RISKS-LIST: Risks-Forum Digest  Thursday 1 June 2006  Volume 24 : Issue 30

ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, moderator, chmn ACM Committee on Computers and Public Policy

***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org> as
  <http://catless.ncl.ac.uk/Risks/24.30.html>
The current issue can be found at
  <http://www.csl.sri.com/users/risko/risks.txt>

  Contents:
EU blocks US access to flight data (Duane Thompson)
Computer outage hits Montana state government (Paul Goble)
Irish ATM pays double; ethical dilemma (Gerard McCarry)
$8 million for self-parking charge (Geoff Kuenning)
China fielding cyberattack units (Peter Gregory)
College Door Ajar for Online Criminals (Lynn Doan via PGN)
Computer c*ck-up finds e-r-e-c-t-i-o-n hard to handle (Nick Rothwell)
Why the Democratic Ethic of the World Wide Web May Be About to End
  (Adam Cohen via Monty Solomon)
Risks of Dishonest Hosting Providers (Roger Strong)
Nationwide's Website Refuses Customer Feedback (Chris Brady)
Black Frog: next generation botnet. No generation spam fighting (Gadi Evron)
Symantec Denies 'Highly Severe' Antivirus Flaw (Ed Sutherland via PGN)
Re: NASA's DART spacecraft smashes into satellite (Robert P Schaefer)
Re: National Weather Center ... Bad Data (Amos Shapir)
Re: Comcast outage and backup (Craig Partridge)
Re: Cellphones (Les Denham)
Re: Google Captcha (Thomas Insel)
Re: Over-reliance on satellite navigation (Matt Roberds)
Re: Man Gets $218 Trillion Phone Bill (Marc Auslander, Andrew Klossner,
  Scott Peterson)
Abridged info on RISKS (comp.risks)

----------------------------------------------------------------------

Date: Tue, 30 May 2006 06:08:51 -0700 (PDT)
From: Duane Thompson <dst@private>
Subject: EU blocks US access to flight data

Good for the EU! It seems that the EU will protect my privacy better than the
U.S. will.
"The EU's highest court today blocked an agreement to give the US information
about transatlantic air passengers. The European court of justice ruling said
the US did not provide adequate protection for air passengers' privacy. ..."

Guardian Unlimited, more at:
http://www.guardian.co.uk/eu/story/0,,1786002,00.html

------------------------------

Date: Wed, 31 May 2006 08:30:38 -0600
From: "Paul Goble" <pg@private>
Subject: Computer outage hits Montana state government

A hardware failure immobilized Montana state government from 1:30am on 22 May
2006 until 2:00am the next day. The hardware failure affected the "vast
majority of services and computers" including things such as the state Justice
Department, drivers' licences and wildlife permits. Apparently key services
such as law enforcement were affected at first but were "rerouted." Dawn
Pizzini of the Information Technology Services Division is quoted as saying,
"We would have never assumed that that many components in that piece of
equipment would fail."

http://edition.cnn.com/2006/TECH/05/23/computer.outage.ap/
http://www.helenair.com/articles/2006/05/24/montana/a08052406_01.txt

Paul Goble <pg@private>

------------------------------

Date: Tue, 30 May 2006 21:57:25 -0400
From: "Gerard McCarry" <gmccarry@private>
Subject: Irish ATM pays double; ethical dilemma

The risk of taking advantage of a glitch
http://news.bbc.co.uk/2/hi/uk_news/northern_ireland/5019012.stm

------------------------------

Date: 23 May 2006 14:29:53 -0700
From: Geoff Kuenning <geoff@private>
Subject: $8 million for self-parking charge

A humor column in today's *LA Times* featured a photograph of a self-pay
parking kiosk with a mis-set date of 16 May 1943, showing an amount due of
$8,082,022.84. Sanity checking, you ask? Not bloody likely. An auxiliary
display shows the fee in larger characters; it reads 8.1E+6.
When you have a programmer so clueless as to calculate money values in floating
point, there is little hope for subtleties like sanity checking.

As a side point, I'm fascinated that things like parking kiosks now use chips
powerful enough to have floating-point support, at least as a library. A
4-bitter would be adequate for the task, though it's not clear to me that this
particular programmer could have written the code needed to compute the fee on
a 4-bit machine.

Geoff Kuenning  geoff@private  http://www.cs.hmc.edu/~geoff/

------------------------------

Date: Tue, 30 May 2006 15:07:24 -0700 (PDT)
From: Peter Gregory <petergregory@private>
Subject: China fielding cyberattack units

From the nation that enjoys U.S. Most Favored Nation trade status, and a
permanent member of the WTO...

China is stepping up its information warfare and computer network attack
capabilities, according to a Department of Defense (DoD) report released last
week. The Chinese People's Liberation Army (PLA) is developing information
warfare reserve and militia units and has begun incorporating them into broader
exercises and training. Also, China is developing the ability to launch
preemptive attacks against enemy computer networks in a crisis, according to
the document, ``Annual Report to Congress: Military Power of the People's
Republic of China 2006.'' The Chinese approach centers on using civilian
computer expertise and equipment to enhance PLA operations, the DoD report
states.

Report: http://www.defenselink.mil/pubs/china.html

[Source: *Federal Computer Week*, 25 May 2006]
http://www.fcw.com/article94650-05-25-06-Web

------------------------------

Date: Tue, 30 May 2006 10:55:33 PDT
From: "Peter G. Neumann" <neumann@private>
Subject: College Door Ajar for Online Criminals

Hackers discover that universities are rich in personal data and easier prey
than banks.
Since January, at least 845,000 people have had sensitive information
jeopardized in 29 security failures at colleges nationwide. ...

[Source: Lynn Doan, *Los Angeles Times*, 30 May 2006]
http://www.latimes.com/technology/la-me-hacks30may30,0,1085392.story?coll=la-home-headlines

------------------------------

Date: Tue, 30 May 2006 17:40:52 +0100
From: Nick Rothwell <nick@private>
Subject: Computer c*ck-up finds e-r-e-c-t-i-o-n hard to handle

Two e-mail messages objecting to a home extension failed to reach a council
planning department because their computer system blocked the word
"e-r-e-c-t-i-o-n". Commercial lawyer Ray Kennedy, from Middleton, Greater
Manchester, claims he sent three e-mails to Rochdale council complaining about
his neighbour's plans. But the first two messages failed to reach the planning
department because the software on the town hall's computer system deemed them
offensive. When his third e-mail, containing the same word, somehow squeezed
through, it was too late. A planning officer told Mr Kennedy that his
next-door neighbour's proposals had already been given the go ahead.

[Source: *The Guardian* online, 30 May 2006; slightly PGN-ed to avoid filtering]
http://society.guardian.co.uk/localgovt/story/0,,1786189,00.html

------------------------------

Date: Tue, 30 May 2006 00:21:10 -0400
From: Monty Solomon <monty@private>
Subject: Why the Democratic Ethic of the World Wide Web May Be About to End
  (Adam Cohen)

Editorial Observer
Why the Democratic Ethic of the World Wide Web May Be About to End

The World Wide Web is the most democratic mass medium there has ever been.
Freedom of the press, as the saying goes, belongs only to those who own one.
Radio and television are controlled by those rich enough to buy a broadcast
license. But anyone with an Internet-connected computer can reach out to a
potential audience of billions. This democratic Web did not just happen.
Sir Tim Berners-Lee, the British computer scientist who invented the Web in
1989, envisioned a platform on which everyone in the world could communicate
on an equal basis. But his vision is being threatened by telecommunications
and cable companies, and other Internet service providers, that want to impose
a new system of fees that could create a hierarchy of Web sites. Major
corporate sites would be able to pay the new fees, while little-guy sites
could be shut out. ...

[Source: Adam Cohen, *The New York Times*, 28 May 2006]
http://www.nytimes.com/2006/05/28/opinion/28sun3.html?ex=1306468800&en=cd83b09b58c721a6&ei=5090

------------------------------

Date: Fri, 26 May 2006 15:52:38 -0500
From: "Roger Strong (Computers)" <rogers@private>
Subject: Risks of Dishonest Hosting Providers

Slashdot has a thread on Identifying and Avoiding Dishonest Hosting Providers:
http://ask.slashdot.org/askslashdot/06/05/26/0034248.shtml

One story that stood out:

"One place I looked at promised backup power. Then when I asked to see it,
they explained that they only had the fittings and a contract for a backup
generator that would be delivered in a couple of hours. Given that they are in
San Francisco, that's a stupid plan, my-nurse-only-lets-me-use-a-spoon stupid;
in an earthquake, their provider wouldn't have enough generators and probably
wouldn't be able to deliver them anyhow."

Lesson learned: If your business depends on it being available, go tour the
facilities. Verify that the generators, switching and backup systems and
redundant data pipes exist, and occasionally get tested.

------------------------------

Date: Wed, 31 May 2006 10:51:48 +0100 (BST)
From: Chris Brady <chrisjbrady@private>
Subject: Nationwide's Website Refuses Customer Feedback

Wishing to report a number of different phishing emails sent to Nationwide
Building Society (UK) customers, including myself, I searched their website
for a) an email address, &/or b) a feedback form.
The urgency was to alert the technical team to get the false websites closed
down. BUT there was NO contact email address on their website - not one.
However I found a customer information request form and a website feedback
form. I duly completed both of these, including a cut & paste of the text of
the offending emails, but with both when I clicked 'Submit query' I got the
response 'Page Not Found.'

I wonder how Nationwide stays in business when it can't even get a couple of
feedback forms working. This is not the first company I've had similar
problems with. It seems that few companies with a website presence actually
want feedback from customers.

CJB.

------------------------------

Date: Thu, 25 May 2006 03:42:41 -0500 (CDT)
From: Gadi Evron <ge@private>
Subject: Black Frog: next generation botnet. No generation spam fighting

Black Frog - a new effort to continue the SO-CALLED Blue Security fight
against spammers. A botnet, a crime, a stupid idea that I wish would have
worked.
http://news.google.com/news?q=black+frog

Blue Frog by Blue Security was a good effort. Why? Because they wanted to
"get spammers back". They withstood tremendous Distributed Denial of Service
(DDoS) attacks and abuse reports, getting kicked from ISP after ISP. They
withstood the entire antispam and security community and industry saying they
are bad.

The road to heaven is filled with good intentions. Theirs was golden, but they
got to hell, quite literally, nonetheless.

They did not hurt any spammer (okay, maybe one), as their attacks reached
servers spammers already moved from, domains spammers already dumped for the
sake of thousands of other bulk-registered throw-away domains and so on.

Their attacks did reach hacked machines which hosted other sites. Their
attacks reached ISPs with other users and their attacks hurt the Internet as
well as these other legitimate targets.

Blue Security also got a lot of PR, good and bad, but they were not here
first.
Lycos Europe with their "make love not spam" effort was. ISPs globally
null-routed that service, as it was indeed, much like Blue Security's, a DDoS
tool by the use of a botnet. A botnet in this case being numerous computers
controlled from a centralized point to launch, say, an attack.

Lycos Europe soon realized their mistake and took their service off the air.
Blue Security had 5 million USD of VC money to burn, so they stayed.

Even if they did reach spammers with their attacks (which they didn't), they
would still hurt so many others with the attacks, and the Internet itself.

When Blue Security came under attack they themselves said how DDoS attacks are
bad, and their fallout hurts so much more than just their designated target.
That said, who is to determine said target?

When Blue Security went down, some of us made a bet as to when two bored guys
sitting and planning their millions in some cafe would show up, with Blue
Security's business plan minus the DDoS factor.

Well - they just did. Thing is, a P2P network is just as easy to DDoS. It has
centralized points. It is, indeed, a botnet.

I want to kick spammer behind too, but all I would accomplish by helping these
guys is performing illegal attacks and hurting the Internet as well as
innocent bystanders.

This business model will not last. It will get PR, but it will not be alone.
10 other efforts just such as this will follow. Now that Black Frog made their
appearance - sooner rather than later. How long is this journey of folly going
to continue?

Any service provider which hosts them is as guilty of the illegal DDoS attacks
as anyone who signs up with them.

The way to kick spammer behinds is to, plain and simple, put them in jail.
I.e., change the economics. Make it more risky and less cost-effective for
them Bad Guys to spam.

I will keep updating about this latest useless harmful project on the blog
where this is written, http://blogs.securiteam.com.

Stop Black Frog Now.
------------------------------

Date: Sat, 27 May 2006 10:52:50 PDT
From: "Peter G. Neumann" <neumann@private>
Subject: Symantec Denies 'Highly Severe' Antivirus Flaw

Could Symantec's antivirus software, guarding company as well as government
computers, include a backdoor allowing hackers access to corporate data? The
flaw could impact users of Symantec AntiVirus Corporate Edition 10.0 and
Symantec Client Security 3, according to eEye: the security vulnerability can
"compromise affected systems, allowing for the execution of malicious code
with system level access" and requires no user interaction.
[Source: Ed Sutherland, *Internet News*, 26 May 2006; PGN-ed]
http://www.internetnews.com/security/article.php/3609501

  [A subsequent report on 31 May indicates that Symantec has fixed the
  problem.  PGN]

------------------------------

Date: Tue, 30 May 2006 11:25:48 -0400
From: "Schaefer, Robert P (US SSA)" <robert.p.schaefer@private>
Subject: Re: NASA's DART spacecraft smashes into satellite (RISKS-24.29)

An article titled "Multiple Errors Cause DART Rendezvous Mission Mishap",
*Space News*, 22 May 2006, states that the 70-page NASA report on this mishap
will not be released because it contains sensitive material protected by ITAR.
ITAR restrictions may also have been a contributing cause, i.e., people who
should have talked to each other about technical issues/misunderstandings were
prevented from talking to each other by law.

------------------------------

Date: Mon, 29 May 2006 18:01:20 +0300
From: "Amos Shapir" <amos083@private>
Subject: Re: National Weather Center ... Bad Data (Kamen, RISKS-24.29)

Ever since the days when weather observations were fed by phone or telex (5
bits per character, no parity bits or CRC) to weather centers where maps were
drawn by hand, professional weather people have developed an almost instinctive
ability to spot weird data, and ignore it when analyzing weather maps.
Based on their experience, they could even make an educated guess about the
possible correct values of bad data.

But letting some AI algorithm smooth out such data blips may be Risky. What if
weather conditions did change abruptly? While stationed in a desert observation
post in a previous life, I sometimes had to explain to a bewildered Air Force
colonel that yes, the temperature here did rise by 10 C over the past half
hour, and yes, the wind is 60 knots with zero visibility due to a sandstorm.
Now try to explain that to a data-bot!

Nowadays there are many more situations in which professional people are taken
"out of the loop", and data untouched by humans ends up being presented to lay
people, including decision makers, who use it without being aware of its origin
and quality. This is a known Risk, and seems to be unavoidable. In that case,
it's better that these people be presented with raw data and be able to spot
errors (like Ben Kamen did), than automatically processed data which might hide
irregularities. When analyzing weather data, such irregularities are exactly
what you don't want to miss!

------------------------------

Date: Tue, 30 May 2006 16:39:05 -0400
From: Craig Partridge <craig@private>
Subject: Re: Comcast outage and backup (Duncan, RISKS-24.29)

> The Risk for Comcast? Never assume your backup generator will be there
> when you need it. Test, test, test for power outages before they happen.

I just wanted to point out that testing the backup system regularly does not
ensure it works.

When we did the NRC study on the Internet's performance on 9/11, I was
surprised to learn that ISPs find that their backup power systems fail about
1 time in 10. (ref: "The Internet Under Crisis Conditions", p. 24, note 2).
This is from ISPs that test regularly (e.g. once a month) and the number comes
from their experiences with the tests (that is, in one test in ten, the backup
system doesn't pick up cleanly).

So the challenges are more subtle.
How should an ISP invest in and plan for the recovery process for that 1 time
in 10 outage? Designing that process right is hard. For example, one ISP I
know had a policy of *NOT* allowing systems personnel into their facility
immediately after the rare case of power loss and then being restored to key
systems. Because power loss was such a rare event, the ISP used this
experience as a chance to audit installation procedures that were supposed to
ensure that every system "just came up" when power was restored -- they'd
often find a system did not just come up.

craig@private or craig@private

------------------------------

Date: Thu, 04 May 2006 00:42:18 GMT
From: Les Denham <les@private>
Subject: Re: Cellphones (RISKS-24.27)

> The results: Inattentiveness caused by drivers using a
> cell phone, applying makeup, and being distracted from the
> road -- all caught on videotape -- cause nearly 80 percent
> of crashes and 65 percent of near-crashes ...

That's an interesting conclusion. Cellphones have gone from a rare luxury to
ubiquitous in the last ten years. Yet over the same time period, automobile
accidents have declined steadily: from 1994 to 2004 the fatality rate per 100
million miles has gone from 1.73 to 1.44, and the injury rate from 139 to 94.
For cars (which are the most common vehicles) the numbers for fatal crashes
went from 2.07 to 1.57, injury crashes from 191 to 123, and property-only
crashes from 351 to 260 over the same period. (All statistics from
http://www-nrd.nhtsa.dot.gov/pdf/nrd-30/NCSA/TSFAnn/TSF2004.pdf )

I'd say the claim that cellphones are one of the major causes of traffic
accidents fails the basic test of common sense. My guess -- based on personal
observation -- is that the same idiots who cause accidents by being distracted
in other ways are the ones who cause accidents involving cellphone use.
If, for example, a study finds 50% of accidents involve cellphones, that
statistic is meaningless without a measurement of the proportion of drivers
using cellphones. In Houston, where I live, informal observation suggests
about 50% of drivers in rush hour traffic are using cellphones, and that
doesn't count the ones using hands-free devices, or the ones with tinted
windows.

------------------------------

Date: Thu, 11 May 2006 15:39:10 -0700 (PDT)
From: Thomas Insel <tinsel@private>
Subject: Re: Google Captcha (Johnson, RISKS-24.28)

> It would be interesting to find out the back story on this problem and why
> the "solution" is so broken for users of the search service.

It's not generally deployed -- Google does this defensively when they see
excessive traffic from a particular source address or network. Causes could
include a virus such as MyDoom or an aggressive script. I suspect that it's
"broken" because they want to annoy you into fixing whatever's triggering the
message.

------------------------------

Date: Sat, 27 May 2006 02:48:56 +0000
From: mroberds@private
Subject: Re: Over-reliance on satellite navigation (Schwarz, RISKS-24.29)

> The North East Ambulance Service is equipped with satellite navigation
> [which] isn't fully informed on roads too narrow for the ambulance model.

It is probably more cost-effective to modify the navigation software, but
perhaps they should buy some narrower ambulances, especially if they are
already aware of streets that are too narrow for their current vehicles.

http://www.neambulance.nhs.uk/CommercialServices/Index/Index.htm shows a
technician working on an ambulance that appears to be based on a Mercedes-Benz
van that is sold as a Dodge or Freightliner "Sprinter" in the US. It appears
that the cab is stock, but the ambulance box is wider than the stock van body.
http://www.cornermotors.com/images/sprinter_dimensions.jpg shows that the
width of a US-model Sprinter, excluding the external mirrors, is either 76.2"
(1935 mm) or 78.6" (1996 mm) depending on load capacity. By contrast,
ambulances based on a stock Volkswagen Transporter, with a stock body width of
68.9" (1750 mm), have been successfully used in Europe.

Matt Roberds <mroberds@private>

  [For those of you who relish the risks of overly long vehicles, as opposed
  to overly wide vehicles, this one is quite amusing.
  http://www.travelingtiger.com/tiensblog/2006/05/beached-suv-limo.html
  PGN]

------------------------------

Date: Sat, 27 May 2006 10:33:16 -0400
From: Marc Auslander <marcslists@private>
Subject: Re: Man Gets $218 Trillion Phone Bill (Gold, RISKS-24.29)

"... I'm not impressed with the proposed representation. There is *no*
advantage to representing things in decimal. ..."

In fact, there are serious practical programming advantages to decimal
arithmetic in commercial programming. This is because the laws and customs
related to rounding are stated in decimal terms. You can of course always get
the right answer in binary, but it involves carefully scaling each number to
the correct decimal precision so the rounding is correct.

For example, many procedures need to be correctly rounded to the nearest mil,
that is 1/1000 of a dollar. In binary, you need to represent amounts in mils
to get the rounding right, then convert back to dollars and cents or dollars
and mils for other purposes. In decimal, it all just works, of course.

  [Some similar comments from Dik Winter.  PGN]

------------------------------

Date: Sun, 28 May 2006 21:26:38 -0700
From: Andrew Klossner <andrew@private>
Subject: Re: Man Gets $218 Trillion Phone Bill (Gold, RISKS-24.29)

> There is *no* advantage to representing things in decimal.

The advantage is that, when the system rounds or truncates values, it will do
so in the way that customers expect.
Rounding 0.142 dollars to 0.14 will surprise nobody.

> Say you advertise a rate of, say 2.75%, compounded daily. That means you
> need to divide .0275 by 365.

Never. Such accounts are compounded daily but credited monthly, when the
calculation is (balance * 0.257) / 12, rounded to the nearest cent.

The rules of financial arithmetic have been codified for hundreds of years.
They cannot be implemented using fixed binary notation. Arbitrary-precision
arithmetic is completely impractical in data processing.

------------------------------

Date: Fri, 26 May 2006 14:08:21 -0700
From: Scott Peterson <scottp4@private>
Subject: Re: Man Gets $218 Trillion Phone Bill (Gold, RISKS-24.29)

At 11:30 AM 5/26/2006, Barry Gold <barrydgold@private> wrote:

I think you're expressing opinions without nearly enough information about
the environment. For example, if this happened in a COBOL program running on
an IBM mainframe your comments would be completely wrong because of the way
data is typically stored and because of the way that these computers most
efficiently perform arithmetic.

> In *any* fixed representation, there will be limits -- a largest (and
> smallest) possible exponent, the maximum number of fractional bits/digits
> that can be represented.

And that's the job of a competent programmer. To make sure that the fields
involved are large enough to hold any possible data.

> The result is an infinitely long repeating fraction, regardless whether
> you express it in decimal or in binary.

So? Pi is an infinite number but I can do calculations involving it with
sufficient accuracy for my needs when I round it to 3 or 4 decimal places. I
could care less what the rest is.

> Decimal only provides an advantage if you are dividing by 5 or 10, which
> produces a finite fraction in decimal notation but an infinite one in
> binary.

To me, this is so much gibberish. I think this simply shows unfamiliarity with
how various computers work.
Using IBM mainframes as an example, they do very efficient arithmetic in
what's called packed decimal and that's a very common format for storing
numbers. It's not as fast as binary, but when you add in the conversion
factors it's generally faster. Floating point arithmetic is slower by orders
of magnitude when you include the conversion overhead.

> If you want to represent numbers without loss of either significance
> (overflow) or precision (rounding error), you can use any of several
> package, you can write in Franz Lisp, which allows arbitrary-sized numbers
> as a built-in type.

So your solution is to rewrite the program in an obscure language on a
different platform. I think there would be easier, less expensive solutions.

------------------------------

Date: 2 Oct 2005 (LAST-MODIFIED)
From: RISKS-request@private
Subject: Abridged info on RISKS (comp.risks)

 The ACM RISKS Forum is a MODERATED digest, with Usenet equivalent comp.risks.
=> SUBSCRIPTIONS: PLEASE read RISKS as a newsgroup (comp.risks or equivalent)
 if possible and convenient for you. The mailman web interface can
 be used directly to subscribe and unsubscribe:
   http://lists.csl.sri.com/mailman/listinfo/risks
 Alternatively, to subscribe or unsubscribe via e-mail to mailman
 your FROM: address, send a message to
   risks-request@private
 containing only the one-word text subscribe or unsubscribe. You may
 also specify a different receiving address: subscribe address= ... .
 You may short-circuit that process by sending directly to either
   risks-subscribe@private or risks-unsubscribe@private
 depending on which action is to be taken. Subscription and unsubscription
 requests require that you reply to a confirmation message sent to the
 subscribing mail address. Instructions are included in the confirmation
 message. Each issue of RISKS that you receive contains information on how
 to post, unsubscribe, etc.
=> The complete INFO file (submissions, default disclaimers, archive sites,
 copyright policy, etc.)
 is online.
   <http://www.CSL.sri.com/risksinfo.html>
 The full info file may appear now and then in RISKS issues.
 *** Contributors are assumed to have read the full info file for guidelines.
=> .UK users should contact <Lindsay.Marshall@private>.
=> SPAM challenge-responses will not be honored. Instead, use an alternative
 address from which you NEVER send mail!
=> SUBMISSIONS: to risks@private with meaningful SUBJECT: line.
 *** NOTE: Including the string "notsp" at the beginning or end of the subject
 *** line will be very helpful in separating real contributions from spam.
 *** This attention-string may change, so watch this space now and then.
=> ARCHIVES: ftp://ftp.sri.com/risks [subdirectory i for earlier volume i]
 <http://www.risks.org> redirects you to Lindsay Marshall's Newcastle archive
 http://catless.ncl.ac.uk/Risks/VL.IS.html gets you VoLume, ISsue.
 Lindsay has also added to the Newcastle catless site a palmtop version
 of the most recent RISKS issue and a WAP version that works for many but
 not all telephones: http://catless.ncl.ac.uk/w/r
 <http://the.wiretapped.net/security/info/textfiles/risks-digest/> .
==> PGN's comprehensive historical Illustrative Risks summary of one liners:
   <http://www.csl.sri.com/illustrative.html> for browsing,
   <http://www.csl.sri.com/illustrative.pdf> or .ps for printing

------------------------------

End of RISKS-FORUM Digest 24.30
************************
This archive was generated by hypermail 2.1.3 : Thu Jun 01 2006 - 14:41:12 PDT
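The decimal-versus-binary arithmetic argument that runs through this issue (Kuenning on the $8,082,022.84 parking fee displayed as 8.1E+6; Auslander, Klossner and Peterson on rounding to the cent or the mil) is made in prose only. The Python below is an added example, not code from the digest or any contributor: it shows binary floating point misrounding an amount that is exact in decimal, fixed-point decimal rounding to the cent and to the mil, a fixed-point display that never degrades to exponent notation, and a bounds check that refuses a fee computed from a mis-set clock. The parking tariff, the 2.75% rate, the balance and all timestamps are constructed.

```python
"""Decimal money arithmetic with explicit rounding and a fee sanity check.

Added example, not code from the RISKS digest or any of its contributors.
Every number here (tariff, 2.75% rate, balance, timestamps) is constructed.
"""
from datetime import datetime, timedelta
from decimal import Decimal, ROUND_HALF_UP

CENT = Decimal("0.01")
MIL = Decimal("0.001")  # one mil is 1/1000 of a dollar


def round_money(amount: Decimal, unit: Decimal = CENT) -> Decimal:
    """Round half-up to the cent (default) or to the mil; financial rounding
    rules are stated in decimal, so the rounding is done in decimal."""
    return amount.quantize(unit, rounding=ROUND_HALF_UP)


def float_round_cents(amount: float) -> float:
    """The binary-float way: 1.005 is stored as 1.00499999999999989..., so
    rounding to two places gives 1.0 where a customer expects 1.01."""
    return round(amount, 2)


def monthly_interest(balance: Decimal, annual_rate: Decimal) -> Decimal:
    """Interest credited monthly: (balance * rate) / 12, to the nearest cent."""
    return round_money(balance * annual_rate / 12)


def format_dollars(amount: Decimal) -> str:
    """Fixed-point display with grouping; a Decimal never prints as '8.1E+6'."""
    return f"${amount:,.2f}"


# Constructed parking tariff.
RATE_PER_HOUR = Decimal("2.00")  # charged per started hour
DAILY_MAX = Decimal("20.00")
MAX_STAY = timedelta(days=30)    # anything longer is a clock or data fault


def parking_fee(entered: datetime, left: datetime) -> Decimal:
    """Fee in decimal dollars; implausible stays are rejected, not billed.

    A kiosk whose clock reads 1943 computes a stay of decades. Instead of
    displaying an eight-million-dollar amount, refuse the calculation so a
    human looks at the clock.
    """
    stay = left - entered
    if stay < timedelta(0):
        raise ValueError("exit time precedes entry time")
    if stay > MAX_STAY:
        raise ValueError(f"stay of {stay.days} days exceeds {MAX_STAY.days}-day limit")
    whole_days, remainder = divmod(stay, timedelta(days=1))
    hours_started = -(-remainder // timedelta(hours=1))  # ceiling division
    partial_day = min(RATE_PER_HOUR * hours_started, DAILY_MAX)
    return round_money(DAILY_MAX * whole_days + partial_day)


def demo() -> dict:
    """Run the worked cases and return the results as strings."""
    out = {
        "float_round_1.005": str(float_round_cents(1.005)),
        "decimal_round_1.005": str(round_money(Decimal("1.005"))),
        "round_0.142": str(round_money(Decimal("0.142"))),
        "round_to_mil": str(round_money(Decimal("2.8292"), MIL)),
        "monthly_interest": str(monthly_interest(Decimal("1234.56"), Decimal("0.0275"))),
        "display": format_dollars(Decimal("8082022.84")),
        "fee_1d_2h15m": str(parking_fee(datetime(2006, 5, 23, 8, 0),
                                        datetime(2006, 5, 24, 10, 15))),
    }
    try:
        parking_fee(datetime(1943, 5, 16, 9, 0), datetime(2006, 5, 23, 12, 0))
        out["fee_clock_1943"] = "accepted"
    except ValueError as err:
        out["fee_clock_1943"] = f"rejected: {err}"
    return out


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name:22} {value}")
```

Run stand-alone, the float case prints 1.0 beside the decimal 1.01, and the 1943 stay is reported as rejected rather than as a fee.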