ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, moderator, chmn ACM Committee on Computers and Public Policy
***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org> as
The current issue can be found at
German driverless Transrapid maglev train crashes, killing 23
(Debora Weber-Wulff, Martin Virtel, Peter B. Ladkin)
SCADA Hacks (Al Macintyre)
Vancouver Int'l Airport locked down due to software glitch (Karl Klashinsky)
TIAA-CREF Payment Delays Because of New Computer System (Peter D. Junger)
DVD player, designed for usability? (Daniel P.B. Smith)
1,100 Laptops Missing From Commerce Department (Alan Sipress via PGN)
Home security system snafu (Ron Garret)
RISKS readers as election officials (Peter-Lawrence Montgomery)
Ron Rivest's ThreeBallot (PGN)
Identities lost in phishing (Gadi Evron)
22nd Annual Computer Security Applications Conference (Christoph Schuba)
Abridged info on RISKS (comp.risks)
Date: Sat, 23 Sep 2006 09:01:57 +0200
From: Debora Weber-Wulff <D.Webe...@fhtw-berlin.de>
Subject: German driverless Transrapid maglev train crashes, killing 23
On Friday, Sept. 22, 2006, the German magnetic levitation train Transrapid
(running along a 31,8 km long test loop in Emsland) slammed into a
maintenance car on the track while traveling at approx. 200 km/h.
Officials have been quick to assure that this was not a technical error --
although how they can know this before even all of the 23 dead had been
retrieved from the wreckage is an open question. The cause was quickly put
down to "human failure" -- but has not been elaborated on, probably because
Germany was in the process of trying to sell a second Transrapid to China.
Since the test loop is built on 4-meter high stilts and runs through a
wooded area, a maintenence car runs once in the morning to clean off leaves
and twigs that have gathered overnight and have detrimental effects on
The local fire departments did appear to have extra long ladders in order to
reach the track, but cranes were necessary in order to lift the maintenance
car off the flattened front part of the Transrapid train.
The train does not have a driver, who might have noticed something on the
track and hit the brakes. Officials say that it is impossible to detect
something like this, although I know that for rail-bound trains there are
actually detectors that will not signal a train to proceed unless the track
portion ahead is clear. [Perhaps they don't have signals, since only one
train runs on this track? My speculation - dww]
The train does not offer regular service, but rather takes tourists for a
fast trip. The passengers at the time of the accident are said to have been
workers for a subcontractor.
From the pictures it seems that some sort of slide construction helped
people get out of the (intact) back of the train (the blue things in one of
The Transrapid has been sold as a collision-free system, because it cannot
fall off the track (it wraps around), nothing can cross its path, and two
mag lev trains cannot physically use the same piece of track. The
maintenance car, however, was *not* maglev equipment. So we again have the
case of the system being logically fine if you stay inside the system, but
introducing one piece that is from a different context completely changes
Article (in German):
Pictures of the wreck:
Diagram of the track loop:
Pictures (with captions in German) explaining how maglev works:
[Two other reports follow, and provide some diversity of views, although
I have trimmed some of the duplications. PGN]
Date: Sat, 23 Sep 2006 11:11:35 +0200
From: "Martin Virtel" <virtel...@ftd.de>
Subject: German driverless Transrapid maglev train crashes, killing 23
The two workers on the maintenance vehicle saw things coming and jumped,
saving their lives.
The test track, which is used as a technology showcase and transports
curious tourists and potential customers of the technology, had been
approved for driverless operation only last year.
Right now after the accident, engineers assure us that In theory, maglev
technology is the safest transport in the world, because the propulsion is
done by magnets in the rail - two maglev vehicles on the same part of the
track would run in the same direction, so a crash between them is indeed
Apparently, nobody thought about non-maglev vehicles on the same track,
although these vehicles stick around for routine maintenance. Which is
really tragic, because railways, a 19th century technology, normally do have
the technology to ensure that only one vehicle is on a given part of the
track, and they used to have drivers on board as a fall-back.
And, of course, unspecified "human error" is cited as the most probable
cause for the accident, the second theory being a disruption of an
unspecified wireless communication system.
Date: Sat, 23 Sep 2006 09:06:58 +0200
From: "Peter B. Ladkin" <lad...@rvs.uni-bielefeld.de>
Subject: German driverless Transrapid maglev train crashes, killing 23
The International Herald Tribune (IHT) has a story by Mark Landler of the
NYT. Our local paper, the Neue Westfälische (NW) is running a story from
the Associated Press (AP).
The IHT says it was traveling about 200kph. The NW says about 180kph.
