Subject: RISKS DIGEST 15.24
REPLY-TO: risks@csl.sri.com

RISKS-LIST: RISKS-FORUM Digest  Tuesday 9 November 1993  Volume 15 : Issue 24

   FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS
   ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Contents:
Smart Houses? No Thanks! (Jim Brown)
Ada, a standard no more? (Luis Fernandes)
Pets & data communication (Bruce Clement)
Orange County DACS outage (Matt Holdrege)
Review of Bruce Sterling's Hacker Crackdown (Peter B Ladkin)
Alvin and Heidi Toffler's War and Anti-War (Jeffrey D. Young)
Re: Car owners confused with gun owners (Martin Minow)
Software control problems in Block 40 F-16s (Peter B Ladkin)
Investment program turns into doomsday machine (Rogier Wolff)
Re: Notice of Fire Hazard with Dell Notebook Computers (Don Porges)
Internet Security (William Hugh Murray)
Stupid language games (Richard Schroeppel)
Networking on the Network (Richard Schroeppel)
Anonymous postings (anonymous? No, Daniel Lieber)
Properties of Anonymizing Service (Anthony E. Siegman)
Risk-happy drivers foil anti-lock brakes (Dyane Bruce)

The RISKS Forum is a moderated digest discussing risks; comp.risks is its USENET counterpart. Undigestifiers are available throughout the Internet, but not from RISKS. Contributions should be relevant, sound, in good taste, objective, cogent, coherent, concise, and nonrepetitious. Diversity is welcome.

CONTRIBUTIONS to risks@csl.sri.com, with appropriate, substantive "Subject:" line. Others may be ignored! Contributions will not be ACKed. The load is too great. **PLEASE** INCLUDE YOUR NAME & INTERNET FROM: ADDRESS, especially .UUCP folks.

PLEASE SEND REQUESTS FOR SUBSCRIPTIONS, archive problems, and other information to risks-request@csl.sri.com (not automated). BITNET users may subscribe via your favorite LISTSERV: "SUBSCRIBE RISKS".

Vol i issue j, type "FTP CRVAX.SRI.COM<CR>login anonymous<CR>AnyNonNullPW<CR>CD RISKS:<CR>GET RISKS-i.j<CR>" (where i=1 to 15, j always TWO digits).
Vol i summaries in j=00; "dir risks-*.*" gives directory; "bye" logs out. The COLON in "CD RISKS:" is essential. "CRVAX.SRI.COM" = "128.18.10.1". <CR>=CarriageReturn; FTPs may differ; UNIX prompts for username, password. There are also alternative repositories, such as bitftp@pucc.Princeton.EDU .

If you are interested in receiving RISKS via fax, please send E-mail to risks-fax@vortex.com, phone +1 (818) 225-2800, or fax +1 (818) 225-7203 for information regarding fax delivery. PLEASE DO NOT USE THOSE NUMBERS FOR GENERAL RISKS COMMUNICATIONS; instead, as a last resort you may try phone PGN at +1 (415) 859-2375 if you cannot E-mail risks-request@CSL.SRI.COM .

ALL CONTRIBUTIONS CONSIDERED AS PERSONAL COMMENTS; USUAL DISCLAIMERS APPLY. Relevant contributions may appear in the RISKS section of regular issues of ACM SIGSOFT's SOFTWARE ENGINEERING NOTES, unless you state otherwise.

----------------------------------------------------------------------

Date: Tue, 9 Nov 1993 14:04:18
From: jbrown@umi.com (Jim Brown)
Subject: Smart Houses? No Thanks!

While listening to a recent Marketplace Radio spot on Smart Houses I became, at first amused, then alarmed, by what is now possible with smart houses. (A smart house has an electronic control center that can be operated locally or remotely.) Access to the smart house control center is through an ID/PIN setup.

