[RISKS] Risks Digest 25.80

From: RISKS List Owner <risko_at_private>
Date: Fri, 9 Oct 2009 21:54:01 PDT
RISKS-LIST: Risks-Forum Digest  Friday 9 October 2009  Volume 25 : Issue 80

ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, moderator, chmn ACM Committee on Computers and Public Policy

***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org> as
  <http://catless.ncl.ac.uk/Risks/25.80.html>
The current issue can be found at
  <http://www.csl.sri.com/users/risko/risks.txt>

  Contents:
The computers did it -- differently (Wendell Cochran)
Lobstermen Get Wrong Number for a Hot Line (Ian Austen via PGN)
Swine flu brings down Kaiser Permanente servers (Tony Lima)
Restricted manual on avoiding leaking sensitive data is leaked (Mark Thorson)
Subject: Mass. Blue Cross physicians' personal info on stolen laptop (Kay Lazar
  via Monty Solomon)
Airline status display follies (Steven Bellovin)
For Washington Metro, it's the appearance of risk (Jeremy Epstein)
Man forged 12,500 pounds worth of train tickets (Mark Brader)
System diversity helps in power control system (Jeremy Epstein)
How Hackers Snatch Real-Time Security ID Numbers (Saul Hansell via
  Monty Solomon)
Perils of password reuse plus password security hall of shame (Jonathan Kamens)
WordPress inadvertent disclosure bug (Jonathan Kamens)
The risks of being cute, Re: Complex Machinery: a parody (Donald Norman, PGN,
  Bluejay)
Re: Snow Leopard: A gigabyte by any other name (Phil Hobbs)
Re: South Africa's Telkom: For the Birds or Not For the Birds (Richard Botting)
Re: Software never fails, people decide that it does (Paul Robinson)
Abridged info on RISKS (comp.risks)

----------------------------------------------------------------------

Date: Fri, 2 Oct 2009 10:16:31 -0700
From: Wendell Cochran <atrypa_at_private>
Subject: The computers did it -- differently

Airbus's A380 megajet is now two years behind schedule, reports
*BusinessWeek*, which goes on to say 'Use of incompatible programs takes the
rap, but behind that is a management team cobbled together from formerly
separate companies.'
http://www.businessweek.com/globalbiz/content/oct2006/gb20061005_846432.htm

------------------------------

Date: Fri, 9 Oct 2009 20:35:35 PDT
From: "Peter G. Neumann" <neumann_at_private>
Subject: Lobstermen Get Wrong Number for a Hot Line

The Canadian government announced a stimulus program for their lobster
fishery, with a toll-free number that embarrassingly had an incorrect area
code, resulting in solicitations for "nasty girls".  The president of the
Prince Edward Island Fisherman's Association put a reverse spin on the
situation: "Maybe it would have been good if the people calling the sex line
would have heard the fishing issues, giving them a bit of an education."
[Source: Ian Austen, *The New York Times*, 28 Sep 2009, National Edition, B5]

------------------------------

Date: Fri, 09 Oct 2009 09:36:19 -0700
From: Tony Lima <tony.lima_at_private>
Subject: Swine flu brings down Kaiser Permanente servers

Moday morning my wife was trying to log in to her Kaiser online account.
The server was obviously very busy; her login attempts failed repeatedly
with timeouts.  The new items on the Kaiser home page were two links to H1N1
information.  These appeared to be the cause of the problem.  The links
could have been placed on the members' home page, available only after
logging in.

RISK: making information available to the general public instead of members
only can lead to server overload. - Tony Lima (who, by the way, is otherwise
quite happy with Kaiser)

Prof. Tony Lima, Dept. of Economics, CSU, East Bay, tony.lima_at_private
http://www.cbe.csueastbay.edu/~alima  (510) 885-3889

------------------------------

Date: Mon, 05 Oct 2009 13:35:15 -0700
From: Mark Thorson <eee_at_private>
Subject: Restricted manual on avoiding leaking sensitive data is leaked

UK's Ministry of Defense 3-volume guide to avoiding leakage of sensitive
data, itself a restricted document, has been leaked.
http://www.dailymail.co.uk/news/article-1218315

------------------------------

Date: Sat, 3 Oct 2009 20:06:06 -0400
From: Monty Solomon <monty_at_private>
Subject: Mass. Blue Cross physicians' personal info on stolen laptop (Kay Lazar)

Blue Cross physicians warned of data breach;
Stolen laptop had doctors' tax IDs

The largest health insurer in Massachusetts is warning roughly 39,000
physicians and other health care providers in the state that personal
information, including Social Security numbers, may have been compromised
after a laptop containing the data was stolen in August from an employee of
the Blue Cross and Blue Shield Association's national headquarters in
Chicago.

