RISKS-LIST: Risks-Forum Digest  Tuesday 23 December 2003  Volume 23 : Issue 09

FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at http://www.risks.org as
  http://catless.ncl.ac.uk/Risks/23.09.html
The current issue can be found at
  http://www.csl.sri.com/users/risko/risks.txt

Contents:
  Rotorouted New Year's greeting? (PGN)
  Loss of bus braking due to nearby illegally modified transceivers (Chiaki Ishikawa)
  "Openness" in Government (Identity withheld by request)
  GuineTel seeks ways of clamping down on scam fraud (Patrick O'Beirne)
  AOL now filtering based on whether they like embedded URLs (Stever Robbins)
  Guilt by technology (Dawn Cohen)
  Murphy's Law (Mark Brader)
  Important article on origins of Murphy's Law (Doug Mink)
  Re: Railroad accident results from deactivated crossing gates (Geoff Kuenning)
  Re: Proper understanding of "The Human Factor" (Merlyn Kline)
  Poor writing is the problem, not PowerPoint (Paul A.S. Ward)
  Re: Diebold ATMs & Nachi worm; you ain't seen nuttin' yet! (Richard I Cook)
  Re: Diebold ATMs hit by Nachi worm (Tim Panton)
  Re: Voter information up for grabs (David E. Ross)
  Re: Online issue of civil claims (Robin Crorie)
  Abridged info on RISKS (comp.risks)

----------------------------------------------------------------------

Date: Tue, 23 Dec 2003 14:07:42 PST
From: "Peter G. Neumann" <neumann@private>
Subject: Rotorouted New Year's greeting?

Yesterday I decided to schedule in advance our annual home sewer cleanout derootification for 8 Jan 2004, to get the first call in the morning on the day that our yearly guarantee expires. The dispatcher assured me that would be fine and that they would call the day before to confirm. An hour later I received a call from the plumber saying that he would arrive in 10 minutes, and apologizing for taking so long!

You probably guessed what happened. The dispatcher put the order in for 8 Jan assuming that their scheduling system would infer 2004. But the system coerced the year to 2003, and it was treated as an urgent request (that had not been filled in 11.5 months). Happy New Year!

------------------------------

Date: Sun, 21 Dec 2003 09:51:41 +0900
From: Chiaki <ishikawa@private>
Subject: Loss of bus braking due to nearby illegally modified transceivers

It has been reported widely in the Japanese press that electromagnetic interference caused by illegally modified transceivers on trucks is suspected of causing two accidents by disabling the braking system of commuter buses.

Mitsubishi Fuso Truck & Bus Corporation announced that two models of its buses are adversely affected by high-powered EMI from short distance and its braking system may not function properly under such conditions. Specifically, its braking system that detects the wheel-locking condition falsely triggers due to the EMI and thus the brake doesn't work as intended.

Two accidents were reported last year where the bus drivers reported that the brake suddenly stopped working. However, after the police investigation, no visible malfunction was found. The manufacturer continued investigation and found that high-powered radio signals emitted by a nearby transceiver (illegally modified and thus 1,000-10,000 as strong as permitted by law for such transceivers) can interfere with its braking control unit, resulting in false information that the wheels locked due to braking. Upon this false information, it seems (my interpretation from what I read various reports) that the control unit decided to release the brakes, and thus caused unintended loss of braking.

It is not known whether such illegally modified transceivers were present nearby in two accident cases. But in other two instances where loss of braking was observed, the bus drivers saw suspicious trucks nearby.

The company could reproduce the condition in live experiments, and it will refit the 2200+ cars by replacing the control unit, sensors, pipes, circuit harness, etc.

I think the company should be commended for its continued investigation after the accidents.

I have personally noticed voices of presumably truck drivers whose transceiver must have been modified to generate enormous amount of power from my audio equipment over the years. (Remember the CB radio craze of 1970's?) But this is the first time such strong emission is linked to real-world accidents.

  [I don't think so. We had CB interference knocking out cruise controls long ago. PGN]

The warning that I see and hear on airplanes during landing and take off is no longer a remote worry. I should be glad that most air runways seem to have enough distance from the nearby highway.

