaper

`If you want to make sure that a product is safe and effective, you have to
start by asking the question whether it is safe and effective.''

The government's system for regulating many medical devices like artificial
hips should be abandoned and replaced because it fails to examine their
safety and effectiveness before sale, according to a report released Friday
by one of the nation's top scientific groups.  The report's unequivocal
recommendation to scrap the current system was unexpected, and it unleashed
reactions ranging from outright rejection by industry officials, an embrace
by patient groups and seeming disbelief from federal regulators, who had
commissioned the review.  The report by the Institute of Medicine follows
several recalls of medical devices in recent years, like one involving
so-called metal-on-metal hip replacements used in thousands of patients,
crippling some of them. In its report, the panel found that existing rules
used to approve many devices were never intended to play the critical role
of screening out dangerous or ineffective products.  The panel urged the
Food and Drug Administration to devise a new approval system for so-called
moderate-risk devices—a category that now includes artificial hips,
external heart defibrillators and hospital pumps—concluding that the
current one was not fixable.  “If you want to make sure that a product is
safe and effective, you have to start by asking the question whether it is
safe and effective,'' said William Vodra, a member of the 12-person panel
assembled by the Institute of Medicine and a lawyer who has worked closely
with device producers.  ...

The panel also concluded in its report that the F.D.A. should act quickly to
determine whether artificial joints, like hips, which are currently approved
through the 510(k) process, should have to undergo the type of rigorous
scrutiny that high-risk devices now go through before sale. In other
recommendations, the report urged the F.D.A. to quickly tighten the way it
tracked the performance of devices once they are on the market, and said the
agency needed to move more rapidly to stop the sales of harmful ones.

In many ways, the report is a rebuke to the medical device industry and its
allies, who have been waging a campaign over the last year to dispute the
need for any new regulations.

  [Can we learn anything from this relating to computer systems being
  trustworthy and effective?  PGN]


Counterfeit driver's licenses (Ashley Halsey III)

"Peter G. Neumann" <neumann@csl.sri.com>
Mon, 1 Aug 2011 9:00:15 PDT

Ashley Halsey III, Latest counterfeit IDs are so good they're dangerous,
30 Jul 2011, http://wapo.st/nxiKY1 [Long item, PGN-ed]

When the fleeing motorcycle hit the curb, scraped past a utility pole and
hurled 20-year-old Craig Eney to his death, a bogus South Carolina driver's
license was in the hip pocket of his jeans.  He spent the final hours of his
life trading on that phony license to buy shots for his buddies at two
downtown Annapolis bars, places so popular among underage drinkers that
bouncers are stationed outside to check everyone's ID.  Yet scores of young
people flash fake driver's licenses and waltz on by to the bar.

The days when faking driver's licenses was a cottage industry—often
practiced in college dorm rooms by a computer geek with a laminating machine
-- have given way to far more sophisticated and prolific practitioners who
operate outside the reach of U.S. law enforcement.  In an era when terrorism
and illegal immigration have transformed driver's licenses into
sophisticated mini-documents festooned with holograms and bar codes, beating
the system has never been easier.

Just wire money to the `Chinese guy' [a Chinese company that has created
thousands of bogus licenses in the U.S.]

To the naked eye—even the practiced eye of most bartenders and police
officers—the counterfeits look perfect. The photo and physical
description are real. So is the signature. The address may be, too. The
holograms are exact copies, and even the bar code can pass unsophisticated
scans.  ... The IDs have shown up in various states, each license carrying a
mysterious hidden tip-off in the bar code that points directly to the same
Chinese company.