The breach involves "tens of thousands'' of physicians nationwide, although
the precise number is unclear, according to a national Blue Cross-Blue
Shield spokesman. Thirty-nine affiliates feed information about providers
into a database maintained by the association's national headquarters.

Massachusetts doctors were not notified by letter until yesterday, because
state Blue Cross-Blue Shield officials said they did not at first know what
kind of data were on the stolen laptop. They said the data did not contain
any information about patients or personal health records.

[Source: Kay Lazar, *The Boston Globe*, 3 Oct 2009]
http://www.boston.com/news/local/massachusetts/articles/2009/10/03/blue_cross_physicians_warned_of_data_breach/

------------------------------

Date: Fri, 9 Oct 2009 22:53:47 -0400
From: Steven Bellovin <smb_at_private>
Subject: Airline status display follies

Flying -- more precisely, checking flight status -- is a wonderful way to
learn how not to design systems.

I was scheduled to fly from Pittsburgh to Newark; my flight was scheduled to
depart at 6:22pm.  That itself is probably a case of letting precision
exceed accuracy; indeed, the departure board at the airport showed a
scheduled departure time of 6:25pm.  Other flights, though, did have times
like 6:29 or 7:31 shown; admittedly, those were from different airlines.
But why would my airline show one time on its schedule and web status, and
another at the airport?

When I got to the airport, around 4:00, I saw that the 3:15 flight hadn't
left yet: "delayed", no time shown.  I went to the gate, but saw neither a
plane nor a gate agent.  Odd, especially since the web showed that the
incoming flight had indeed arrived in Pittsburgh on time.  When someone
eventually showed up, I asked if I could still get on the 3:15 flight.  "Oh,
that left a long time ago."  I asked why it was still on the displays.  He
immediately got on his radio to ask that it be deleted.  The status displays
aren't database-driven?

I checked my flight again; it showed as on time.  It showed as on time even
when the inbound plane was running 1.5 hours late.  Well, not quite; the
inbound plane was listed as departing 1.5 hours late, but arriving on time,
only four minutes after it was supposed to leave Newark.  Hmm, no sanity
checks in that display.

And my flight?  Even after the inbound flight departed, 2.25 hours late, it
still showed an on-time departure, about 1.5 hours after the web claimed the
inbound equipment will arrive.  Note that the web site actually has a link
to the inbound flight's status, so some database *knew* which plane was
involved.  And the airport display?  It showed the flight as "delayed", but
still with a departure time that wa earlier than the plan's arrival time.

The gate agent told me never to trust the web site.  I forbore to point to
the airport displays, because at that point one of her colleagues was
wondering why their information showed that the inbound plane was still
taxiing at Newark, well after it should have been in the air.  She replied
"maybe someone forgot to enter the update".

I arrived home about two hours late, musing about systems design.

Steve Bellovin, http://www.cs.columbia.edu/~smb

------------------------------

Date: Sun, 27 Sep 2009 16:09:41 -0400
From: Jeremy Epstein <jeremy.j.epstein_at_private>
Subject: For Washington Metro, it's the appearance of risk

After the deadly Metro train crash in June, the Washington Metro system
reconfigured trains so that the older ("1000 series") train cars were no
longer at the ends of trains, where they were in the deadly crash.  The
idea, as described at the time, was to put them in the middle of the train,
since the newer cars have greater survivability in a crash.

The problem is, there was no engineering to support this hypothesis.
According to the WashPost, it was a pure PR move, and in fact Metro doesn't
know if the move made the trains safer or less safe.  They were mostly
concerned about the appearance of doing something to address risk, lest the
public (and the localities that fund Metro) decide that the lack of action
meant Metro didn't care.