The IHT is reporting 25 dead and 10 seriously injured. The NW is reporting
23 dead and 10 seriously injured.
The IHT says that "The authorities declined to speculate on the cause,
though experts on maglev technology said it appeared to have been caused by
a communications breakdown rather than a flaw in the technology." The AP
quotes the state lawyer involved saying "it is probably the result of human
error." The AP also says that the state justice department and the operating
company IABG are assuming it is human error.
It astonishes me that some authorities are willing to speculate in public on
the root cause of the crash only a day after it has happened.
The NW said that [my translation] "according to the state legal department,
the Transrapid can only travel [on its test track] when the maintenance
vehicle has left the track. The maintenance workers confirm this by
telephone. it is open [that is, it has not been determined PBL] why the
train controller gave permission for the train to proceed."
So let me join in, but without speculating. Any collision between two rail
vehicles demonstrates that the means of ensuring that two vehicles are not
in the same place at the same time is inadequate. The reason I can say this
is because it is an analytic statement: a collision happened, therefore the
means of hindering collisions was inadequate. (The classic example of an
analytic statement is that a bachelor is an unmarried man.)
On a single-vehicle short track, one imagines there are lots of economical
ways of checking that the track is free which do not involve merely
telephone calls. People obviously thought that what they had was
adequate. Turns out it wasn't. (Remember: this is an analytic statement.)
Date: Wed, 13 Sep 2006 23:44:20 -0500
From: Al Macintyre <macwh...@sigecom.net>
Subject: SCADA Hacks
* Alan Paller, director of research at the SANS Institute, and
* Eric Byres, director of industrial cyber security at Symantec,
on some topics of interest to us.
SCADA (supervisory control and data acquisition) systems, essential to the
nation's critical infrastructure, have been hacked.
What's happening today is that terrorists are using cybercrime to get the
money to buy the bombs to blow people up. They are not using cyberattacks
against physical things. There have been cases where SCADA systems that run
power plants, were taken over, but the crime was about financial extortion.
SCADA systems are becoming more vulnerable to cyber attack because obscure
operating systems are being replaced with Windows connected to corporate
networks, that are vulnerable to breaches. The GAO did a great report on
this in 2004. http://www.gao.gov/new.items/d04354.pdf
Then there is the military statement that the Chinese downloaded 10-20
terabytes of sensitive information from NIPRNet.
What the government is doing is producing mountains to reports whose only
function is to gather dust. The best thing that can be done with them is
pile in front of government buildings as protection against a car bomb.
Date: Mon, 25 Sep 2006 10:01:42 -0700
From: Karl Klashinsky <kl...@cisco.com>
Subject: Vancouver Int'l Airport locked down due to software glitch
On 17 Sep 2006, Vancouver International Airport was locked down for several
hours because a security guard noticed what appeared to be an explosive on
an X-ray screen. The bag in question could not be located in the screening
area, so the decision was made to re-screen all passengers in the waiting
The "lock down" procedure also required many flights that had just taken off
to return to Vancouver so that all passengers could be re-screened.
As it turns out, the bag was not found because it did not exist. The image
seen by the guard was from training software installed on the screening
machine. The image in question should have appeared only during a training
exercise, according to a spokesperson from Canadian Air Transport Security
Authority (CATSA). Furthermore:
"They're investigating how that feature of the tool got inadvertently
activated. And while they're doing that investigation, they've deactivated
the tool itself."
None of the basic facts here will be a surprise to RISKers. However, one
thought crossing my mind is whether the training software was executed as a
prank, and if so, how (i.e., I have no idea whether it's possible to
interact with the screening machines remotely). But if a "false positive"
image could be inserted into a live, in-service screening machine, then it's
possible that a "false negative" could also be inserted.
The CBC story shortly after the incident, describing the lock down:
And the recent story describing the cause:
[Also noted by Robert Israel, UBC, Vancouver]
Date: Mon, 25 Sep 2006 14:34:00 -0400
From: "Peter D. Junger" <jun...@samsara.law.cwru.edu>
Subject: TIAA-CREF Payment Delays Because of New Computer System
On 6 Sep I faxed the paperwork to TIAA-CREF requesting a withdrawal from my
retirement account expecting that it might take as long as a week before the
money was wired to my account. It is now 25 Sep and I am still waiting.
I have spoken to several consultants about this problem. The first just
said that it should not have taken that long and that he would see if he
could get it expedited. The next consultant was more forthcoming and said
that the delay was caused by the fact that TIAA-CREF was installing a new
computer system. (I had earlier been told in another context that the old
system was written in COBOL back in the 1960s.)