As we depend on computers and sensors for better control of *everything* such as cars, home appliances, the malfunctions due to external EMI must be considered carefully, but I suspect that only the military agencies who have tried to harden the fighter planes and such against the EMI caused by nuclear blasts have the technical knowhow or mentality to cope with such problems caused by unusually and possibly illegally high-powered EMI.

(Yes, I know that the FCC regulations and similar usually protect the ordinary home appliances against the run-of-the-mill EMI from computers, etc. However, I doubt that electronic home appliance makers are ready to tackle the above the normal, high-powered emission caused by illegally modified transceivers. And they are a real threat along busy traffic route today. I hate to see various home appliances behave erratically every time a truck with such a transceiver passes by. Or for that matter, a whole field filled with tiny sensors blown by a strong zap of an illegally modified transmitter. Illegal or not, such dangers are going to be real and may have wide-spread consequences in the future.)

cf.
The company web page: http://www.mitsubishi-fuso.com

I found the reference to this topic in the Japanese web pages at above URL by following links, but am not sure if English pages have the reference. The Japanese report appears dated 15 Dec 2003, so the translation may have to wait for a few more days.

------------------------------

Date: Tue, 23 Dec 2003 12:09:00 -0500
From: [Identity withheld by request]
Subject: "Openness" in Government

A while ago California, with the help of MCI, implemented an Internet based system, DROS, by which gun dealers verify that purchasers are eligible to own a gun. While searching for information on this system, I happened across the following message
  http://caag.state.ca.us/firearms/mbw.htm
which I found somewhat disturbing. However, looking further, I found the DROS users manual
  https://dros.vansis.wcom.com/wpsd/manual.pdf
which tells the users to configure their Internet Explorer security settings as follows:

  The ActiveX controls and plug-ins to Enable are
    Download signed ActiveX controls
    Download unsigned ActiveX controls
    Initialize and script ActiveX controls not marked as safe
    Run ActiveX controls and plug-ins
  If these radio buttons are set to Prompt, you will be prompted each time you log into the application. Setting them to Enable is a time saving measure.

Although it is only the gun dealers' machines that are at risk, and the DoJ system is hopefully secure, I'm not sure that I like the idea that their machines are so insecure.

------------------------------

Date: Sun, 21 Dec 2003 19:37:31 +0000
From: "Patrick O'Beirne" <mail2@private>
Subject: GuineTel seeks ways of clamping down on scam fraud

By Brian King, Balancing Act's News Update 188 (21 Dec 2003)
http://www.balancingact-africa.com

Phantom Calls

In 2003, Terri Lockwood of Indianapolis, Indiana received a phone bill with hefty charges for calls to Guinea-Bissau, a West African country she had never heard of, and much less had reason to call.
When she disputed the charges, the American operator AT&T told her that the calls were genuine, and that she or someone in her house must have called, or accessed an adult entertainment site on the Internet.

The intruder was a program that had slipped unnoticed onto the family computer, and reconfigured the connection to dial a number in Guinea-Bissau (code 245). The number, however, does not officially exist. The national operator, the regulatory body, and the International Telecommunications Union all agree that the number dialed from Terri Lockwood's computer is not programmed within the territory of Guinea-Bissau.

Communications infrastructure of the country, furthermore, could not conceivably support the graphic-intensive content production and broadcast of many adult entertainment sites. For the last few years the national operator Guine Telecom has been concerned with repairing basic telephony infrastructure damaged in a devastating civil war. At the beginning of this year Guine Telecom had no new cables to repair its network, no wires to install phones for clients, and approximately 50,000 people on waiting lists. This is not a company receiving revenue from a brisk adult entertainment business, legitimate or not, apparently conducted in its name.

The History

In 1989 the Government of Guinea-Bissau cemented a strategic partnership with Marconi (now part of the Portugal Telecom group). All international traffic to and from Guinea-Bissau would run through Marconi in Portugal. Marconi was also given the right to open and maintain bank accounts abroad in the name of Guine Telecom. Critics of the company say that management of the company became increasingly chaotic and untransparent.

Around 1996 Portugal Telecom managers set up a bank of computers at the earth station to receive pornographic calls from abroad. The calls were received at Guine Telecom and were immediately transmitted back without entering the national network.
The practice reportedly generated significant new traffic to Guinea-Bissau, and the added revenue funded new investments in infrastructure.

