The RISKS Digest
Volume 25 Issue 98

Thursday, 1st April 2010

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Please try the URL privacy information feature enabled by clicking the flashlight icon above. This will reveal two icons after each link the body of the digest. The shield takes you to a breakdown of Terms of Service for the site - however only a small number of sites are covered at the moment. The flashlight take you to an analysis of the various trackers etc. that the linked site delivers. Please let the website maintainer know if you find this useful or not. As a RISKS reader, you will probably not be surprised by what is revealed…


The 2010 Census as of April 1
Rebecca Mercuri
Silver Iodide Can Seed Cloud Computing
Clouding Men's Minds
Cecelia Kang via PGN
CalJOBS Security is a Mess
Tony Lima
Why Won't USPS Let Me File This Complaint?
Jim Reisert
Incorrect software change to emergency ambulance call-handling system may have resulted in hundreds of deaths
Bruce Horrocks
Ohioans are dunned for long-paid fines (
Peter Zilahy Ingerman
User-friendly speed cameras in Belgium
Peter Houppermans
Academic Paper in China Sets Off Alarms in U.S.
Water-treatment computer: No, not the Three Stooges, but close
Jeremy Epstein
3.3 million student-loan records pilfered
Gene Wirchenko
Old-fashioned computer risks, Re: 3.3 million student-loan data
Jeremy Epstein
High-tech copy machines a gold mine for data thieves
David Hollman
Survey: Millions of users open spam e-mails, click on links
Dancho Danchev via Monty Solomon
Plain Dealer sparks ethical debate by unmasking anonymous poster
Ferdinand Reinke
In Bid to Sway Sales, Cameras Track Shoppers
Stephanie Rosenbloom via Monty Solomon
TJX Hacker Sentenced
Gene Wirchenko
USENIX Health Security and Privacy Workshop due 9 Apr 2010
Kevin Fu
GameSec 2010: Conference on Decision and Game Theory for Security
Albert Levi
Info on RISKS (comp.risks)

The 2010 Census as of April 1

"R. Mercuri" <>
Thu, 1 Apr 2010 00:31:56 -0500

  [Rebecca suggested this in response to Thomas Friedman's article
  supporting IRV in *The New York Times*, 24 Mar 2010.  PGN]

I was recently reading the FairVote (an Instant Runoff Voting advocacy
group) newsletter where the Census is mentioned, and OF COURSE, one should
note (though the author didn't) that it is STILL done on PAPER, not on the
Internet. I sure hope that continues.

Anyway, it caused me to try to think of an IRV analogy to the Census --
perhaps filers would instead list the number of people they'd LIKE to have
living in their homes on April 1, rather than the actual number of people
that ARE living there. So people who are getting divorced would say 1, and
people who are on the verge of giving birth would say 2 (or 9 if they are an
octomom), and people who are about to die would say 0, and so on. It would
be really interesting trying to figure out how to count that up
accurately. And of course, since the computers would be doing advanced fuzzy
math to determine the population for the subsequent gerrymandering, the
software algorithms would be far too complex for anyone to ever check (also
because they'd be written by some contractor who would decide that the code
is a proprietary trade secret). After the results come out, we'd
miraculously discover that Omaha Nebraska (gee, I wonder why it's *that*
particular city) would be entitled to 25 members of Congress.

Hmmm....maybe that *is* what's going on (or if not, I'm sure some folks with
deep pockets of cash would love to make it happen).

Rebecca Mercuri

Silver Iodide Can Seed Cloud Computing

"Peter G. Neumann" <>
Thu, 1 Apr 2010 01:23:45 GMT

At a rump session at the annual meeting of the American Chemical Society in
San Francisco last week, A. Poulter Geist, a physical chemist with a
remarkably strong background in both mathematics and computer science,
claimed that silver iodide (which has been used for many years to seed
potential rain clouds, albeit with considerable dispute as to its actual
effectiveness) could also be used to seed random-number generators used in
cryptographic key generation and hash coding, to provide better security in
cloud computing and cloud data-storage.  Perhaps somewhat simplistically, he
also suggested that the literal string "silver iodide" might even be used as
a public key in identity-based and attribute-based encryption, greatly
simplifying key management.  However, he rather explicitly ceded
responsibility for the clouds in cloud computing itself.