Later consultants told me that as a University's account is transferred to
the new system, withdrawal applications from retirees from that University
have to be processed manually, rather than by the computer system. That
strongly suggests that as more and more accounts are transferred to the new
system the delays will get longer and longer.
There apparently has been no public announcement of this problem. (At least
I found nothing in a Google search.) When I mentioned this to one of the
consultants, she said that information that there was going to be a
switch-over to a new system was sent to account holders last year, but, when
I pointed out to her that that announcement said nothing about delays, she
said that she did not believe that they had been anticipated.
When I asked what happened to people who couldn't make a mortgage payment or
something like that I was told by one of the consultants that TIAA-CREF was
reimbursing people who had to pay late charges because of the delay. He
didn't say what they did for people whose credit reports were damaged or
those who lost a deal because they could not come up with a down payment in
time or something like that.
One of consultants also told me that it might be six months before the
switch-over to the new system was complete.
The consultants, who were all very considerate, all said that they had no
contact the people responsible for the actual processing of the withdrawal
Date: Mon, 25 Sep 2006 21:06:13 -0400
From: "Daniel P. B. Smith" <usene...@dpbsmith.com>
Subject: DVD player, designed for usability?
Look at the button layout on this portable DVD player.
In case it still isn't clear--it sure wasn't clear to me--the northeast
button navigates east; the southeast button navigates south; the southwest
button navigates west; and the northwest button navigates north. The
silkscreened little arrows _next to_ each button are apparently intended to
convey this, and to help you ignore the engraved little arrows in the
An awful lot of modern user interface design seems to me to amount to
printing little silkscreened arrows next to buttons that were hopelessly
misplaced to begin with.
[This of course might reminds us of John Denver's final flight, in which
he thought he had run out of gas on one tank and tried to switch tanks.
The lever positions were UP for both tanks off, RIGHT for the left tank,
and DOWN for the right tank. PGN]
Date: Fri, 22 Sep 2006 16:11:04 PDT
From: "Peter G. Neumann" <neu...@csl.sri.com>
Subject: 1,100 Laptops Missing From Commerce Department
More than 1,100 laptop computers have vanished from the Department of
Commerce since 2001, including nearly 250 from the Census Bureau containing
personal information. This was revealed in response to a request from the
U.S. House Committee on Government Reform, which is surveying 17 federal
departments about such losses. Of the 10 thus far responding, Commerce is
"by far the most egregious." This leaves questions about the 7 departments
that have not responded! [Source: Alan Sipress, *The Washington Post*, 22
Sep 2006; PGN-ed]
Date: Sun, 24 Sep 2006 11:26:22 -0700
From: Ron Garret <r...@flownet.com>
Subject: Home security system snafu
I swear I am not making this up.
Today I got a call from the company that monitors our home security system.
They said that they had received a trouble report from our system. But our
panel said everything was hunky-dory. All the self- tests were normal, and
the sensor in question was operating properly.
This is not the first time this has happened, so I decided to escalate.
Long story short: the only plausible theory that anyone has been able to
come up with is that somewhere in the country another security system has
mistakenly been programmed with our ID code (the ID codes are assigned and
programmed manually) and it is THAT system that is calling in the trouble
reports. The central monitoring system uses the self-reported ID codes to
identify the system calling in, not caller-id. Therefore (assuming this
theory is correct) there is no way to know where the system with the
duplicate ID actually is.
I pointed out to them that if this theory is correct then the system with
the duplicate ID code is essentially useless, and that if and when the
owners of that system learn this they may not be too happy about having paid
their monthly fees for essentially no value whatsoever. If a burglar ever
breaks into that house (wherever it is) it will appear to the monitoring
office that someone has broken into OUR house. The police will be
dispatched to our house and we'll be charged for a false alarm. Meanwhile
the real burglars will be happily unmolested in some unknown and unknowable
location. Furthermore, if a burglar ever breaks into OUR house through the
location corresponding to the (evidently) faulty sensor on the house with
the duplicate ID they might be tempted to write this off as just the faulty
sensor acting up and not call the police.
Even the possibility that such events might result in (it seems to me,
IANAL) easily winnable lawsuits now that the company has been made aware of
the problem has not motivated them to find a solution as far as I can tell.
Date: Fri, 22 Sep 2006 06:48:33 +0200 (MEST)
Subject: RISKS readers as election officials (Re: Lesher, RISKS-24.43)
I'm a mathematician in Microsoft's Cryptography group. On September 19,
during the Washington State primary, I was a King County (Seattle area)
election judge. This seemed a good use of my expiring vacation hours.
