Subject: RISKS DIGEST 14.38
REPLY-TO: risks@csl.sri.com

RISKS-LIST: RISKS-FORUM Digest  Sunday 7 March 1993  Volume 14 : Issue 38

   FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS
   ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Contents:
6th Int'l Computer Security and Virus Conf (Richard W. Lefkon)
Problem with PLC Software (Lin Zucconi)
Mass electronic scanning of UK int'l telexes from London (James Faircliffe)
`Untested' Risk Management System for Nuclear Power Stations (Anthony Naggs)
Re: Evacuation plan, generators fail in WTC blast (Scott E. Preece)
Re: Where to buy emerg. stairwell lightbulbs? (Joel Kolstad)
Re: Does Publisher's Clearinghouse Use InfoAm? (Karl Kraft)
Re: Smells like Green Spirit... (Barry Salkin)
Re: The White House Communication Project (Joseph T Chew, Randall Davis)
Clinton/Gore technology policy (Bill Gardner)
Cellular Phreaks & Code Dudes [`WIRED'] (John Stoffel)

The RISKS Forum is a moderated digest discussing risks; comp.risks is its Usenet counterpart. Undigestifiers are available throughout the Internet, but not from RISKS. Contributions should be relevant, sound, in good taste, objective, coherent, concise, and nonrepetitious. Diversity is welcome. CONTRIBUTIONS to RISKS@CSL.SRI.COM, with appropriate, substantive "Subject:" line. Others may be ignored! Contributions will not be ACKed. The load is too great. **PLEASE** INCLUDE YOUR NAME & INTERNET FROM: ADDRESS, especially .UUCP folks. REQUESTS please to RISKS-Request@CSL.SRI.COM.

Vol i issue j, type "FTP CRVAX.SRI.COM<CR>login anonymous<CR>AnyNonNullPW<CR>CD RISKS:<CR>GET RISKS-i.j<CR>" (where i=1 to 14, j always TWO digits). Vol i summaries in j=00; "dir risks-*.*" gives directory; "bye" logs out. The COLON in "CD RISKS:" is essential. "CRVAX.SRI.COM" = "128.18.10.1". <CR>=CarriageReturn; FTPs may differ; UNIX prompts for username, password.
For information regarding delivery of RISKS by FAX, phone 310-455-9300 (or send FAX to RISKS at 310-455-2364, or EMail to risks-fax@cv.vortex.com). ALL CONTRIBUTIONS CONSIDERED AS PERSONAL COMMENTS; USUAL DISCLAIMERS APPLY. Relevant contributions may appear in the RISKS section of regular issues of ACM SIGSOFT's SOFTWARE ENGINEERING NOTES, unless you state otherwise.

----------------------------------------------------------------------

Date: Thu, 4 Mar 1993 12:52:02 -0800
From: Richard W. Lefkon
Subject: 6th Int'l Computer Security and Virus Conf

SIXTH INTERNATIONAL COMPUTER SECURITY & VIRUS CONFERENCE and Exposition
sponsored by DPMA Fin.Ind.Chapter in cooperation with ACM-SIGSAC, BCS, CMA, COS, EDPAAph, ISSAny, NUInyla, IEEE Computer Society
Box 894 Wall Street Station, NY NY 10268   (800) 835-2246 x190

FINANCIAL FIRMS OPEN MEETING THURSDAY ON TRADE CENTER RECOVERY

To address the technical side of network and computer terrorism recovery while information systems personnel are interested, a special public forum of industry leaders has been scheduled for next Thursday March 11, entitled, "Trade Center Crisis Recovery."

The in-depth panel will include eight industry representatives - from four affected financial firms that successfully resumed business after Friday's disaster, and four suppliers that helped them. The panel will be housed in next week's Sixth International Computer Security & Virus Conference at the Madison Square Garden Ramada, co-sponsored by the eight computing and networking societies.

With damage estimates already in the multi-billions, Sally Meglathery, Electronic Security Head for the New York Stock Exchange and a scheduled panelist, warns financial data keepers: "Review [your] restart recovery procedures to be sure that you have adequate backup to recover from an attack."
Other than state and federal offices, the main corporations inhabiting the famed skyscraper are indeed banks (First Boston, Sumitomo, Dai-ichi), brokers (Dean Witter, Shearson, Salomon, Mocatta and the Commodities Exchange) and insurance companies (Hartford and Guy Carpenter). Each type will send a representative, as will some service firms.

William Houston, Eastern Region Head for Comdisco Data Recovery, notes that "This is the second time in three years an electrical disaster has completely shut down" the famed twin skyscraper. His firm helped rescue the computer, networking and "back office" operations of two dozen downtown firms in response to the August 13, 1990, electrical substation fire. "We have some major customers in the Towers," notes Houston, "and while preserving their anonymity I intend to plainly tell the Thursday audience just what worked this time and what didn't."

Michael Gomoll, an executive with competitor CHI/COR Information Management, says the terrorist act will have three key results: "Direct loss of revenues, effects on global markets and businesses, and concerns of the business insurance profession." Ironically, CHI/COR, a firm specializing in disaster recovery, was itself assaulted by the crippling Chicago flood of April 13, 1992. As part of his presentation, Gomoll intends to explain how cable conduits played an important role in both disasters.

Last fall, the conference now hosting this "Trade Center Crisis Recovery" roundtable, received what now seem prophetic words in its greeting from Mayor David Dinkins: "As the telecommunications capital of the world . . . we are also extraordinarily susceptible to the various abuses of this technology."

Another irony has to do with the "Meet the Experts" reception at the Empire State Building Observatory following the forum. In previous years, the hosting conference has had its skyline reception at Top of The World, located within the Trade Center. That spot will not open this month.
------------------------------

Date: 3 Mar 1993 16:50:50 U
From: "Lin Zucconi"
Subject: Problem with PLC Software

People using Modicon 984 Series programmable controllers with Graysoft Programmable Logic Controller (PLC) software Version 3.21 are advised to contact Graysoft (414) 357-7500 to receive the latest version (3.50) of the software. A bug in Version 3.21 can corrupt a controller's logic and cause equipment to operate erratically.

PLCs are frequently used in safety-related applications. Users often assume that if their "logic" is correct then they are ok and forget that the underlying logic is implemented with software which may not be correct.

Lin Zucconi  zucconi@llnl.gov

------------------------------

Date: Fri, 26 Feb 93 17:30:55
From: James Faircliffe
Subject: Mass electronic scanning of UK international telexes from London

[Originally in Computer Privacy Digest Sat, Volume 2 : Issue: 021, 27 Feb 93, contact comp-privacy-request@PICA.ARMY.MIL. PGN]

A few months ago, a well-respected British TV documentary show (might have been 'World in Action') discovered that all out-going telexes from the UK were electronically scanned by British Telecom (the main phone company) personnel, supervised by the security services. Direct scanning by the security services would have been illegal. They were looking for words like 'terrorist' & 'bomb', but the civil liberties implications are far-reaching. Obviously, this could affect the privacy of American telexes to the U.K.

J.F. Faircliffe.
i_userid_4@uk.ac.uclan.p1

------------------------------

Date: Thu, 4 Mar 93 13:10 GMT
From: Anthony Naggs
Subject: `Untested' Risk Management System for Nuclear Power Stations

Headline: Sacked expert fears nuclear safety risk
Byline: Paul Brown, Environment Correspondent (The Guardian, 4 March 1993)

A computer system created to make Britain's nuclear reactors safer could fail at a vital moment because it has not been tested properly, according to the man who designed it.

Bob Hodson-Smith, who has been sacked by a company commissioned by Nuclear Electric to design a back-up safety system for nuclear power station controllers, says the system might not perform adequately at precisely the moment it was needed because "bugs" had not been removed from the programming.

He has expressed his fears to Nuclear Electric, the state owned company that runs [all commercial] nuclear power stations in England and Wales. It is understood that the company is seriously concerned at the implications.

The firm which sacked him, Active Business Services (ABS), of Sheffield, has described his fears as irrational. But Mr Hodson-Smith says: "I could no longer live with the fact that safety might be compromised and I had done nothing to warn anyone."

The Safety Related Plant Status Monitoring System, as Nuclear Electric describes the system, has been in operation at a Magnox power station at Oldbury-on-Severn in Gloucestershire for a year. Similar computer systems are being brought into operation at Dungeness A in Kent and Hinkley Point A in Somerset.

Status, as the system was called, was designed to prevent the kind of accidents that occurred at Three Mile Island nuclear power station in the United States and the Piper Alpha oil platform disaster. In both cases shift workers faced with a breakdown in equipment switched to substitute systems, unaware that they had been taken out of service by a previous shift. Status was designed to prevent this happening.
Staff log into the computer every item of safety-related equipment in the nuclear station, so operators can see at a glance whether it is in proper working order. Safety at nuclear stations relies on all vital equipment being duplicated at least twice so any defective equipment can be bypassed.

Mr Hodson-Smith's alarm is based on the belief that the computer system might be relied on in times of emergency when "bugs" in the programming had not been removed. In memos he warned ABS that he was not satisfied the system was safe, and urged the company to inform Nuclear Electric of his fears.

In a memo to ABS managing director, Paul Sellars, he said he was aware he would be "fired" if he published the information but "I am not prepared to present a false picture to Nuclear Electric. I believe that what is being done with the Status project is not morally tenable."

Mr Hodson-Smith said he was not prepared to supply the newer Advanced Gas Cooled Reactor [AGR] (at) Hinkley Point B with a similar system unless Nuclear Electric were fully informed of the potential difficulties with Status at the other stations. He insisted that the system be thoroughly debugged, which could only be done by writing a technical manual explaining the system and cross-checking it. This had not been done.

In a memo he said that if it was a computer system for a bank "it would be acceptable to stick together a functionally complete version, install it and hope it was right. If it failed then it can be fixed as required. However, it is simply not acceptable to do this for a nuclear power station control room system related to safety."

Mr Sellars, managing director of ABS, responded by suggesting that Mr Hodson-Smith consult a psychiatrist, Dr James Conway in Sheffield. Dr Conway's view of his patient was that "he exhibited symptoms of anxiety and overwhelming worry which would be understandable ... if his fears were well-founded.
He believes there is little communication with the management at present."

In a letter Mr Sellars told Mr Hodson-Smith that the Status system would not become fully operative until fully tested. "The company does recognise the nature and extent of its responsibilities."

The company and Mr Hodson-Smith remained at loggerheads. He was subsequently dismissed, and has begun an action for unfair dismissal.

Mr Sellars said: "Mr Hodson-Smith had a very good brain but his behaviour has become irrational. He was not involved in the commercial area. He had become impossible to manage." Mr Sellars said there were no bugs in the system, which was being fully tested. Technical manuals on how the system was constructed were being written and would be provided to Nuclear Electric.

Mr Hodson-Smith has sent papers detailing his fears to the three nuclear stations involved and Nuclear Electric is studying them. Nuclear Electric emphasised that the computer system had not yet been fully integrated into the control system for the reactors. Safety had therefore not been compromised. Nuclear Electric said that the system was a management tool for checking equipment. In the case of an emergency the reactor would be shut down automatically, independently of the Status system.

[A few of the risks covered: reliability of risk management systems; risk of bringing a system into disrepute by the actions of disruptive staff; risk of using a system for a year before full testing and manuals are complete; ...]

Anthony Naggs, Software/Electronics Engineer, PO Box 1080, Peacehaven, East Sussex BN10 8PZ UK  +44 273 589701  amn@vms.brighton.ac.uk

------------------------------

Date: Thu, 4 Mar 93 14:20:50 -0600
From: preece@urbana.mcd.mot.com (Scott E. Preece)
Subject: Re: Evacuation plan, generators fail in World Trade Center blast

| [An old story, eh? Security is almost always considered
| too expensive until AFTER the disaster... PGN]

Now let's be fair.
How many other buildings got the same advice and have not been bombed? What is the expected benefit, over all major buildings, of ensuring against an event with probability x?

In any case, what difference would it have made? It would have made the evacuation a little smoother and less traumatic, but I doubt it would have saved any lives or gotten the buildings re-opened any sooner.

Managers are always paid to decide how much risk is acceptable when weighed against how much expense. There is always some level of disaster against which you are not protected (suppose it had been a nuclear device). Maybe their decision was rotten and they just lucked out in not having a much larger loss of life; on the other hand, maybe their decision was pretty good and they had really bad luck in the placement of the bomb coupled with really good luck in not having any coincident problems to raise the death count. I don't know enough to know whether they acted correctly; I doubt that either the author of the note or the moderator know, either.

scott preece, motorola/mcg urbana design center, 1101 e. university, urbana, il 61801
uunet!uiucuxc!udc!preece  preece@urbana.mcd.mot.com  217-384-8589

------------------------------

Date: Tue, 2 Mar 93 15:45:18 cst
From: kolstad@cae.wisc.edu (Joel Kolstad)
Subject: Re: Where to buy emerg. stairwell lightbulbs? (Carlson, RISKS-14.37)

>Help keep my building from suffering from 'World Trade Center Syndrome'
>(lack of emergency lighting)... Point me in the right direction please!

From the news I've seen, I got the impression that the emergency lighting was controlled by a central computer somewhere, although each separate light/battery pack had a little bit of intelligence of its own. However, whoever programmed the emergency light microbrains had a panic routine that just sat around trying to re-establish contact with the main controller if the main controller had blown up.
But apparently it skipped the programmer's mind that, if the main controller had blown up, it just might be a good idea to turn on the emergency lights.

Does anybody know if this is true? If so, it's some really poor programming! Perhaps comp.risks would be a good place to take this.

---Joel Kolstad

------------------------------

Date: Thu, 4 Mar 93 12:01:56 -0800
From: karl@ensuing.com (Karl Kraft)
Subject: Re: Does Publisher's Clearinghouse Use InfoAm? (Beckman, RISKS-14.37)

More likely, they use a service called National Change of Address. A well-known company will (for a fee), update a mailing list to reflect any changes in address in the last three years. The well-known company? The United States Postal Service.

Karl Kraft  karl@ensuing.com

------------------------------

Date: Fri, 5 Mar 93 09:39:26 GMT
From: bsalkin@nyx.cs.du.edu (Barry Salkin)
Subject: Re: Smells like Green Spirit... (Sorensen, RISKS-14.37)

> A patient in Manchester Royal Infirmary in England was found unconscious
> after she mixed up the nurse's call button with the one to give herself more
> painkiller and pressed the latter button impatiently for several minutes.

It is usual practice with Patient Controlled Analgesia (PCA) to have a lockout on the syringe driver, so that the patient cannot give themselves repeated doses without sufficient time between them. This not only prevents overdoses, but also means one bolus (dose) of painkiller has time to act before the patient is able to give themselves another dose, so that if the first dose is effective, the second, later, dose will not be administered by the patient.

However, if the syringe driver wasn't set up with the time lockout .....

Barry.
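The lockout Barry describes is a timing interlock: a demand is honoured only if enough time has passed since the last delivered bolus, and any demand inside that window is refused. The following is an added illustration, not code from the RISKS post or from any real syringe driver; it models a pump with the lockout configured beside one set up without it, and runs both against a constructed sequence of presses in which the button is held down for several minutes. The bolus size, lockout period and press timings are made-up sample values, not clinical figures.

```python
"""Model of a Patient Controlled Analgesia (PCA) lockout.

Added illustration, not from the RISKS post: the syringe driver honours a
demand-button press only when at least `lockout_s` seconds have passed since
the last delivered bolus. Presses inside the lockout window are counted but
deliver nothing. With the lockout disabled (lockout_s=None), every press
delivers a bolus, which is the failure mode the post warns about.
Dose sizes, lockout period and press timings are constructed sample values.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, Optional


@dataclass
class PcaPump:
    bolus_mg: float                  # drug delivered per accepted demand
    lockout_s: Optional[float]       # None models a driver set up with no lockout
    delivered_mg: float = 0.0
    accepted: int = 0
    refused: int = 0
    last_bolus_t: Optional[float] = None

    def press(self, t: float) -> bool:
        """Handle one demand-button press at time t (seconds since start).

        Returns True if a bolus was delivered, False if the lockout refused it.
        A clock that runs backwards (t < last_bolus_t) is treated as still
        inside the window, so a clock fault errs toward refusing a dose.
        """
        if self.last_bolus_t is not None and self.lockout_s is not None:
            if t - self.last_bolus_t < self.lockout_s:
                self.refused += 1
                return False
        self.delivered_mg += self.bolus_mg
        self.accepted += 1
        self.last_bolus_t = t
        return True


def run_presses(pump: PcaPump, press_times: Iterable[float]) -> Dict[str, float]:
    """Feed a sequence of press timestamps to the pump and return the totals."""
    for t in press_times:
        pump.press(t)
    return {"accepted": pump.accepted,
            "refused": pump.refused,
            "delivered_mg": pump.delivered_mg}


# Constructed scenario: the button is held down and sampled every 2 s for
# five minutes, i.e. 151 presses at t = 0, 2, 4, ..., 300.
IMPATIENT_PRESSES = [2.0 * i for i in range(151)]


def compare(lockout_s: float = 300.0, bolus_mg: float = 1.0):
    """Run the impatient-press scenario with and without the lockout.

    Returns (totals_with_lockout, totals_without_lockout)."""
    with_lockout = run_presses(PcaPump(bolus_mg, lockout_s), IMPATIENT_PRESSES)
    without_lockout = run_presses(PcaPump(bolus_mg, None), IMPATIENT_PRESSES)
    return with_lockout, without_lockout


if __name__ == "__main__":
    safe, unsafe = compare()
    print("lockout 300 s:", safe)     # 2 boluses: t=0 and t=300
    print("no lockout:   ", unsafe)   # 151 boluses, one per press
```

With the 300 s lockout the held button yields only two boluses in five minutes (the first press and the one that lands exactly at the window's end); with the lockout left unconfigured the same presses yield 151. Well-spaced presses, for example at 0, 400 and 800 seconds, are all accepted in either configuration, which is the point of a lockout over a hard press limit: it slows repeated demands without refusing legitimate ones.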
bsalkin@nyx.cs.du.edu or zchag12@ucl.ac.uk

------------------------------

Date: Fri, 5 Mar 93 08:09:15 PST
From: jtchew@Csa3.LBL.Gov (Joseph T Chew)
Subject: Re: The White House Communication Project (RISKS 14:37)

Regarding Bill Clinton's electronic mail, Shellie Emmons asks, as reported here by David Daniels <0004381897@mcimail.com>:

> (1) When you get thousands of messages a day, how do you
> respond effectively?

Same way you respond to thousands of letters or phone calls a day: delegate it to staff members who are trusted to (at least) winnow out whatever wheat there may be and respond to the chaff with a polite virtual form letter. There are 480 minutes in a working day; even assuming that our energetic Mr. C. puts in more than an 8-hour day, he clearly isn't going to give even a cursory acknowledgement, much less a thorough reading and thoughtful reply, to thousands of messages.

If any good ideas are received, he could take a "That'll teach 'em to suck eggs!" approach: have the White House staff find some aide or advisory-panel opening and invite his tormentor to work toward analyzing and implementing the idea. Citizens who envision government policymakers as putting in a six-hour day in a brandy-and-cigars atmosphere will learn their lesson right quick. :)

> (2) How do you make a public e-mail system inclusive
> and accessible?

Figure out how to ape Minitel in the context of our technological and cultural base? Ignore the problem entirely, given that the older means of communicating with the government will remain available?

> (3) What would happen if e-mail became the primary
> mode of (mediated) access to government?

The Golden Age of Unix Nerds, that's for sure. :)

Seriously, one needs some analysis of the modes currently used before this question can be answered.
Again, perhaps the key would be to deliberately keep the older modes available: mail, irate phone calls to one's Congressperson, riding through the Rose Garden on horseback and shouting at the upstairs windows, whatnot. With all due respect to the people who are afraid of disenfranchising the computer-illiterate, I can't see the new medium drastically changing the way the government receives input, unless the individual representatives and staffers *choose* to ignore other forms of input, from letters to phone calls to lobbyists.

The real RISK, of course, is that the President would discover Usenet News! :)

Joe

------------------------------

Date: Thu, 4 Mar 93 19:57:21 est
From: davis@ai.mit.edu (Randall Davis)
Subject: Re: The White House Communication Project (Daniels, RISKS-14.37)

>From: Shellie Emmons
>I am currently involved in a research project that is trying to aid the
>Clinton Administration in making effective use of computer-mediated
>communication to stay "in touch" with the public. ...

There are a number of confusions tangled up in this message; I'll summarize.

Ms. Emmons is an undergraduate at UIUC who was asked by a professor to set up an email list for a research project. She posted a message about the project to three newsgroups (comp.human-factors, comp.society, comp.mail-misc), suggesting more by the description than is entirely correct, and called it "The White House Communication Project", even though it has no official connection to the White House. The name of the project will be changed.

Jack Gill is not the name of the White House person who is involved in efforts to get email running there.

Any email that does go to an address used by Media Affairs Office of the White House is printed out and handed to the folks who handle ordinary White House mail; those folks add that letter to the other fifteen thousand (15,000) letters that the White House gets every day.
Eventually someone may reply (via US Mail) to the message in exactly the manner that they reply to all of their hardcopy mail.

There are a number of organizations trying to help the government use email; one of them is a consortium of researchers led by the MIT AI Lab.

The original message above is of course an example of a computer risk: the ability to attract a considerable amount of attention and excitement in a very short period of time; the medium amplifies the message.

Randall Davis, Associate Director, AI Lab

------------------------------

Date: Sun, 28 Feb 93 13:57:32 EST
From: Bill Gardner
Subject: Clinton/Gore technology policy

This is a comment on the technology policy statement announced by Clinton and Gore on 2/22/93. The policy initiatives include the substance of the National High Performance Computer Technology Act that Gore had previously sponsored in the Senate (e.g., S. 1067 in the 101st Congress). Central to that act and the new initiative is the National Research and Education Network (NREN), a plan to increase the bandwidth of the internet and develop software for its utilization.

I am concerned that the technology policy does not adequately address privacy or other concerns about the social implications of computing, including concerns raised by its proposed initiatives. In the hearings on the High Performance Computing Act, medical informatics was one of the applications envisioned for the NREN. It's also part of the Clinton technology policy. The (brief) discussion of medicine in the 2/22 statement is interesting:

  "This information infrastructure -- computers, computer data banks, fax machines, telephones, and video displays -- has as its lifeline a high-speed fiber-optic network capable of transmitting billions of bits of information in a second....

  "The computing and networking technology that makes this possible is improving at an unprecedented rate, expanding both our imaginations for its use and its effectiveness.
  Through these technologies, a doctor who needs a second opinion could transmit a patient's entire medical record -- x-rays and ultrasound scans included -- to a colleague thousands of miles away, in less time than it takes to send a fax today."

Well, imagine that ("Hey Sue, lookit chromosome 17 on this guy from the Farber! 20 bucks at 7 / 5 sez he's malignant in 5 years. Bet he hopes his insurer never sees this, har har.").

Without having any expertise here, I find it plausible that network consults using computerized medical records would have many benefits for patients. But it's also clear that implementing a network-mediated record system that provided secure confidentiality would be a challenging engineering task. I mean social as well as computer engineering, it's the communication among people that is problematic here.

I find much to like in the technology policy, so I would love to be proven wrong. Unfortunately, I see little evidence that privacy has sufficient priority in the current policy or the former High Performance Computing Act. I would appreciate hearing from others whether the policy adequately covers other aspects of socially responsible computing.

The technology policy ought to include a statement of ethics concerning computerized information. I also believe that the NREN should follow the example of the NIH's Human Genome Project, which devotes 5% of its research budget to a program for studies of the Ethical, Legal, and Social Implications of human genetic research.

William Gardner, Psychiatry Dept, School of Medicine, University of Pittsburgh
Pittsburgh, PA 15213  412-681-1102  wpg@ethics.med.pitt.edu  FAX:412-624-0901

------------------------------

Date: Thu, 4 Mar 1993 18:15:08 -0500
From: John Stoffel
Subject: Cellular Phreaks & Code Dudes

I picked up the premiere issue of a new magazine called "Wired" which is trying to spread the word about the Digital Revolution.
An editorial blurb from the inside page is repeated here:

============

WHY WIRED?

Because the Digital Revolution is whipping through our lives like a Bengali typhoon - while the mainstream media is still groping for the snooze button. And because the computer "press" is too busy churning out the latest PCInfoComputingCorporateWorld iteration of its ad sales formula cum parts catalog to discuss the meaning or context of SOCIAL CHANGES SO PROFOUND their only parallel is probably the discovery of fire.

There are a lot of magazines about technology. "Wired" is not one of them. "Wired" is about the most powerful people on the planet today - THE DIGITAL GENERATION. These are the people who not only foresaw how the merger of computers, telecommunications and the media is transforming life at the cusp of the millennium, they are making it happen.

OUR FIRST INSTRUCTION TO OUR WRITERS: AMAZE US. Our second: We know a lot about digital technology, and we are bored with it. Tell us something we've never heard before, in a way we've never seen before. If it challenges our assumptions, so much the better.

So why not now? Why "Wired"? Because in the age of information overload, THE ULTIMATE LUXURY IS MEANING AND CONTEXT. Or put another way, if you're looking for the soul of our new society in wild metamorphosis, our advice is simple. Get "Wired".

-LR [jfs: Louis Rossetto]
You can reach me at 415-904-0664 or lr@wired.com

================

Along with this they had an interesting article on "Cellular Phreaks and Code Dudes" by John Markoff (markoff@nyt.com), which discusses how the latest rage of Silicon Valley hackers is Cellular phones. He gives an example of how two phreaks hacked into an OKI 900 cellular phone and some of the features they discovered:

o how to use it as a cellular scanner.

o the manufacturer's interface so you can attach the phone to a portable computer.
o one of the phreaks wrote some software to track other portable phones as they move from cell to cell; this allows him to display the approximate locations of each phone since he knows the geographical locations of each cell.

o having the phone watch a specific number, and when that number is used, pick up and by using a simple sound activated recorder, you've made an instant bugging device! Maybe all the spies in the Common Market who were worried about having point to point encryption on cellular phones didn't think of this trick?

I found this article to be worth the cost of the magazine, as it ties in directly with what RISKS readers here have been talking about. Now if it is this easy to hack this phone, how hard would it be to hack into the general cellular phone service machines, those that handle the passing of phones from cell to cell?

The down side was the really annoying format, which seems to be "Techno-babble-obnoxious" with arbitrary changes in typeface, orientation, etc as you flip through pages. I felt that this detracted from the overall look of the information they were trying to present, making it harder to assimilate.

I'd be interested in talking to anyone else who has read this magazine too.

John

------------------------------

End of RISKS-FORUM Digest 14.38
************************