  [Poulter may be a distant relative of Tom "Doc" Poulter, director of the
  eponymous lab at SRI that still exists today.  On the other hand, I note
  that a "poltergeist" is known for unexplained rappings, and cloud
  computing is likely to need wrappers in the sky — which thus far have
  been easily compromised.  PGN]

Clouding Men's Minds (Cecelia Kang)

"Peter G. Neumann" <>
Sat, 27 Mar 2010 14:00:06 PDT

Behind Facebook, Gmail, and the Bing search engine is a multibillion-dollar
shift in technology that users don't see and Washington doesn't quite know
how to handle: cloud computing, the hosting of data on remote servers that
can be tapped from any computer connected to the Web. ... [Source: Cecelia
Kang, Washington debates Cloud Computing, *The Washington Post*, 26 Mar
2010; PGN-ed.  For you old-timers, the subject line refers to The Shadow.]

CalJOBS Security is a Mess

Tony Lima <>
Tue, 30 Mar 2010 15:12:41 -0700

There are major problems with the CalJOBS website, specifically the
security system.  Quite a bit of this will sound all too familiar to RISKS

The Employment Development Department (EDD) of the state of California runs
a website for job seekers and employers called CalJOBS.  A recent security
upgrade, however, has made it impossible for at least one user (me) to log
in at all.

The new website requires a user name and password.  There are restrictions
on both the name and password.  The user name must be 6 to 11 alphanumeric
characters.  So far so good.  The password must be 6 to 8 characters.  Only
after you enter the password (twice) and the answers to your two security
questions (see below) do you see this:

**Password must contain 3 of the following 4 items:
1) capital letters A-Z,
2) lowercase letters a-z,
3) numbers 0-9,
4) special characters ! # $ % ? + - _ @ **

Then you are asked for the answers to two security questions.  I have no
idea who made up these questions, but they are just plain bizarre.  Two
examples: "What was your childhood nickname?" and "On what street is your
favorite restaurant located?"  (The complete lists, as well as other screen
shots, are available at my blog

Even worse, as you fill in the answers to the questions, they are blacked
out.  You can't see any of the characters you type, but you do have to
answer each security question twice. You're out of luck if you manage to
make the same typo twice.  (Screen capture available on blog.)

If you make a mistake, you're really out of luck.  The website instructs
you to call EDD at (800) 758-0398.  If there are any human beings behind the
voicemail, I haven't found them yet.

To top it all off, when I tried to submit a bug report on the EDD website, I
consistently got a message saying my message included illegal characters.  I
swear, all the characters were legal.

No wonder the state unemployment rate is still in double digits.

Tony Lima Associates, Los Altos, CA, USA 1-650-243-1286

Why Won't USPS Let Me File This Complaint?

Jim Reisert AD1C <>
Tue, 30 Mar 2010 15:59:43 -0600

  "According to Sarah, she attempted to file the below note using's
  complaint form, but was told it could not be accepted because it contains
  a prohibited word. But neither she nor we can figure out what that word
  may be."

I'd like to say the risk here is being forced to complain to the USPS using
a snail-mail (i.e. USPS) method instead of their website.

Jim Reisert AD1C <>,

Incorrect software change to emergency ambulance call-handling

Bruce Horrocks <>
Tue, 30 Mar 2010 01:00:01 +0100
         system may have resulted in hundreds of deaths

UK call centers dealing with emergency ambulance calls use software to
automate the prioritization of calls. Over a decade ago, a change was
requested to downgrade the severity of incidents involving a fall of 10ft or
more. The change was 'literally' implemented with the consequence that all
incidents involving a fall were downgraded, irrespective of the severity of
other symptoms.

The error came to light when a woman who had fallen 12ft, was unconscious
and had breathing difficulties died after being left to wait because
priority was given to a drunk who had collapsed on the street.

