From: RISKS List Owner (riskocsl.sri.com)
Date: Tue Sep 01 2009 - 10:51:13 CDT
RISKS-LIST: Risks-Forum Digest Tuesday 1 September 2009 Volume 25 : Issue 77
ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, moderator, chmn ACM Committee on Computers and Public Policy
***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org> as
The current issue can be found at
UK Chinook helicopters grounded for *years* due to software problems (danny burstein)
DNA Evidence Can Be Fabricated, Scientists Show (Monty Solomon)
Computer-driven class schedules (David Lesher)
Computer to blame for man's fiery death (Gene Wirchenko)
RFI isn't all harmless: turns on oven (David Lesher)
Pepper-spray ATMs (Jeremy Epstein)
The VA erroneously informs over a thousand vets of fatal diagnosis (Rob McCool)
ROTC Computer Files Found in the Public Domain (Monty Solomon)
Hackers break into police computer as sting backfires (Andrew Pam)
3 Indicted in Theft of 130 Million Card Numbers (Monty Solomon)
AT&T unable to protect Kevin Mitnick's account (David Magda)
Swiss Data Protection orders Google Streetview offline (Peter Houppermans)
Canadian model gets Google to unmask nasty blogger (Simon Avery via PGN)
Cannot print on Tuesdays! (Phil Colbourn)
GSM's A5/1 cipher being brute forced (David Magda)
The Pirate Bay Returns With Guns Blazing (jidanni)
Bad questions for account retrieval (Jeremy Epstein)
Take only pictures *we* like (David Lesher)
Re: Kentucky election fraud indictments (Drew Dean)
Stephen Albin. The Art of Software Architecture (David Schneider)
Abridged info on RISKS (comp.risks)
Date: Tue, 25 Aug 2009 12:45:56 -0400 (EDT)
From: danny burstein <dannybpanix.com>
Subject: UK Chinook helicopters grounded for *years* due to software problems
[UK news sources: UK bought Boeing helicopters, figured they'd
save money by designing their own software...]
When the [Boeing] Chinooks were delivered in 2001 at a cost of 259 million
[British pounds] - the [software] codes would have pushed the price to over
300 million - they could not be certified because of the lack of software.
They could be flown but pilots were barred from taking the controls in
cloudy conditions or at low altitude. .... While all the discussions were
going on the Chinooks had been idle in their hangars. Between 2001 and 2007
the helicopters had to be inspected once a week and moved out of the hangars
every two years for more detailed checks, at a total cost of 560,000
Rest, with links to related stories and lots of interesting reader comments):
Date: Wed, 19 Aug 2009 00:10:08 -0400
From: Monty Solomon <montyroscom.com>
Subject: DNA Evidence Can Be Fabricated, Scientists Show
Scientists in Israel have demonstrated that it is possible to fabricate DNA
evidence, undermining the credibility of what has been considered the gold
standard of proof in criminal cases. The scientists fabricated blood and
saliva samples containing DNA from a person other than the donor of the
blood and saliva. They also showed that if they had access to a DNA profile
in a database, they could construct a sample of DNA to match that profile
without obtaining any tissue from that person. "You can just engineer a
crime scene," said Dan Frumkin, lead author of the paper, which has been
published online by the journal Forensic Science International:
Genetics. "Any biology undergraduate could perform this." [Source: Andrew
Pollack, *The New York Times*, 18 Aug 2009; PGN-ed]
Date: Thu, 27 Aug 2009 18:41:32 -0400 (EDT)
From: "David Lesher" <wb8fozpanix.com>
Subject: Computer-driven class schedules
[would Ferris Bueller get the week off?]
Prince Georges [MD] Public Schools $4.1 million SchoolMax student scheduling
system has left thousands of its high school students with no schedules, and
thus no classes.
Those students have spent the first few days of school sitting in the gym,
cafeteria, or other holding areas.
While the number of still-unscheduled students has fallen from the first
day's 8000 [of 41,000 total] to roughly 2000, that does not include those in
the wrong classes; including one where administrators have, in effect,
randomly assigned students to any available class.
The saga sounds oh so familiar to RISKS regulars; a big changeover, no manual
fallback scheme, approaching deadlines, with complaints about inadequate
training, and big increases in the time needed [from ~10 minutes to 45 per
student!] for core tasks.
But SchoolMax is not a new creation, nor are these issues. It was deployed
for 300,000 in the Los Angeles Unified School District, and Richmond County,
Georgia had similar issues in 2004.
So who's not learning here: SchoolMax, the school systems clients, or their
Class Chaos Persists at Prince George's High Schools
Date: Thu, 27 Aug 2009 19:03:19 -0700
From: Gene Wirchenko <genewocis.net>
Subject: Computer to blame for man's fiery death
A laptop computer that burst into flames after being left on a couch is to
blame for a Vancouver man's death, prompting a public warning from the
British Columbia Coroners Service not to leave the devices on soft
furniture. [Source: *The Daily News*, Kamloops, British Columbia, Canada,
27 Aug 2009, A4 PGN-ed]:
Date: Tue, 18 Aug 2009 23:28:08 -0400 (EDT)
From: "David Lesher" <wb8fozpanix.com>
Subject: RFI isn't all harmless: turns on oven
RFI is usually an annoyance but seldom harmful. Here's an exception.
A UPI article of 18 Aug reports:
Andrei Melnikov said his Maytag Magic Chef stove beeps and turns its broiler
onto the highest setting if his phone, which he has had for about three
years, receives an incoming call while within two feet of the appliance,
WABC-TV, New York, reported Tuesday. ... He said the stove is currently
unplugged and Maytag has agreed to send a repair crew to get to the bottom
of the problem.
GSM cell phones are noted for causing audible RFI in other receivers
nearby. Looks like some Maytag ranges are equally vulnerable.
[Also reported by David Hollman and by Kevin Connolly, who added, ``Here
in Ireland the electrical regulations require a wall switch to isolate the
mains supply to a cooker when not in use. It is good advice to use it.''
Date: Wed, 26 Aug 2009 10:44:01 -0400
From: Jeremy Epstein <jeremy.j.epsteingmail.com>
Subject: Pepper-spray ATMs
Haven't seen this in RISKS - I first heard about it on NPR's Wait Wait
(waitwait.npr.org) as part of their truth-is-weirder-than-fiction contest,
so was initially skeptical, but it appears to be true. Seems that some
South African ATMs are equipped with pepper spray to (under software
control) spray anyone who tampers with the machines. According to the (UK)
Guardian, "the technology uses cameras to detect people tampering with the
card slots. Another machine then ejects pepper spray to stun the culprit
while police response teams race to the scene." The Guardian report says
that three servicing technicians were hit while (legitimately) repairing the
It doesn't take a rocket scientist to figure out that when there's software
involved, there are opportunities for it to go wrong. And as someone on a
blog pointed out, this technology can also be used by the bad guys - get the
ATM to trigger on a legitimate customer, and while the customer is
incapacitated, take their ATM card and whatever other valuables they have.
(and many others, which all seem to use pretty much the same text)
Date: Thu, 27 Aug 2009 14:26:30 -0700 (PDT)
From: Rob McCool <robmrobm.com>
Subject: The VA erroneously informs over a thousand vets of fatal diagnosis
Through a data maintenance error, the Veterans Affairs department recently
sent out automated letters to as many as 1200 veterans telling them that they
had the fatal neurological disorder known as Lou Gehrig's disease.
A diagnostic code was chosen many years ago for "unknown neurological
disorder". That itself is an example of the often problematic
"miscellaneous" hole in most categorization systems. Some things simply defy
categorization. Later, the diagnostic code was expanded to include Lou
Still later, the VA decided to make Lou Gehrig's disease a service-connected
disability. So they sent the automated letters to inform affected vets that
benefits were available. Up to 1200 people were erroneously informed of
this and the office is getting more than 50 calls a day from veterans in an
Date: Sat, 22 Aug 2009 02:04:00 -0400
From: Monty Solomon <montyroscom.com>
Subject: ROTC Computer Files Found in the Public Domain
Art Jahnke, Technology error exposes personal information, BU News,
20 Aug 2009
A file transfer program erroneously installed on a server in an Army Reserve
Officers' Training Corps (ROTC) office at Boston University inadvertently
exposed personal information about thousands of people affiliated with the
program. University officials say the compromised computer was taken
off-line when the breach was identified on July 28; they are working with
the U.S. Army Cadet Command to contact every person whose information was
placed at risk.
The incident involved information on 6,675 people, say University
administrators, 406 of whom are affiliated with BU. Officials believe
the rest come from ROTC branches around the country. ...
Date: Tue, 18 Aug 2009 14:30:49 +0930
From: Andrew Pam <andrewsericyb.com.au>
Subject: Hackers break into police computer as sting backfires
"An Australian Federal Police boast, on the ABC's Four Corners program
last night, about officers breaking up an underground hacker forum, has
backfired after hackers broke into a federal police computer system.
Security consultants say police appear to have been using the computer
as a honeypot to collect information on members of the forum but the
scheme came undone after the officers forgot to set a password."
Date: Fri, 28 Aug 2009 23:38:49 -0400
From: Monty Solomon <montyroscom.com>
Subject: 3 Indicted in Theft of 130 Million Card Numbers
On 24 Aug 2009, Albert Gonzalez was indicted along with two unspecified
Russian conspirators. Charges included theft of 130 million credit and
debit card numbers from late 2006 to early 2008 from various sources --
Heartland Payment Systems, 7-Eleven, Hannaford Brothers, and others. Some
of those numbers were sold online and used in identity frauds. Gonzalez is
already awaiting trial for previous cases involving T.J. Maxx (in
Massachusetts) and the Dave & Buster's restaurant chain (in New York).
[Source: Brad Stone, *The New York Times*, 18 Aug 2009; PGN-ed]
Date: Thu, 20 Aug 2009 11:15:24 -0400 (EDT)
From: "David Magda" <dmagdaee.ryerson.ca>
Subject: AT&T unable to protect Kevin Mitnick's account
It's a good thing that most people are not as "high profile" as Kevin
Mitnick, as otherwise their phone records would be practically public
> Over the past month, both HostedHere.net, his longtime webhost, and AT&T,
> his cellular provider since he was released from prison more than nine
> years ago, have told him they no longer want him as a customer. The
> reason: his status as a celebrity hacker makes his accounts too hard to
> defend against the legions of script kiddies who regularly attack them.
Of course the rest of AT&T customers' accounts are probably not better
protected and just as vulnerable. If Mr. Mitnick does change providers, I'm
curious to know if they'll do any better than AT&T has.
[Also noted by David Lesher. PGN]
Date: Sat, 22 Aug 2009 15:28:52 +0200
From: Peter Houppermans <peterhouppermans.com>
Subject: Swiss Data Protection orders Google Streetview offline
The risk of not living up to your promises when you do mass surveillance:
the Swiss newspaper NZZ reports today that the Swiss office for Data
Protection (http://www.edoeb.admin.ch) has asked Google to immediately shut
down the Swiss part of Google Streetview because it does not meet Data
Protection standards - the masking of license plates and faces is
insufficient. The (German language) article is at
I can attest to that, I had a quick browse of a place I know, and the
promised masking of faces was in quite a few cases simply absent.
The Swiss Data Protection office doesn't consider the "you can opt out if
you want" approach as acceptable, a point I can only agree with when it
comes to privacy. I've read through a Q&A
(http://preview.tinyurl.com/muor75, no English version available) with
Google provided answers, and that contains a few classics:
(a) people would know in advance where the cars would be, "so they could act
accordingly" - a fantastic idea to move your obligation to the people you're
surveilling ("just go and hide if you don't like it")
(b) you can always have your picture removed - which only requires you to
remember where exactly you saw the camera car, several months later.
It appears Google has also offered to remove house images if so required. I
think that's a bit much, but from what I've seen so far it would be a good
idea if they would at least obscure windows. The resolution of the images
is in some cases sufficient to make out what's INSIDE houses close to the
But hey, according to Google they should have had their curtains drawn when
Google came filming.
English translation available at http://preview.tinyurl.com/m3vokf.
Date: Thu, 20 Aug 2009 15:59:02 PDT
From: "Peter G. Neumann" <neumanncsl.sri.com>
Subject: Canadian model gets Google to unmask nasty blogger
Legal ruling will force Internet search giant to reveal identity of
blogger who posted derogatory comments about Liskula Cohen.
[Source: Simon Avery, *Globe and Mail*, 20 Aug 2009]
Date: Sun, 16 Aug 2009 11:27:21 +1000
From: phil colbourn <philcolbourngmail.com>
Subject: Cannot print on Tuesdays!
Today I came across an interesting bug mentioned on a blog. The problem was
that printing for some people failed occasionally. Later someone noted that
his wife had been complaining that she couldn't print on Tuesdays!
In reading through the bug report people were initially claiming that it
must be an OpenOffice bug since all other applications printed fine. Others
noted that it comes and goes. One user found a solution: To remove and purge
the system of OpenOffice and re-install (an easy task on Ubuntu). He
reported on a Thursday that this fixed his printing problem.
Two weeks later he reported (on a Tuesday) that his solution did not work
after all. Nearly 4 months later the wife of an Ubuntu hacker complained that
OpenOffice would not print on Tuesdays. I can imagine the scenario:
Wife: Steve, the printer will not work on Tuesdays.
Steve: That's the printer's day off - Of course it will not print on Tuesdays.
Wife: No, I'm serious! I can not print from OpenOffice on Tuesdays.
Steve: (Unbelieving..) Ok... Show me.
Wife: I can't show you.
Steve: (Rolling eyes..) Why?
Wife: It's Wednesday!
Steve: (Nods. He says slowly...) Right.
The problem seemed to be tracked down to a program called 'file'. This *NIX
utility uses patterns to detect file types, e.g., if the file starts with '%!'
followed by 'PS-Adobe-' then it is a PostScript file. It seems that
OpenOffice writes the date to the postscript file. On Tuesdays it takes the
form of %%CreationDate: (Tue MMM D hh:mm:...)
An error in the pattern for an Erlang JAM file meant that 'Tue' in the
PostScript file was being recognised as an Erlang JAM file and so,
presumably, it was not being sent to the printer.
The Erlang JAM file pattern is:
4 string Tue Jan 22 14:32:44 MET 1991 Erlang JAM file - version 4.2
It should have been
4 string Tue\ Jan\ 22\ 14:32:44\ MET\ 1991 Erlang JAM file - version 4.2
With the large number of file types that this program attempts to match
(over 1600) it is not surprising that errors are made in the patterns, but
also the order of matching could mean that false positives are common. In
this case, an Erlang JAM file was matched before the PostScript match
Reported as this bug:
Later made a duplicate to this bug:
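An added example, written for this digest and not taken from the bug report or from file(1)'s own source: a toy re-implementation in Python of how magic(5) tokenises a "string" rule, applied to the two rule lines quoted above. The test operand of such a rule ends at the first unescaped whitespace, so the unfixed line's test collapses to the three bytes "Tue" and everything after it becomes the description. The sample buffers are constructed for the demonstration (the JAM-like one only satisfies the fixed rule; it is not a real Erlang file, and the OpenOffice PostScript layout is not reproduced), and the matcher is first-match-wins, which is enough to show why the unescaped rule fires on any input carrying "Tue" at its offset.

```python
import re
from typing import List, NamedTuple, Optional


class MagicRule(NamedTuple):
    offset: int        # byte offset at which the test must match
    test: bytes        # the literal bytes the rule looks for
    description: str   # the text file(1) would print on a match


# magic(5) ends the test operand of a "string" rule at the first unescaped
# whitespace; a backslash-space ("\ ") is a literal space inside the test.
# This regex reproduces that for the subset "<offset> string <test> <message>".
_RULE_RE = re.compile(r"^\s*(\d+)\s+string\s+((?:\\.|\S)+)\s*(.*)$")


def _unescape(token: str) -> bytes:
    # Resolve only the escapes this example needs: "\ " -> space, "\\" -> "\".
    out = []
    i = 0
    while i < len(token):
        if token[i] == "\\" and i + 1 < len(token):
            out.append(token[i + 1])   # keep the escaped character literally
            i += 2
        else:
            out.append(token[i])
            i += 1
    return "".join(out).encode()


def parse_rule(line: str) -> MagicRule:
    """Parse one '<offset> string <test> <message>' magic line."""
    m = _RULE_RE.match(line)
    if not m:
        raise ValueError(f"unsupported magic line: {line!r}")
    return MagicRule(int(m.group(1)), _unescape(m.group(2)), m.group(3).strip())


def identify(buf: bytes, rules: List[MagicRule]) -> Optional[str]:
    """Return the description of the first rule whose bytes sit at its offset.

    Real file(1) also ranks rules by strength; first-match-wins is enough here.
    """
    for r in rules:
        if buf[r.offset:r.offset + len(r.test)] == r.test:
            return r.description
    return None


# The two rule lines quoted in the post: as shipped, and with the spaces escaped.
BUGGY_RULE = "4 string Tue Jan 22 14:32:44 MET 1991 Erlang JAM file - version 4.2"
FIXED_RULE = r"4 string Tue\ Jan\ 22\ 14:32:44\ MET\ 1991 Erlang JAM file - version 4.2"

# Constructed sample inputs (not real files). The JAM-like buffer merely
# satisfies the fixed rule; the other two are text with a weekday at offset 4.
JAM_SAMPLE = b"\x00\x00\x00\x00Tue Jan 22 14:32:44 MET 1991\x00"
TUESDAY_SAMPLE = b"Job Tue Sep  1 10:51:13 2009: spooled for printing\n"
WEDNESDAY_SAMPLE = b"Job Wed Sep  2 10:51:13 2009: spooled for printing\n"


def demo() -> dict:
    """Classify the constructed samples under the unfixed and the fixed rule."""
    buggy, fixed = parse_rule(BUGGY_RULE), parse_rule(FIXED_RULE)
    return {
        "buggy_test": buggy.test,                                # b"Tue"
        "fixed_test": fixed.test,                                # full 28-byte timestamp
        "tuesday_buggy": identify(TUESDAY_SAMPLE, [buggy]),      # misfires on a Tuesday
        "tuesday_fixed": identify(TUESDAY_SAMPLE, [fixed]),      # None
        "wednesday_buggy": identify(WEDNESDAY_SAMPLE, [buggy]),  # None: only Tuesdays
        "jam_fixed": identify(JAM_SAMPLE, [fixed]),              # genuine match
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value!r}")
```

Running it prints the unfixed rule's test as b'Tue' and its description as "Jan 22 14:32:44 MET 1991 Erlang JAM file - version 4.2", i.e. the timestamp has been swallowed into the message text, which is exactly why the rule matched on Tuesdays and on no other day.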
Date: Tue, 25 Aug 2009 21:41:43 -0400
From: David Magda <dmagdaee.ryerson.ca>
Subject: GSM's A5/1 cipher being brute forced
Looks like the GSM folks may want to think about upgrading to a better
> It will take 80 high-performance computers about three months to do
> a brute force attack on A5/1 and create a large look-up table that
> will serve as the code book, said Nohl, who announced the project at
> the Hacking at Random conference in the Netherlands 10 days ago.
> Using the code book, anyone could get the encryption key for any GSM
> call, SMS message, or other communication encrypted with A5/1 and
> listen to the call or read the data in the clear. [...]
> Carriers should upgrade the encryption or move voice services to 3G,
> which has much stronger encryption, [Karsten] Nohl said.
Is there any reason why future mobile standards shouldn't just use AES?
Given that most governments can tap phone calls for lawful purposes once the
signal hits the tower, what possible use would there be to having a weak
cipher for radio transmissions?
Date: Thu, 27 Aug 2009 01:10:45 +0800
Subject: The Pirate Bay Returns With Guns Blazing
When The Pirate Bay was shut down by the authorities yesterday many believed
that this was the end for the Internet's largest BitTorrent tracker.
A mere three hours after it went offline the site reappeared from a
The Pirate Bay team released the following statement, adapted from
Churchill's famous "We Shall Fight On the Beaches" speech.
"We have, ourselves, full confidence that if all do their duty, if nothing
is neglected, and if the best arrangements are made, as they are being made,
we shall prove ourselves once more able to defend our Internets..."
Date: Thu, 20 Aug 2009 19:31:02 -0400
From: Jeremy Epstein <jeremy.j.epsteingmail.com>
Subject: Bad questions for account retrieval
A recent study  showed that the "security questions" used for recovering
account access tend to be easily guessable, even by strangers, and the
answers are almost as frequently forgotten by the account owner. As pointed
out in that article, it's important in choosing questions that they have
relatively unchanging answers, or else customers will be unable to recall
the answer a year or two down the road when they're needed. That's of
course why questions like birthplace and mother's maiden name are "good"
from the memory perspective, even though they're bad from the security
So the other day I was helping my son apply for a student credit card at
Citibank, and was somewhat amused that the following were the *only*
questions allowed (I think you had to have answers to three of them):
(A) Best friend's last name
(B) Pet's name
(C) Favorite teacher's last name
(D) Last 4 digits of friend/relative phone #
(A) might be mined from Facebook or a similar page (a large fraction of
people will probably list their spouse's name!); if it's not their spouse,
for many people this will change over time. (*)  notes that "best
childhood friend" is frequently forgotten and fairly easily guessed; "best
friend" is both easily guessed and subject to change. As noted in , (B)
is easily guessed (although less likely to change than (A)). (C) is likely
to change over time. (D) has the disadvantages of the person changing, as
well as choosing which phone number (cell/home/work); also many of the
college students who are the target of this application don't know their
friends' phone numbers since they're all programmed into cell phone memory.
And their implementation of (E) doesn't allow you to put in a hint, but the
answer is limited to 10 characters.
The risk? In the move to trying to improve the security of backup
questions, even big companies can miss the point....
 "It's no secret: Measuring the security and reliability of
authentication via 'secret' questions", Stuart Schechter, A.J. Bernheim
Brush, and Serge Egelman, 2009 IEEE Symposium on Research in Security and
(*) For some people, the spouse's name will also change over time, but
that's outside the scope of this note.
Date: Sun, 23 Aug 2009 15:14:51 -0400 (EDT)
From: "David Lesher" <wb8fozpanix.com>
Subject: Take only pictures *we* like
Ever vigilant against terrorism, the LAPD gets specific instructions:
A Suspicious Activity Report (SAR) is a report used to document any
reported or observed activity, or any criminal act or attempted
criminal act, which an officer believes may reveal a nexus to foreign
or domestic terrorism. The information reported in a SAR may be the
result of observations or investigations by police officers, or may be
reported to them by private parties. Incidents which shall be reported
on a SAR are as follows: [...]
Takes pictures or video footage (with no apparent aesthetic value, i.e.,
camera angles, security equipment, security personnel, traffic lights,
building entrances, etc.).
There are so many fallacies here I don't know where to start.
a) People taking pictures is a terrorism problem. Well, sure, but so is
driving on freeways, and buying BBQ grill fuel, and....
b) But only *some* takers may be terrorists. Jack and Jill Instamatic,
suspect; All Kinda Productions, of course not -- terrorists can't be part of
our economic base. [Err... What BETTER way to hide an attack than fake up a
movie over same, and hire off-duty cops for security?]
c) LAPD's finest's esthetic value judgment is up to the task of
differentiating between terrorism and turkeys. Err, I've seen their HQ
building; and besides, not even the Hollywood power barons manage that task
well - witness this summer's flops such as GI Joe.
d) But NO DOUBT, the database from those SAR's shall be used both to
harass/arrest Jack & Jill's associates, and the fact that data came from a
computer renders it irreproachable. Garbage In, Garbage Out *still* does no
good and much ill.
Date: Mon, 17 Aug 2009 11:54:48 -0700
From: Drew Dean <ddeancsl.sri.com>
Subject: Re: Kentucky election fraud indictments (RISKS-25.76)
On Aug 15, 2009, at 3:26 PM, RISKS List Owner wrote:
> In the November 2009 election in Kentucky, there was a serious discrepancy
I must say, electronic voting systems have become quite advanced if
they can commit fraud in future elections! :-)
[My goof. The indictment actually covered the 2002, 2004, and 2006
elections. Ray Gardner noted that the elections affected by the ES&S user
interface exploit were just 2004 and 2006. The county didn't get those
machines until 2003. The 2002 fraud was apparently of another sort.
And I am neither prescient nor postscient. PGN]
Date: Thu, 20 Aug 2009 13:03:42 -0400
From: David Schneider <pdhq.acm.org>
Subject: Stephen Albin. The Art of Software Architecture
The Art of Software Architecture: Design Methods and Techniques
August 2009 ACM Featured Online Book for Professional Members
The ACM Featured Online Book Program focuses on books in the ACM Collection
that are highly used and highly reviewed. A different book will be featured
in each newsletter. This issue features a title from our Books24x7
Stephen Albin. The Art of Software Architecture: Design Methods and Techniques
This book synthesizes and distills information so that the practicing
software architect, and especially the beginning software architect, can
fill in the gaps in their understanding of software architecture design.
This innovative book uncovers all the steps readers should follow in order
to build successful software and systems. With the help of numerous
examples, Albin clearly shows how to incorporate Java, XML, SOAP, ebXML, and
BizTalk when designing true distributed business systems. The book not only
teaches how to easily integrate design patterns into software design, but
also documents all architectures in UML and presents code in either Java or
Bernard Kuc of Computing Reviews said "Albin presents extensive coverage of
the current state of the art in software architecture. Throughout the book,
he remains focused on software architecture. He does not give in to the
temptation of going deeper into software engineering and design, an area
already well covered elsewhere, and hence achieves coverage of a wide
breadth of material in relatively few pages."
One Amazon reviewer, who rated the book 5 stars, wrote: "This book
uses real world examples and practical advice coupled with academic rigor.
It provided tremendously helpful insights into how I can improve the efforts
of my team."
We are always looking for feedback and recommendations on our book offerings.
If you know of a book you would like ACM to consider offering, please email
me at Schneiderhq.acm.org.
David Schneider, Education Manager, Association for Computing Machinery
Date: Thu, 29 May 2008 07:53:46 -0900
Subject: Abridged info on RISKS (comp.risks)
The ACM RISKS Forum is a MODERATED digest, with Usenet equivalent comp.risks.
=> SUBSCRIPTIONS: PLEASE read RISKS as a newsgroup (comp.risks or equivalent)
if possible and convenient for you. The mailman Web interface can
be used directly to subscribe and unsubscribe:
Alternatively, to subscribe or unsubscribe via e-mail to mailman
your FROM: address, send a message to
containing only the one-word text subscribe or unsubscribe. You may
also specify a different receiving address: subscribe address= ... .
You may short-circuit that process by sending directly to either
risks-subscribecsl.sri.com or risks-unsubscribecsl.sri.com
depending on which action is to be taken.
Subscription and unsubscription requests require that you reply to a
confirmation message sent to the subscribing mail address. Instructions
are included in the confirmation message. Each issue of RISKS that you
receive contains information on how to post, unsubscribe, etc.
=> The complete INFO file (submissions, default disclaimers, archive sites,
copyright policy, etc.) is online.
The full info file may appear now and then in RISKS issues.
*** Contributors are assumed to have read the full info file for guidelines.
=> .UK users should contact <Lindsay.Marshallnewcastle.ac.uk>.
=> SPAM challenge-responses will not be honored. Instead, use an alternative
address from which you NEVER send mail!
=> SUBMISSIONS: to risksCSL.sri.com with meaningful SUBJECT: line.
*** NOTE: Including the string "notsp" at the beginning or end of the subject
*** line will be very helpful in separating real contributions from spam.
*** This attention-string may change, so watch this space now and then.
=> ARCHIVES: ftp://ftp.sri.com/risks for current volume
or ftp://ftp.sri.com/VL/risks for previous VoLume
<http://www.risks.org> redirects you to Lindsay Marshall's Newcastle archive
http://catless.ncl.ac.uk/Risks/VL.IS.html gets you VoLume, ISsue.
Lindsay has also added to the Newcastle catless site a palmtop version
of the most recent RISKS issue and a WAP version that works for many but
not all telephones: http://catless.ncl.ac.uk/w/r
==> PGN's comprehensive historical Illustrative Risks summary of one liners:
<http://www.csl.sri.com/illustrative.html> for browsing,
<http://www.csl.sri.com/illustrative.pdf> or .ps for printing
==> Special Offer to Join ACM for readers of the ACM RISKS Forum:
End of RISKS-FORUM Digest 25.77