The RISK is that when something that looks to the public like an engineering
action has no engineering basis, we may get results that are
counterproductive.

There's minimal direct computer risk in this particular action, although
other postings have noted computer and technology risks elsewhere in the
Metro system.

http://www.washingtonpost.com/wp-dyn/content/article/2009/09/26/AR2009092602684.html?hpid=topnews

------------------------------

Date: Sat,  3 Oct 2009 05:46:49 -0400 (EDT)
From: msb_at_private (Mark Brader)
Subject: Man forged 12,500 pounds worth of train tickets

Jonathan Moore of Hove, England, described as an "IT expert", has been
sentenced for using a computer to forge 12,472 pounds worth of train tickets
that he used for his daily commute to London.  The ongoing fraud was
eventually detected by a ticket inspector who noticed that Moore's ticket
was not quite the right color.  Designs for over 70 tickets were found on
his laptop.

According to the customer services director at the train operating company,
"It is a tribute to our quick-witted staff that this thief was caught out.
Fare dodgers are robbing the rail industry of 400 million pounds a year."

http://news.bbc.co.uk/2/hi/uk_news/england/sussex/8287111.stm
http://www.timesonline.co.uk/tol/news/uk/crime/article6858680.ece

------------------------------

Date: Fri, 2 Oct 2009 08:51:54 -0400
From: Jeremy Epstein <jeremy.j.epstein_at_private>
Subject: System diversity helps in power control system

*The Inquirer* reports that a virus infestation in the electrical grid
control room of Integral Energy (Australia) was controlled by replacing the
Windows-based control consoles with the development systems that run Linux.
The SCADA systems themselves run Solaris, and the control consoles only are
used as X Window displays, so the replacement didn't require reprogramming.

This appears to be a case where diversity of implementations and plug
compatibility (Windows + X replaced by Linux + X) allowed greater resilience
than either alone.  However, the fact that the SCADA systems run Solaris is
of scant comfort - while perhaps not as strewn with viruses as Windows, it's
still not risk-free.

http://www.theinquirer.net/inquirer/news/1556944/linux-saves-aussie-electricity

------------------------------

Date: Thu, 1 Oct 2009 08:27:02 -0400
From: Monty Solomon <monty_at_private>
Subject: How Hackers Snatch Real-Time Security ID Numbers (Saul Hansell)

[From Saul Hansell's blog, *The New York Times*, 20 Aug 2009]

The world's savviest hackers are on to the "real-time Web" and using it to
devilish effect. The real-time Web is the fire hose of information coming
from services like Twitter. The latest generation of Trojans - nasty little
programs that hacking gangs use to burrow onto your computer - sends a
Twitter-like stream of updates about everything you do back to their
controllers, many of whom, researchers say, are in Eastern Europe. Trojans
used to just accumulate secret diaries of your Web surfing and periodically
sent the results on to the hacker.

The security world first spotted these new attacks last year. I ran into it
again while reporting an article in Thursday's Times about a lawsuit meant
to help track down the perpetrators of these attacks.

By going real time, hackers now can get around some of the roadblocks that
companies have put in their way. Most significantly, they are now undeterred
by systems that create temporary passwords, such as RSA's SecurID system,
which involves a small gadget that displays a six-digit number that changes
every minute based on a complex formula.

If your computer is infected, the Trojan zaps your temporary password back
to the waiting hacker who immediately uses it to log onto your
account. Sometimes, the hacker logs on from his own computer, probably using
tricks to hide its location. Other times, the Trojan allows the hacker to
control your computer, opening a browser session that you can't see. ...

http://bits.blogs.nytimes.com/2009/08/20/how-hackers-snatch-real-time-security-id-numbers/

------------------------------

Date: Tue, 6 Oct 2009 10:09:06 -0400
From: Jonathan Kamens <jik_at_private>
Subject: Perils of password reuse plus password security hall of shame

Years ago, I developed the bad habit of using the same "medium-security
password" on lots of different Web sites.  I first started doing this around
a decade ago, when Web site data breaches were far less frequent and far
less professionally executed than they are now.  Still, that's a bad excuse
for forming a bad habit, which it took a real kick in the pants to get me to
break.