High-rolling gamblers are exploiting a quirk in Cash WinFall

Jim Reisert AD1C <jjreisert@alum.mit.edu>
Mon, 1 Aug 2011 14:05:58 -0600

and raking in huge profits

"For a few days about every three months, Cash WinFall may be the most
reliably lucrative lottery game in the country. Because of a quirk in the
rules, when the jackpot reaches roughly $2 million and no one wins, payoffs
for smaller prizes swell dramatically, which statisticians say practically
assures a profit to anyone who buys at least $100,000 worth of tickets."

http://www.boston.com/news/local/massachusetts/articles/2011/07/31/a_lottery_game_with_a_windfall_for_a_knowing_few/

Jim Reisert AD1C, <jjreisert@alum.mit.edu>, http://www.ad1c.us


FaceBook + Facial Recognition software = Increase Privacy Risks

Steven J Klein <steven@klein.us>
Mon, 1 Aug 2011 11:28:32 -0400

About one third of of people randomly photographed on the campus of Carnegie
Mellon University could later be identified by name using a combination of
FaceBook and pittpatt facial recognition software, according to professor
Alessandro Acquisti.  About 27% of those identified had enough information
on their FaceBook profiles (place and date of birth) to allow him to
correctly predict the first five digits of their Social Security numbers.

Excerpted from the CMU press release:

  In one experiment, Acquisti's team identified individuals on a popular
  online dating site where members protect their privacy through
  pseudonyms. In a second experiment, they identified students walking on
  campus—based on their profile photos on FaceBook. In a third
  experiment, the research team predicted personal interests and, in some
  cases, even the Social Security numbers of the students, beginning with
  only a photo of their faces.

  Carnegie Mellon researchers also built a smartphone application to
  demonstrate the ability of making the same sensitive inferences in
  real-time. In an example of "augmented reality," the application uses
  offline and online data to overlay personal and private information over
  the target's face on the device's screen.

More information is available in the *Wall Street Journal*.
http://blogs.wsj.com/digits/2011/08/01/tech-today-using-facebook-and-facial-recognition-to-id-random-people/

As if the above isn't sufficiently disturbing on its own, Google just
purchased pittpatt, the developer of the facial recognition used for this
experiment.

Steven J Klein (248) 968-7622


"FaceBook Founder's Sister says Kill Internet Anonymity" + Counterarguments

Lauren Weinstein <lauren@vortex.com>
Wed, 27 Jul 2011 15:47:30 -0700

  [From Network Neutrality Squad]

"FaceBook Founder's Sister says Kill Internet Anonymity" + Counterarguments
http://j.mp/pX8PJ9  (This message on Google+)
http://j.mp/p5WiHd  (Gawker)

  "I think anonymity on the Internet has to go away.  People behave a lot
  better when they have their real names down.  I think people hide behind
  anonymity and they feel like they can say whatever they want behind closed
  doors." —Randi Zuckerberg, FaceBook's marketing director

 - - -

Counterarguments: "Real Names, Guilt, Self-Censorship, and the Identity War":
http://j.mp/poYMC0 (Lauren's Blog)

Addendum: I've received many positive comments related to my suggestion that
we consider an "escrow" system for holding people's "real names" in certain
situations, so that they would not normally be publicly viewable.  As I've
noted, we're talking here about innocent, good players in this case, not
"bad guy" users who will find a way to subvert any system.  I should add
that this escrowing arrangement could be through a separate, trusted,
third-party organization, to eliminate concerns that one company could
unilaterally later decide to change the way they were handling these names.

Lauren Weinstein (lauren@vortex.com): http://www.vortex.com/lauren
People For Internet Responsibility: http://www.pfir.org
 - Network Neutrality Squad: http://www.nnsquad.org  http://lauren.vortex.com
 - PRIVACY Forum: http://www.vortex.com  +1 (818) 225-2800
Google+: http://vortex.com/g+lauren Twitter: https://twitter.com/laurenweinstein


Remote access to cars, water plants, etc. (Dennis Fisher)

"Peter G. Neumann" <neumann@csl.sri.com>
Thu, 28 Jul 2011 15:59:22 PDT

http://threatpost.com/en_us/blogs/wide-range-gsm-modules-scada-systems-vulnerable-remote-control-072711

Dennis Fisher, Wide Range of GSM Modules, SCADA Systems Vulnerable to Remote
Control, *ThreatPost.com*, 27 Jul 2011 [Thanks to Jeremy Epstein]

If you think your car is safe and secure sitting in your driveway at night
with its fancy alarm system enabled, Don Bailey has some bad news for you:
he can unlock it and turn it on. Whenever he wants. From the other side of
the country.  Bailey, a senior security consultant at iSEC Partners known
for his work on hacking GSM and embedded systems, has found a method that
enables him to not only identify certain kinds of GSM modules over the
mobile network, but also to tell him exactly where they're located via GPS
coordinates. He also discovered that he could send his own commands to the
modules and essentially have them do whatever he likes.

