Subject: RISKS DIGEST 14.39
REPLY-TO: risks@csl.sri.com

RISKS-LIST: RISKS-FORUM Digest  Tuesday 9 March 1993  Volume 14 : Issue 39

   FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS
   ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Contents:
Bruce Nuclear Plant - Potential Safety Problem (David Levan)
Steve Jackson Games/Secret Service wrapup (Eric Haines)
`Interrupt' by Toni Dwiggins (PGN)
Short Course on Software Safety? (Nancy Leveson)
Ohio student database under legal attack (Tim McBrayer)
Royal Bank client cards (Mich Kabay [2])
Political -> Personal risks (WTC/NYC) (Stephen Tihor)
Re: World Trade Center blast (Frank Caggiano, Jay Elinsky, Chaz Heritage)

The RISKS Forum is a moderated digest discussing risks; comp.risks is its Usenet counterpart. Undigestifiers are available throughout the Internet, but not from RISKS. Contributions should be relevant, sound, in good taste, objective, coherent, concise, and nonrepetitious. Diversity is welcome.

CONTRIBUTIONS to RISKS@CSL.SRI.COM, with appropriate, substantive "Subject:" line. Others may be ignored! Contributions will not be ACKed. The load is too great. **PLEASE** INCLUDE YOUR NAME & INTERNET FROM: ADDRESS, especially .UUCP folks. REQUESTS please to RISKS-Request@CSL.SRI.COM.

Vol i issue j, type "FTP CRVAX.SRI.COM<CR>login anonymous<CR>AnyNonNullPW<CR>CD RISKS:<CR>GET RISKS-i.j<CR>" (where i=1 to 14, j always TWO digits). Vol i summaries in j=00; "dir risks-*.*" gives directory; "bye" logs out. The COLON in "CD RISKS:" is essential. "CRVAX.SRI.COM" = "128.18.10.1". <CR>=CarriageReturn; FTPs may differ; UNIX prompts for username, password.

For information regarding delivery of RISKS by FAX, phone 310-455-9300 (or send FAX to RISKS at 310-455-2364, or EMail to risks-fax@cv.vortex.com).

ALL CONTRIBUTIONS CONSIDERED AS PERSONAL COMMENTS; USUAL DISCLAIMERS APPLY.
Relevant contributions may appear in the RISKS section of regular issues of ACM SIGSOFT's SOFTWARE ENGINEERING NOTES, unless you state otherwise.

----------------------------------------------------------------------

Date: Mon, 8 Mar 93 13:54:20 EST
From: ac401@freenet.carleton.ca (David Levan)
Subject: Bruce Nuclear Plant - Potential Safety Problem

Article from the Ottawa Citizen, March 8, 1993, by Canadian Press.

"Ontario Hydro Cites Safety Reasons For Reducing Power Production At Bruce Nuclear Plant

Power production has been reduced at Ontario Hydro's largest electrical generator so that engineers can solve a potential safety problem, a utility spokesman said Sunday.

Hydro began 'derating' the units at the Bruce nuclear plant to 60 per cent Friday after learning the safety margin in the event of a reactor accident was slimmer than expected, said Tony Tidbury, manager of reactor safety.

'This is not a problem in the reactor right now,' said Tidbury. 'It would only change in the event of an extremely unlikely accident,' which would be a huge leak of heavy water - which cools the reactor's radioactive fuel, Tidbury said.

The Lake Huron nuclear plant produces about 20 per cent of Ontario's electricity but Hydro spokesman Geoff McCaffery said the cut shouldn't be a problem."

David Levan, DLSF Systems Inc., 189 Knudson Drive, Kanata, Ontario Canada K2K 2C3
ac401@freenet.carleton.ca  (613) 592-8188, fax (613) 592-2617

------------------------------

Date: Tue, 9 Mar 93 10:25:35 -0500
From: Eric Haines
Subject: Steve Jackson Games/Secret Service wrapup

[Eric Haines, erich@eye.com, sent me a Houston Chronicle article by Joe Abernathy, a sometime contributor to RISKS, which Eric found in the electronic mail magazine "Desperado" ("no, it's not a magazine about hacking"). "There can be justice in the world, after all..." EH. I cannot include the long copyrighted article here, but have excerpted from the beginning, as follows. It's a good article. Alas, no date.
But Joe may still be available at Joe.Abernathy@houston.chron.com if you want to dig up the whole thing. Also, see RISKS-9.95,96; 10.01,ff. for the earlier history. PGN]

Steve Jackson Games/Secret Service wrapup
By JOE ABERNATHY
Copyright 1993, Houston Chronicle [no date given]

AUSTIN -- An electronic civil rights case against the Secret Service closed Thursday with a clear statement by federal District Judge Sam Sparks that the Service failed to conduct a proper investigation in a notorious computer crime crackdown, and went too far in retaining custody of seized equipment.

The judge's formal findings in the complex case, which will likely set new legal precedents, won't be returned until later. [...]

The judge's rebuke apparently convinced the Department of Justice to close its defense after calling only ... one of the several government witnesses on hand.

"The Secret Service didn't do a good job in this case. We know no investigation took place. Nobody ever gave any concern as to whether (legal) statutes were involved. We know there was damage," Sparks said in weighing damages.

The lawsuit, brought by Steve Jackson Games of Austin, said that the seizure of three computers violated the Privacy Protection Act, which provides First Amendment protections against seizing a publisher's works in progress. The lawsuit further said that since one of the computers was being used to run a bulletin board system containing private electronic mail, the seizure violated the Electronic Communications Privacy Act in regards to the 388 callers of the Illuminati BBS.

The testimony described by Joe was rather strange. Agents testified that there was no criminal connection, they were not even trained in the Privacy Protection Act, and it took them only an hour to discover the true nature of the situation. The Electronic Frontier Foundation spent over $200,000 bringing this case to trial. The legal ramifications are considerable.
Perhaps someone from EFF will contribute an analysis to RISKS, although many EFFers (and I) are at Computers, Freedom, and Privacy 93 this week. Don't hold your breath, but perhaps we need to wait for the judge? PGN

------------------------------

Date: Tue, 9 Mar 93 16:14:33 PST
From: "Peter G. Neumann"
Subject: `Interrupt' by Toni Dwiggins

Toni Dwiggins, Interrupt, Tor Books, Tom Doherty Associates, 317pp., 1993, ISBN 0-312-85345-9, only in hardcover at present, US$19.95.

A terrorist whose computer handle is `Interrupt' plots to take down the public switched telephone network. For telephone system techies and lovers of good techno-mysteries, this is a well-written and compelling book that you will find intriguing. There are lots of good plot twists. A marvelous first novel by Toni Dwiggins, it is well written and well researched.

------------------------------

Date: Tue, 09 Mar 93 09:49:58 -0800
From: Nancy Leveson
Subject: Short Course on Software Safety?

I am trying to assess the potential interest in my teaching a short course (a week or less) on software safety at the University of California, Irvine this summer. Topics could include basic system safety principles, management of safety-critical software projects, human error and the design of the human-machine interface, system and software hazard analysis, software engineering practices for safety-critical systems (software requirements analysis, design for safety, and verification of safety), and risk assessment.

Would such a course interest you? Which of the above topics would be of the most importance to you?

Nancy Leveson  nancy@ics.uci.edu

[Please reply directly to Nancy, not to RISKS. We do not normally run prospecti for courses. However, this potential offering is so closely related to the charter of the Risks Forum that it seems essential to include it. Besides, Nancy has been a subscriber from volume 1 number 1 on and carries our entire akashic record in her head.
PGN]

------------------------------

Date: 08 Mar 1993 10:47:02 -0500 (EST)
From: tmcbraye@thor.ece.uc.EDU (Tim McBrayer)
Subject: Ohio student database under legal attack

An article, entitled "School files: Dangerous data?", appeared as the headline article in the 8 March 1993 _Cincinnati_Enquirer_. It discusses Ohio's Education Management Information System (EMIS), used to store demographic, attendance, program, summer school, achievement and proficiency testing, and post-graduation records of all public school attendees in Ohio.

The complete set of data to be recorded was listed. This includes family income information, reason for leaving school (transferred schools, drug abuse, pregnancy, etc.), and extracurricular activities (including those not(!) related to school, such as 4-H or Scouting). Information is indexed either off of a Social Security number (a RISK in itself), or off of a school district-supplied ID number. Students switching school districts and not using their SSN will have a new number assigned to them. Students with multiple ID numbers, I assume, are cross-indexed--but the article was unclear on this point.

The EMIS system was proposed in 1989 and set to begin operation in July, 1991. The legality of the system was challenged that month by a Cincinnati-area school district (Princeton), and EMIS was declared illegal on Jan. 9, 1992. The Ohio legislature then passed a law (House Bill 437) on April 30, 1992, nullifying the previous ruling. A new suit, brought by Princeton and others, was filed Oct. 2, 1992, accusing the state of violating federal privacy laws. This suit is up for decision in Hamilton County Common Pleas court this month.

Several of the well-known RISKS of large databases were brought up in the article, which are quoted below.

"Reliability is just one of the concerns about EMIS that led Princeton City School District to sue the state. 'Our concern is that kids do make mistakes, and here's a record that never disappears.'
said Richard Denoyer, Princeton superintendent. 'If a kid drinks a beer, that could be in there forever.

'You used to give your Social Security number on your check at the grocery store,' Denoyer said. 'People don't do that anymore. They know that (with the number) you can get into where you shop, what you buy, even how much money you have in the bank.'"

(...)

"Some say any number that can identify a student is too much. 'There's this whole industry of data brokers and private eyes who make a living obtaining (personal) information,' said Evan Hendricks, editor and publisher of _Privacy_Times_, a newsletter on privacy issues. If they want it badly enough, they're not above bribing an employee or impersonating a school official to get it, he said. 'That information isn't available if there's no name attached.'

'When you've got that much information linked together, that increases the risk,' the ACLU's Goldman said. 'This would just be a huge challenge (to hackers): ''Let's look at Johnny's grades.'' '

A couple of other interesting RISKS-related comments in the article were:

"...over 50% of the requests (into the FBI's criminal database--TJM) are non-law enforcement, typically from employers and licensing boards."

"This information (driver's license records) is now a public record and state governments are bringing in a hefty revenue selling mailing lists."

The article also mentions a similar system in Texas, and says the Texas system has not been challenged on privacy grounds.

Tim McBrayer, Computer Architecture Design Laboratory, University of Cincinnati
tmcbraye@thor.ece.uc.edu  (513) 556-0904

------------------------------

Date: 08 Mar 93 07:12:17 EST
From: "Mich Kabay / JINBU Corp." <75300.3232@compuserve.com>
Subject: Royal Bank client cards

A report in the Monday, 8 March 93 Globe and Mail newspaper Report on Business by John Partridge raises questions about privacy and security: "Numbers the Royal doesn't keep secret."
According to the report, the Royal Bank of Canada sometimes allows its market-research firms to have not only the names, addresses, telephone numbers, sex, and age of selected customers but also their client-card numbers.

Critics argue that releasing these card numbers could lead to fraud; e.g., criminals with knowledge of the numbers etc. could fraudulently obtain new "replacement" cards and enter new personal identification numbers (PINs) at the customer's home bank. Defenders argue that the likelihood of success of such ploys is negligible.

Royal Bank spokesperson Denise Curran is quoted as saying that the Bank supplies card numbers because they include coded information such as "geographic indicators" that help the market researchers cross-tabulate results. However, four other major Canadian banks refuse to provide client-card numbers to market research firms.

The Consumers' Association of Canada objects to all banks' providing outsiders with customer information of any kind without the client's permission. The Royal Bank argues that because its market research is for its own internal use, it does not need to ask for such permission.

Michel E. Kabay, Ph.D., Director of Education, National Computer Security Association

------------------------------

Date: 09 Mar 93 08:14:39 EST
From: "Mich Kabay / JINBU Corp." <75300.3232@compuserve.com>
Subject: Royal Bank Client Cards

John Partridge reports in the Globe and Mail newspaper's Report on Business for Tue 9 Mar 93, that the Royal Bank of Canada has cancelled its practice of releasing client card numbers to its market research firms.

Tony Webb, senior vice-president of personal financial services, said, "No doubt must be allowed to remain in the minds of our customers." Jacqueline Singh, VP of marketing, said, "...there are other ways ... to get the geographic data ... for them [the researchers] but also keep client numbers confidential."
She added, "Our feeling is that if there is one more piece of information we can keep confidential, then we absolutely should and must."

------------------------------

Date: 08 Mar 1993 14:35:58 -0400 (EDT)
From: Stephen Tihor
Subject: Political->Personal risks (WTC/NYC)

Readers from outside the NY area should be aware that the World Trade Center was built and is operated by the Port Authority of New York and New Jersey. This bi-state agency has some surprising powers to ignore local and even many state laws and regulations. The building grossly violates local NYC building and fire codes.

This is not without some advantages. The city building codes mandate specific practices which have high labor costs during construction and prevent the use of many modern construction techniques, even good ones. It is unclear if the WTC could have been built under traditional codes at all. Of course the safety systems used, while not to code, might have had adequate "diversity" in location and conduit routing to survive. The basic structural design seems to have stood up quite well.

But there are a number of cases where the ability to ignore local code resulted in bad choices. For example, self-contained, battery-operated, trickle-charged lighting systems in halls and emergency stairs are present in almost every other large building. The NYC Fire Department has repeatedly stated that they would not be able to properly respond to a fire above the tenth floor given the building's design. (Inadequate high-pressure feed system, lack of separately routed conduits for external power supplies to the fire fighting substations throughout the building, etc.)
------------------------------

Date: Tue, 9 Mar 93 11:07:11 EST
From: frank@rnl.com
Subject: Re: World Trade Center blast

In regards to the bombing at the World Trade Center, the news reports and comments made at the various news briefings seem to indicate that the emergency lighting was run off the backup generators only; there were no batteries in the emergency lights in the stairwells. Among the reasons given was the high cost of maintenance of the batteries.

Something which has been troubling me since the bombing and that I haven't seen discussed anywhere was the vulnerability of the broadcasting system. The World Trade Center has most of the antennae for the New York area. On the day of the bombing I was home with my kids who were watching TV at the time. All the stations except a local PBS station, ch. 21, which broadcasts from here on Long Island, and ch. 2, CBS, which kept a backup antenna on the Empire State Building, were knocked off the air, and most weren't back on until much later that night. I couldn't help but think about all the years of watching those emergency broadcast messages and wondering how they figured to keep broadcasting through an emergency with no backup broadcast facilities.

As a side note, it was interesting to see what ch. 2, the CBS station, did with their one-time New York monopoly. They kept to their regular schedule; The Wizard of Oz aired unopposed. Actually, given the events of the day, it wasn't such a poor choice. I wonder if they got to increase their advertisement rates for the night?

Frank Caggiano, R.N. Limited, Stony Brook N.Y.
fcaggian@rnl.com   ..!uupsi!itpd4!frank

------------------------------

Date: Mon, 8 Mar 93 11:25:50 EST
From: "Jay Elinsky"
Subject: Re: Evacuation plan, generators fail in World Trade Center blast

In RISKS-14.38, Scott Preece suggests that the impact of the World Trade Center bombing would not have been significantly reduced if the Port Authority had acted on a study that showed the garage to be vulnerable to a car bomb. He also suggests that neither I nor the moderator know enough to question the Port Authority's decisions.

Well, I read the newspaper. The blast and its aftereffects have been covered very extensively in the local press. I've drawn the following conclusion: If the basement levels had contained only parking, plus the structural components needed to keep the buildings sitting on top, then the situation would be very different. Evacuation would have taken place in lighted, clear stairwells rather than pitch-dark, smoke-filled stairwells, and hundreds of smoke inhalation injuries would have been avoided. Most of the people who were killed, Port Authority employees who were in offices or a lunchroom on the garage level, would have been elsewhere and would still be alive. The job of getting the buildings ready for reoccupancy would be simplified, because the air-conditioning plant wouldn't be buried under rubble.

I DON'T know how much it would have cost to retrofit the buildings to move everything out of the basement.

Jay Elinsky, IBM T.J. Watson Research Center, Yorktown Heights, NY

------------------------------

Date: Tue, 9 Mar 1993 08:29:15 PST
From: chaz_heritage.wgc1@rx.xerox.com
Subject: Emergency lighting: intelligent? Why? (Kolstad, RISKS-14.38)

In RISKS-14.38 Joel Kolstad writes:

>...emergency lighting... controlled by a central computer ... each separate light... pack had a little bit of intelligence of its own...
the emergency light microbrains had a panic routine...trying to re-establish contact with the main controller if the main controller had blown up...if the main controller had blown up, it just might be a good idea to turn on the emergency lights<

Non-maintained emergency lighting normally consists per unit of a lamp, a battery stack, a changeover relay and, in most cases, a trickle-charger for the batteries. Supply current keeps the relay in the 'charge batteries; lamp off' position. If it (or the relay's coil or connections) fails, the relay's spring carries the contacts to the 'lamp on' position. Restoration of supply current returns the unit to the 'charge batteries; lamp off' state. The device's control system is therefore, within the usual limits, fail-safe.

I cannot imagine any good reason to replace this old, tested, cheap and reliable system, in which each unit is independent of the others, with something interconnected and allegedly 'intelligent', particularly since the latter seems in the WTC's case (if the above allegation is true) to have neatly evaded the fail-safe principle.

>...it's some really poor programming!<

Safety equipment should not, IMHO, ever require 'programming'. Its operation should be based on simple principles of physics (preferably basic mechanics), and upon as few of them at once as is possible, and its condition and readiness should be easily subjected to inspection at any time. Otherwise it eventually ceases to be safety equipment at all, and becomes another hazard.

Most of the basic safety devices (e.g. Otis' elevator safety mechanism, Fermi's gravity control-rods or Westinghouse's vacuum brake) were invented long ago and cannot now be 'improved' by the addition of 'features' since any added complication can only reduce reliability, their most desirable characteristic. Adding the wild variable of 'programming' seems most unlikely ever to benefit anyone except the programmer and salesfolk involved.
I wonder how many airpeople would buy a computer-controlled parachute...

Mystified,
Chaz

------------------------------

End of RISKS-FORUM Digest 14.39
************************
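[Added example, not part of the digest, of Mich Kabay's items, or of the Globe and Mail report. It illustrates the alternative Jacqueline Singh alludes to in the two Royal Bank items above: give the market researchers the "geographic indicator" Denise Curran says the card number carries, but hand over a keyed pseudonym instead of the card number itself, so the number cannot be used to request a "replacement" card. The card-number layout (3-digit region code, 12-digit serial, Luhn check digit), the key, and every name and function below are assumptions made for illustration; the article does not describe the real format.]

```python
"""Tokenizing client-card numbers for market research (hypothetical example).

Assumed card layout, NOT the real Royal Bank format: 16 digits =
3-digit geographic region code + 12-digit account serial + 1 Luhn check digit.
"""
import hashlib
import hmac
from typing import Optional, Tuple

REGION_LEN = 3
SERIAL_LEN = 12
TOKEN_HEX = 16          # truncated HMAC output handed to researchers


def luhn_check_digit(body: str) -> str:
    """Luhn check digit for `body` (all digits, check digit not yet appended)."""
    total = 0
    for i, ch in enumerate(reversed(body)):
        d = int(ch)
        if i % 2 == 0:          # double every second digit starting from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return str((10 - total % 10) % 10)


def make_card_number(region: str, serial: str) -> str:
    body = region + serial
    return body + luhn_check_digit(body)


def parse_card_number(card: str) -> Tuple[str, str]:
    """Split a card number into (region, serial); reject malformed input."""
    if len(card) != REGION_LEN + SERIAL_LEN + 1 or not card.isdigit():
        raise ValueError("bad card number length or characters")
    if luhn_check_digit(card[:-1]) != card[-1]:
        raise ValueError("check digit mismatch")
    return card[:REGION_LEN], card[REGION_LEN:-1]


def research_token(card: str, key: bytes) -> str:
    """Keyed pseudonym: HMAC-SHA256 over the card number, truncated.
    The bank keeps `key`; the same card always maps to the same token, so the
    bank can re-link survey results, but the researcher cannot recover the number."""
    return hmac.new(key, card.encode(), hashlib.sha256).hexdigest()[:TOKEN_HEX]


def research_record(name: str, card: str, key: bytes) -> dict:
    """What leaves the bank: the region code the researchers need, plus a token.
    The card number itself never appears in the record."""
    region, _serial = parse_card_number(card)
    return {"name": name, "region": region, "token": research_token(card, key)}


def brute_force(target: str, region: str, serial_space: int,
                key: Optional[bytes] = None) -> Optional[str]:
    """Attacker's view. The region is in the clear, so only the serial is unknown.
    With an unkeyed hash (key=None) recovering the card is plain enumeration;
    with HMAC the enumeration is useless unless the attacker also has the key."""
    for n in range(serial_space):
        candidate = make_card_number(region, str(n).zfill(SERIAL_LEN))
        if key is None:
            digest = hashlib.sha256(candidate.encode()).hexdigest()[:TOKEN_HEX]
        else:
            digest = research_token(candidate, key)
        if hmac.compare_digest(digest, target):
            return candidate
    return None


if __name__ == "__main__":
    bank_key = b"demo-key-held-only-by-the-bank"      # constructed for the demo
    card = make_card_number("416", "000000004242")   # constructed sample card
    rec = research_record("A. Customer", card, bank_key)
    print("record released to researchers:", rec)
    # Weak design: an unkeyed hash of the number is reversible by enumeration.
    weak = hashlib.sha256(card.encode()).hexdigest()[:TOKEN_HEX]
    print("unkeyed hash recovered card:", brute_force(weak, "416", 5000))
    # Keyed design: the same enumeration without the key finds nothing.
    print("HMAC token without key:", brute_force(rec["token"], "416", 5000))
```

Two caveats a practitioner would add. The region code is still a quasi-identifier once it sits next to a name and address, so the token buys confidentiality of the card number, not anonymity of the customer. And because the token is stable under one key, a researcher who receives several studies keyed alike can link them; using a per-study key removes that linkage while the bank can still re-derive any token it needs.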