That kick in the pants came a couple of weeks ago, when I inadvertently
posted my password to my blog for the world to see (more on that under
separate cover).  After realizing what had happened, I spent every available
moment for several days logging into ten years' worth of Web sites, many of
which I haven't used in a long, long time but still had personal information
about me stored on them, and changing my password on all of them.

This prompted me to write two articles on my blog which may be of interest
to RISKS readers:

* In http://blog.kamens.brookline.ma.us/~jik/wordpress/300pw, I discuss why
password reuse is a bad idea (the fact that I had to spend days changing my
password on over 300 Web sites is only one of many reasons) and offer advice
on how to avoid it without having to remember different, random password for
hundreds of Web sites.

* My marathon password-changing journey gave me the opportunity to look at
how well passwords are secured at a large number of Web sites in many
different application domains.  In
http://blog.kamens.brookline.ma.us/~jik/wordpress/pwshame, I've published my
"Password Security Hall of Shame" of the sites I encountered with poor
password security.

I am interested in hearing feedback from others about these articles so that
I can make them better.  In particular, I'd love to add other noteworthy
pieces of advice to my article about managing the seemingly inevitable
juggernaut of Web passwords, and I'd also like to add to the Hall of Shame
any other sites with poor password security of which people are aware.
Please feel free to post comments on my blog or email me.

------------------------------

Date: Tue, 6 Oct 2009 10:17:54 -0400
From: "Jonathan Kamens" <jik_at_private>
Subject: WordPress inadvertent disclosure bug

There is a bug in the current version of the WordPress blogging platform
(and probably in all versions since 2.8.0) which can cause hidden text to be
inadvertently published in a blog entry without the user's knowledge.

In a nutshell, sometimes when text is pasted into the WordPress WYSIWYG
editor, an invisible copy of the text is pasted into the editor without the
user's knowledge.  This invisible text is published along with the blog
entry, and although it is not visible on the user's blog, it is visible to
search engines and to syndicators which strip HTML style attributes.

The exact conditions under which the bug occurs are not yet known.

This is not a terribly serious security hole as these things ago, but it is
real and needs to be addressed.  Unfortunately, the maintainers of WordPress
do not seem to be taking it particularly seriously; despite having been
notified about the issue over a week ago, they have not yet acknowledged
that it has security implications or committed to fixing it.

I've posted more details about the issue on my blog at
http://blog.kamens.brookline.ma.us/~jik/wordpress/wpbug.

------------------------------

Date: Fri, 25 Sep 2009 20:08:14 -0700
From: Donald Norman <don_at_private>
Subject: The risks of being cute, Re: Complex Machinery: a parody (RISKS-25.79)

You know, it's fun to be cute or to pun, but not when it causes the RISKS
digest to mislead and misinform.

When two otherwise intelligent people, K C Knowlton and our esteemed
moderator decide to be cute, they should check the facts first. Taking lines
out of context is bad. Writing about something of which you know nothing is
worse.

Both Knowlton and Neumann decided to have fun with the poor little Rhode
Island School of Design (RISD) and its new president, John Maeda.  John was
quoted in a Lexus ad of all places saying "the more complex the design, the
simpler the interface will be."  Sounds right to me! Alas, not to our
esteemed commentators.

RISD is one of the world's best conventional design schools. Many of us in
the design community are delighted that John has taken over: he will take it
out of "conventional".  John Maeda is from the MIT Media Lab and one of he
world's best designers with a best-selling book entitled "Simplicity."  But
our esteemed commentators couldn't resist stating that his quote meant
oversimplification and reduction to absurdity.  Shame on both of you. You
read a message in the quotation that was not there.

The trick in design is to get it just right: neither too simple nor too
complicated. Moreover,  I have argued that complexity is good -- it is
complicated that is bad. Simplicity does not mean simple-minded. Maeda has
made this point many times in his professional writing and talks.

The real quote is that of Einstein who said that everything should be as
simple as possible, but no simpler.  It is the "but no simpler" part of the
quote that people forget, but it is the most important.

Simplicity needs to be context sensitive. The average driver needs a very
simple control for the auto. The skilled driver wants more control, so a bit
less simplification. And the technicians need to be able to get into the
guts of the stuff, so they need even less simplification. Yes, he more
complex the underling machinery, the more sophisticated the interface design
has to be to tame that complexity so it is at just the right level for
whatever person is using it at the moment.  Making something easy to use and
understand often requires increased complexity beneath the surface to make
that posible. Hence, the fact that the human interface code takes up a
considerable portion of the code base of any software system.

