Subject: RISKS DIGEST 14.41
REPLY-TO: risks@csl.sri.com

RISKS-LIST: RISKS-FORUM Digest  Wednesday 17 March 1993  Volume 14 : Issue 41

   FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS
   ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Contents:
Automated Teller Machine network problems in New Jersey (Joel A. Fine)
ATM problems in California East Bay (Lin Zucconi)
Buy IBM and get fired (Ross Anderson) [sci.crypt,alt.security]
New meaning to "program blowing up"... (David Honig)
No anonymity for Canon copiers? (Brad Mears)
Re: Steve Jackson Games (PGN)
Re: System Dynamics of Risks (John Mainwaring)
Re: 'Untested' Risk Management System for Nuclear Power (Anthony Naggs, T. Kim Nguyen)
Electronics on Aircraft (Rob Horn)
International Card Fraud (Ralph Moonen)
Re: Garage door burglaries (King)
Re: Computer Controlled Parachutes (Robert Vernon)
Yet another White House address (Paul Robinson)

The RISKS Forum is a moderated digest discussing risks; comp.risks is its Usenet counterpart. Undigestifiers are available throughout the Internet, but not from RISKS. Contributions should be relevant, sound, in good taste, objective, cogent, coherent, concise, and nonrepetitious. Diversity is welcome. CONTRIBUTIONS to RISKS@CSL.SRI.COM, with appropriate, substantive "Subject:" line. Others may be ignored! Contributions will not be ACKed. The load is too great. **PLEASE** INCLUDE YOUR NAME & INTERNET FROM: ADDRESS, especially .UUCP folks. REQUESTS please to RISKS-Request@CSL.SRI.COM.

Vol i issue j, type "FTP CRVAX.SRI.COM<CR>login anonymous<CR>AnyNonNullPW<CR>CD RISKS:<CR>GET RISKS-i.j<CR>" (where i=1 to 14, j always TWO digits). Vol i summaries in j=00; "dir risks-*.*<CR>" gives directory; "bye<CR>" logs out. The COLON in "CD RISKS:" is essential. "CRVAX.SRI.COM" = "128.18.10.1". <CR>=CarriageReturn; FTPs may differ; UNIX prompts for username, password.
For information regarding delivery of RISKS by FAX, phone 310-455-9300 (or send FAX to RISKS at 310-455-2364, or EMail to risks-fax@cv.vortex.com). ALL CONTRIBUTIONS CONSIDERED AS PERSONAL COMMENTS; USUAL DISCLAIMERS APPLY. Relevant contributions may appear in the RISKS section of regular issues of ACM SIGSOFT's SOFTWARE ENGINEERING NOTES, unless you state otherwise.

----------------------------------------------------------------------

Date: Wed, 17 Mar 93 12:47:12 -0800
From: Joel A. Fine
Subject: Automated Teller Machine network problems in New Jersey

According to CBS news, the national network of Automated Teller Machines went on the blink earlier today (3/17/93). Apparently EDS's main computer center in New Jersey was damaged in last week's blizzard, and the backup computer center was temporarily being occupied by companies forced out of the World Trade Center as a result of the bombing.

What a nightmare, to be the administrator of a system like this, and to have to plan for the possibility of both a bombing and a blizzard. No wonder designing fail-safe computers is hard!

- Joel Fine  joel@cs.berkeley.edu

   [That is what contingency planning is all about!  PGN]

------------------------------

Date: 16 Mar 1993 10:38:53 U
From: "Lin Zucconi"
Subject: ATM problems in California East Bay

``East Coast Storm Freezes Some [San Francisco] East Bay ATMs''

An article in the March 16, 1993 Livermore/San Ramon, CA "Valley Times" stated that a roof collapse in a Clinton NJ computer data center operated by EDS prevented many San Francisco East Bay residents from accessing their ATM accounts over the weekend. The article said that "the data center...provides the technological power that runs about 5,000 of the nation's 87,000 automatic teller machines, including dozens in the East Bay." By Monday afternoon, EDS hadn't restored full power to its ATM network, leaving local bankers scrambling for ATM alternatives.
EDS has a backup system but it is being used by other financial companies that suffered outages as a result of the Feb. 26 bombing of the World Trade Center.