It's not clear from the article whether the change was incorrectly
implemented or exactly as requested.

The risk is that requirements used to generate safety related software must
be as rigorously checked as the software.

Ohioans are dunned for long-paid fines

Peter Zilahy Ingerman <>
Wed, 31 Mar 2010 14:48:27 -0400

Some motorists are complaining that old traffic fines they already paid to
one Ohio county are coming back to haunt them.  About 1,000 people have
contacted officials in southeast Ohio's Hocking County this week to say
they've heard from a collection agency about tickets already resolved, in
some cases as far back as 20 years ago.  Municipal Court Clerk Michele Bell
said Tuesday that a glitch that occurred in 1999, when the court changed
data systems. The problem surfaced amid the county's ongoing efforts to
recover outstanding debts and bolster its budget.  About 10,000
debt-collection letters went out last week. Bell says she's not sure how
many were sent by mistake and how many went to people who still owe money.

User-friendly speed cameras in Belgium

Peter Houppermans <>
Sun, 28 Mar 2010 15:29:16 +0200

A Belgian Flemish MP (Jurgen Verstrepen) opened an interesting can of worms:
he publicly asked why speed cameras weren't better protected.  It turns out
that every camera has the electricity supply cabinet right next to it, which
is totally standard - and that standardisation includes the key (which you
can buy legally for about EUR 14).

It gets better: opening the cabinet and killing the power to the camera does
not get you in trouble with the law as there is no actual damage.  It so
also won't signal the police, which it would do in case of damage.

All of this was reported in the Belgian press today.  Given the popularity
of speed cameras in general I suspect Monday will start with a run on those
keys, and end with not a single static camera left operational.  I'm not
entirely sure that was the original intention..

Academic Paper in China Sets Off Alarms in U.S.

"Peter G. Neumann" <>
Sun, 28 Mar 2010 9:55:04 PDT

Larry M. Wortzel, in a hearing of the U.S. House Foreign Affairs Committee
on 10 Mar 2010: "Chinese researchers at the Institute of Systems Engineering
of Dalian University of Technology published a paper on how to attack a
small U.S. power grid sub-network in a way that would cause a cascading
failure of the entire U.S."

  [Source: John Markoff and David Barboza, *The New York Times*, 20 Mar
  2010.  The NYTimes article is nicely nuanced, and discusses a very complex
  issue.  It deserves your reading.  The graduate-student Chinese author,
  Wang Jianwei, claims he was trying to find ways to enhance the stability
  of power grids, not trying to bring down the grid.  But it should be no
  surprise to RISKS readers that vulnerabilities exist!  PGN]

Water-treatment computer: No, not the Three Stooges, but close

Jeremy Epstein <>
Mon, 29 Mar 2010 12:26:27 -0400

The theft of a computer from the Molalla Oregon water treatment facility is
being considered a federal crime by authorities.  Someone broke into the
water plant on 27 Mar 2010 through a back window and stole the computer,
which was what kept the plant working on auto pilot, with remote monitoring
of water pumps and reservoir and chlorine levels.  Water service was not
affected, as the plant could still be operated manually.  The next day, the
computer was found in a nearby pond.  City officials said it's destroyed,
but a technician is trying to salvage the hard drive and the costly
programming on it.  [Source: Fox 12,, 26 Mar2010; PGN-ed]

  [So let's see, the single computer that controls their water system is in
  a loosely controlled building, and there's no real-time or offline backup
  system.  Certainly a less scary attack from the cyber perspective, and
  hard to do from China or on a large scale, but no less effective!  JE]

Jeremy Epstein, Senior Computer Scientist, SRI International
1100 Wilson Blvd, Suite 2800, Arlington VA  22209, 703-247-8708

3.3 million student-loan records pilfered (Jeremy Kirk)

Gene Wirchenko <>
Tue, 30 Mar 2010 12:37:33 -0700

Confidential data on students applying for loans including names, addresses,
birth dates and Social Security numbers has been stolen, according to a
non-profit company that helps with student loan financing.  [Source: Jeremy
Kirk, *IT Business*, 30 Mar 2010.]