Bailey will demonstrate his attack next week at Black Hat, showing a video
of him remotely unlocking and starting a vehicle without the key in the
ignition.  "I had been doing some research on this GPS locator called the
Zoombak and I figured out that it's basically just a microcontroller with a
baseband," Bailey said. "So I devised a method for finding these things over
the GSM network and started sending them messages. I can send it an SMS
message and get it to upload data to a random IP address, tell it to send me
its GPS location every so often, whatever I want."

Bailey used a variety of methods to fingerprint the devices over the GSM
network, building on work that he and Nick DePetrillo had done
previously. He knew that the Zoombak, for example, was only on the T-Mobile
network and that the billing address for the phone number associated with
the devices was the company's, not each individual owner's. Those numbers
all show up as unknown in the caller ID database, which reduced the number
of possibilities for the device he's trying to find by a lot. Eventually, he
found that he could identify GSM devices with a success rate of about 86
percent.

Interestingly, the same architecture that's used in the Zoombak is also used
in a wide range of other devices, including car security systems, security
systems at water treatment facilities and in industrial control systems, as
well. That means that the same weaknesses also affect all of those systems,
making them susceptible to simple attacks that are quite easy to implement,
Bailey said.  "This is not technologically advanced. The fact is, you can
own these kinds of systems in under a couple of hours," he said. "It's easy.
There's no confidentiality or integrity built into the systems. We shouldn't
have the equivalent of SQL injection in hardware, and that's what this
is. That's the danger. It shouldn't be possible for any fly-by-night
12-year-old to do this."

Bailey has been working on the project for some time, along with his
colleague Matt Solnik, also of iSEC. After discovering the weakness of the
architecture used in the GSM modules, the pair started looking around for
other systems to hack that had the same poor security design.  It didn't
take long for them to have their hands full.

"I knew this was in car alarms, so I went and bought one and within two
hours of purchasing the device, we had it owned," he said. "Not only is the
architecture ubiquitous, no one understands that the module is so weak in
its inherent design that I can completely own not just that device, but all
the devices attached to it. There are lots of places that security and
integrity could have been introduced, but they're not.  And it's mostly
because of money."

Bailey said that as he and Solnik got down into the weeds on their research,
they discovered that the auto makers and alarm-manufacturers--which he and
Solnik are not naming yet--didn't even try to make it difficult to reverse
engineer the systems.

"They didn't even go so far as obfuscating the kinds of chips they use as
the microcontrollers," Bailey said. "I literally just opened the box and it
said it was XYZ chip and in two minutes I had the data sheet and I knew what
ports to tap and what to do."

As easy as this was for Bailey and Solnik to exploit, it will be equally
difficult for manufacturers to fix.

"This is infrastructure and it's going to be there for a long time. It's
going to take them forever to alter this in a way that I can't fingerprint,"
he said.


Risks of verbose automated e-mail

Paul Wallich <pw@panix.com>
Thu, 28 Jul 2011 10:02:03 -0400

(This is a sort of interacting-systems risk.)

The other day I was getting ready to go to the next town to pick someone up
at the airport when they called to let me know their flight (on Jetblue)
might be delayed. So I went to the company's web site to sign up for their
automated flight-status notification.

The choices were between voice message and e-mail, my mobile does not do
voicemail well, and the area around the airport doesn't have much wifi
coverage. So I entered my phone's SMS-gateway address and was quite proud of
myself for the workaround.

Until I got the first message, complete with GUID and corporate
identification, congratulating me on having subscribed to the automated
notification system for Flig. And there it ended. Which flight I was being
notified about or what had become of the schedule had been truncated by the
SMS gateway. Subsequent messages were similarly uninformative. (I finally
texted the traveler: "text me when you get off the plane, we may be a bit
late".)