These are issues Maeda and RISD do understand.  Different people have
different needs.  The real story requires a book (and John has written one).
Look folks, don't make up RISKS that do not exist. we have enough real ones
to cope with.

Don't take isolated quotations out of context. And please don't write about
topics in which you are not expert.

Don Norman, Nielsen Norman Group, Northwestern University, and KAIST (S. Korea)
don_at_private  www.jnd.org/

------------------------------

Date: Wed, 30 Sep 2009 17:12:14 PDT
From: "Peter G. Neumann" <neumann_at_private>
Subject: The risks of being cute, Re: Complex Machinery: a parody (RISKS-25.80)

Don, I think you have overreacted, and even misunderstood my comments.  And
you evidently do not believe in causal logic in English.  "The more complex
the design, the simpler the interface will be." implies a causality: If a
design is more complex, it follows that the interface will inherently be
simpler.  That is sheer and utter nonsense.  Ken was undoubtedly reacting to
the reality that complex systems often have inappropriately over-complex
interfaces.  On the other hand, if Maeda had said, "If a design must
inherently be more complex (because of the intrinsic complexity of the
requirements -- for example, management of fault tolerance and safety and
survivability usually adds significantly more complexity), the interface had
very well better be simple." then I would have been comfortable.  Actually,
I have high respect for Maeda and RISD, and would prefer to think that he
was misquoted by the typically nontechnically savvy admen-istrators.  PGN]

------------------------------

Date: Fri, 25 Sep 2009 19:20:43 -0400
From: Bluejay <bluejay_at_private>
Subject: The risks of being cute, Re: Complex Machinery: a parody (RISKS-25.79)

>[... ( ...But the secret of success is giving the appearance of
>simplicity that implicitly masks the inherent complexity.)  PGN]

I have a theory that the amount of complexity of a closed system remains
constant. For example, long ago computers were very complex to use and
maintain, but certainly by today's standard they were pretty simple.  Today,
computers have become so complex as to often defy understanding, but even my
86-year-old Dad can use one.

Bluejay Adametz, CFII, A&P, AA-5B N45210

------------------------------

Date: Thu, 01 Oct 2009 18:24:03 -0400
From: Phil Hobbs <pcdhSpamMeSenseless_at_private>
Subject: Re: Snow Leopard: A gigabyte by any other name (RISKS-25.78)

It's historical.

Disc drive specifications have been in decimal since the 1950s, whereas the
1024-byte kilobyte is from the 1970s.

------------------------------

Date: Fri, 02 Oct 2009 12:44:18 -0700
From: Richard Botting <rbotting_at_private>
Subject: Re: South Africa's Telkom: For the Birds or Not For the Birds

Gene Wirchenko reported on 11 Sep 2009 on the comparison of Pigeons and the
Internet to transmit data.  I am bothered by the confusion in the news item
between latency and bandwidth: "took one hour and eight minutes to fly the
80 km [...] with a data card strapped to his leg.  In that time, just two
per cent of the data was sent over the Internet."  Surely we should launch a
whole series of pigeons to calculate the bandwidth?

By the way, Rocky Mountain Adventures uses pigeons to send data sticks of
photos to their home base.  See
  http://odeo.com/episodes/25042064-Pigeon-Protocol-Finds-a-Practical-Purpose

------------------------------

Date: Wed, 30 Sep 2009 21:08:19 +0000 (GMT)
From: Paul Robinson <paul_at_paul-robinson.us>
Subject: Re: Software never fails, people decide that it does (Brydon, R-25.76)

> However, that does not inhibit someone other that the originator from
> making an informed and educated decision, based on engineering principles,
> that the product requires updating or replacing.

True, but technically you can't objectively prove it.  Point to a software
program and all you can really say is that these bits - which look like any
other bits - need replacing.  Or this code needs replacing because it needs
to perform a different function than it does or because the function is
wrong.  But there will be nothing there you can show that is quantitatively
different from anything else which would indicate evidence of the defect
other than you claiming there is one, which again, is going to be your
opinion and no more.