On June 7, 1998 a failed coup d'etat tipped the country into civil war; key infrastructure (such as the earth station) was destroyed and in the midst of it the bank of audiotext (read 'phone sex') computers. After their departure in 1998 Portugal Telecom began withholding settlement payments for international calls terminating in Guinea-Bissau, and has continued to do so.

A journalist from the major Spanish newspaper El País confirmed a so-called "epidemic" of calls to Guinea-Bissau from Spain, appearing on the bills of people who had no relationship with the country. In all these instances the Spanish operator Telefonica responded that the calls were genuine.

Around the same time, a dissatisfied Spanish pornography consumer actually called Guine Telecom to complain about the service. Technical Director Malam Fati was alerted, and so discovered for himself the existence of a number of web pages advertising live pornographic video. The pages appear to be designed to target particular countries; all are linked to a home page at www.sexhotel.com.

The pages offer 'free' access to live pornographic video without requiring credit card information. Interested viewers need only to call a number on the screen (dialing instructions from each country are included), to receive a password. These access numbers bear the (245) international code, but the regional codes are not assigned within the territory of Guinea-Bissau.

For the rest of this story, go to: http://www.balancingact-africa.com

Patrick O'Beirne, Systems Modelling Ltd., Gorey, Co. Wexford, Ireland.
+353 55 22294

------------------------------

Date: Fri, 19 Dec 2003 12:02:41 -0500
From: Stever Robbins <stever@private>
Subject: AOL now filtering based on whether they like embedded URLs

I just got this bounce message.
I was mailing a friend of mine the URL of a MOVEON.ORG Web site that's asking people to rate TV ads on effectiveness, etc., at conveying the downside of GW Bush's policies.

AOL won't even deliver the message. Apparently, since the URL has generated complaints (presumably from Bush supporters or current Govt. employees), I'm not even allowed to tell AOL users about it.

RISKS: AOL can decide they don't like a particular URL, for instance, of a topic or candidate or public opinion poll that they disapprove of, and voila -- several million people now can't even be told about that page!

In this particular case, it's hard to imagine who would complain about it other than people trying to get the page banned because it doesn't agree with their political views.

The offending URL (which I highly recommend) is double-u, double-u, double-u, bush in 30 seconds dot org.

> ----- The following addresses had permanent fatal errors -----
><....@aol.com>
> (reason: 554 TRANSACTION FAILED: (HVU:B1) The URL contained in your
> email to AOL members has generated a high volume of complaints.?? Per our
> Unsolic)

------------------------------

Date: Tue, 23 Dec 2003 09:28:47 -0500
From: "Dawn Cohen" <COHEND@private>
Subject: Guilt by technology

A friend was inspired by his sister, who just got an MP3 player installed in her car. He wanted to do the same. He called the Mercedes dealer that he normally goes to, and asked if they could fit his car up with an MP3 player. He was politely informed that they could not. Undaunted, he asked whether an MP3 player could be installed if he was willing to put in a whole new stereo system. The gentleman on the line patiently explained that No, Mercedes does not make MP3 players available in any of their cars, new or old. As he put it, "MP3s are for people who download music. People who buy Mercedes cars can afford to buy their music."

------------------------------

Date: Tue, 23 Dec 2003 00:51:11 -0000
From: msb@private (Mark Brader)
Subject: Murphy's Law (Re: ...the Human Factor, Ladkin, RISKS-23.08)

> The classic statement of the "Bubba factor" position is a comment made
> in 1949 by Edsel Murphy ...

Um, the Edsel was a *different* classic failure.

Edward Murphy's exact words have been forgotten, and credit for the term "Murphy's Law" is now disputed. For a full investigation, or at least as good a one as we're likely to see after so many years, see:
  http://www.improb.com/airchives/paperair/volume9/v9i5/murphy/murphy0.html
and the four pages linked from it (or substitute 1 through 4 for the 0).

Mark Brader, Toronto, msb@private

------------------------------

Date: Tue, 23 Dec 2003 14:22:49 -0500
From: Doug Mink <dmink@private>
Subject: Important article on origins of Murphy's Law (Re: Ladkin, R-23.08)

> The classic statement of the "Bubba factor" position is a
> comment made in 1949 by Edsel Murphy, ...