Seems to me, with the widespread use of SMS gateways (almost all of my
texted conversations involve one person on a phone and the other at a PC),
that anyone designing an automated e-mail system like Jetblue's should take
care to get the essential information into the first 140 characters and let
the branding and GUID trail off the back. Because if you do it the other way
round, a lot of people will still be reminded of your company name, but not
in a good way.


Google+ and Names

Gene Wirchenko <genew@ocis.net>
Fri, 29 Jul 2011 11:04:56 -0700

There has been a big commotion over real names with Google+ with accounts
being terminated.

I wonder what they would do about me.  My passport does not have my name on
it.  I wanted it in the name "Gene Wirchenko" which is the form of my name
(full form: "Eugene Michael Wirchenko") that I use.  It got messed up on the
passport as "Gene Eugene Michael Wirchenko" with no indication that any of
the names were of different statuses.


Re: Don't throw away Grandma's wind-up desk clock (RISKS-26.49)

Ted Lee <TMPLee@MR.Net>
Tue, 26 Jul 2011 14:06:45 -0500

I've seen that report before and wonder if there simply isn't some lousy
reporting going on.  (Rarely have I seen the press report accurately on
anything I know about—always makes me wonder how they are doing on
everything else!)  As I understand the current system, if, say, the
frequency is slow by some number of cycles over some period, they will speed
it up that number of cycles the next period, so it will average out to zero.
It sounds to me like the only change proposed is lengthening out the period
as well, perhaps, as allowing the error to accumulate further before it is
corrected.

This particular sentence in the referenced article especially makes me
wonder if the press version is anything close to accurate: "If the grid
averages just over 60 cycles a second, clocks that rely on the grid will
gain 14 seconds per day, according to the company's presentation."  Umm, how
much is "just over"?


Re: Patient alleges Tufts breached privacy (RISKS-26.49)

"Chris D." <e767pmk@yahoo.co.uk>
Thu, 28 Jul 2011 18:41:55 +0100

> A patient has sued Tufts Medical Center and a primary care doctor there,
> alleging that documents including her medical history were sent to a fax
> machine at her workplace without her consent.

A friend who worked in an NHS hospital a couple of years ago complained that
she spent ages filling out lots of forms relating to patients, which were
then sent by fax.  I asked why she didn't use e-mail like everyone else, and
she said that this was not allowed due to "not meeting requirements for
patient confidentiality"...  Presumably a secure web server would be better,
to give password protection *and* an audit trail to see who had accessed
what, but as another friend in IT remarked, this would need $$$$s in set-up
and running costs for hardware and an administrator.


Re: Empowering Evil Through Search and Surveillance: Why Corporate

"Chris D." <e767pmk@yahoo.co.uk>
Thu, 28 Jul 2011 18:41:55 +0100
  Ethics Matter (Weinstein, RISKS-26.49)

> Yes, questions of ethics and business are complex, and different situations
> may be easily confused.

Indeed.  One approach is to look at it from the other direction; if
Microsoft and Cisco *didn't* deal with China, would this benefit Chinese
people in general?  I have no idea, but (without attempting to defend anyone
or take sides here) I suspect not.  I'd also venture to suggest that many
people outside the US are more concerned with the ups and downs of everyday
living than the ideals of "life, liberty, and the pursuit of happiness" --
just getting reliable Internet access at an affordable cost would be quite
an achievement.


Re: The British Phone Hacking Scandal: A Brit Replies (RISKS-26.50)

"Chris D." <e767pmk@yahoo.co.uk>
Sat, 30 Jul 2011 23:29:56 +0100

(1) Like most Western countries, the UK government in recent years has been
spending money like it's going out of fashion, because it keeps voters
happy.  If/when the tax revenues fall short, just borrow the difference --
heck, governments have good credit ratings, and it will be someone else's
problem to pay it back.  Thus we end up with the government absorbing 40-50%
of GDP and having debts of around 100% of GDP.  Now that the Credit Crunch
has hit, the bills are still piling up, but the tax revenues are flat; some
countries are running out of credit, while attempts to reduce government
spending result in civil unrest and lost elections, and the stand-off
between Democrats and Republicans in Washington over raising the US's debt
ceiling is ongoing as I write.