Selected quotes:

"Data on 3.3 million borrowers was stolen from a nonprofit company that
helps with student loan financing.

The theft occurred on 20 or 21 Mar 2010 from the headquarters of Educational
Credit Management Corp. (ECMC), which services loans when student borrowers
enter bankruptcy. The data was contained on portable media, said the
organization, which is a dedicated guaranty agency for Virginia, Oregon and

The data included names, addresses, birth dates and Social Security numbers
but no financial information such as credit card numbers or bank account
data, ECMC said in a news release."

"ECMC didn't say whether the data taken was encrypted."

  [On that last bit, why not?  For that much data, should it not be a given
  that it would have been encrypted?]

Old-fashioned computer risks, Re: 3.3 million student-loan data

Jeremy Epstein <>
Sat, 27 Mar 2010 10:16:24 -0400

In the wake of many data breaches, let's not forget the old fashioned kind.
Information on 3.3 million college students with loans through ECMC was
stolen in a burglary of the ECMC offices in Minnesota.  It's not clear from
the report whether the thieves targeted the storage device (described as
"portable media with personally identifiable information"), or whether that
was incidental to a theft of other equipment.

The Risk?  Assuming that all data thefts are cyberthefts!

High-tech copy machines a gold mine for data thieves

David Hollman <>
Tue, 30 Mar 2010 13:21:42 +0100

"..businesses are completely unaware of the potential information security
breach when the office photocopier is replaced. They think the copier is
just headed for a junkyard but, in most cases, when the machine goes, so
does sensitive data that have been stored on the copier's hard drive for
years. ...  Of the dozens of multi-purpose copiers [he] has cleaned out in
the past two years, he has seen hundreds of scanned documents that would be
considered confidential."

Other points:

* Many copiers are networked, allowing for another way of accessing
  unprotected data * Employees use work copiers for personal business and
  you'd expect to find all kinds of sensitive personal information as well
  as company information.

The risk seems to be the fact that many/most people wouldn't realize that a
computer is part of an everyday device like a copier, coupled with the fact
that said device gets to read all kinds of sensitive things.

I wonder if there are other cases where both of those things are true...?
Web-enabled TV boxes perhaps?  Surely there are other examples.

Survey: Millions of users open spam e-mails, click on links

Monty Solomon <>
Thu, 25 Mar 2010 23:32:53 -0400

Dancho Danchev, Survey: Millions of users open spam e-mails, click on links,
ZDNet, 25 Mar 2010

How many users access spam e-mails, click on the links found within, and
open attachments intentionally? Why are they doing it, and who are they
holding responsible for the spread of malware and spam in general, in
between conveniently excluding themselves?

A newly released survey from the Messaging Anti-Abuse Working Group (MAAWG),
summarizing the results of the group's second year survey of e-mail security
practices, offers an interesting insight into the various interactions end
users tend to have with spam e-mails.

Key findings of the survey:

Nearly half of those who have accessed spam (46%) have done so intentionally
- to unsubscribe, out of curiosity, or out of interest in the products or
services being offered.

Four in ten (43%) say that they have opened an e-mail that they suspected
was spam.

Among those who have opened a suspicious e-mail, over half (57%) say they
have done so because they weren't sure it was spam and one third (33%) say
they have done so by accident.

Canadian users are those most likely to avoid posting their e-mail address
online (46%).  Those in the U.S., Canada and Germany are most likely to set
up separate e-mail addresses in order to avoid receiving spam.

Many users do not typically flag or report spam or fraudulent e-mail.

When it comes to stopping the spread of viruses, fraudulent e-mail, spyware
and spam, e-mail users are most likely to hold ISPs and ESPs (65%) and
anti-virus software companies (54%) responsible.

Less than half of users (48%) hold themselves personally responsible
for stopping these threats.   ...

  [A fool and his password are soon parted.  PGN]

Plain Dealer sparks ethical debate by unmasking anonymous poster

reinke ferdinand <>
Sat, 27 Mar 2010 09:18:36 -0400

Plain Dealer sparks ethical debate by unmasking anonymous poster
By Henry J. Gomez, *The Plain Dealer*, 26 Mar 2010

  By unmasking an anonymous poster at its companion website, The Cleveland
  Plain Dealer finds itself in an ethical quandary, stirring a debate that
  balances the public's need to know against the privacy concerns of online

  The newspaper traced the identity of `lawmiss' after someone using that
  moniker left a comment about the mental state of a relative of reporter
  Jim Ewinger. The comment was removed for violating's
  community rules, which do not allow personal attacks.

  Users are required to register with a valid e-mail address before posting
  at Upon learning of the Ewinger issue Monday, an online
  editor looked up lawmiss's e-mail address, which like all others, is
  accessible through software used to post stories to the website.

  "It does raise the question of the wisdom and fairness of the newspaper
  using the registration system of the website for reporting purposes,"
  Steele said in a telephone interview.

  The newspaper's decisions could have a chilling effect on conversation at, said Rebecca Jeschke of the Electronic Frontier Foundation,
  an online privacy rights group.

  "I would think twice before participating in a message board where I had
  to give my e-mail address knowing that management could access it at any
  time," Jeschke said. "It seems appropriate in this case, but ... it's hard
  not to imagine scenarios where it's abused."

  Other news organizations already hide such information from their
  editorial staff, said Steve Yelvington, a strategist for Morris Digital
  Works, the online division of Morris Communications. The company runs 13
  daily newspapers in Florida, Georgia, Texas and other states. "We are
  careful to firewall our business records from our journalists," Yelvington

Regardless of where one comes down on the issue of Internet privacy (IMHO
there ain't none), or how much should you trust anything on the inet (IMHO
zero trust), and technology in general (IMHO we give boobs the equivalent of
loaded guns and they are astonished when some one gets hurt), this was
completely preventable.

Use a "disposable" e-mail account!

Haven't these people ever heard of GMAIL? No invitation required now! You
can even use multiple ones! Ask any "child" who wants to break free from Mom
and Dad's supervision. That's without even getting "tricky" of using one of
the "disposable websites that create e-mail addresses that only work for a
very limited time; perfect for "e-mail validation" requirements. If Chinese
bloggers can hide form their oppressive regime, then we can conclude that
most of us who want "privacy" can figure out a way to do it. In this case,
the technology-naive are getting a very expensive education in "technology".

And, this wasn't even the government seeking to find out who made a nasty
comment. Wait till the Internet-using public says something the government
doesn't like. Such as "taxes are too high", "the <insert favorite government
agency> is inept, corrupt, or stupid", or quote Jefferson, Lysander Spooner,
or Sam Adams. Then, the proctology exam will begin.

Replies will be considered at or or

(How long before these e-mail address get a Nigerian "offer" letter? For the
totally clueless, these accounts are NOT real. Merely illustrations of the
above point.)

  [I hate to be an a-lawmiss-t (perhaps with a Boston accent?), but RISKS
  readers certainly realize by now that privacy risks in social computing
  are *huge*.  PGN]

In Bid to Sway Sales, Cameras Track Shoppers (Stephanie Rosenbloom)

Monty Solomon <>
Sat, 20 Mar 2010 16:51:57 -0400

The curvy mannequin piqued the interest of a couple of lanky teenage boys...
A father emerged from a store dragging his unruly young son by the scruff...
These scenes may seem like random shopping bloopers, but they are meaningful
to stores that are striving to engineer a better experience for the
consumer, and ultimately, higher sales for themselves. Such clips, retailers
say, can help them find solutions to problems in their stores - by
installing seating and activity areas to mollify children, for instance, or
by lowering shelves so merchandise is within easy reach.  Privacy advocates,
though, are troubled by the array of video cameras, motion detectors and
other sensors monitoring the nation's shopping aisles. ...
  [Stephanie Rosenbloom, *The New York Times*, 19 Mar 2010; PGN-ed]

TJX Culprits Sentenced

Gene Wirchenko <>
Mon, 29 Mar 2010 13:42:31 -0700

Albert Gonzalez, the hacker mastermind behind the TJX credit card scam, was
sentenced to two concurrent 20-year stints in prison — as his parents and
sister silently wept.  [Source: Nancy Weil, Family weeps as TJX hacker gets
20 years in slammer, 29 Mar 2010]

  [Christopher Scott, who had collected credit- and debit-card numbers used
  by Gonzalez, was sentenced to seven years and one day, according to an
  item on 29 Mar 2010 by Kim Zetter in  The TJX saga has been
  ongoing for quite a while, and is well covered in previous RISKS and by
  what your favorite search engines can find.  Too much to summarize here.

USENIX Health Security and Privacy Workshop due 9 Apr 2010

Kevin Fu <>
Tue, 30 Mar 2010 17:34:07 -0400

  [This item should be of particular interest to many RISKS readers.
  Perform an operation in the next week that creates two inspiring pages and
  send them in to HealthSec10.  Be sure to reflect on what you have learned
  over the years of reading RISKS!  PGN]

Call for Papers
1st USENIX Workshop on Health Security and Privacy (HealthSec '10)
Submissions deadline: April 9, 2010, 11:59 p.m. PDT

HealthSec '10 is intended as a forum for lively discussion of aggressively
innovative and potentially disruptive ideas on all aspects of medical and
health security and privacy. A fundamental goal of the workshop is to
promote cross-disciplinary interactions between fields, including, but not
limited to, technology, medicine, and policy. Surprising results and
thought-provoking ideas will be strongly favored; complete papers with
polished results in well-explored research areas are comparatively

Given the goals for HealthSec '10, the submission requirements are modest:
2-page papers that clearly espouse a position and that will promote
discussion. Position papers will be selected for their potential to
stimulate or catalyze further research and explorations of new directions,
as well as for their potential to spark productive discussions at the

Workshop topics are solicited in all areas relating to healthcare
information security and privacy, including:

* Security and privacy models for healthcare information systems
* Industrial experiences in healthcare information systems
* Deployment of open systems for secure and private use of healthcare
  information technology
* Security and privacy threats against and countermeasures for existing
  and future medical devices
* Regulatory and policy issues of healthcare information systems
* Privacy of medical records
* Usability issues in healthcare information systems
* Threat models for healthcare information systems

For more details on the submission process, please see the complete
Call for Papers at:

We look forward to receiving your submissions!

Kevin Fu, University of Massachusetts Amherst
Tadayoshi Kohno, University of Washington
Avi Rubin, Johns Hopkins University
HealthSec '10 Program Chairs

GameSec 2010: Conference on Decision and Game Theory for Security

Albert Levi <>
Mon, 22 Mar 2010 13:33:36 +0200

GameSec 2010, the inaugural Conference on Decision and Game Theory for
Security will take place on the campus of Technical University Berlin,
Germany, on November 22-23, 2010, under the sponsorships of Deutsche Telekom
Laboratories, Frauenhofer HHI and IEEE Control System Society.  The paper
submission deadline is May 15, 2010.

GameSec conference aims to bring together researchers who aim to establish a
theoretical foundation for making resource allocation decisions that balance
available capabilities and perceived security risks in a principled
manner. The conference focuses analytical models based on game, information,
communication, optimization, decision, and control theories that are applied
to diverse security topics. At the same time, the connection between
theoretical models and real world security problems are emphasized to
establish the important feedback loop between theory and practice. Observing
the scarcity of venues for researchers who try to develop a deeper
theoretical understanding of the underlying incentive and resource
allocation issues in security, we believe that GameSec will fill an
important void and serve as a distinguished forum of highest standards for
years to come.

For more information, please visit

Albert Levi, Sabanci University, Faculty of Engineering and Natural
Sciences, Orhanli, Tuzla TR-34956, Istanbul TURKEY   +90 (216) 483 9563

Please report problems with the web pages to the maintainer