Quote from Larry Kurmel, executive director for the California Bankers Association: "You tend to take these things [operating ATMs] for granted until something like this happens. Then you realize these [ATM] systems are subject to random events."

Lin Zucconi  zucconi@llnl.gov

------------------------------

Date: 12 Mar 93 15:51:24 GMT
From: rja14@cl.cam.ac.uk (Ross Anderson)
Subject: Buy IBM and get fired
Newsgroups: sci.crypt,alt.security

The press in Britain this morning has been full of stories about Taurus. This was a share dealing system in which the London stock exchange and local institutions had invested some 400 million pounds (600 million dollars). It didn't work and a review showed that there was no reasonable prospect of it working; it seems that it just got too complex to cope with. It has now been written off and the chief executive of the stock exchange `resigned' today.

A fair bit of the previous press criticism centred on the security, which was designed by IBM and was apparently rather difficult to manage. As far as one can tell from the press reports, it used their `common cryptographic architecture' of 4753s for central control, DES cards in PS/2's for terminal security, and smartcards for personal key management. Coopers and Lybrand, the systems integrators, have also got a fair bit of stick (they sponsored Eurocrypt 91, or so I seem to recall).

It will be interesting to see if this marks a turning point for bankers' attitude to crypto technology. Up to now, it has been hard to sell things like formal methods or elliptic curves to men in suits, as DES in steel boxes was what they were comfortable with. Future systems however may well use public key algorithms, and maybe even electronic wallets which distribute the security processing entirely into smartcards.
In that case, expect further entertainment, as some of the complexity will be pushed into the settlement process, or the arbitration system, or the key management mechanism; and the lack of relevant systems experience will exact its pound of flesh in one way or another.

Our head of department remarked that such fiascos can be compared to the civil engineering disasters of the nineteenth century such as the collapse of the Tay bridge. Civil engineers eventually got their act together, but there was a long learning process in which they worked out how to structure their approach to large problems and combine the maths with the project management in a way that worked.

Watch this space!

Ross

------------------------------

Date: Wed, 10 Mar 93 21:07:31 -0800
From: David Honig
Subject: new meaning to "program blowing up"...

From the Fall 1992 issue of Intervue, the Intergraph customer newsletter: Next time Mohammed A. Salameh is trying to find a parking place for his van, he should use BombCAD...

--------begin article-----------

MANCHESTER, England. Royal Ordnance Security Services is using a new software package, BombCAD, as the basis for assessing the security level of a site and predicting the effects of an explosion within or outside a structure. BombCAD was developed using MicroStation PC CAD software to produce sophisticated 3D models of the structure under analysis. If a building was designed using CAD, BombCAD is able to use the original database containing information on the overall site and building construction to produce a computer model. [...]

Using Intergraph's modeling capabilities, Royal Ordnance can create credible scenarios for any property or installation and determine the likely effects of an explosion, in terms of structural damage and human injury. The range of effects of each simulated explosion is displayed graphically on the 3D model and reproduced as supporting evidence in a written report.
According to Andrew Quinn of Royal Ordnance, "We've already carried out studies for four clients: two for risk assessment, one for the design of a new building, and the fourth for modification of an existing structure. Most clients, for obvious reasons, do not wish to be identified. However, one example that is public knowledge is Manchester Airport. We carried out a number of 'what-if' scenarios and were able to provide the airport information on evacuation routes, risk areas, and general safety programs."

------------------------------

Date: Tue, 16 Mar 1993 14:17:53 -0600 (CST)
From: bmears@gothamcity.jsc.nasa.gov (Brad Mears [I-Net])
Subject: No anonymity for Canon copiers?

The most recent issue of Popular Science had a small sidebar concerning new copier technologies that are being used to combat counterfeiting. According to Canon, their new color copiers include two mechanisms to prevent people from copying currency.

The first is rather innocuous - the copier can recognize many different currencies and will print a blank image rather than a fake bill. No obvious risks here.

The second mechanism is a bit more threatening. According to the story, which I quote without permission -

   "Each copier embeds a code into the copied image, which is impossible to see. A special scanner extracts the code and a computer program then furnishes the copier's serial number, allowing identification of the registered purchaser of the machine."