I have seen numerous references to Edsel Murphy as the originator of the famous law, but this was the first reference with more details. "Edsel" seemed to me to be too uncommon to be associated with both a humorous failure of an automobile (and the scion of major manufacturing family) and a humorously successful law, so I looked into the matter on the Web. After several unsuccessful searches, I hit the jackpot with Nick Spark's article, "The Fastest Man on Earth", on the September/October Annals of Improbable Research, and available on their web site, HOT A.I.R.
  http://www.improb.com/airchives/paperair/volume9/v9i5/murphy/murphy0.html

It gives a very good history of the relationship between Colonel John Paul Stapp (once the Fastest Man of the title), Project MX981, Captain *Edward* Murphy, and the famous Law, and is must reading for RISKS readers who daily do battle with the consequences of Murphy's Law.

Doug Mink, Smithsonian Astrophysical Observatory

------------------------------

Date: Tue, 23 Dec 2003 00:15:36 -0800 (PST)
From: Geoff Kuenning <geoff@private>
Subject: Re: Railroad accident results from deactivated crossing gates

A friend once told me that in the Great Plains there are many accidents of this sort each year. Most crossings are completely unguarded, and at night a train on an unlit level crossing is almost completely invisible.

The friend pointed out that the cure is both trivial and cheap: all railroad cars should be required to have reflectors (or reflective paint) on the sides. But it would cost a lot of money (in aggregate, though very little per $100K car) and thus the railroads have steadfastly resisted the passage of any such regulation. Meanwhile, people continue to die.

The funny thing is, that reflective paint could be used for some very valuable advertising...

Geoff Kuenning geoff@private http://www.cs.hmc.edu/~geoff/

  [Ah, another nice low-tech solution. PGN]

------------------------------

Date: Fri, 19 Dec 2003 10:28:27 -0000
From: "Merlyn Kline" <merlyn@private>
Subject: Re: Proper understanding of "The Human Factor" (Norman, R-23.07)

> No wonder we continue to have problems. It is this attitude of developers
> that cause the very problems they complain about.

Isn't this a bit reversed? Yes, developers complain that they must devote more effort than they would like to ensuring that their software works in the face of operator-generated adversity. But in making that complaint they are recognising the requirement. And it *is* a requirement.

As if to underline all this, what is the very next story in the digest I am responding to?...

> A homeland officer who read the first prank e-mail but did not note the
> April Fools reference, and did not read the second e-mail, processed
> paperwork that authorized the detainee's release from a county jail on 2
> Apr.

Could a system have been devised that would have prevented that?
Could such a system have been embodied in the administrative software that is (presumably) used to run these processes?

------------------------------

Date: Tue, 23 Dec 2003 05:13:55 +0000 (UTC)
From: pasward@private (Paul A.S. Ward)
Subject: Poor writing is the problem, not PowerPoint (Garfinkel, Re: R-23.08)

> the problem is that many engineers are simply poor verbal communicators.

Without disagreeing with the above statement (Heaven knows, I've read enough poorly-worded documents by students to be firmly convinced of this point), I would argue that PowerPoint, and moreso WYSIWYG systems, are a contributing factor. Specifically, WYSIWYG systems lead to a focus by the user on appearance, not on structure or content.

------------------------------

Date: Tue, 23 Dec 2003 06:04:56 -0600
From: Richard I Cook <ri-cook@private>
Subject: Re: Diebold ATMs & Nachi worm; you ain't seen nuttin' yet! (R-23.04)

Steve Summit wrote in RISKS-23.04 about "several Diebold Automatic Teller machines...built atop Windows XP Embedded...infected by the "Nachi" worm last August and his concern about "critical functions [being]implemented using less-than-rugged components such as "consumer grade" operating systems."

It is interesting that, even at this rather advanced stage, we have so little 'feel' for the ways in which creating large, dependent socio-technical systems creates new -- and often startlingly large -- vulnerabilities. To describe an operating system as "consumer grade" implies that there are real alternatives available. But there are few such alternatives. New applications depend on the rich feature sets found in large operating systems and the problems with security and reliability of these are well known, albeit not well understood. A good deal of this seems to me to be related to version control and maintenance activities and the corrosive nature of the cost equation -- we have these systems, after all, because they are cheaper, not because they are more reliable!