The possibility of failure in a software package can be no less deadly than
that of any other failure in a device or item under the same sort of usage
or operation, e.g., a software failure in a pacemaker can be as fatal as
having bad wiring.  Bad software in a car's engine could be as serious as a
stuck gas pedal or a failed brake pedal.  But where's the objective proof to
make the claim?  There really isn't any, it's just an opinion. Evidence of
failure that has happened is real and can be shown, but unlike rust on a
bridge, there nothing "there" to show where the failure point is in a piece
of software.  Again, all bits look alike, there are no obviously corroded or
"rusty" ones you can single out for repair or replacement.

The difference is that for the real world, we can point to and objectively
show the rust in a bridge, the corrosion in wiring, the break in a rubber
hose, the molecular discohesion in a framistat (the latter is a fictional
example for something that hasn't been invented yet, but we will someday
have and use.)  But inaccurate or incorrect functionality in a computer
program can only be shown by errors in some output or damage in something
else; the software has nothing intrinsic in and of itself to show that it is
in error or operates improperly except for, unfortunately, someone's opinion
that the software is wrong or inadequate.

------------------------------

Date: Thu, 29 May 2008 07:53:46 -0900
From: RISKS-request_at_private
Subject: Abridged info on RISKS (comp.risks)

 The ACM RISKS Forum is a MODERATED digest, with Usenet equivalent comp.risks.
=> SUBSCRIPTIONS: PLEASE read RISKS as a newsgroup (comp.risks or equivalent)
 if possible and convenient for you.   The mailman Web interface can
 be used directly to subscribe and unsubscribe:
   http://lists.csl.sri.com/mailman/listinfo/risks
 Alternatively, to subscribe or unsubscribe via e-mail to mailman
 your FROM: address, send a message to
   risks-request_at_private
 containing only the one-word text subscribe or unsubscribe.  You may
 also specify a different receiving address: subscribe address= ... .
 You may short-circuit that process by sending directly to either
   risks-subscribe_at_private or risks-unsubscribe_at_private
 depending on which action is to be taken.

 Subscription and unsubscription requests require that you reply to a
 confirmation message sent to the subscribing mail address.  Instructions
 are included in the confirmation message.  Each issue of RISKS that you
 receive contains information on how to post, unsubscribe, etc.

=> The complete INFO file (submissions, default disclaimers, archive sites,
 copyright policy, etc.) is online.
   <http://www.CSL.sri.com/risksinfo.html>
 The full info file may appear now and then in RISKS issues.
 *** Contributors are assumed to have read the full info file for guidelines.

=> .UK users should contact <Lindsay.Marshall_at_private>.
=> SPAM challenge-responses will not be honored.  Instead, use an alternative
 address from which you NEVER send mail!
=> SUBMISSIONS: to risks_at_private with meaningful SUBJECT: line.
 *** NOTE: Including the string "notsp" at the beginning or end of the subject
 *** line will be very helpful in separating real contributions from spam.
 *** This attention-string may change, so watch this space now and then.
=> ARCHIVES: ftp://ftp.sri.com/risks for current volume
     or ftp://ftp.sri.com/VL/risks for previous VoLume
 <http://www.risks.org> redirects you to Lindsay Marshall's Newcastle archive
 http://catless.ncl.ac.uk/Risks/VL.IS.html gets you VoLume, ISsue.
   Lindsay has also added to the Newcastle catless site a palmtop version
   of the most recent RISKS issue and a WAP version that works for many but
   not all telephones: http://catless.ncl.ac.uk/w/r
 <http://the.wiretapped.net/security/info/textfiles/risks-digest/> .
==> PGN's comprehensive historical Illustrative Risks summary of one liners:
    <http://www.csl.sri.com/illustrative.html> for browsing,
    <http://www.csl.sri.com/illustrative.pdf> or .ps for printing
==> Special Offer to Join ACM for readers of the ACM RISKS Forum:
    <http://www.acm.org/joinacm1>

------------------------------

End of RISKS-FORUM Digest 25.80
************************
Received on Fri Oct 09 2009 - 21:54:01 PDT

This archive was generated by hypermail 2.2.0 : Fri Oct 09 2009 - 22:52:28 PDT