Subject: Risks Digest 25.75

RISKS-LIST: Risks-Forum Digest  Thursday 6 August 2009  Volume 25 : Issue 75

ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, moderator, chmn ACM Committee on Computers and Public Policy

***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at as
The current issue can be found at

Contents:
Software never fails, people decide that it does (Paul Robinson)
Seven water mains break due to computer glitch (Joseph Lorenzo Hall)
Stock Traders Find Speed Pays, in Milliseconds (Charles Duhigg via Monty Solomon)
GPS typo saves couple? (Joel Baskin)
How To Hijack 'Every iPhone In The World' (Andy Greenberg via Monty Solomon)
10 ways your voice and data can be spied on (Gene Wirchenko)
The NSA Is still Listening to You (jidanni)
Beware of Outdated E-mail Addresses (Gene Wirchenko)
Funniest security faux pas this week (Ron LaPedis)
You think Adobe bug reports are tough to submit... (Michael Albaugh)
Re: Risks of hierarchical map displays (Leonard Finegold, Gavin Treadgold, Gene Wirchenko)
Industrial object-oriented language made void-safe (Bertrand Meyer)
Ari Juels, Tetraktys, a `cryptographic thriller' (Ben Rothke via PGN)
Abridged info on RISKS (comp.risks)

----------------------------------------------------------------------

Date: Sun, 26 Jul 2009 18:17:14 -0700 (PDT)
From: Paul Robinson
Subject: Software never fails, people decide that it does

There was an article [1] on Slashdot saying how Software Engineering and Computer Science are two different things. It also refers to an article [2] on Dr. Dobb's Journal that says that Software Engineering will never be a rigorous, formal discipline. Which is true.
The statement that software engineering - which is a mislabel - cannot be a rigorous, formal system is so obvious that it might as well be one of those things we never think about until we have to, and when we do think about it, it's intuitively obvious.

Consider what will happen when you die; there are only three possibilities: You exist after you die and you like the results; you exist after you die and you do not like the results; you do not exist after you die. All three possibilities are equally valid since we have no evidence of any of them. If as it turns out, that when you die you cease to exist, it is not something you need to worry about. Now, the thought probably terrifies you - it used to terrify me, too - until you realize something: if you cease to exist, you will know nothing. You'll never know that you don't exist.

So consider the conditions of the existence of software. Software is always perfect and is always the same; it never changes. It does not rot, rust, age, get moldy, crumble, break, shatter or fail. It never needs maintenance, lubrication, cleaning, sharpening, polishing, repair or replacement. As long as the hardware that copies it makes identical copies, it is perfect and always will be perfect, except for the extremely rare and unusual case of deterioration of the storage media due to cosmic ray damage. Which can be detected by mathematical algorithm, in which case, if there is another source, another perfect copy can be made and it's right back where it was.

Software is never defective and can never be defective other than the case I've given of the rare possibility of cosmic-ray damage to media or hardware failure in copying, and thus it never needs change, modification or updating.

Every year, every country makes changes to its tax laws. Any software which must comply with those new changes has to be changed according to the decisions of tax accountants and lawyers as to what is needed to be in compliance.
If you have a cellular network and want to add new features, you have to modify the software - in the switches, the handsets, the gateways, and/or all of these - to be able to enable them to offer new features. In both cases the software needs updating.

Both statements are true, but you might ask how they can be when they appear to be conflicting. They're not, and I'll explain why.

Any software package, from a 1-line APL function to a 20 million-line COBOL behemoth application suite that runs a trillion dollar bank, large insurance company or government agency, only requires maintenance or change because in someone's subjective opinion it needs a change.

A bridge needs replacement when it collapses or when it is beyond its useful life; a building needs replacement under the same circumstances. A piece of metal furniture needs replacement when its structure rusts into dust, fails or is unable to support a load due to metal fatigue. These are objective facts: either the structure is usable or it isn't. An engineer can determine by experience and judgment that the structure is at its lifespan limit or can point to signs of physical rust, deterioration, or structure failure indicators that prove their opinion.

Any declaration that a software package needs updating, change, or replacement is strictly based upon the subjective opinion of someone saying that it needs the work. All software change is the result of some person's opinion that the change needs to be made and has no basis in reality except their opinion. Their opinion is correct if you agree with them or if in your opinion you can't disagree with their opinion. They may be correct that because of errors in how the software performs its desired function, need for new function, or need for changes in existing function, the software needs change, replacement or updating, but they can only be "correct" because it is considered that in someone's opinion they agree with their opinion that the change is needed.
But the claim by someone that a software package needs change, updating or replacement is, and always will be, a subjective opinion based on nothing more than "because I say so."

[1] http://tech.slashdot.org/story/09/06/06/0210229
[2] http://www.ddj.com/architect/217701907

------------------------------

Date: Tue, 28 Jul 2009 19:32:16 -0400
From: Joseph Lorenzo Hall
Subject: Seven water mains break due to computer glitch

http://www.nj.com/news/index.ssf/2009/07/seven_water_mains_break_in_jer.html

Jersey City is my hometown during my visiting postdoc at Princeton's CITP. From the story:

"Seven water mains broke in the Jersey City Heights today -- the result of a computer glitch that caused a false low pressure reading and kicked on pumps at a United Water facility, officials said.

Due to low water pressure in the Heights following the ruptures, fire officials posted four water tanker trucks at two locations in the area for use in the event of a fire, Fire Director Armando Roman said. [...]"

Pretty serious consequences from this glitch, no doubt... and a mighty efficient way to mess up fire response.

And I can attest with video evidence that the water was indeed brown:
http://www.flickr.com/photos/joebeone/3766791608/

UC Berkeley/Princeton  http://josephhall.org/

------------------------------

Date: Fri, 24 Jul 2009 22:40:44 -0400
From: Monty Solomon
Subject: Stock Traders Find Speed Pays, in Milliseconds

Charles Duhigg, *The New York Times*, 14 Jul 2009

It is the hot new thing on Wall Street, a way for a handful of traders to master the stock market, peek at investors' orders and, critics say, even subtly manipulate share prices. It is called high-frequency trading - and it is suddenly one of the most talked-about and mysterious forces in the markets.
Powerful computers, some housed right next to the machines that drive marketplaces like the New York Stock Exchange, enable high-frequency traders to transmit millions of orders at lightning speed and, their detractors contend, reap billions at everyone else's expense.

These systems are so fast they can outsmart or outrun other investors, humans and computers alike. And after growing in the shadows for years, they are generating lots of talk.

Nearly everyone on Wall Street is wondering how hedge funds and large banks like Goldman Sachs are making so much money so soon after the financial system nearly collapsed. High-frequency trading is one answer. And when a former Goldman Sachs programmer was accused this month of stealing secret computer codes - software that a federal prosecutor said could "manipulate markets in unfair ways" - it only added to the mystery.

Goldman acknowledges that it profits from high-frequency trading, but disputes that it has an unfair advantage. Yet high-frequency specialists clearly have an edge over typical traders, let alone ordinary investors. The Securities and Exchange Commission says it is examining certain aspects of the strategy. ...

http://www.nytimes.com/2009/07/24/business/24trading.html

------------------------------

Date: Tue, 28 Jul 2009 13:17:58 -0700
From: Joel Baskin
Subject: GPS typo saves couple?

A Swedish couple touring in Italy drove to Carpi instead of Capri due to a typo. Who knows if they would have tried to drive to the intended island -- so this may have saved them. :)

This is just another case of user error -- but should GPS systems check spelling, and if so how? Could there be a database of places with similar names within defined distances? Extended metadata would be of use -- but effort would increase quite quickly for several reasons.

http://news.bbc.co.uk/2/hi/europe/8173308.stm

[Also noted by Rick Moen in the *San Francisco Chronicle* and by Gene Wirchenko.
PGN]

------------------------------

Date: Wed, 29 Jul 2009 08:14:30 -0400
From: Monty Solomon
Subject: How To Hijack 'Every iPhone In The World'

Andy Greenberg, 28 Jul 2009

On Thursday, two researchers plan to reveal an unpatched iPhone bug that could virally infect phones via SMS.

If you receive a text message on your iPhone any time after Thursday afternoon containing only a single square character, Charlie Miller would suggest you turn the device off. Quickly.

That small cipher will likely be your only warning that someone has taken advantage of a bug that Miller and his fellow cybersecurity researcher Collin Mulliner plan to publicize Thursday at the Black Hat cybersecurity conference in Las Vegas. Using a flaw they've found in the iPhone's handling of text messages, the researchers say they'll demonstrate how to send a series of mostly invisible SMS bursts that can give a hacker complete power over any of the smart phone's functions. That includes dialing the phone, visiting Web sites, turning on the device's camera and microphone and, most importantly, sending more text messages to further propagate a mass-gadget hijacking. ...

http://www.forbes.com/2009/07/28/hackers-iphone-apple-technology-security-hackers.html

------------------------------

Date: Tue, 28 Jul 2009 10:55:12 -0700
From: Gene Wirchenko
Subject: 10 ways your voice and data can be spied on

1. Wireless keyboard eavesdropping
2. Wired keyboard eavesdropping
3. Laptop eavesdropping via lasers
4. Commercial keyloggers
5. Cell phones as remotely activated bugs
6. Cell phone SIM card compromise
7. Law enforcement wiretapping based on voice print
8. Remote capture of computer data
9. Cable TV as an exploitable network
10. Cell phone monitoring

Some of these ways have been covered in RISKS before. Item 9 caught my eye: Commercially available software claims to capture cell phone conversations and texting. Attackers need to get physical access to the phone to upload the software that enables this.
http://www.itbusiness.ca/it/client/en/CDN/News.asp?sub=true&id=54027

------------------------------

Date: Thu, 23 Jul 2009 10:31:34 +0800
From: jidanni@jidanni.org
Subject: The NSA Is still Listening to You

This summer, on a remote stretch of desert in central Utah, the National Security Agency will begin work on a massive, 1 million-square-foot data warehouse. Costing more than $1.5 billion, the highly secret facility is designed to house upward of trillions of intercepted phone calls, e-mail messages, Internet searches and other communications intercepted by the agency as part of its expansive eavesdropping operations.

The NSA is also completing work on another data warehouse, this one in San Antonio, Texas, which will be nearly the size of the Alamodome.

http://informationclearinghouse.info/article23125.htm

------------------------------

Date: Fri, 24 Jul 2009 11:41:27 -0700
From: Gene Wirchenko
Subject: Beware of Outdated E-mail Addresses

Twitter hack illustrates danger of chained exploits
http://www.infoworld.com/d/security-central/twitter-hack-illustrates-danger-chained-exploits-535?source=IFWNLE_nlt_daily_2009-07-24

The article discusses a few attacks. The one that struck me as interesting is the one at the bottom of page one and top of page two.

"The second example of a chained exploit is even more intriguing. In this case, a malicious hacker broke in to one or more Twitter employees' e-mail accounts, then publicly posted both personal and company confidential information. The hacker accomplished this feat after discovering that a Twitter employee used Gmail and that a request for a new password for the account would be sent to the employee's Hotmail account. However, the employee had not used the Hotmail account in a very long time, so their Hotmail address was available for anyone to adopt.
The hacker registered for the Hotmail address and had Gmail send a password reset for the Twitter employee's Gmail account to what was now the hacker's Hotmail account. With the new password, the hacker gained access to the Twitter employee's Gmail account. Using information found in the employee's e-mail, the hacker was able to acquire personal information about the employee and data to exploit Twitter's own network. TechCrunch has an excellent step-by-step account of the hack."

The TechCrunch link referred to is full of yummy technical details.

------------------------------

Date: Wed, 22 Jul 2009 17:01:31 -0700
From: Ron LaPedis
Subject: Funniest security faux pas this week

According to the About Us blurb on their web site, "The Payment Card Industry (PCI) Knowledge Base (www.KnowPCI.com) is the largest an independent research community focused on the security of payment and related financial and personal data. Our registered membership includes approximately 2000 persons, including retailers, hoteliers, academics, bankers, payment processors, PCI assessors (QSAs), providers of payment systems and security technologists."

Yet when I registered on the site, their confirmation e-mail contained my username and password in clear text. I think we already know the RISKS in that, no?

FOLLOW UP: An e-mail to the founder of the organization resulted in him asking the webmistress to remove the password from the confirmation e-mail, which she did within the hour. Now THAT is service!

Ron LaPedis, MBCP, MBCI, CISSP-ISSAP, ISSMP  +1 415 939 8887
Seacliff Partners International, LLC  http://seacliffpartners.com
Business Continuity & Security Advisors

------------------------------

Date: Wed, 22 Jul 2009 14:37:33 -0700
From: Michael Albaugh
Subject: You think Adobe bug reports are tough to submit...

Gene Wirchenko should be glad he was only trying to report a bug. (RISKS Digest 25.74).
When I upgraded to PageMaker 7 (Yes, that long ago, they may have reformed by now), I got porn-spam within 15 minutes of entering "my e-mail address" into their online registration. Yes, it was one I created for this specific purpose.

When I tried to report this, I found that abuse@adobe.com did not apparently exist. postmaster@adobe.com would not accept my e-mail either. The website kindly directed me to send a registered letter to some lawyers in Los Angeles, at a post-office box.

I found it simpler to delete the account, as it had served its purpose. I also chose at that point to never again buy from Adobe.

------------------------------

Date: Wed, 22 Jul 2009 18:20:12 -0400
From: Leonard Finegold
Subject: Re: Risks of hierarchical map displays (Wallich, RISKS-25.74)

Where was this, and what was the GPS? Sympathy.

Have experienced just this for Cathedral Valley, UT (beautifully deserted). GPS = Garmin Nuvi 350. Had happily driven around the dirt roads, using the GPS. Afterwards, I wanted to check another route in and out, and found just what you did.

PS. Could you just have stopped on the road, presumably no-one around?

------------------------------

Date: Thu, 23 Jul 2009 12:14:31 +1200
From: Gavin Treadgold
Subject: Re: Risks of hierarchical map displays (Wallich, RISKS-25.74)

I am most familiar with Garmin handheld and auto GPS units, but this probably applies to other brands as well.

Under Settings > Maps, there usually exists an option entitled Map Detail. By default on Garmins, it is set to Normal. It also has options such as Least Detail, Less Detail, More Detail and Most Detail.

If you increase the level of detail, you will see the roads that exist lower in the hierarchy at a wider zoom level - which is probably what Paul was attempting to achieve. E.g. roads that previously may only have been shown at, say, a 500m scale (as set by the map developer) now become visible up to, say, 1.2km or 2km scales.
A number of units also offer more granular control of what layers are visible up to what zoom level. This works well in the countryside, but can be a real problem in cities with dense road networks as the map display takes longer to redraw, and when it has redrawn it becomes too cluttered to be readable.

It is certainly possible to force the display of more roads at higher zoom levels; once again, the risk is actually user awareness of the features of the device they are using, and how to customise their device to achieve the desired display.

Gavin, Immediate Past President of the NZ Recreational GPS Society
http://www.gps.org.nz/

------------------------------

Date: Wed, 22 Jul 2009 18:14:40 -0700
From: Gene Wirchenko
Subject: Re: Risks of hierarchical map displays (Wallich, RISKS-25.74)

Paul Wallich wrote "I wonder whether such hierarchical displays contribute to some of the GPS-aided navigation debacles that sometimes grace this publication -- a driver may have some idea that they're going the wrong way, but their display doesn't offer enough information to plan a new route easily, and the psychological pressure to keep moving forward can increase as conditions get worse."

I have similar problems with Google Maps. I frequently look up locations mentioned in articles that I read. Sometimes, even after zooming out as far as I can, I still do not know where the location that I am looking at is.

In another case, the urban, residential location indicated was a bit off from the actual location. Normally, this would not be of much consequence, but in this case, between the two locations was a deep gully.
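[Editor's added example, not part of any contribution in this issue. The "GPS typo saves couple?" item earlier in this digest asks whether a navigation device could check spelling against a database of places with similar names at defined distances. The Python below shows one way a device could do that: it measures how close a typed name is to each gazetteer entry with an optimal-string-alignment edit distance (so a swapped pair of letters such as Capri/Carpi counts as one slip), then flags look-alike names whose great-circle distance from the resolved destination exceeds a threshold. The five-entry gazetteer, its approximate coordinates, the 1-edit budget and the 100 km threshold are all constructed values for the example, not anything from the BBC story or from any GPS vendor.]

```python
import math

# Constructed sample gazetteer for the example: name -> (latitude, longitude)
# in degrees. Coordinates are approximate; they only need to be right to tens of km.
GAZETTEER = {
    "capri": (40.55, 14.24),
    "carpi": (44.78, 10.88),
    "capua": (41.10, 14.21),
    "naples": (40.85, 14.27),
    "modena": (44.65, 10.93),
}


def normalize(name):
    """Canonical key for a typed place name: case- and whitespace-insensitive."""
    return " ".join(name.strip().lower().split())


def osa_distance(a, b):
    """Optimal string alignment distance: insert, delete and substitute cost 1,
    and an adjacent transposition (Capri <-> Carpi) also costs 1 rather than 2."""
    prev2 = None
    prev = list(range(len(b) + 1))
    for i in range(1, len(a) + 1):
        cur = [i] + [0] * len(b)
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            cur[j] = min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                cur[j] = min(cur[j], prev2[j - 2] + 1)
        prev2, prev = prev, cur
    return prev[len(b)]


def haversine_km(p, q):
    """Great-circle distance between two (lat, lon) points in kilometres."""
    lat1, lon1 = map(math.radians, p)
    lat2, lon2 = map(math.radians, q)
    dlat, dlon = lat2 - lat1, lon2 - lon1
    h = math.sin(dlat / 2) ** 2 + math.cos(lat1) * math.cos(lat2) * math.sin(dlon / 2) ** 2
    return 2 * 6371.0 * math.asin(math.sqrt(h))


def resolve_destination(query, gazetteer=GAZETTEER, max_edits=1, min_separation_km=100.0):
    """Resolve a typed destination.

    Returns (coords, warnings). coords is None when the name is unknown, and
    warnings then lists the look-alike names the user probably meant. When the
    name is known, warnings lists (name, km) for look-alikes at least
    min_separation_km away: a one-keystroke slip there sends the driver to a
    different region, so the device should ask the user to confirm.
    """
    key = normalize(query)
    lookalikes = [n for n in gazetteer if n != key and osa_distance(key, n) <= max_edits]
    coords = gazetteer.get(key)
    if coords is None:
        return None, lookalikes
    far = [(n, round(haversine_km(coords, gazetteer[n])))
           for n in lookalikes
           if haversine_km(coords, gazetteer[n]) >= min_separation_km]
    return coords, far


if __name__ == "__main__":
    print(resolve_destination("Carpi"))   # known name, with a far-away look-alike
    print(resolve_destination("caprii"))  # unknown name, with a suggestion
```

A look-alike that is close by is deliberately not flagged: a slip between two neighbouring villages costs the driver a few minutes, while Carpi for Capri costs a day, so the distance threshold is what separates a harmless typo from one worth a confirmation prompt.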
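[Editor's added example, not part of any contribution in this issue and not code from Twitter, Gmail, Hotmail or KnowPCI.com. Two items above describe account-handling weaknesses from the defender's side: "Beware of Outdated E-mail Addresses" (a password reset mailed to a recovery mailbox the owner abandoned and a stranger re-registered) and "Funniest security faux pas this week" (a registration confirmation carrying the password in clear text). The Python below shows a minimal account service that avoids both: registration stores only a salted PBKDF2 hash and mails a single-use verification token rather than the password, and a password reset is only sent to a recovery address its owner has confirmed within a policy window. The in-memory store, the example.invalid URL and the 180-day window are assumptions made for the example.]

```python
import hashlib
import hmac
import os
import secrets
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Dict, Optional, Tuple

# Hypothetical policy value: a recovery address not re-confirmed within this
# window is not trusted to receive a password reset.
RECOVERY_MAX_AGE = timedelta(days=180)


@dataclass
class Account:
    username: str
    salt: bytes
    password_hash: bytes                              # PBKDF2 output; the clear password is never stored
    recovery_address: str
    recovery_verified_at: Optional[datetime] = None   # None: owner never confirmed it
    pending_tokens: Dict[str, Tuple[str, datetime]] = field(default_factory=dict)


ACCOUNTS: Dict[str, Account] = {}   # in-memory store standing in for a database


def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 200_000)


def register(username: str, password: str, recovery_address: str, now: datetime) -> str:
    """Create the account and return the confirmation e-mail body that would be sent.

    The body carries only a single-use verification token. It never contains
    the password, and after this call the service could not include it anyway."""
    salt = os.urandom(16)
    acct = Account(username, salt, _hash_password(password, salt), recovery_address)
    token = secrets.token_urlsafe(32)
    acct.pending_tokens[token] = ("verify-recovery", now)
    ACCOUNTS[username] = acct
    return (f"Hello {username},\n"
            f"Please confirm this address as your recovery address by visiting\n"
            f"https://example.invalid/verify?token={token}\n")   # hypothetical URL


def confirm_recovery(username: str, token: str, now: datetime) -> bool:
    """Consume the verification token and record when the owner last proved control."""
    acct = ACCOUNTS[username]
    kind, _issued = acct.pending_tokens.pop(token, (None, None))
    if kind != "verify-recovery":
        return False
    acct.recovery_verified_at = now
    return True


def verify_password(username: str, password: str) -> bool:
    acct = ACCOUNTS.get(username)
    if acct is None:
        return False
    return hmac.compare_digest(acct.password_hash, _hash_password(password, acct.salt))


def request_password_reset(username: str, now: datetime) -> Tuple[str, str]:
    """Decide whether a reset link may be mailed to the recovery address.

    Returns ("sent", address) or ("refused", reason). An abandoned recovery
    mailbox that a stranger can re-register is the weak link, so the reset is
    only sent when the address was confirmed within RECOVERY_MAX_AGE; otherwise
    the owner must re-confirm it through another channel first."""
    acct = ACCOUNTS.get(username)
    refusal = ("refused", "recovery address must be re-confirmed before a reset can be sent")
    if acct is None:
        return refusal   # same answer as for a stale address: no account enumeration
    verified = acct.recovery_verified_at
    if verified is None or now - verified > RECOVERY_MAX_AGE:
        return refusal
    token = secrets.token_urlsafe(32)
    acct.pending_tokens[token] = ("reset", now)
    return ("sent", acct.recovery_address)


if __name__ == "__main__":
    t0 = datetime(2009, 7, 24, tzinfo=timezone.utc)
    mail = register("alice", "correct horse battery", "alice@example.invalid", t0)
    print(mail)
    confirm_recovery("alice", mail.split("token=")[1].strip(), t0)
    print(request_password_reset("alice", t0 + timedelta(days=30)))    # sent
    print(request_password_reset("alice", t0 + timedelta(days=400)))   # refused
```

The confirmation message is worth reading as a whole: the only secret in it is a token that is useless once consumed, so a copy sitting in a mailbox years later gives a later occupant of that mailbox nothing. The reset path applies the same reasoning to the recovery address itself, treating "this mailbox belonged to the user once" as insufficient evidence that it still does.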
------------------------------

Date: Sun, 26 Jul 2009 23:57:43 +0200
From: "Bertrand Meyer"
Subject: Industrial object-oriented language made void-safe

Re: Tony Hoare: "Null References: The Billion Dollar Mistake"

In January-February there was a discussion on comp.risks on the risks of null references, following the publication of a talk abstract by Tony Hoare (http://qconlondon.com/london-2009/presentation/Null+References:+The+Billion+Dollar+Mistake).

For the past five years we have been working at making Eiffel completely void-safe ("void" being the same as "null"). Part of the significance of this work is that we are not dealing with an experimental design but with an existing industrial language and millions of lines of code that cannot just be discarded.

The mechanism was included in the ECMA/ISO standard for Eiffel, but a full implementation required upgrading the libraries, providing a migration path for existing code, and refining the mechanism. With the release of EiffelStudio 6.4 in June, the language is entirely void-safe.

Our recent paper "Avoid a Void: The eradication of null dereferencing" describes the challenges of void safety, the design of the Eiffel mechanism, and the difficulties encountered in making it practical. It is available at http://se.ethz.ch/~meyer/publications/hoare/void-safety.pdf.

Bertrand Meyer, Eiffel Software  http://www.eiffel.com
ETH Zurich  http://se.ethz.ch/~meyer

------------------------------

Date: Wed, 29 Jul 2009 13:11:36 PDT
From: "Peter G. Neumann"
Subject: Ari Juels, Tetraktys, a `cryptographic thriller'

Ari Juels, Tetraktys, Emerald Bay Books, 2009, 351 pages, ISBN 978-0982283707
Reviewed by Ben Rothke
Review from http://books.slashdot.org/story/09/07/29/1313201/Tetraktys

"Imagine for a moment what his novels would read like if Dan Brown got his facts correct. The challenge Brown and similar authors face is to write a novel that is both compelling and faithful to the facts.
In Tetraktys, author Ari Juels is able to weave an interesting and readable story, and stay faithful to the facts. While Brown seemingly lacks the scientific and academic background needed to write such fiction, Juels has a Ph.D. in computer science from Berkeley and is currently the Chief Scientist and director at RSA Laboratories, the research division of RSA Security."

The book, which might be the world's first cryptographic thriller, tells the story of Ambrose Jerusalem, a gifted computer security expert, still haunted by his father's death, a few months shy of his doctorate, who has a beautiful and loving girlfriend, and a bright future ahead of him. This is until the government gets involved and Jerusalem's plans are put on hold when the NSA asks him to join them to track down a strange and disturbing series of computer breaches.

Tetraktys, like similar thrillers, has its standard set of characters; from corrupt State Department and World Bank officials, a dashing protagonist with a long-suffering girlfriend, to mysterious and obscure terrorist groups. This terrorist group in the book is comprised of followers of Pythagoras.

As to the title, a tetraktys is a triangular figure of ten points arranged in four rows, with one, two, three, and four points in each row. It is a mystical symbol and was most important to the followers of Pythagoras. While mainly known as the creator of the Pythagorean theorem, Pythagoras of Samos was an influential Greek mathematician and founder of the religious movement of Pythagoreanism. Those wanting more information can watch a video about the symbol.

As to the storyline, the NSA is trying to recruit Ambrose as they feel that the terrorists, who form a secret cult of followers of Pythagoras, have broken the RSA public-key algorithm. Breaking RSA is something that is not expected for many decades, but if a revolution in factoring numbers were to occur sooner, RSA's demise could happen that much quicker.
And if RSA was indeed broken by the antagonists, it would undermine the security of nearly every government and financial institution worldwide and create utter anarchy.

A good part of the book centers on the cult of Pythagoras. Its followers believe that truth and reality can only be understood via their system of numbers. The NSA needs Jerusalem's assistance as he is one of the few people who have the mathematical, classical and philosophical background to help them. It is he who ultimately connects the dots that the Pythagoreans have left, which leads to the book's dramatic conclusion.

The book is a most enjoyable read and one is hard pressed to put it down once they start reading it. The reader gets a good understanding of who Pythagoras was and his worldview via Juels' weaving of Pythagorean philosophy into the storyline.

While the book is not autobiographical, there are many similarities between Ambrose Jerusalem and Ari Juels. From identical initials, to their lives in events in Berkeley and Cambridge, to RSA and more.

For a first book of fiction, Tetraktys is a great read. As a novelist, Juels' style approaches that of Umberto Eco, in that he weaves numerous areas of thought into an integrated story. Like Eco's works, Tetraktys has an arcane historical figure as part of its storyline, and an intricate plot that takes the reader on many, and some unexpected, turns. While not as complex and difficult to read as Eco, Tetraktys is a remarkable work of fiction for someone with a doctorate in computer science, not literature.

The book though does have some gaps, but that could be expected for a first novel. The reader is never sure what the Pythagoreans are really after or why they have resurfaced, and one of the characters is killed, for reasons that are not apparent. Readers who want more information can visit the Tetraktys web site.
As to the book's protagonist, Ambrose Jerusalem is to Juels what Jack Ryan is to Tom Clancy, meaning that his adventures are just beginning, and that is a good thing.

For those interested in a cryptographic thriller, Tetraktys is an enjoyable read. The book interlaces Greek philosophy, mathematics, and modern crime into a cogent theme that is a compelling read. And if the exploits of Ambrose Jerusalem continue, we may have found the successor to Umberto Eco.

Ben Rothke is the author of Computer Security: 20 Things Every Employee Should Know.

------------------------------

Date: Thu, 29 May 2008 07:53:46 -0900
From: RISKS-request@csl.sri.com
Subject: Abridged info on RISKS (comp.risks)

The ACM RISKS Forum is a MODERATED digest, with Usenet equivalent comp.risks.

=> SUBSCRIPTIONS: PLEASE read RISKS as a newsgroup (comp.risks or equivalent) if possible and convenient for you. The mailman Web interface can be used directly to subscribe and unsubscribe:
http://lists.csl.sri.com/mailman/listinfo/risks
Alternatively, to subscribe or unsubscribe via e-mail to mailman your FROM: address, send a message to risks-request@csl.sri.com containing only the one-word text subscribe or unsubscribe. You may also specify a different receiving address: subscribe address= ... . You may short-circuit that process by sending directly to either risks-subscribe@csl.sri.com or risks-unsubscribe@csl.sri.com depending on which action is to be taken.
Subscription and unsubscription requests require that you reply to a confirmation message sent to the subscribing mail address. Instructions are included in the confirmation message. Each issue of RISKS that you receive contains information on how to post, unsubscribe, etc.

=> The complete INFO file (submissions, default disclaimers, archive sites, copyright policy, etc.) is online. The full info file may appear now and then in RISKS issues.
*** Contributors are assumed to have read the full info file for guidelines.

=> .UK users should contact .
=> SPAM challenge-responses will not be honored. Instead, use an alternative address from which you NEVER send mail!

=> SUBMISSIONS: to risks@CSL.sri.com with meaningful SUBJECT: line.
*** NOTE: Including the string "notsp" at the beginning or end of the subject
*** line will be very helpful in separating real contributions from spam.
*** This attention-string may change, so watch this space now and then.

=> ARCHIVES: ftp://ftp.sri.com/risks for current volume
or ftp://ftp.sri.com/VL/risks for previous VoLume
redirects you to Lindsay Marshall's Newcastle archive
http://catless.ncl.ac.uk/Risks/VL.IS.html gets you VoLume, ISsue.
Lindsay has also added to the Newcastle catless site a palmtop version of the most recent RISKS issue and a WAP version that works for many but not all telephones: http://catless.ncl.ac.uk/w/r .

==> PGN's comprehensive historical Illustrative Risks summary of one liners: for browsing, or .ps for printing

==> Special Offer to Join ACM for readers of the ACM RISKS Forum:

------------------------------

End of RISKS-FORUM Digest 25.75
************************