As a means to combat counterfeiters this may be very useful. Unfortunately, it is also useful for tracking down people who report government waste, publishers of underground newsletters, and others who may have a legitimate need to remain anonymous. Plus, it seems a bit too much like the Eastern bloc countries who used to require registration of typewriters.

Brad Mears  bmears@gothamcity.jsc.nasa.gov

------------------------------

Date: Wed, 17 Mar 93 14:45:48 PST
From: "Peter G. Neumann"
Subject: Re: Steve Jackson Games

This morning's news notes that Steve Jackson Games was awarded $50,000. [See RISKS-14.39 for the Rest of the Story.]

------------------------------

Date: Wed, 17 Mar 1993 15:56:00 +0000
From: "John (J.G.) Mainwaring"
Subject: Re: System Dynamics of Risks (Yurman, RISKS-14.40)

I found that the posting by Dan Yurman on the perception of risks really helped clarify some issues. I had not previously encountered the phrase "level of dread" in risk analysis, and it seems particularly useful.

In statistical analysis, death in a car accident seems to be an atomic concept, so we focus on what will save the most lives. In everyday experience, death in car accidents happens both often enough and seldom enough that we become somewhat hardened to the possibility. Death by fire in a car accident happens less often, but summons such a level of dread that we see it differently; we feel that "nobody should have to die that way". We are likely to respond "irrationally" and demand that cars be made safe from fire even if spending the same amount of money in some other way would save more lives.

However, the point that "Some systems, once built, represent such significant investments that it is nearly impossible to walk away from them regardless of risks. [Senge - Yesterday's solutions are today's problems.]" does not seem to be borne out by: "Example, nuclear waste resulting from the balance of terror associated with nuclear weapons." I would say that "nuclear waste ..." has become such a risk that we cannot walk away from it, whatever the cost. Perhaps the point would be better made as "Coal, oil and nuclear powered electricity generating plants represent such an important investment that it would be nearly impossible to walk away from them regardless of the risks they present". As he argues so well later on, nuclear waste disposal has become a very unpopular topic because of its association with nuclear weapons.
We have no investment in existing stockpiles of waste, and it would be easy to just say that no one has room for it in their back yard, we'll just ignore the problem. In this case, informed recognition of the risk has led to an understanding that we must continue to invest in solutions to the existing problems, even though it might seem cheaper to just walk away from them.

------------------------------

Date: Wed, 10 Mar 93 12:15 GMT
From: Anthony Naggs
Subject: Re: 'Untested' Risk Management System for Nuclear Power Stations

Following up on my previous posting, The Guardian today (10 March 1993) published a letter from George Jenkins, (Generation Director at Nuclear Electric), commenting on the article thus:

   The headline "sacked expert fears nuclear safety risk" (4 March) will have concerned some readers, and the prominent article underneath suggested that the Status computer system ". . . might be relied on in times of emergency when 'bugs' in the programming had not been removed."

   May I make three facts absolutely clear?

   First, the computer system in question is a stand-alone management information system. It is not connected to our reactor safety and control systems at all. Indeed, if you were to visit any of the nuclear plants where it is being tested (as your reporter was invited to do), you would see at a glance that it is not even located on the reactor operator's desk, and forms no part of his control process.

   Second, if it were to be removed, switched off, or even fail during operation, it would not have the slightest effect on reactor safety. The main reactor safety systems at all UK nuclear power stations are hardwired, and do not depend at all on computer software.

   Third, any such computer system is subject in any event to rigorous checking and validation, independent of its manufacturers. That's what we're doing. If it fails to meet our standards of reliability - among the highest in the world - then it will simply be rejected.
Anthony Naggs, Software/Electronics Engineer, (and virus researcher)
Phone: +44 273 589701   Email: amn@vms.brighton.ac.uk

------------------------------

Date: Wed, 10 Mar 1993 16:55:34 -0500
From: kim@jts.com (T. Kim Nguyen)
Subject: Re: `Untested' Risk Management System for Nuclear Power (Naggs, 14.38)

   [A few of the risks covered: reliability of risk management systems; risk of bringing a system into disrepute by the actions of disruptive staff; risk of using a system for a year before full testing and manuals are complete; ...]

   Anthony Naggs, Software/Electronics Engineer, PO Box 1080, Peacehaven, East Sussex BN10 8PZ UK  +44 273 589701  amn@vms.brighton.ac.uk

[Naggs'] note at the end appears to be very biased against the whistle blower: "risk of bringing a system into disrepute by the actions of disruptive staff" is not quite the way I would have put it.

The company is behaving much like NASA did when problems with the shuttle's O-rings were discovered: instead of fixing the problem, the company is attempting to discredit the safety-minded individual and is attempting to sweep the problem under the rug. Yes, the whistle blower may have been "disruptive", but only to the extent that he was forced to publicly announce the system's problems because of the management's refusal to acknowledge even the possibility of a problem existing.

T. Kim Nguyen, Document Imaging Systems, JTS Computer Systems Ltd., Toronto
kim@jts.com  k.nguyen@ieee.org  uunet.ca!jts.com!kim  kim@watnow.uwaterloo.ca

------------------------------

Date: 11 Mar 1993 18:20:31 -0500 (EST)
From: horn%temerity@leia.polaroid.com (rob horn)
Subject: Electronics on Aircraft

The FAA is opening an investigation into the risks of interference from portable electronic devices on airplanes. The previous investigation was 6 years ago, with the final report issued Sept 16, 1988. It concluded that the risk was small and that portable electronics could safely be used.
The new investigation should issue an interim report in October and final report in July 1994. The reasons given for a new investigation are:

1) The number of devices in use has grown substantially. Some problem reports identified dozens of devices in use at the time of the problem.

2) The shrinking size and low-voltage electronics of modern avionics are potentially more vulnerable to EMI.

3) Aircraft contain more composites. The previous examination was only for metal skinned aircraft. The metal provides substantial EMI protection.

4) There have been reports of interference from portable electronics.

From the limited number of reports there is a clear and substantial danger from cellular phones. These have been determined to be the cause of one third of all suspected EMI. They are also the most dangerous. Despite the prohibition on use in flight, people are observed to use the phones during takeoff and landing. This is the worst time for interference because the aircraft is most sensitive to navigation and control interference at this time.

The airlines may move more quickly. They are already authorized to impose any restrictions that they feel appropriate. Given the incident reports there is a potential that cellular phones may be prohibited from carry-on baggage (as are other hazardous materials).

EMI problems should make software people feel right at home. It is like spaghetti code. Every single wire and conductor is an antenna and resonator. Every chip a potential transmitter. All of these interact with each other to add or cancel. To minimize EMI you want the sum effect to be the least efficient antenna/transmitter possible. Fortunately, this does not conflict with the real design goals and most of the wires are already very inefficient. The problem is tracking down the occasional exception that is transmitting too much noise.
Rob Horn   horn@temerity.polaroid.com

------------------------------

Date: Wed, 10 Mar 93 09:30 GMT
From: rmoonen@ihlpl.att.com
Subject: International Card Fraud

   [Ralph notes that this is not directly a COMPUTER RISK, but it is interesting anyway.  PGN]

This week German shops and gas-stations have banned Dutch customers who wish to pay with their credit card. In particular Euro-card users were duped by this. The reason was that a recent study by fraud-prevention units in the Netherlands noted a sharp increase in credit-card-fraud. Unsuspecting customers at German gas-stations got into trouble when the only means they had to pay was their credit-cards. They could still withdraw cash from ATMs with their cards however.

It's interesting that because of the easy ways to commit fraud with a credit card, now the Germans have decided the Dutch customers are the perpetrators. This case makes me think of the red-lining of phone-booths in inner-city areas with a high ethnic population. The phone company reasoned that as these areas showed a high calling-card abuse rate, they shouldn't be allowed to call certain countries.

--Ralph

------------------------------

Date: Tue, 16 Mar 93 10:41:18 GMT
From: king@ukulele.reasoning.com
Subject: Re: Garage door burglaries (Payne, RISKS-14.40)

>> An installer of automatic garage door openers has been arrested, pending
>> being formally charged of burglary.

This is not a particularly new risk. People have always been exposed when they hired locksmiths. Locksmiths must be licenced and bonded for this reason, in most states. Indeed, despite these precautions one hears about a case of locksmith burglary now and again.

There are, however, two new features to the risk:

* You can change the code easily. Most people can't hire a locksmith to change their lock and then change the key themselves. This change is in the customer's favor, but he needs to do it.
* I would not be surprised to read about a burglary ring that builds a device to detect and record garage door opener codes. Jog around town wearing what appears to be a personal stereo while people are coming home from work in the evening, and when you get home read the tape, jot down your codes, and burgle away the next day. There are ways of dealing with this, such as time-dependent codes, but I don't expect to see them coming to a garage door near me anytime soon.

------------------------------

Date: Wed, 17 Mar 1993 18:38:38 +1000
From: Robert Vernon
Subject: Re: Computer Controlled Parachutes (Heritage, RISKS-14.39)

> I wonder how many air people would buy a computer-controlled parachute...

In fact computer controlled parachute deployment is possible. Traditionally a parachutist manually deploys his main parachute. If that fails then he follows a set procedure to release the main and deploy the reserve parachute. Mains usually open but sometimes they don't, so every parachutist must be trained in reserve procedures. Yet over the years the most common reason for death has been to simply fail to deploy the reserve when needed. In a high stress situation some people just seem to forget all their training.

So the Automatic Activation Device (AAD) was invented. These work on the rate of change of air-pressure. If you are descending too fast at a set height, then your parachute is deployed regardless. Note that an AAD is a backup only. You are not supposed to ever be low enough to need one and they should only fire if for some reason you don't or can't deploy.

The mechanical models have always been regarded as too unreliable, too bulky and too expensive for experienced jumpers' use, so AADs have mostly been installed on student equipment. A new microcomputer controlled model called a Cypres answers most of the normal complaints. They are reliable, accurate, and small. And they have extra features like automatically adjusting for zero altitude.
Until recently most experienced jumpers still refused to attach even this AAD to their own equipment. "No way will I risk it firing at the wrong time".

Then last December a highly experienced (10000+ jumps) US jumper died when he was knocked unconscious in freefall. His rig had been given to him as demonstration gear and it had a Cypres installed. His last comment in the plane was supposed to be "I might have to wear it but they can't make me turn it on". After this death, the waiting list for a Cypres went from 2 weeks to 18 weeks and jumpers who wouldn't be seen dead with an AAD started talking seriously about installing one.

The RISK: I'm not sure there is one. The Cypres sounds too good to be true. Anyone who has one won't die. Yet I keep feeling that that is the risk. They are supposed to be a backup but I am afraid that people will slowly put less emphasis on reserve procedures and rely on this device working. One day it won't and the jumper will not know what to do.

There is a lot of discussion in the Skydiving community about this topic at the moment.

Bob V!

------------------------------

Date: Wed, 17 Mar 1993 12:17:50 -0500 (EST)
From: TDARCOS@MCIMAIL.COM
Sender: Paul Robinson
Subject: Yet another White House address
To: Telecom Digest, Comp Privacy, Risks in computing, libernet@dartmouth.edu

MCI Mail announced yet another E-Mail address for messages to be sent to the White House. It stated in the note that messages sent to the address would be sent as paper mail to the White House via the USPS, rather than as E-Mail.

The implication, since the usual charge for individual messages is 50c for the first 500 characters, is that this could conceivably be something that the White House is paying for, since MCI Mail permits "autoforwarding" of a message sent to a mailbox to be sent to a fax number, another E-Mail address or a Paper Mail address.
If MCI is doing this to encourage MCI Mail subscribers to send messages, then messages from users on Internet will almost certainly either bounce or not be sent. I encourage people on Internet to try sending a message to the address supplied by MCI Mail for messages to the White House to see what happens.

I guess that's all I need to say. OH YES! You need the E-Mail address, don't you? :)

0005895485@MCIMAIL.COM

Paul Robinson -- TDARCOS@MCIMAIL.COM

------------------------------

End of RISKS-FORUM Digest 14.41
************************