Subject: RISKS DIGEST 13.44
REPLY-TO: risks@csl.sri.com

RISKS-LIST: RISKS-FORUM Digest  Monday 27 April 1992  Volume 13 : Issue 44

FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS
ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Contents:
  An "Own Goal" by the RAF (Brian Randell)
  Risks of a modern weatherman (Bear Giles)
  Standard deviation in LOTUS 1-2-3?! (Lord Wodehouse)
  Ralph Nader/Cable TV/Information Networks (Ralph Nader and Jim Donahue)
  Re: Tax on computer media (Mark Seecof)
  Tracking by Cellular Phone (Brian Kush)
  Re: Admissibility of video tapes (Craig R. Smilovitz)
  Voice mail security (Richard Dickson)
  Re: Bugging Phone Calls (Jay Denebeim)
  Re: Tapping Bill (Allen Smith)
  Re: FBI and telephones (Bob Frankston)
  Puzzle-box patent abandoned (Ross Williams)

The RISKS Forum is moderated. Contributions should be relevant, sound, in good taste, objective, coherent, concise, and nonrepetitious. Diversity is welcome. CONTRIBUTIONS to RISKS@CSL.SRI.COM, with relevant, substantive "Subject:" line. Others may be ignored! Contributions will not be ACKed. The load is too great. **PLEASE** INCLUDE YOUR NAME & INTERNET FROM: ADDRESS, especially .UUCP folks. REQUESTS please to RISKS-Request@CSL.SRI.COM.

Vol i issue j, type "FTP CRVAX.SRI.COM<CR>login anonymous<CR>AnyNonNullPW<CR> CD RISKS:<CR>GET RISKS-i.j<CR>" (where i=1 to 13, j always TWO digits). Vol i summaries in j=00; "dir risks-*.*<CR>" gives directory; "bye<CR>" logs out. The COLON in "CD RISKS:" is essential. "CRVAX.SRI.COM" = "128.18.10.1". <CR>=CarriageReturn; FTPs may differ; UNIX prompts for username, password.

ALL CONTRIBUTIONS CONSIDERED AS PERSONAL COMMENTS; USUAL DISCLAIMERS APPLY. Relevant contributions may appear in the RISKS section of regular issues of ACM SIGSOFT's SOFTWARE ENGINEERING NOTES, unless you state otherwise.
----------------------------------------------------------------------

Date: Thu, 23 Apr 1992 09:28:16 +0000
From: Brian.Randell@newcastle.ac.uk
Subject: An "Own Goal" by the RAF

The following is quoted in its entirety, from the 23 Apr 1992 issue of The Independent, a "quality" UK National Newspaper. Its discussion of how a Royal Air Force Sea Harrier managed to bomb a Royal Navy aircraft carrier is entirely speculative, offering either a computer malfunction, or failure by the pilot to press a button as likely causes. However I find the statement that "offset" bombing practice relies on a simple button press to ensure that the ship towing the target does not itself become the target both interesting and worrying, if true.

Brian Randell

`ARK ROYAL' WAS BOMBED BY RAF HARRIER PILOT
By Christopher Bellamy, Defence Correspondent

The Royal Navy launched an inquiry yesterday into how a Royal Air Force pilot bombed its most modern carrier, Ark Royal, on Monday, missing the intended target by 500 yards.

Navy sources said that one of the two RAF pilots flying with the Royal Navy during the exercise had applied to transfer to the senior service. It is not clear if the incident will affect that move.

The Ministry of Defence said such an accident had never happened before but refused to speculate how the Sea Harrier 1 from Ark Royal missed the target towed behind the ship and, according to the MoD, put the bomb through the flight deck. Six sailors were hurt, one seriously, and five were still in the Royal Naval Hospital Haslar, Portsmouth, yesterday.

However, it is almost certain that the plane was practising an attack using the "offset" procedure. It is possible that the RAF pilot of the Navy plane failed to press the button to switch from a reference point - the carrier - to the target. "Offset" is used where the target may be difficult to see, but its position relative to a clear reference point is known.
The practice bomb has the same flight characteristics as a real one but carries only a small explosive charge to mark where it lands. The charge exploded inside the carrier, starting a small fire.

Under the offset procedure, the plane's computers make the calculations needed to adjust the bomb's trajectory from the "false" target to the real one. The Sea Harrier pilot lines up on the ship from about five miles and 250 feet above the water. Flying towards the ship he then tells the computer to attack the "splash target", towed 500 to 1,000 yards behind, while still flying at the ship. The attack must be carried out from the beam, or the computer software will automatically prevent bomb release. At the optimum height, speed and distance the computer tells the pilot to pull up and release the bomb.

Paul Beaver, publisher of Jane's Defence Weekly, said: "It does rely on the pilot to press the button to switch from the mock target to the real one." On Monday, the button may not have been pressed or the computer may have malfunctioned, and the bomb went into the reference point - Ark Royal - instead of into the target.

The practice bomb hit the carrier about one third of the way aft of the ski-jump and slightly to port, reportedly penetrating the flight deck and exploding in the mess deck below. But Mr. Beaver said he was "very surprised" to hear the bomb had penetrated the flight deck. At that trajectory, he said, it was more likely to have bounced off - unless it went into the ship's side.

[Computing Laboratory, The University, Newcastle upon Tyne, NE1 7RU, UK
Brian.Randell@newcastle.ac.uk +44 91 222 7923 FAX = +44 91 222 8232]

------------------------------

Date: Wed, 22 Apr 1992 12:54:15 -0600
From: Bear Giles
Subject: Risks of a modern weatherman

(From the bulletin board down the hall...)

Network Wind Profiler Severely Damaged

A wind profiler in OAR's Wind Profiler Demonstration Network (WPDN) was severely damaged by several shot-gun blasts late last week.
On March 28, just before sunrise, two men and one woman were pheasant hunting in southern Nebraska [and] came across the McCook wind profiler and mistook it for an alien spacecraft. Frightened, they fired a number of shots damaging the profiler antenna and the electronics shed. Furthermore, a Forecast Systems Lab (FSL) technician who was in the shed conducting routine system checks was taken hostage by the hunters. After being held captive for nearly two hours, the technician's partner arrived and explained to the hunters what the profiler really was. The hunters then fled and so far, they have not been apprehended by law enforcement officials. Profiler damage is estimated at $150,000.

- = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = -

A profiler (developed in the building where I work) is a phase-array radar which "looks" nearly straight up. The basic model can determine wind direction and speed from the ground to about 50 mb (around 20km, at a guess); a recently developed enhancement can also determine air temperature up to the tropopause. They are used in a manner similar to weather balloons, but provided hourly summaries instead of 12-hour reports. (They operate continuously, but the data is rather noisy).

I've never seen an actual profiler on the ground, but the models and artist's conceptions show a flat rectangular grid. Coworkers describe it as a "construction junkyard", or "flat pipes" held about 4 ft above the ground.

Of course, those of us in the mountains have a very low opinion of plains-dwellers. Several meteorologists on a "storm chase" last year reported one Kansan walking up to them (on the side of the road) and asking "Is that a tornado?" What he thought the large funnel cloud a few miles away was, if not a tornado, nobody has ever figured out...
Bear Giles bear@fsl.noaa.gov [Yes -- the "fsl" is for Forecast Systems Lab]
National Oceanic & Atmospheric Administration / Boulder Labs

------------------------------

Date: 23 Apr 92 15:51:00 BST
From: Lord Wodehouse
Subject: Standard deviation in LOTUS 1-2-3 ?!

My company has just sent out in an internal magazine a comment about the @std function in LOTUS 1-2-3. From this I gather that the @std function in both version 2.2 and 3.1 uses the number in the sample (n) and not the number in the sample - 1 (n-1). Version 3.1 has a second macro to use the correct value. Version 2.2 manual comments that the @std should only be used on large samples. The comment in our magazine defines small samples as less than 30.

Two things arise from this. 1) Just how much work has been done by people using 1-2-3, who have not realized the "error", and 2) why have two versions of the macro, when the correct one works for all samples. (my guess is that if the original incorrect version was changed, users would worry about the different answers obtained after the change, even though the answers would now be "correct".)

Moral: You should never trust blindly answers from any statistical package on a computer, unless you know the formula used by the package.

Lord John - The Programming Peer

------------------------------

Date: Mon, 27 Apr 92 07:08 GMT
From: "Essential Information, Inc." <0002633455@mcimail.com>
Subject: Ralph Nader/Cable TV/Information Networks

From: Ralph Nader, Washington, DC
Date: April 16, 1992

Summary: Your help is needed to secure an amendment to pending cable television legislation. The amendment would create a mechanism to organize local Cable Consumer Action Groups (CCAGs) to represent the interests of consumers directly before regulatory and legislative bodies.
This proposal is an innovative way to create countervailing power to some of the large corporate interests that control our information infrastructure, and it is a model that is highly relevant for users of voice and data network services. Readers are asked to sign a letter to Congress supporting this amendment. Action is needed very soon. Respond to Jim Donahue, Teledemocracy Project (Internet: 0002633455@mcimail.com)

Dear citizen:

As you may know, Congress is currently considering cable television legislation. Every television consumer should be concerned about the outcome of this legislation, and particularly citizens who are concerned about the future of information technologies. The current fiasco with the cable industry is an important example of the management of information technologies for the benefit of a few corporate monopolists at the expense of the many. Today nearly all Americans are confronted with a monopoly provider of cable video signals, who not only has total control over what you can receive, but also what you pay.

Over the next 15 years we will see a rapid convergence of information technologies. Soon it will be possible to transmit voice, data, and video signals over the same fiber optic telecommunications infrastructure. The fight over who will control the content of information that flows over that infrastructure, and how it will be priced, will define who can send and who can receive information in digital form. As the use of modern technologies increasingly makes it easier to meter the consumption of information products and services, the gaps between the information rich and information poor will continue to grow.

The current battle over the regulation of the cable television industry is an important step in a more general battle over the control of our information infrastructure. This is a battle over power and wealth, and also over democratic values, competition, and enlightenment.
Will we harness our great new information technologies to promote a diversity of sources of information, or will these technologies be used primarily as vehicles for narrowly focused commercial interests, exercising monopoly power?

CABLE CONSUMER ACTION GROUPS (CCAG) AS COUNTERVAILING POWER

A number of consumer groups have asked Congress to adopt an innovative proposal to help cable television subscribers organize to represent their interests. Notices describing local Cable Consumer Action Groups (CCAGs), which would be independent and democratically controlled local organizations, would be placed in the cable companies' billings. The notices describe the purposes and goals of the group and solicit funds for membership. The CCAG would be required to reimburse the cable company for the incremental costs of inserting the notice in the bill, so the cost would not be a burden to the cable company or its subscribers.

These local subscriber consumer groups would then monitor the policies and practices of the cable company, and represent consumer interests in regulatory and legislative proceedings and with the cable companies directly.

The cable industry is extremely active politically, contributing millions of dollars to candidates for political office and spending millions more in lobbying activities before legislative and regulatory bodies. In the absence of something like the CCAG, important public policy issues are debated in an extremely unbalanced way. The CCAG is a modest but important step in addressing a very corrupt system that regularly tramples on the rights and interests of consumers.

Among the groups that have endorsed this proposal are:

  Center for Media Education
  Consumer Federation of America
  New York City Commissioner of Consumer Affairs
  Public Citizen
  Teledemocracy Project
  U.S. Public Interest Research Group

HAS IT BEEN TRIED BEFORE?
This proposal is based on the highly successful Citizen Utility Board (CUB) model, which has represented ratepayers in several states. The most successful CUB, in Illinois, has 170,000 members; its advocacy has saved consumers some $2 billion over the past several years. Other CUBs exist in Wisconsin, Oregon and San Diego. We want to see this innovation used nationwide in the cable television industry. (Of course, it may well be a model that has applications to other telecommunications issues.)

WHAT YOU CAN DO

The CCAG proposal was included in H.R. 4850, but was deleted by a voice vote (in contrast to a recorded vote) in the House Subcommittee on Telecommunications and Finance. The bill is now in the full Energy and Commerce Committee, where committee supporters will seek to restore the provision through an amendment.

We are asking you to send us an email message giving permission to use your name in a letter to Congress supporting this amendment. If you are willing to do so send the following information to the Teledemocracy Project (internet: 0002633455@mcimail.com, or fax 202-234-5176).

  Name:
  Title: (optional)
  Affiliation: (optional)
  Address:
  City and State: (important, for obvious reasons)
  telephone: (for verification)
  email address: optional

Thank you very much for your help on this.

Sincerely, Ralph Nader

[A copy of the letter follows:]

Chairman Edward Markey
Subcommittee on Telecommunications and Finance
Committee on Energy and Commerce
Washington, D.C. 20515

Dear Chairman Markey:

We are writing to support your "consumer representation" amendment to H.R. 4850, the cable re-regulation bill. It is imperative that new cable legislation provide a mechanism that gives consumers a stronger voice in regulatory and legislative debates. This amendment is ideal because it brings citizens into the regulatory process at no cost to the government or the cable industry.
Who in Congress can deny the unfairness of a system where the owners of cable monopolies can use subscriber revenues for lobbying purposes while consumers are left powerless and unrepresented?

This is only a small step toward curbing the monopolistic power of the cable television industry. We urge the House Energy and Commerce Committee to include your consumer representation amendment in the cable bill.

Sincerely,

...

[For more information, contact: Jim Donahue, Teledemocracy Project, voice: 202/387-8030, fax: 202/234-5176, Internet: 0002633455@mcimail.com]

[For an email copy of the amendment contact Jim Donahue (internet: 0002633455@mcimail.com).]

------------------------------

Date: Wed, 22 Apr 92 10:22:42 -0700
From: Mark Seecof
Subject: Re: Tax on computer media (RISKS-13.43)

A tax on clarinet reeds would hit only musicians and reed makers (and indirectly music fans); a tax on gasoline hits just about everyone. A tax on computer media, ostensibly aimed at music consumers, would come to hit everyone because of the simple fact that computers are spreading through society faster than a nasty joke through a frat house. A tax on computer media will soon be as general a tax as one on gasoline.

I don't think there's any RISK to computer users in such a tax, except at the same level as the risk to automobile users in a fuel tax. The tax is objectionable because it's a general tax for the specific benefit of an unworthy few; and because the legislators responsible for it perhaps do not understand the full effect of the proposed law.

The only REAL problem is that uneducated people are yet unaware of the fact that while 1/4" audio tape and IBM 5081 punch cards were distinctly different, in the modern digitally-recorded computer-processed "information age" it is impossible to distinguish between musical and textual and graphical storage media.
At worst, tax avoidance schemes based upon artificially differentiating music media and computer media would add some cost, a little less than the tax itself would, to computer media, and generally reduce the economic efficiency of all digital technology industries.

Mark Seecof

------------------------------

Date: Fri, 24 Apr 92 08:00:45 PDT
From: "Brian Kush"
Subject: Tracking by Cellular Phone

Yesterday while driving through GA, my Cellular Phone rang. Since I was roaming I was not expecting a call. When I answered it, it was a recording welcoming me to Bell South Mobility and offered instructions on using their service. I have had this happen before and did not think anything about it. Though today I started to think. If the cellular phone company could sense that I had come into their area, they could track my movements all over the country on a carrier by carrier basis. They might even be able to track me within a city/area by which antenna was picking up my signal. Right now the risk is rather low, but it's something to think about.

Brian Kush, Sales Consultant, Oracle Express, Eastern Region, 412.262.5200
vmail: 412.269.3518 pager: 800-SKY-PAGE PIN# 5773865

------------------------------

Date: Thu, 23 Apr 92 14:53:23 EDT
From: craig.smilovitz@spd.analog.com (Craig R. Smilovitz)
Subject: Re: Admissibility of video tapes

There seems to be a strange idea that has been floating around in some of the recent postings on comp.risks: namely, that video tape records of your actions necessarily belong to you and their use in a trial as evidence is an invasion of your privacy.

Events that happen in public places are public knowledge and not private. While recordings (video or otherwise) can not necessarily be used for profit by a third party, they are public and may be distributed and used as evidence. Anyone is allowed to see and to tell about what they see in a public place (such as the street corner on which Rodney King was assaulted).
That retelling may include using aids such as a video tape.

Things get somewhat more interesting when talking about a camera mounted somewhere and run without an operator. Then the viewing analogy does not hold as well. In those cases, judging by common practice, there may be some principle in the law dealing with the likelihood of knowing that you are witnessed. When there are people standing nearby, you know that likelihood is great. Locations that have video-tape surveillance tend to have signs advising patrons of that fact.

Hope this is of some help when talking about privacy and videotape. Of course, the definition of a public place can get muddy but in the case of the Rodney King beating video this is not an issue.

Craig Smilovitz

------------------------------

Date: Fri, 24 Apr 1992 08:43 EST
From: DICKSON@krdc.int.alcan.ca
Subject: Voice-mail security

I request your assistance with collecting some information regarding the problem of voice-mail security. I have noticed some previous comms in the risks board re this subject and I would like to collect further info regarding risks of these systems. Are call loggers a problem when you give your password to a mail retrieval system from a hotel or an office? Is there a hacker market for this info? Finally how prevalent is this problem in various parts of the world? How can we protect ourselves from these problems?

Thank you in anticipation. Responses please to the following address: Richard Dickson ( DICKSON@KRDC.INT.ALCAN.CA )

N.B. this is a server address and not the address of the phone system in question. So if there are any abusers out there, you'll get no hints from me !

------------------------------

Date: Sun, 26 Apr 92 12:21:44 EDT
From: Jay@deepthot.cary.nc.us (Jay Denebeim)
Subject: Re: Bugging Phone Calls (RISKS-13.43)

The main thing that bothers me about this bill is, why is it needed? I work for a major vendor of central office switching equipment, and I see absolutely no reason to enact such a law.
At the CO/PBX hosting the line it will always be possible to 'listen' to any of the terminals off that line. This is required for ensuring the equipment is working. I cannot conceive a system where this would not be a requirement.

Looking at the proposed law that was reproduced in a previous issue of RISKS, it appears that what they are asking for is the ability to capture the bit stream from any terminal. No more, no less, it specifically excluded any responsibility for the telco to unencrypt anything fed to the terminal.

The bit stream from any terminal is available at the CO. It has to be, otherwise it would not be possible to identify which terminal to route the return bit stream to.

Jay Denebeim UUCP: duke!wolves!deepthot!jay jay@deepthot.cary.nc.us
BBS:(919)-460-7430 VOICE:(919)-460-6934

------------------------------

Date: Fri, 24 Apr 1992 10:23 EST
From: ALLENS@earlham.bitnet
Subject: Re: Tapping Bill

...
>8 "(2) 'communication' means any wire or electronic
>9 communication, as defined in subsection 2510(1) and
>10 2510 (12), of Title 18, United States Code;

This definition means, unless the other laws cited are such as to modify this interpretation, that they could technically demand that all BBSes, etc. set themselves up so that they could be tapped without their knowledge or consent, and can be fined for not complying with this regulation. I suspect how this might be used would be for the BBS to be informed of this "responsibility" after the FBI/Secret Service/whatever thinks they're doing something they shouldn't (which they might extend to legitimate political activity such as pro-drug-legalization), thus causing them to have massive amounts of fines to pay off.

-Allen

------------------------------

Date: Wed 22 Apr 1992 14:52 -0500
From:
Subject: Re: FBI and telephones (RISKS-13.41)

I'm surprised that there has been little mention of traffic analysis.
Even if the conversations are encrypted, information about who is calling whom can be very valuable.

------------------------------

Date: 23 Apr 92 15:50:55 GMT
From: ross@spam.maths.adelaide.edu.au (Ross Williams)
Subject: Puzzle-box patent abandoned

Readers of risks may remember that in mid 1991 I posted a message describing a "puzzle-box" idea, for which I had lodged an Australian provisional patent. [See RISKS-12.06 and .07. PGN] The idea was to place some kind of hardware "puzzle" between computers and the safety-critical/trusted devices they control so as to reduce the likelihood of accidental activation in the case of a failure of the computer or the interface. To activate the critical device, the computer would have to send out a complicated sequence to "solve" the puzzle.

The posting created quite a fuss for the following reasons:

* People thought that it was covered by prior art.
* People thought that it was too simple to be worthy of a patent.
* People were concerned that it could be applied to software.
* People thought that the idea would never work because of single point software vulnerabilities.

Except for the last criticism, which was provably (by construction) incorrect, all of these criticisms were valid, although perhaps not as valid as many thought. I was mailed quite a lot of claimed examples of prior art, most of which held some similarity, but none of which hit the mark until I heard about a satellite that had been sent up in the 1980s which had exactly what I would call a puzzle box in the form of a linear shift register puzzle that was protecting a rocket motor (or something equally as important). I never managed to formally obtain the details of this example, but if it was true, it was bang on. As it happened, it didn't matter, as all the hate mail put me off the patenting idea anyway.
Later on in the year I happened across a friend who said that he had been involved in a missile project some years ago that had used some sort of "puzzle box" in between a controller of some kind and a firing mechanism. Apparently, on occasions during lab tests, the computer was not able to fire the puzzle box, and so they would call in a technician who had a box with a bouncy switch that just happened to reliably generate the firing sequence... So much for protection!

Anyway, there are three main points that I want to make.

The first is that I have completely abandoned the puzzle box patent. My reasons:

* I don't want to own a patent that most people seem to hate.
* Although I have not formally checked it out, I have heard of at least one convincing prior art example (the satellite).

The second point is that because my patent has been formally registered in Australia, and publicised, there can be no chance of anyone else successfully sustaining a similar patent. Even if the idea had never actually been written down previously, it is now definitely prior art. (Those who are paranoid about my intentions will be pleased to hear that the provisional patent application has now actually expired so I now can't resurrect the patent, even if I changed my mind).

The third and by far the most important point, and the one likely to be of most interest to risks readers, is this. Despite the huge barrage of mail that I received claiming prior art, almost none of it was in safety critical applications. People claimed particular forms of protected memory, clock chips, even Unix passwords, as prior art, but very few people provided examples from trusted systems. One of the reasons why I lodged the patent in the first place was because I wanted to use the patent to draw attention to the puzzle box idea. I was involved in safety-critical systems for a year and a half, and during that time I didn't hear of any explicit puzzle box mechanism being used in any safety-critical system.
Most of the systems that I saw attacked the interface problem using a battery of non-puzzle-box techniques such as output delay and sampling, multiple processors, and analog voting schemes.

So my question is this: Are puzzle boxes a widely known and used technique in safety-critical applications, or are they not?

If they ARE in use, then I am surprised because I haven't heard much of them, and in particular, they didn't turn up in the prior art barrage, even though the patent, and my presentation of it in comp.risks, was entirely directed towards safety-critical applications.

If they are NOT in use then I think that it is important that the safety critical community become more aware of them, as they can provide a much needed extra layer of protection. My experience working in the field was that there was too much emphasis placed on the software, and not enough on simple physical checking systems or human procedures that could reduce the criticality of the software.

It would seem a shame if my patent, defeated by hate mail and clock chips :-), does not impact on its intended safety-critical audience who are in a position to use puzzle boxes to save lives. If you agree, please join me in disseminating the idea in the safety-critical software community.

The defunct patent, which describes the idea, is a 38K ASCII text file that can be retrieved by anonymous FTP from:

  Machine : sirius.itd.adelaide.edu.au [129.127.40.3]
  File    : pub/compression/puzzlebox_provpatent

My thanks go to all those who were involved last year,

Ross Williams, ross@spam.adelaide.edu.au

------------------------------

End of RISKS-FORUM Digest 13.44
************************
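The puzzle-box interlock described in Ross Williams's posting above, as an added C model that is not part of the original digest or of the patent text: the LFSR taps, seed, byte-wide interface and sequence lengths are assumptions chosen for illustration. It compares an 8-byte puzzle with a 1-byte one under three constructed controller failures (stuck output, counting ramp, noise), which is the property the bouncy-switch anecdote turns on.

```c
/* Added illustration: software model of a hardware "puzzle box" interlock.
 * LFSR taps, seed, byte-wide interface and lengths are assumptions. */
#include <stdint.h>
#include <stdio.h>

#define PB_SEED 0xACE1u              /* assumed non-zero start state */
typedef struct {
    uint16_t lfsr;   /* state that predicts the next expected byte */
    unsigned need;   /* consecutive correct bytes required to arm */
    unsigned have;   /* consecutive correct bytes seen so far */
    int armed;       /* 1 once the puzzle has been solved */
} puzzle_box;

/* One step of a 16-bit Galois LFSR with taps 0xB400. */
static uint16_t lfsr_step(uint16_t s)
{
    return (uint16_t)((s >> 1) ^ ((s & 1u) ? 0xB400u : 0u));
}

void pb_reset(puzzle_box *pb, unsigned need)
{
    pb->lfsr = PB_SEED; pb->need = need; pb->have = 0; pb->armed = 0;
}

/* Feed one byte from the controller; any mismatch discards all progress. */
int pb_feed(puzzle_box *pb, uint8_t byte)
{
    uint16_t next = lfsr_step(pb->lfsr);
    if (pb->armed) return 1;
    if (byte == (uint8_t)(next & 0xFFu)) {
        pb->lfsr = next;
        if (++pb->have == pb->need) pb->armed = 1;
    } else {
        pb_reset(pb, pb->need);
    }
    return pb->armed;
}

/* What a healthy controller sends: the first `need` LFSR output bytes. */
void pb_solution(uint8_t *out, unsigned need)
{
    uint16_t s = PB_SEED;
    for (unsigned i = 0; i < need; i++) {
        s = lfsr_step(s);
        out[i] = (uint8_t)(s & 0xFFu);
    }
}

/* Returns 1 if feeding seq[0..n) to a fresh box arms it. */
int pb_try(const uint8_t *seq, size_t n, unsigned need)
{
    puzzle_box pb;
    pb_reset(&pb, need);
    for (size_t i = 0; i < n; i++) pb_feed(&pb, seq[i]);
    return pb.armed;
}

enum fault { STUCK, RAMP, NOISE };   /* constructed controller failures */
/* Count spurious activations over n bytes emitted by a failed controller. */
unsigned long pb_spurious(enum fault f, unsigned need, unsigned long n)
{
    puzzle_box pb;
    uint32_t x = 0x12345678u;        /* fixed seed: repeatable noise */
    unsigned long hits = 0;
    pb_reset(&pb, need);
    for (unsigned long i = 0; i < n; i++) {
        uint8_t b;
        if (f == STUCK) b = 0x70;    /* worst case: first expected byte */
        else if (f == RAMP) b = (uint8_t)i;
        else { x ^= x << 13; x ^= x >> 17; x ^= x << 5; b = (uint8_t)(x >> 24); }
        if (pb_feed(&pb, b)) { hits++; pb_reset(&pb, need); }
    }
    return hits;
}

int main(void)
{
    for (int f = STUCK; f <= NOISE; f++)
        printf("fault %d: 1-byte puzzle %lu, 8-byte puzzle %lu spurious arms\n", f,
               pb_spurious((enum fault)f, 1, 1000000UL),
               pb_spurious((enum fault)f, 8, 1000000UL));
    return 0;
}
```

The 1-byte puzzle arms under every fault model, while the 8-byte puzzle needs the whole sequence in order and resets on the first wrong byte.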