ATMs are IMHO small potatoes. The U.S. Institute of Medicine has just released "Patient Safety: Achieving a New Standard for Care" (http://www.iom.edu/report.asp?id=16663) which continues the IOM's theme of making safety through the creation of higher orders of computing systems -- basically an everything-is-connected-to-everything sort of model in which the entire process of healthcare delivery is mediated using computers in networks -- by outlining the needs for standards for data communications between systems. The rosy future is a world where your physician (or some robotic analog) 'writes' a prescription into a computer and there is nothing human in the way until the pill pops into your open mouth. Comparatively little attention has been paid to what the actual operating characteristics of a system composed of 106 Windows machines of 10^3 or 10^4 configurations running 10^8 to 10^9 lines of code might be.

I foresee an era when this trend is reversed and we deliberately uncouple systems into smaller, isolated subsystems; where software change is deliberately retarded in the hope of achieving stability; where end-to-end automated processes are broken apart and human intermediaries inserted in an effort to produce robust behavior of the larger entity; and where security and privacy issues drive large parts of the healthcare system completely 'off-line' so as to make them 'invisible'. Because healthcare reimbursement from Federal and insurance sources will be tied directly into on-line record keeping and so-called "quality measurement" computing, portions of healthcare delivery will be paid for out-of-pocket, essentially dividing the system into the "white" (visible, regulated, tabulated, on-line) system and the "black" (off-line, cash-and-carry, AMFYOYO) system.
In addition, you may find springing up a cottage industry of configurators, people capable of making your small, independent, unconnected, archaic, but quite useful computer nets working without connecting them to the larger world.

"Burning chrome" here we come!

------------------------------

Date: Fri, 19 Dec 2003 9:00:00 0000
From: Tim Panton <tpanton@private>
Subject: Re: Diebold ATMs hit by Nachi worm (Dean, RISKS-23.07)

Drew Dean describes the tendency of 'security professionals' to focus on their specialty and not on the what might be called the "bigger picture".

It seems to me that there are two ways to fix this problem. The first is to spread the awareness of security in the programming community, de-specializing it and making it a core competence expected from designers. (we have made a small step here in this direction by making risks compulsory reading for all software engineers)

The second way is for managers to incorporate computer security into their analysis of business risks when developing or adopting a new product (again de-mystifying it).

As an aside, I don't quite buy Drew Dean's analysis of the ATM situation. ATMs require frequent human intervention, to fill them with cash. This puts them in a different category from fully autonomous systems, like weather stations or unmanned space craft, where being able to force an upload of patches without onsite intervention is clearly "a good thing".

I think the thing that shocks me about the ATM story is the reliance on stock protocols with apparently no more security than I apply to my desktop systems. I mean, why not configure it to only accept signed updates, or only updates from a shortlist of ip addresses?

Yes, the world is a messy place, but I think I like the emerging computing monoculture even less.

------------------------------

Date: Fri, 19 Dec 2003 07:52:32 -0800
From: "David E. Ross" <david@private>
Subject: Re: Voter information up for grabs

Selling voter information to candidates is a very old situation. And it's not necessarily bad. (The lists are sold and not given away only because of the cost of printing them; the same is true of lists sold in electronic form.) Early on, the lists were available to anyone. With the increased concern about privacy, they are now available only to legitimate candidates and campaign committees.

When I ran for local school board in the late 1970s and through the 1980s, I bought voter lists from the Registrar of Voters for 25c a page. That allowed me to focus my door-to-door campaign on homes where actual voters lived.

In a neighboring city, a city council candidate used her list to challenge illegally registered voters, individuals who registered from their business addresses (inside the city) instead of their residential addresses (outside the city, some in a different county) as required by California election law. Only persons who registered within the city were eligible to vote in the city council election. Some business owners perceived her as anti-business and wanted to vote against her. (She won anyway, served several terms, and is now in the State Legislature.)