The pay is about $115 for working about 6 am - 9:30 pm, with a one-hour
lunch break and two 15-minute breaks. A four-hour pre-election training
session is also reimbursed. This is more than I've received for equivalent
The polling station where I was assigned is supposed to have 14 workers, but
only 9 had been recruited. Some of us doubled up to do two precincts. I
brought a copy of Avi Rubin's report, but most other judges weren't
For those voting in person, this was the first time they could choose
electronic voting (AVU, Accessible Voting Unit) or paper ballots. I was
across the room from the (one) AVU but understood you touched the screen to
pick a candidate. Supposedly it could (slowly) read the ballot aloud in
English or Chinese, for those who are visually disabled. A printed copy of
your ballot passed under a glass -- you had to affirm that the choices
printed there are correct before casting your ballot.
If a voter chose AVU, I (as judge) needed to fill in a form with the voter's
name and precinct information. Another judge types this precinct
information into the AVU so the voter gets a proper ballot.
Paper ballots could be marked (fill in an oval) and dropped in an Accuvote
machine, which checked for consistency (e.g., don't vote for two candidates
for same office) and tallied the votes. Before opening the polls, we needed
to check that all tallies were zero. The end-of-day counts were printed on
the same roll of adding-machine tape. Ballots with a write-in candidate
automatically went into a separate cannister beneath the Accuvote machine,
so they could be separated at days' end. The County will recount all paper
ballots by hand in 4% of the polling places.
The Accuvote machine also checked that a political party (Democratic or
Republican) had been declared. Some voters deliberately declined this, not
voting for partisan offices. The inspector (= chief judge) had to unlock
the Accuvote machine and tell it to allow this ballot.
Many King County voters vote absentee, and there are plans to go fully
absentee around 2008. The voter lists supplied To election judges omit
absentee voters. The precincts at this polling place had a combined 1500 or
so registered non-absentee voters, of which about 250 chose paper ballots
and 30 chose AVU (30% turnout. I heard those who used the AVU liked it.
There were about 60 absentee ballots dropped off at this polling place.
Occasionally multiple members of a neighborhood would show up together, and
there would be a wait in the line for that precinct. But delays were short
-- having only nine workers wasn't so bad after all).
My usual polling place is elsewhere, and I could not access it during voting
hours. I cast a provisional ballot, where my name is outside an envelope
and the ballot inside. Provisional ballots must be paper. I was able to
cast a vote on many judges as well as state legislators, US Senator, and a
county tax, but not for US Representative, because my residence is in
another congressional district. Several voters who walked in, claiming they
had not received their absentee ballot (and were not on our lists), were
allowed to vote provisionally.
At the end of the day, many items to be returned to the county were
delivered by the inspector, who needed an accomplice of the opposite
political party. There were three bags supplied for these items, but it was
hard to fit everything in. Some items, such as the privacy booths used by
paper voters, were left behind for the county to pick up later.
King County election procedures came under criticism in 2004-2005, while the
2004 gubernatorial election results were being challenged. I saw no severe
anomalies Tuesday. A technician stopped by during the morning, to check
that things were going well.
Date: Mon, 25 Sep 2006 15:25:01 PDT
From: "Peter G. Neumann" <neu...@csl.sri.com>
Subject: Ron Rivest's ThreeBallot
If you have not yet seen Ron Rivest's latest offering, this one is essential
reading: a three-part paper ballot that satisfies privacy and integrity
while avoiding vote selling and eschewing cryptography. Very clever, very
cute. Cheers! PGN
Date: Mon, 18 Sep 2006 06:57:16 -0500 (CDT)
From: Gadi Evron <g...@linuxbox.org>
Subject: Identities lost in phishing
As I often comment, it is funny to me (not really but hold on) when people
scream about this or that organization losing a laptop with 20K
identities. What's 20K?
Obviously that is important, and speaks volumes of corporate security and of
privacy issues. Still, it is insignificant in a laughable fashion when
compared to what's being stolen daily online.
Every day, millions of online identities and website credentials are
lost. Millions. Every day.
This is done through trojan horses which are spread (bots, worm fashion)
among an immense online population. There are thousands of new variants to
these bots coming out every month dedicated specifically as a targeted
attack on online financial institutions.
These attacks target the financial online sites (banking, eCommerce, etc.)
not by attacking them directly on the macro level, but rather by multiple
micro-level attacks against their users, en-masse.
These trojan horses (bots) are so advanced, the utilize rootkit technology,
and when the user surfs to an HTTPS site, use man-in-the-middle attacks on
the machine itself to steal his or her credentials.
