Subject: Risks Digest 25.35

RISKS-LIST: Risks-Forum Digest  Monday 22 September 2008  Volume 25 : Issue 35

ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, moderator, chmn ACM Committee on Computers and Public Policy

***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at as
The current issue can be found at

  Contents:
Sydney road tunnel closed by computer 'glitch' (John Colville)
DC Primary votes don't add up... even with a fudge factor (David Lesher)
Hurricane Ike (Les Denham)
Hacker claims Palin e-mail hacked via password reset (Rob McCool)
Re: Wall Street; where nothing can go worng wrogn wrgno.... (Martin Ward)
Re: Risks of financial systems too complex ,,, (Jim Horning)
Re: Risks of not using check digits (Erling Kristiansen, Paul van Keep)
Re: capability creep on red-light cameras (Paul Wallich)
Abridged info on RISKS (comp.risks)

----------------------------------------------------------------------

Date: Tue, 23 Sep 2008 08:39:12 +1000 (EST)
From: "John Colville"
Subject: Sydney road tunnel closed by computer 'glitch'

The M5 East tunnel is a 4-km tunnel on a major motorway leading into Sydney. On 22 Sep 2008 the tunnel was closed for 2 3/4 hours starting at about 0900, due to the failure of a backup computer. It caused serious disruption to traffic in that area of Sydney.

  "... the tunnel had to be closed to traffic because its safety equipment was disabled when the computer system was down."

  [``It is the sixth time the $800 million project has been shut since it opened in late 2001.'' Previous failures included a different "computer glitch" in Feb 2002; lighting systems failed 11 months later; a "combined power failure" occurred in Mar 2004; the CCTV system failed in Dec 2004; and another computer crash caused a five-hour closure on 25 Jun 2008. PGN]

The company which operates the tunnel has now agreed to have a staff member on duty at all times.

http://www.smh.com.au/news/national/oh-baby-m5-tunnel-takes-its-toll/2008/09/22/1221935513625.html?page=fullpage#contentSwap1

John Colville, Faculty of Engineering & IT; University of Technology, Sydney
Honorary Associate  +61 2 9514 1854  colville@it.uts.edu.au

------------------------------

Date: Mon, 22 Sep 2008 16:17:32 -0400 (EDT)
From: "David Lesher"
Subject: DC Primary votes don't add up... even with a fudge factor

Nikita Stewart and Elissa Silverman, *The Washington Post*, 22 Sep 2008; B01

As District officials continue to investigate errors in the early vote tallies from the Sept. 9 primary, one number stands out: 1,542. That number appeared in the category for "overvotes" in 13 separate races when the D.C. Board of Elections and Ethics released early results on election night. But those votes inexplicably vanished shortly after midnight, when officials posted what they identified as corrected results. ...

The elections board initially blamed the discrepancies on a single defective computer memory cartridge at the Precinct 141 polling site on U Street NW in the Dupont Circle area. Sequoia has said the cartridge was not defective and suggested that tabulation errors might have been triggered by workers or by a static or electrical discharge.

  [The article goes on about problems within Board, including the fact the CTO does not have a claimed BS degree, and the ExDir's departure.]

Static discharge? At least they are not saying swamp gas was to blame.

  [I was going to reference this to a past voting Risks post, but there are so many to choose from...]

------------------------------

Date: Mon, 22 Sep 2008 16:03:36 -0500
From: Les Denham
Subject: Hurricane Ike

Along with about 4 million other residents of this area, I experienced Ike ten days ago. And am still experiencing it. Many of the problems are computer related.
The first problem was that my home DSL service stopped when Ike was still 200 miles away (Friday evening). I suspect that my phone service stopped about the same time. Shortly afterwards, my electricity stopped.

On Saturday afternoon, after the winds died down, I found I had phone service, but still no electricity. I tried to get my DSL working by plugging the DSL modem into a UPS which still had some charge, but that didn't work. A little later, the phone service stopped working. And the cell phone service.

Next morning, I tried the phone, and it worked. Later in the day, when the electricity came on, I tried my DSL, and it worked. In my email, I found a message from my ISP apologizing for the interruption in service: the co-location site had the backup generator for the servers function correctly, but the backup generator for the air conditioning failed to start. Of course, this did not matter to me, because at the time I had neither power, nor internet, nor phone.

By evening, the phone and the internet had stopped working again, but I had found that by walking about a mile from the house I could get a cell phone signal. On one of these walks I saw an AT&T truck and flagged the driver down. I asked what the problem was: we had power, and damage in my subdivision was minimal. He explained that each subdivision had a remote unit or subexchange with its own battery backup, which was charged from the exchange -- and the exchange was still running on backup generators, which did not have enough reserve to power all the subexchanges.

By Monday afternoon, AT&T had their act together, and I had a landline, DSL, and cell phone signal.

For me, the most significant point of failure appeared to be that AT&T has engineered their backup power supplies to only cope with about twelve hours of power failure. With hurricane Ike, we had over 90% failure of electricity supply to the fourth largest city in the U.S.A. The first repairs were not completed for about 24 hours; it was a week before 50% of power was restored; and ten days later we still have over 30% of electricity customers without power.

Les Denham, Vice President, Interactive Interpretation & Training, Inc.
1500 Citywest, Suite 800, Houston, TX 77042, U.S.A.  1-713.840.3326

------------------------------

Date: Sun, 21 Sep 2008 22:38:16 -0700 (PDT)
From: Rob McCool
Subject: Hacker claims Palin e-mail hacked via password reset

http://blog.wired.com/27bstroke6/2008/09/palin-e-mail-ha.html

This blog entry refers to an anonymous hacker who claims to have been the one behind the widely publicized breach of VP candidate Sarah Palin's Yahoo e-mail account. The interesting part is that the claimed attack was not based on a weak password, but instead based on a weak password-reset mechanism. The hacker claimed that with a few searches in Google and some information (Palin's birthday) from Wikipedia, along with some guesses of phrasing, he was able to gain access to her email account.

------------------------------

Date: Mon, 22 Sep 2008 12:32:52 +0100
From: Martin Ward
Subject: Re: Wall Street; where nothing can go worng wrogn wrgno....

A lot of the comments in RISKS-25.34 seem to imply that the people running the financial firms were stupid and/or careless in not doing a correct risk analysis. These people are not stupid or careless, merely greedy, unscrupulous and irresponsible. They did a careful risk analysis all right, and then made the decision to deliberately feed false information into the computer models and deliberately create massively complex financial instruments.

Their risk analysis looked like this:

Success: My company hands off the package before it blows up. My company makes a massive profit and I end up fabulously wealthy. (Other companies make massive losses and have to be bailed out by the government, but that is incidental).

Failure: My company ends up holding the package when it blows up.
My company makes a massive loss and ends up having to be bailed out by the government. I end up extremely wealthy.

After careful consideration of all the risks and benefits, I decide to go ahead!

In an ideal world, the risk analysis would look like this:

Success: My company hands off the package before it blows up. My company makes a massive profit and I become fabulously wealthy. Other companies make massive losses and have to be bailed out by the government. My company, and all the others, gets investigated and I end up bankrupt and jailed for many years.

Failure: My company ends up holding the package when it blows up. My company makes a massive loss and ends up having to be bailed out by the government. I become extremely wealthy. My company, and all the others, gets investigated and I end up bankrupt and jailed for many years.

Quote: "There was a willful designing of the systems to measure the risks in a certain way that would not necessarily pick up all the right risks"

If an engineer, for personal gain, willfully designed (say) a sewage monitoring system so that it did not pick up the right risks, and as a result thousands of homes were flooded with sewage and destroyed, that engineer would (I hope) end up in jail. But in the financial world, people can get away with doing much more damage, for personal gain, with no personal risk to themselves.

martin@gkc.org.uk  http://www.cse.dmu.ac.uk/~mward/
G.K.Chesterton web site: http://www.cse.dmu.ac.uk/~mward/gkc/

------------------------------

Date: Sun, 21 Sep 2008 23:27:33 -0700
From: "Jim Horning"
Subject: Re: Risks of financial systems too complex ,,, (Smith, RISKS-25.34)

I thoroughly agree with Daniel's main point, but let's not blame computers too much. This is the result of financial creativity driven by greed, both of which have been around for quite a bit longer than computers. Many of the securities at the heart of the 1929 market crash were very nearly as complex as those you describe. See, for example, John Kenneth Galbraith's insightful 1955 book, The Great Crash 1929 (http://www.amazon.com/Great-Crash-1929-Kenneth-Galbraith/dp/0395859999/).

An ironic side note is the role of Goldman Sachs in some of the most highly-leveraged creations.

  [And PLEASE read Jim's very insightful blog all the way to the end:
  http://horning.blogspot.com/2008/09/economy-is-fundamentally-sound.html
  PGN]

------------------------------

Date: Mon, 22 Sep 2008 20:13:48 +0200
From: Erling Kristiansen
Subject: Re: Risks of not using check digits (Re: Douglass, RISKS-25.34)

It is not correct that Dutch bank account numbers do not use check digits.

I have an account with ABN-AMRO, and I just did the check: I changed one digit of an otherwise correct number. (I was prepared to accept the risk of sending 1 cent to the wrong recipient.) The transaction was rejected by the on-line banking service.

According to one source I found (in Dutch): http://cgi.dit.nl/bank.cgi the check is that a specified weighted sum of the 9 digits must be divisible by 11.

There is one exception: The Postbank. Postbank account numbers don't even have a fixed length, very short (3-4 digits) numbers typically being given to major charities and other high-profile customers. There is no intrinsic check of validity, as far as I know. The Postbank is supposed to check the name of the recipient, but I have positive evidence that this does not always happen, even for a rather large transaction.

------------------------------

Date: Mon, 22 Sep 2008 14:16:03 +0200
From: Paul van Keep
Subject: Re: Risks of not using check digits (Re: Douglass, R 25.34)

... The 9-(and 10-)number system has an 11-test that ensures a sparse usage of the available number space. The formula is pretty simple: The total of 9 times digit1 plus 8 times digit2 etc. should be divisible by 11. The account number 123456789 for instance is a valid number.
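A worked version of the 11-test, added here as an example and not taken from Paul van Keep's post or the Wikipedia page: it implements the nine-digit formula exactly as he states it, then checks exhaustively that any single-digit change (the experiment Erling Kristiansen describes) or swap of two neighbouring digits in the sample number 123456789 is rejected, and that only about one number in eleven passes.

```python
# Added example (not from the RISKS posts): the Dutch "elfproef" on
# nine-digit bank account numbers as Paul van Keep states it:
# 9*digit1 + 8*digit2 + ... + 1*digit9 must be divisible by 11.


def elfproef(account: str) -> bool:
    """Return True if a nine-digit account number passes the 11-test."""
    if len(account) != 9 or not account.isdigit():
        return False
    # weights 9..1 from the left-most digit down to the unit's digit
    total = sum(w * int(d) for w, d in zip(range(9, 0, -1), account))
    return total % 11 == 0


def single_digit_errors_detected(account: str) -> bool:
    """Every change of exactly one digit must be rejected.

    Changing the digit at weight w by d alters the sum by w*d with
    1 <= w, |d| <= 9, never a multiple of the prime 11, so it is caught.
    """
    assert elfproef(account)
    for pos in range(9):
        for new in "0123456789":
            if new == account[pos]:
                continue
            candidate = account[:pos] + new + account[pos + 1:]
            if elfproef(candidate):
                return False
    return True


def adjacent_transpositions_detected(account: str) -> bool:
    """Swapping two different neighbouring digits changes the sum by their
    difference, again never a multiple of 11, so it is rejected as well."""
    assert elfproef(account)
    for pos in range(8):
        a, b = account[pos], account[pos + 1]
        if a == b:
            continue
        swapped = account[:pos] + b + a + account[pos + 2:]
        if elfproef(swapped):
            return False
    return True


def valid_fraction(sample: int = 100000) -> float:
    """Share of zero-padded numbers 0..sample-1 that pass: about 1 in 11."""
    valid = sum(elfproef(f"{n:09d}") for n in range(sample))
    return valid / sample
```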
  [Note: Paul's formulation of the formula is for the nine-digit number system, where digit9 is the unit's digit. The extension to ten digits is more obvious with the equivalent mathematical formula given on the wiki below, using the sum from i=0 (to N=9 or 10) of the ith digit times i+1, where the right-most digit is the i=0th digit. (Elf is 11 in Dutch, and does not imply a mischievous creature carrying out the arithmetic.) PGN]

See the Dutch Wikipedia entry for a more complete description:
http://nl.wikipedia.org/wiki/Elfproef

------------------------------

Date: Sun, 21 Sep 2008 20:45:38 -0400
From: Paul Wallich
Subject: Re: Capability creep on red-light cameras (Ashworth, RISKS-25.34)

> "Jay R. Ashworth" writes:
> And remember: if that database exists, your wife's divorce attorney will be
> able to subpoena it.

If that were the only problem. If that database exists, your employer, your employer's competitors and the stores you shop at will be buying soft-realtime access to it.

------------------------------

Date: Thu, 29 May 2008 07:53:46 -0900
From: RISKS-request@csl.sri.com
Subject: Abridged info on RISKS (comp.risks)

 The ACM RISKS Forum is a MODERATED digest, with Usenet equivalent comp.risks.
=> SUBSCRIPTIONS: PLEASE read RISKS as a newsgroup (comp.risks or equivalent) if possible and convenient for you. The mailman web interface can be used directly to subscribe and unsubscribe:
   http://lists.csl.sri.com/mailman/listinfo/risks
   Alternatively, to subscribe or unsubscribe via e-mail to mailman your FROM: address, send a message to risks-request@csl.sri.com containing only the one-word text subscribe or unsubscribe. You may also specify a different receiving address: subscribe address= ... . You may short-circuit that process by sending directly to either risks-subscribe@csl.sri.com or risks-unsubscribe@csl.sri.com depending on which action is to be taken.
   Subscription and unsubscription requests require that you reply to a confirmation message sent to the subscribing mail address. Instructions are included in the confirmation message. Each issue of RISKS that you receive contains information on how to post, unsubscribe, etc.
=> The complete INFO file (submissions, default disclaimers, archive sites, copyright policy, etc.) is online. The full info file may appear now and then in RISKS issues.
   *** Contributors are assumed to have read the full info file for guidelines.
=> .UK users should contact .
=> SPAM challenge-responses will not be honored. Instead, use an alternative address from which you NEVER send mail!
=> SUBMISSIONS: to risks@CSL.sri.com with meaningful SUBJECT: line.
   *** NOTE: Including the string "notsp" at the beginning or end of the subject
   *** line will be very helpful in separating real contributions from spam.
   *** This attention-string may change, so watch this space now and then.
=> ARCHIVES: ftp://ftp.sri.com/risks for current volume
   or ftp://ftp.sri.com/VL/risks for previous VoLume
   redirects you to Lindsay Marshall's Newcastle archive
   http://catless.ncl.ac.uk/Risks/VL.IS.html gets you VoLume, ISsue.
   Lindsay has also added to the Newcastle catless site a palmtop version of the most recent RISKS issue and a WAP version that works for many but not all telephones: http://catless.ncl.ac.uk/w/r .
==> PGN's comprehensive historical Illustrative Risks summary of one liners: for browsing, or .ps for printing
==> Special Offer to Join ACM for readers of the ACM RISKS Forum:

------------------------------

End of RISKS-FORUM Digest 25.35
************************