The only thing that's kept the UK economy (and others) going for the last 10
years is individuals and the government spending borrowed money.  This gave
the illusion of prosperity and gave Gordon Brown lots of tax revenues, which
he spent on pleasing voters, then his brilliant move was to lose the
election in 2010, thus leaving the task of paying off his overdraft to
someone else (e.g. me).

(2) The UK-specific aspects are (a) what someone called "the over-developed
British sense of fair play", which values equality and `fairness' over what
works, and (b) there's a strong tradition that "the gentlemen in Whitehall
[= government officials] know best", so Brits are prepared to let the
government run their lives probably more than people in other countries.
Not sure about "elites" (or the Bullingdon Club—ever heard of "Tony's
cronies"?), but the problem is that most politicians enter politics straight
out of college, and can reach the highest positions in government without
any apparent talent apart from being good at politics, and without
experiencing the ups and downs of everyday life like us little people.
(Tony Blair used to hob-nob with rock stars, but to make him look cool and
hip, rather than to rub shoulders with the proletariat.)

The trouble with the NHS is that providing health care free on demand to
everyone was a mighty big ask in 1948, when people were grateful for
whatever they could get.  Over 60 years later, we have an ageing population,
huge improvements in medical science, and loads of new medications, which
all costs big $$$$s, plus people are more knowledgeable and have higher
expectations, thus giving rapidly- increasing demand but static tax
revenues.

In the case of education, in the Good Old Days there was the 11+ exam and
grammar/secondary modern set-up, with only about 10% of the population going
to university, giving a rigorous education system and degrees that actually
meant something.  The 11+ was deemed to be discriminatory and thus unfair,
so was abolished, while increasing the proportion of schoolchildren going to
university to 50% looks good but simply dilutes the value of a degree while
hugely increasing the cost of running universities, so young people spend
loads of money on degrees that aren't worth much, but they have to have one
because everyone else does.

And because this is caring sharing Britain, you don't have any choice.
There are very small and very expensive paid-for schooling and healthcare
sectors, otherwise you have to wait in line for whatever service the
government deigns to provide.  It's free, but if you want something else you
have no choice and you can't pay for it because that would be unfair and
discriminatory.

> But the daily printed word seems to have become much less trustworthy in
> the UK in a way in which, for example, the best newspapers elsewhere have
> not. There just seems to be something about the British press in which I
> suspect Murdoch&family to have significant influence over content.

Obviously newspapers have to sell what people want to buy, or they go out of
business.  Not (as far as I know) connected to Mr Murdoch is `The Daily
Telegraph', for an alternative view (http://www.telegraph.co.uk/).  Of
course the other aspect—and this *is* connected with RISKS—is that
people have access to more alternative sources of information on the
Internet now.

> Maybe it's time to form a new political party for those who work hard, pay
> their taxes, and expect them to go somewhere useful like health care, care
> of the elderly, education, effective oversight of finance and critical
> infrastructure, public transportation, and effective urban reinvigoration.

Indeed, but how far should governments go?  Obviously there has to be law &
order and defence, but loads of other nice things to have as well, and
however much governments spend, they can always spend more.  Problems are
(1) that government spending is inherently inefficient as politicians and
government officials are spending other people's money (taxes) on other
people, and (2) there's the risk of those relying on government funding (for
welfare or employment) having more votes than the tax payers.  As someone
said, a politician who robs Peter to pay Paul can usually rely on Paul's
vote.  The US (as I understand it) is more of a stand-on- your-own-two-feet
country, where the government doesn't help much but doesn't get in the way
too much either, thus giving huge inequalities, but a very dynamic,
innovative economy.

Chris Drewe, Essex County, UK (not a taxicab driver).

Please report problems with the web pages to the maintainer

Top