These credentials in turn are sent to the remote attackers for further
A lot of money is lost this way. This is a world-wide problem, but it is
especially apparent (as the bad guys utilize the data more and more) in, but
not limited to, the UK and Europe. In the US this is a growing trend, but
it is mostly ignored by the defenders (most are not aware of it) as regular
primitive "e-mail phishing" is still the most apparent threat there. This is
largely due to US banks still mostly using username and password
E-mail phishing is important and a large threat, but it is doomed to death
(it will still be here 10 years from now, like Nigerian scams are here
today, but as a specific threat it will diminish into obscurity.
Phishing today should become the root in a tree called Online Financial
Fraud or eFraud. That, friends, is not going away whether in blogs, trojan
horses, e-mail or your cell phone.
These trojan horse attacks, as they are located on the user's machine
itself, are not stopped by 2-factor authentication, etc. There are things
that can be done, but when the security problem is on a remote machine not
under the, say, bank's control, there is not much they can do with their
current confidence risk assessment systems.
There are solutions, but these are to be discussed another time. It is
obvious that one of the biggest problems facing banks, and ESPECIALLY
eCommerce sites (without the physical-space presence) is how to establish
reputation systems that will provide with a technological risk assesment
confidence decision as to how safe it is to work with a remote user.
The web channel is the cheapest and most effective in banking today, and
banks will not want to lose it.
We (Alan Solomon and myself) cover some of the market involving this
technology and how it works in a recent paper we published in the Virus
Bulletin September edition:
Date: Sat, 23 Sep 2006 16:32:25 -0400
From: ACSAC Distribution Manager <distri...@acsac.org>
Subject: 22nd Annual Computer Security Applications Conference
22nd Annual Computer Security Applications Conference (ACSAC 2006)
December 11-15, 2006 - Miami Beach, FL
We would like to invite you to attend this year's ACSAC conference in Miami
Beach, FL. We have again created an exciting program organized in three
tracks, featuring invited speakers, peer-reviewed technical papers, case
studies, tutorials, a workshop, a works in progress session, panels, and
plenty opportunity to mingle and network with your colleagues from around
The advance program is posted and registration is now open:
The deadline for securing the early registration discount and hotel room
discounts is November 13, 2006.
Dr. Christoph Schuba, 2006 ACSAC program chair Christop...@GMail.COM
Date: 2 Oct 2005 (LAST-MODIFIED)
Subject: Abridged info on RISKS (comp.risks)
The ACM RISKS Forum is a MODERATED digest, with Usenet equivalent comp.risks.
=> SUBSCRIPTIONS: PLEASE read RISKS as a newsgroup (comp.risks or equivalent)
if possible and convenient for you. The mailman web interface can
be used directly to subscribe and unsubscribe:
Alternatively, to subscribe or unsubscribe via e-mail to mailman your
FROM: address, send a message to
containing only the one-word text subscribe or unsubscribe. You may
also specify a different receiving address: subscribe address= ... .
You may short-circuit that process by sending directly to either
risks-s...@csl.sri.com or risks-un...@csl.sri.com
depending on which action is to be taken.
Subscription and unsubscription requests require that you reply to a
confirmation message sent to the subscribing mail address. Instructions
are included in the confirmation message. Each issue of RISKS that you
receive contains information on how to post, unsubscribe, etc.
=> The complete INFO file (submissions, default disclaimers, archive sites,
copyright policy, etc.) is online.
The full info file may appear now and then in RISKS issues.
*** Contributors are assumed to have read the full info file for guidelines.
=> .UK users should contact <Lindsay....@newcastle.ac.uk>.
=> SPAM challenge-responses will not be honored. Instead, use an alternative
address from which you NEVER send mail!
=> SUBMISSIONS: to ri...@CSL.sri.com with meaningful SUBJECT: line.
*** NOTE: Including the string "notsp" at the beginning or end of the subject
*** line will be very helpful in separating real contributions from spam.
*** This attention-string may change, so watch this space now and then.
=> ARCHIVES: ftp://ftp.sri.com/risks [subdirectory i for earlier volume i]
<http://www.risks.org> redirects you to Lindsay Marshall's Newcastle archive
http://catless.ncl.ac.uk/Risks/VL.IS.html gets you VoLume, ISsue.
Lindsay has also added to the Newcastle catless site a palmtop version
of the most recent RISKS issue and a WAP version that works for many but
not all telephones: http://catless.ncl.ac.uk/w/r
==> PGN's comprehensive historical Illustrative Risks summary of one liners:
<http://www.csl.sri.com/illustrative.html> for browsing,
<http://www.csl.sri.com/illustrative.pdf> or .ps for printing
End of RISKS-FORUM Digest 24.44