At each election, the lists are posted outside the polling places for public inspection. Anyone can review these lists and write down (or photograph) their contents.

I can drive to the county recorder's office. There, I can review the lists of property owners and the assessed values of their homes. I can browse through all the recordings of liens, quit-claims, and title changes. Some of those recordings also include wills and other declaratory statements.

The point is: Some records of personal information are indeed public. They have been public in paper form for over a century. The fact that they are now public in electronic form is not necessarily bad. Bad uses of these data occurred before computers, and bad uses occur now.
Laws against those bad uses may be older than the computer.

While I am very concerned about privacy (and upset about the new federal law that invalidates the stronger California privacy law), I feel that privacy concerns should not eliminate the public availability of what have traditionally been public records.

David E. Ross <http://www.rossde.com/>

------------------------------

Date: Fri, 19 Dec 2003 16:33:46 +0000
From: Robin.Crorie at cheshire.pnn.police.uk
Subject: Re: Online issue of civil claims (RISKS-23.06)

You are still referring to this service as new...??

Actually, "Money Claim Online" is not at all a new service - I've used it twice in the last couple of years, first issuing a summons with it on 22 Feb 2002.

Whilst the potential risks are worthy of examination, those relating to potential use of the service whilst masquerading as a third party need to take into account the fact that there are *no identity checks whatsoever* when using the existing paper-based system. To my knowledge, there haven't been any related high-profile issues regarding this service yet, over this two-year period.

I won't even *dare* mention ID cards... oops I just did... :-)

------------------------------

Date: 7 Oct 2003 (LAST-MODIFIED)
From: RISKS-request@private
Subject: Abridged info on RISKS (comp.risks)

 The RISKS Forum is a MODERATED digest. Its Usenet equivalent is comp.risks.
=> SUBSCRIPTIONS: PLEASE read RISKS as a newsgroup (comp.risks or equivalent)
 if possible and convenient for you. Alternatively, via majordomo,
 send e-mail requests to <risks-request@private> with one-line body
   subscribe [OR unsubscribe]
 which requires your ANSWERing confirmation to majordomo@private .
 If Majordomo balks when you send your accept, please forward to risks.
 [If E-mail address differs from FROM: subscribe "other-address <x@y>" ;
 this requires PGN's intervention -- but hinders spamming subscriptions, etc.]
 Lower-case only in address may get around a confirmation match glitch.
   INFO [for unabridged version of RISKS information]
 There seems to be an occasional glitch in the confirmation process, in which
 case send mail to RISKS with a suitable SUBJECT and we'll do it manually.
 .UK users should contact <Lindsay.Marshall@private>.
=> SPAM challenge-responses will not be honored. Instead, use an alternative
 address from which you NEVER send mail!
=> The INFO file (submissions, default disclaimers, archive sites,
 copyright policy, PRIVACY digests, etc.) is also obtainable from
   http://www.CSL.sri.com/risksinfo.html
   ftp://www.CSL.sri.com/pub/risks.info
 The full info file will appear now and then in future issues. *** All
 contributors are assumed to have read the full info file for guidelines. ***
=> SUBMISSIONS: to risks@private with meaningful SUBJECT: line.
 *** NEW: Including the string "notsp" at the beginning or end of the subject
 *** line will be very helpful in separating real contributions from spam.
 *** This attention-string may change, so watch this space now and then.
=> ARCHIVES: http://www.sri.com/risks
 http://www.risks.org redirects you to the Lindsay Marshall's Newcastle archive
 http://catless.ncl.ac.uk/Risks/VL.IS.html [i.e., VoLume, ISsue]
 Lindsay has also added to the Newcastle catless site a palmtop version
 of the most recent RISKS issue and a WAP version that works for many but
 not all telephones: http://catless.ncl.ac.uk/w/r
 http://the.wiretapped.net/security/info/textfiles/risks-digest/ .
 http://www.planetmirror.com/pub/risks/ ftp://ftp.planetmirror.com/pub/risks/
==> PGN's comprehensive historical Illustrative Risks summary of one liners:
 http://www.csl.sri.com/illustrative.html for browsing,
 http://www.csl.sri.com/illustrative.pdf or .ps for printing

------------------------------

End of RISKS-FORUM Digest 23.09
************************