The amusing features (to me anyway) are having the 'house voice' reply to simple questions. Alarming features were setting lighting, temperature, and other security features - even remotely over the phone! I can't think of something more intimidating than having some hacker/cracker take control of the electronic controls of my house!

What are these designers thinking who make these houses? Do they assume that an ID/PIN setup is secure enough? And why on earth do they allow remote access via telephone - a very non-secure medium?

No smart house for me.

Jim Brown, 300 N. Zeeb Rd.
Ann Arbor, MI 48106 (USA)  (313) 761-4700 x3227  jbrown@umi.com

------------------------------

Date: Sun, 7 Nov 93 11:54:33 EST
From: elf@ee.ryerson.ca (luis fernandes)
Subject: Ada, a standard no more?

From the October 11, 1993 issue of "Aviation Week & Space Technology":

The use of Ada as the standard Defense Dept. computer language should be rethought, the head of the Air Force Electronic System Center told an audience recently. "The Defence Department lost power years ago on computer development, but some don't realize it", Lt. General Gordon E. Fornell told the Society of Experimental Test Pilots. Instead of insisting on Ada, the best software for the task would be used -- and that software should be commercially available. "There are great dollar values out there", Fornell said. "It's obviously time for a little rethinking about Ada, and it's getting to the 'just do it' point".

------------------------------

Date: Mon Nov 08 16:32:24 1993
From: frey@alfheim.actrix.gen.nz (Bruce Clement)
Subject: Pets & data communication

This happened tonight while I was reading RISKS. I noticed that the lights on my modem were behaving strangely & switched the uucico program to the foreground. It was reporting a string of "NO DIALTONE" responses.

Picking up the study's phone, I found it to be dead. The extension in the lounge was also dead. In a corner of the bedroom, I have the basestation for my Panasonic cordless phone (which can also act as a speaker phone) which was off hook, and presumably had been off hook long enough for the exchange to "notice".

As I had used the study's phone since arriving home, how this extension could be "off hook" was a mystery, which was not solved until I walked over to it & discovered /dev/pet (my rat) hiding behind the phone.

Why is the on/off button on a phone sufficiently sensitive to be tripped by a 310-gramme rat walking over it?

Oh, yes, what's the risk?
If I hadn't diagnosed the problem, UseNet wouldn't have been able to get to the computer, and as I wouldn't have been able to phone for pizza, the rat would have had to eat lab block again :-)

Bruce Clement (frey@alfheim.actrix.gen.nz)

------------------------------

Date: Tue, 09 Nov 1993 14:38:41 -0800 (PST)
From: Urban Surfer
Subject: Orange County DACS outage

About 6 weeks ago, I posted in the Telecom Digest an account of the DACS outage in Orange County, CA. I received several queries for more information. It seems that a lot of people were disturbed to learn about the potential points of failure on a DACS as well as the bug we experienced.

I recently took a tour of the affected CO and met with the switch and DACS administrators to ask further questions. At this point, they believe that they have fully addressed all software & procedural issues with the DACS IV. They also stated that the software patches they applied have been propagated throughout the entire Bell network.

Pac Bell, as required by law, filed a report of the outage to the FCC. This is a public document. I'm not sure what the normal method is for obtaining that document, but I know there is one. For those who need to know now, I received a copy by fax, retyped it and put it up for anonymous FTP on DCV4KD.PHS.COM under DACS.OUTAGE.

Matt Holdrege  matt@phs.com  MH235

------------------------------

Date: 9 Nov 93 00:03:13 GMT (Tue)
From: Dr Peter B Ladkin
Subject: Interesting book review --- Bruce Sterling's Hacker Crackdown

The adjective may be chosen to modify either. Ian Stewart is a mathematician who writes wonderfully well, as readers may see by looking at his review, in the London Review of Books 15 (21) of 4 November 1993, of Bruce Sterling's `The Hacker Crackdown: Law and Disorder on the Electronic Frontier', Eric Raymond's edition of `The New Hacker's Dictionary', and Bryan Clough and Paul Mungo's `Approaching Zero, Data Crime and the Computer Underworld'.
(I had wondered what Clough had been doing since he retired from soccer). Stewart refers to various incidents, such as the 15 Jan 1990 4ESS problems, the stoned virus, the Internet worm (but when will people stop deprecating Eric by implication?), and the Secret Service crackdown on Steve Jackson games and `Knight Lightning'.

Stewart's closing sentence: `"Approaching Zero" shows that we have a lot to fear from the activities of those (few) hackers who are genuinely malevolent. "The Hacker Crackdown" suggests that we have just as much to fear from programming errors - and that American citizens have far more to fear from their Secret Service.'

Peter Ladkin

------------------------------

Date: Sun, 7 Nov 93 20:18 EST
From: "Jeffrey D. Young" <0004784090@mcimail.com>
Subject: War and Anti-War (by Alvin and Heidi Toffler)

From the authors of "Future Shock" (1970), "The Third Wave" (1980), and "Power Shift" (1990), "War and Anti-War" (1993) looks at the way we make war and peace now and in the 21st century. The Tofflers propose that as we move from an industrial society to an information society, changes in the way we make wealth will be reflected by changes in the way we make war (and hopefully peace). Many of the concerns noted by Winn Schwartau in "Terminal Compromise" are echoed in "War and Anti-War", as well as some new concerns with more dire consequences.
War and Anti-War: Survival at the Dawn of the 21st Century
by Alvin and Heidi Toffler
Little, Brown and Company 1993
ISBN 0-316-85024-1

------------------------------

Date: Tue, 9 Nov 93 10:43:42 -0800
From: Martin Minow
Subject: re: Car owners confused with gun owners (Hawthorne, RISKS-15.22)

Brian Hawthorne's description of a problem his wife had when she received a request to renew her firearm license because "someone loaded a tape containing the list of car owners who needed to renew their automobile registration instead of the list of gun owners needing to renew their carry permits" reminded me of a made-for-TV movie that was shown in Sweden in the mid-1970's.

Its premise was that the government computer that processed driving licenses was also processing hunting licenses [timesharing] and, because of "thought transference" between the two programs, the civil status of one Holger Swensson was changed from "married" to "elk." Well, this was a problem, but one without a simple solution. Unfortunately, the local social welfare department cannot help elks. The situation became worse as time went on and hunting season quickly approached. Finally, a sympathetic bureaucrat hit upon the best solution: he found the one place where Holger would be safe and, in the last scene, you saw him spread his sleeping bag out in the Stockholm Zoo.

Kafka and Ionesco would have enjoyed this.  [and made Rhinockwurst? PGN]

Martin Minow  minow@apple.com

------------------------------

Date: 7 Nov 93 18:02:31 GMT (Sun)
From: Dr Peter B Ladkin
Subject: Software control problems in Block 40 F-16s

Here is an example of a problem which has been partly attributed to software control of fly-by-wire aircraft. With aircraft, many factors usually contribute to a problem or an accident. That is, many factors are usually jointly necessary for a problem to occur, and no factor is itself sufficient. So partial attribution is the highest grade of causal involvement that one should normally expect.
Block-40 F-16's with the heavier wing-tip mounted AMRAAM AIM-120A's can endure 2g, 4-5Hz oscillations at the wingtips which caused problems severe enough (e.g. instruments could not be read in the cockpit) that a 550kt speed limit (TAS or IAS not stated) was imposed. This is to be lifted, since a fix has been found.

`Lockheed is developing new digital flight-control software for Block 40 F-16s. Use of the software will end restrictions which limit the aircraft to 550kt (1,000 km/h) when armed with [the AIM 120A's]. [....]' (Flight International, 3-9 Nov, p18).

`Investigation work by the test team has revealed that oscillations of between 4-5Hz, induced by the missile at the wing tip, are exacerbated by the flight control system, which effectively over-reacts to inputs from the aircraft's rate gyros. The USAF is evaluating modifications to the flight-control laws...' (Flight International, 20-26 Oct, p21).

`The test team believes that the phenomenon can be traced to the larger size and weight of the AIM-120A, combined with the improved, four-channel digital flight control system, as well as structural differences of the heavier Block 40 aircraft.' (Flight International, 3-9 Nov, p18).

This latter article interviewed Lt. Col. John Armor, one of the test pilots `working on the program'. So, we can assume this is an `official' attribution of cause that includes the flight control system (whether software or hardware seems to me to matter less - it's the specification and the computational behavior that are under question), since it came direct from a member of the USAF.

Peter Ladkin

------------------------------

Date: Mon, 8 Nov 1993 18:14:41 +0100 (MET)
From: wolff@liberator.et.tudelft.nl (Rogier Wolff)
Subject: Investment program turns into doomsday machine (v.d. Meulen, -15.21)

As a (very small scale) stockholder I'd like to make a few observations, corrections and additions.

> The investment fund Groeigarant put the "Black Box" out of order.
> It was designed by Ton Jongbloed, former president of Staal Bankiers, to advise
> investors. He claimed on long term it would be twice as profitable as
> investing in public loans. However the expert system EIS (Electronic
> Investment Sector) proved to be a "doomsday machine". Only by disconnecting
> it from the mains larger damage could be averted.

The system was never wired directly into the stockmarket. There has always been a sanity check of the program's output.

> Roughly, the principle of the program was: buy when prices go down, sell
> when prices go up.

The principle is based on the assumption that a stockmarket price is an actual value, plus some added noise. They want to buy when is less than zero, and they want to sell when the value is larger than zero. The program EIS works by calculating an estimate of the "actual value", and based on that it will know an estimate of the .

> Therefore, EIS issued orders to sell only. It sold almost all
> the stocks Groeigarant had, and would have sold even more. The latter would
> have led to a very risky situation. Selling stocks not available can lead
> to severe losses when forced to deliver (and having to buy at even higher
> prices).

Contrary to other investment funds, Groeigarant changes rapidly between having 90+ % of the capital in stocks to having less than 10% in stocks. Contrary to their original aim ("Groeigarant is a fund that will invest in stocks available at the Dutch stock exchange"), they currently also invest at the options exchange.

> Groeigarant says it will base its future investments on fundamental and
> technical analysis of the stock market. Luckily, the consequences for the
> fund have been kept to a minimum. Severe losses have been prevented. At the
> moment the fund mainly possesses money, rather than stocks.

I have noticed that over the last two years, the "sanity check" went from "sanity check" to "this is what we want the system to say, so that's what we'll make it say".
They have been "forcing the system to say what they want" for about a year now.

Another interesting thing: for a few months now, they have allowed you to buy stock at the -*lowest*- price over a month (in hindsight :-)! Stock bought in this way can be sold again at the -*highest*- price. I could start this scam: I give them $1000 every month, and sell the equivalent amount of stock each month. This gives me a sure strategy to make money: Groeigarant stockprices go up and down enormously. They do make money on the transaction costs, but these are very likely to be less than the difference between highest and lowest value over a month's time.

The "management fee" that Groeigarant pays to the executives is interesting too: They calculate their return on investment (r.o.i.) over a period of three months, subtract the r.o.i. of the public loans and pay 25% of the result to the management. The funny thing is that even if the long-term return on investment is zero, the r.o.i. over a "small" period such as three months can be higher, and they will pay. However there is no "reverse" rule that goes into effect when the next three months the net result is negative.

I have this theory, that the decision to buy or to sell can be made on the basis of the ratio between today's and yesterday's price. However the transformation function is fractal, and can only be determined by inspecting actual data. I therefore train the computer based on the stockmarket prices of the last few years. