Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email firstname.lastname@example.org
From: RISKS List Owner (riskocsl.sri.com)
Date: Tue Oct 14 2008 - 14:51:35 CDT
RISKS-LIST: Risks-Forum Digest Tuesday 14 October 2008 Volume 25 : Issue 38
ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, moderator, chmn ACM Committee on Computers and Public Policy
***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org> as
The current issue can be found at
Investigator: Computer likely caused Qantas plunge (Paul Saffo)
Qantas A330 accident (Martyn Thomas)
B-2 crash on takeoff (Ken Knowlton)
Illinois high-speed trains (Jon Hilkevitch via David Lawver)
D10T: National Debt Clock is out of digits (Mark Brader)
Passport RFID attack: missing validation (Aaron Emigh via PGN)
Missing hard drive "not encrypted" because it was "secure"
Russian researchers achieve 100-fold increase in WPA2 cracking speed
Defective news submission website (Steven M. Bellovin)
Risks of a new laptop (Nick Brown)
Researcher Liuba Belkin: Workers more prone to lie in e-mail (Monty Solomon)
Thomas Crown escape, revisited (Peter Houppermans)
Re: Sydney NS vs. Sydney NSW (Steve Schafer)
Oyster card hack details revealed (Gabe Goldberg)
Re: Remarkable -- United Airlines Stock (Russ Nelson)
Abridged info on RISKS (comp.risks)
Date: Tue, 14 Oct 2008 07:55:32 -0700
From: Paul Saffo <paulsaffo.com>
Subject: Investigator: Computer likely caused Qantas plunge
[Brings back memories of the early A320 accidents caused in part by a
stubborn fly-by-wire system... -p]
Investigator: Computer likely caused Qantas plunge
Rod McGuirk, Associated Press, 14 Oct 2008
A faulty computer unit likely caused a Qantas jetliner to experience two
terrifying midair plunges within minutes last week. More than 40 people
were injured when the Airbus A330-300 briefly nose-dived twice during a
flight from Singapore to the western Australian city of Perth last Tuesday.
Julian Walsh, chief air investigator at the Australian Transport Safety
Bureau, said an initial investigation indicated the cause was a computer
unit that detects through sensors the angle of the plane against the
airstream. He said one of the plane's three such units malfunctioned and
sent the wrong data to the main flight computers.
The flight data recorder indicated the plane, carrying 303 passengers and 10
crew, climbed about 200 feet from its cruising level of 37,000 feet and then
went into a nose-dive, dropping about 650 feet in 20 seconds, before
returning to cruising level, the safety bureau said last week. The sharp
drop was quickly followed by a second of about 400 feet in 16 seconds.
[The Air Data Inertial Reference Unit (ADIRU) was sending "erroneous,
spike" data to the Flight Control Primary Computers ("PRIM", comparable to
the A320's ELACs), which event disconnected the autopilot. A short while
later the ADIRU sent "very high, random, incorrect" values to the PRIM,
causing a pitch-down command. The same occurred again another short while
later. See the ASTB press release:
Incidentally, early suspicions centered on air turbulence, which were
incorrect. I have disregarded many of the earlier postings from RISKS
readers, but thank you for them. PGN]
The problem is the latest in a series of malfunctions and near-misses for
Australia's flagship carrier in recent weeks.
Australian authorities are still investigating an explosion aboard a Qantas
747-400 aircraft carrying 365 people over the South China Sea in July that
ripped a hole in the fuselage. That explosion caused rapid loss of pressure
in the passenger cabin but no one was injured.
Walsh said the French manufacturer Airbus had notified all operators of A330
and A340 aircraft, which are equipped with the same sensors, about how crews
should respond to such a malfunction. But aircraft are unlikely to be
grounded over a malfunction that had never happened before, he said. "It is
probably unlikely that there will be a recurrence, but obviously we won't
dismiss that," Walsh told reporters, saying they would investigate the
The faulty unit will be sent to the U.S. component manufacturer for testing,
he said. A report on the accident is to be released next month. Qantas said
the preliminary findings showed that the fault lay with the manufacturer
rather than the airline. "This is clearly a manufacturer's issue and we
will comply with the manufacturer's advice," the airline said in a
Date: Tue, 14 Oct 2008 14:44:11 +0100
From: Martyn Thomas <martynthomas-associates.co.uk>
Subject: Qantas A330 accident
The ATSB report raises a few questions:
* Why wasn't the fault in ADIRU 1 screened out by comparison with the other
* Why were "spikes" treated as valid input by the primary flight computers?
* Was the possibility of erroneous input to the primary flight computers
from the ADIRU considered in the hazard analysis? If so, with what result?
If not, why not?
The pilots deserve credit for their prompt recovery.
Martyn Thomas CBE FREng http://www.thomas-associates.co.uk
Date: Mon, 13 Oct 2008 16:28:36 EDT
From: Ken Knowlton <KCKnowltonaol.com>
Subject: B-2 crash on takeoff (Bob Charette, Re: RISKS-25.19)
[Bob Charette's item amplifies what was summarized in Paul Saffo's item in
RISKS-25.19, and is included here for archival purposes. Bob is a
well-known authority on risk analysis, but has not been a regular RISKS
Bad Data into Computers Caused B-2 Crash
Posted to *IEEE Spectrum* online by Robert Charette on June 9, 2008 5:00 AM
The US Air Force reported that the February crash on take-off of the $1.4
billion B-2 stealth bomber called the Spirit of Kansas was caused by
moisture interfering with the operations of 3 of the aircraft's 24 air
pressure sensors. The sensors were all on the port side of the aircraft. The
moisture problem was found to skew the data being fed into the aircraft's
flight control computers.
According to news reports, "The aircraft crew believed the bomber had
reached the takeoff speed of 140 knots when in reality it was traveling ten
knots slower and rotated for takeoff. The misfunction also meant that the
sensors showed the plane to be in a nose down position, causing it to
command a high level of pitch, around 30 degrees. This, combined with the
low takeoff speed, caused the aircraft to stall and veer to the left."
The pilot and co-pilot ejected successfully, although the co-pilot was hurt.
What the Air Force noted was that the crash could have prevented by more
effective risk communications.
Again, according to the story, "The vulnerability of the sensors to moisture
was first detected by air crews and maintenance staff in 2006, at which time
it was discovered that turning on the 500 degree pitot heat prior to sensor
calibration would evaporate the water and cause a return to normal readings.
However, this was never formally noted and so the pilots of the aircraft
were unaware of the potential problem or its solution."
In fact, another B-2 had to abort a takeoff at the same base because of the
same problem apparently last year, but the pilots of the B-2 that crashed
hadn't been briefed about it.
On a personal side, the B-2 belong to the 509th bomb wing, my old outfit. I
was an avionics tech back in the early 1970s, and I find it strange that the
problems with the sensors were not logged, nor that when an abort happened,
the causes were not formally briefed. I also find it interesting that the
information about heating the pitot at the very least wasn't informally
spread among the very small B-2 pilot community. If memory serves me
correctly, the problem back when I was in the Air Force was that pilots
complained about everything - even if a system worked as designed but didn't
work the way they wanted it to - on their aircraft during after-flight
debriefs, which were all noted, filed, cataloged and analyzed. No issue was
too small not to make note of.
Date: Thu, 2 Oct 2008 15:41:46 -0500
From: David Lawver <dlawverdoit.wisc.edu>
Subject: Illinois high-speed trains
Jon Hilkevitch, *Chicago Tribune*, 1 Oct 2008
Improvement in train-control mechanisms on the corridor through Illinois to
St. Louis will give Amtrak engineers precise information in the locomotive
cab that reinforces what the signals along the tracks are saying and
indicates track conditions ahead. For instance, sensors indicating that
gates and warning lights are operating properly at railroad crossings and no
vehicles are blocking the tracks will enable approaching trains to maintain
top speeds through the crossings, officials said.
The system is considered fail-safe, even at high speeds. If an engineer
violates the signals, the system will stop the train. The new signal system
is being installed on about 25 miles of track, from Joliet to Mazonia, to
improve the safety and reliability of passenger service, according to the
Federal Railroad Administration.
The improved technology will also boost train speeds from 79 m.p.h. to 110
mph on sections of 118 miles of track between Mazonia and Ridgely, near
[And we know this fail-safe system is implemented by computers, of course,
so we all feel reassured that Nothing Can Go Wrong.]
Full article at:
David Lawver, UW-Madison DoIT/SNCC-SM Operational Process Coordinator
1-608/262-8159 3108 CS&S dlawverdoit.wisc.edu
Date: Wed, 8 Oct 2008 13:21:09 -0400 (EDT)
From: msbvex.net (Mark Brader)
Subject: D10T: National Debt Clock is out of digits
[Search Google News for "debt clock".]
In a sign of the times, the National Debt Clock in New York has run out of
digits to record the growing figure. The government's current debt at
about 10.2 trillion dollars. The organisation that runs the sign said it
plans to update it next year by adding two digits to make it capable of
tracking debt up to a quadrillion dollars.
[Mark added subsequently:]
Say, if this is the first time this has happened, does that make it 1D10T? :-)
Date: Sat, 11 Oct 2008 19:31:26 PDT
From: "Peter G. Neumann" <neumanncsl.sri.com>
Subject: Passport RFID attack: missing validation (Aaron Emigh)
[Aaron Emigh sent me an article that discusses generally the issue of
the absence of validation of 35 out of 45 countries' public keys used
to validate data in RFID passport chips.
(Note: The PKD participants' list  lists only nine participants:
Australia, Canada, Germany, Japan, New Zealand, Singapore, Korea, the UK,
and the USA. Either the reported number is incorrect, or another country
has begun participating since the list was published in April of this
The ICAO seems to understand the issue; the PKD's 2007 report  states
"The business case for validating ePassports is compelling: border control
authorities can confirm that the document held by the traveler: was issued
by a bona fide authority, has not been subsequently altered, is not a copy."
In the ICAO PKD Procedures , it says (section 7.2): "The Country Signing
CA Certificate (Ccsca) must be disseminated by the Participant prior to
eMRTD [electronic machine readable travel document] issuance." So it does
seem that this was understood, and that the way to enable validation of
ePassport data is to participate in the PKD.
The article implies that Secunet Golden Reader accepts self-signed certs
from countries that have not filed a Ccsca, and that this data could be
accepted by border patrol agents. It would obviously seem a better choice
to force border personnel to validate the printed documents, where they
presumably have some expertise in rejecting fraudulent credentials, in lieu
of accepting any digital data that can't be validated. Does anyone know
whether there are processes that capture a requirement for manual review for
non-PKD-participating countries' passports? I don't have a copy of ICAO
Date: Mon, 13 Oct 2008 22:57:34 +0100
From: John Carlyle-Clarke <johnwormdrive.net>
Subject: Missing hard drive "not encrypted" because it was "secure"
This form of story is becoming depressingly familiar at the moment in the UK
to the point where numbness is setting in.
"Up to 1.7m people's data missing. A missing computer hard drive may
have contained details of 1.7 million people who had enquired about
joining the armed forces, the government has said."
What made this story stand out for me was a quote in it from EDS, via Bob
Ainsworth, the government minister with responsibility. They said:
"EDS assesses that it is unlikely that the device was encrypted because it
was stored within a secure site that exceeded the standards necessary for
To paraphrase: there was no way this could go missing, so we didn't bother
to encrypt it.
Date: Sun, 12 Oct 2008 18:21:47 -0400
From: Monty Solomon <montyroscom.com>
Subject: Russian researchers achieve 100-fold increase in WPA2 cracking speed
Russian security company Elcomsoft posted a press release on 12 Oct 2008
detailing a new method to crack WPA and WPA2 keys:
With the latest version of Elcomsoft Distributed Password Recovery, it is
now possible to crack WPA and WPA2 protection on Wi-Fi networks up to 100
times quicker with the use of massively parallel computational power of
the newest NVIDIA chips. Elcomsoft Distributed Password Recovery only
needs a few packets intercepted in order to perform the attack. ...
Date: Mon, 6 Oct 2008 10:31:22 -0400
From: "Steven M. Bellovin" <smbcs.columbia.edu>
Subject: Defective news submission website
My department is hosting a distinguished lecturer, so I went to the
university web site for submitting important campus news items. I described
the talk and the speaker, clicked submit -- and was presented with a request
to log in with my university login and password. A bit odd, I thought, but
perhaps not unreasonable -- maybe only faculty can submit news items. So I
logged in -- and got a web form for administering database access control
lists and tables...
This would be Just Another Buggy Web site, but there's one final detail
that elevates this incident to a classic: the distinguished lecturer is
Steve Bellovin, http://www.cs.columbia.edu/~smb
[Very amusing. My talk was given one-half hour after Steve sent that
message, on Integrity of Elections. I suppose examples of voting machines
(and ATMs) showing a blue screen of death or an operating system login
prompt would also tickle Steve's fancy. PGN]
Date: Thu, 9 Oct 2008 13:36:02 +0200
From: Nick Brown <Nick.BROWNcoe.int>
Subject: Risks of a new laptop
I've just received a flyer from Dell which, among other things, describes a
whole range of new services for which I can sign up when I buy a new PC.
1. "Recovering your data". For 60 Euros, during 3 years, Dell will "help me
recover my data following flood, fire, or other incident". No indication
is given of how likely this is to by physically possible, nor exactly how
much effort Dell will put into this before declaring my disk to be dead.
I'll still be making my own backups, thanks.
2. "Tracking down your stolen laptop" (55 Euros). If, during the first 3
years, my laptop is stolen and connected to the Internet, "its location
can be determined" and "local law enforcement agencies will help you get
it back". I'd be interested in seeing Dell's worldwide agreement with
"local law enforcement agencies", and what the penalty clauses are if said
agencies fail to return my laptop. I'd also be interested to know what
other mechanisms Dell has planned to track where my laptop was used
*before* I reported it stolen. Naturally, we will be assured that "strict
safeguards are in place to stop this happening". (I'd be interested to
know how this works... do they use some form of ID built into the CPU, or
is there an open port on the firewall, or are the MAC addresses of the
network cards - Ethernet and WiFi - piggybacked into network packets in
3. (The best one) "Formatting your data remotely" (70 Euros). Note that I'm
translating from French here; what I presume they mean is "formatting your
disk [partitions] remotely", not some service whereby they right-justify
your paragraphs for you. The description of the service is breathtaking:
"Dell can remotely format (sic) your sensitive data if your PC is lost or
stolen. Your critical data will not fall into the wrong hands".
Wow. So if I buy this service (and probably, even more worryingly, if I
don't), my Dell laptop will have software on it which will listen for a
message from the mother ship which will tell it to "format the data".
The RISKs are beyond enumeration, but let's start with:
- If your PC is stolen and the thief is sufficiently clever to backup
the data before connecting it to the Internet, then not only does she
have all your data, but you might naively think she doesn't.
- If the guy I met at the airport last week, to whom I lent my laptop
for a minute so he could check his webmail after we swapped business
cards, happened to note the service tag of the PC, and it turns out that
he works for a rival company, he will likely have all the info he needs
to ensure that I have a very bad day.
- If Joe in Cincinnati calls Dell to say his laptop has been stolen, and
his serial tag is off by one from mine, and someone presses the wrong
key in the mother ship, how much is Dell's liability for my data?
However, all (data) may not be lost. Because Dell also offers:
4. "Certified data destruction" (18 Euros). When the time comes to get a
new PC, Dell will take my old one and guarantee the secure destruction of
all the data on the hard drive, and recycle its components. So apparently
a simple format (remote or otherwise) isn't enough to keep your data out
of the hands of the bad guys. I'm confused. I would also be very
interested to have a list of people who are so serious about the need for
their data to be securely destroyed, that they are prepared to pay in
advance for it. I wonder if a disgruntled former call-center employee
might sell me that data? No, surely not. And the people in charge of
actually destroying the data wouldn't take a copy, either.
Nick Brown, Strasbourg, France.
Date: Fri, 10 Oct 2008 08:48:03 -0400
From: Monty Solomon <montyroscom.com>
Subject: Researcher Liuba Belkin: Workers more prone to lie in e-mail
In two studies co-authored by Lehigh's Liuba Belkin, people using e-mail
lied almost 50 percent more often than those using pen-and-paper. Workers
are significantly more likely to lie in e-mail messages than in traditional
pen-and-paper communications, according to two new studies co-authored by
Lehigh's Liuba Belkin.
More surprising is that people actually feel justified when lying using
e-mail, the studies show. "There is a growing concern in the workplace over
e-mail communications, and it comes down to trust," says Belkin, an
assistant professor of management in the College of Business and
Economics. "You're not afforded the luxury of seeing non-verbal and
behavioral cues over e-mail. And in an organizational context, that leaves a
lot of room for misinterpretation and, as we saw in our study, intentional
The results of the studies are reported in the paper, "Being Honest Online:
The Finer Points of Lying in Online Ultimatum Bargaining." Belkin and her
co-authors-Terri Kurtzberg of Rutgers University and Charles Naquin of
DePaul University-presented their findings at the annual meeting of the
Academy of Management held in August. ...
Date: Fri, 3 Oct 2008 13:26:43 +0200 (CEST)
From: Peter Houppermans <peterhouppermans.com>
Subject: Thomas Crown escape, revisited
A crafty bank robber in America made a Thomas Crown style escape from the
scene of his crime by recruiting a crowd of unsuspecting identically-dressed
accomplices on the Internet. King5.com reports that the well-organised
villain struck as an armoured van was picking up cash from the a Bank of
America branch in Monroe, Washington. Wearing a dust mask, safety goggles,
dayglo vest and a blue shirt, he pepper-sprayed a security guard and grabbed
a bag of cash before fleeing briskly.
Responding plods were hampered in their pursuit by the fact that a dozen
other dayglo-vested, masked, goggled and blue-shirted men had congregated in
the vicinity -- just as the legion of bowler-hatted suits assembled in New
York's Metropolitan Museum in the latest Thomas Crown film [to?] fatally
embugger the authorities' efforts to bracelet the eponymous billionaire
In this case, it appears that the anonymous miscreant recruited his
unsuspecting dupes on Craigslist. ...
[Source: The Register, 3 Oct 2008. The rest of the story is good too. PGN]
Date: Fri, 03 Oct 2008 09:41:06 -0400
From: Steve Schafer <stevefenestra.com>
Subject: Re: Sydney NS vs. Sydney NSW (25.36)
I live in Athens, Ohio. One of the local newspapers is the *Athens News*
(http://www.athensnews.com/). As it turns out, there is also an
English-language *Athens News* in the other Athens
Not surprisingly, electronic correspondence intended for one *Athens News*
sometimes ends up at the other. This happened in July, with a letter
mistakenly sent to our local *Athens News*. The editor decided to print it
This set off a chain of events that eventually led to a successful
trans-Atlantic resolution of the situation:
I am also reminded of when, several years ago, I was walking past the gates
at Dallas-Fort Worth International Airport, I noticed that American Airlines
flights to "San Jose CA" and "San Jose CR" were departing from adjacent
gates. The scheduled departure times were less than two hours apart.
Date: Tue, 07 Oct 2008 10:43:53 -0400
From: Gabe Goldberg <gabegabegold.com>
Subject: Oyster card hack details revealed (Re: RISKS-25.22,24)
The Oyster card is used on London's travel network. Details of how to hack
one of the world's most popular smartcards have been published online. The
research by Professor Bart Jacobs and colleagues at Radboud University in
Holland reveals a weakness in the widely used Mifare Classic RFID chip.
This is used in building entry systems and is embedded in the Oyster card
used on London's transport network. Publication of the research was delayed
by legal action taken by the chip's manufacturer.
Prof Jacobs and his team first identified the vulnerability in a research
paper that was due to be published in March 2008. However, the release of
the article was delayed after chip manufacturer NXP attempted to secure a
court injunction against its publication. The paper was finally released on
Monday at the European Symposium on Research in Computer Security (Esorics)
2008 security conference held in Malaga, Spain.
Sensitive data stored on the Mifare Classic chip is protected by a unique
number that acts as a key. When the chip, or a card bearing it, is placed
near a reader it transmits and receives information based on its key. The
security of the system depends on the key remaining secret. [Source: Peter
Date: October 1, 2008 8:27:02 PM EDT
From: Russ Nelson <nelsoncrynwr.com>
Subject: Re: Remarkable -- United Airlines Stock
[From Dave Farber's IP group. PGN]
> PGN wrote (see RISKS-25.37) : TheAustralian.news.com.au blames "Erroneous
> trades" routed to Nasdaq sent Google shares tumbling. Shares rebounded in
> after-hours trading to $413.06.
It's not necessarily erroneous trades. A number of stockholders will have a
stop on their shares, so that they automatically sell if the price drops
below a certain amount, typically 10% or whatever they think is outside the
normal day's range of stock trading.
Other people are interested in buying the stock once its price climbs out of
its normal range. There's a whole theory ("technical trading") which tries
to predict what is normal, and when a stock is going to exceed its normal
price range. They have set a limit on the price they're willing to buy.
When the price goes above that, they buy the stock.
Sometime mean people will buy a bunch of shares of a stock, then sell them
all at once. Depending on market conditions, they can depress the price of
the stock enough to hit people's stops, at which point they sell, which
drives the price down further, and further. The mean people then buy all
the stock back (which takes a lot of cash, obviously), which sends the price
of the stock zooming.
If they're lucky, again, they'll send the price up so high that they'll
start to hit limits, and more and more people will buy the stock. The mean
people are happy to sell the stock to them.
And when all of this winds down and the price returns to approximately its
original value, both the people with stops and limits are screwed and the
mean people make a lot of money. Sounds like NASDAQ saw that happen, and
undid it. Usually the effect is small and the mean people get away with it.
--my blog is at http://blog.russnelson.com
521 Pleasant Valley Rd. Potsdam, NY 13676-3213 +1 315-323-1241
IP Archives: https://www.listbox.com/member/archive/247/=now
Date: Thu, 29 May 2008 07:53:46 -0900
Subject: Abridged info on RISKS (comp.risks)
The ACM RISKS Forum is a MODERATED digest, with Usenet equivalent comp.risks.
=> SUBSCRIPTIONS: PLEASE read RISKS as a newsgroup (comp.risks or equivalent)
if possible and convenient for you. The mailman Web interface can
be used directly to subscribe and unsubscribe:
Alternatively, to subscribe or unsubscribe via e-mail to mailman
your FROM: address, send a message to
containing only the one-word text subscribe or unsubscribe. You may
also specify a different receiving address: subscribe address= ... .
You may short-circuit that process by sending directly to either
risks-subscribecsl.sri.com or risks-unsubscribecsl.sri.com
depending on which action is to be taken.
Subscription and unsubscription requests require that you reply to a
confirmation message sent to the subscribing mail address. Instructions
are included in the confirmation message. Each issue of RISKS that you
receive contains information on how to post, unsubscribe, etc.
=> The complete INFO file (submissions, default disclaimers, archive sites,
copyright policy, etc.) is online.
The full info file may appear now and then in RISKS issues.
*** Contributors are assumed to have read the full info file for guidelines.
=> .UK users should contact <Lindsay.Marshallnewcastle.ac.uk>.
=> SPAM challenge-responses will not be honored. Instead, use an alternative
address from which you NEVER send mail!
=> SUBMISSIONS: to risksCSL.sri.com with meaningful SUBJECT: line.
*** NOTE: Including the string "notsp" at the beginning or end of the subject
*** line will be very helpful in separating real contributions from spam.
*** This attention-string may change, so watch this space now and then.
=> ARCHIVES: ftp://ftp.sri.com/risks for current volume
or ftp://ftp.sri.com/VL/risks for previous VoLume
<http://www.risks.org> redirects you to Lindsay Marshall's Newcastle archive
http://catless.ncl.ac.uk/Risks/VL.IS.html gets you VoLume, ISsue.
Lindsay has also added to the Newcastle catless site a palmtop version
of the most recent RISKS issue and a WAP version that works for many but
not all telephones: http://catless.ncl.ac.uk/w/r
==> PGN's comprehensive historical Illustrative Risks summary of one liners:
<http://www.csl.sri.com/illustrative.html> for browsing,
<http://www.csl.sri.com/illustrative.pdf> or .ps for printing
==> Special Offer to Join ACM for readers of the ACM RISKS Forum:
End of RISKS-FORUM Digest 25.38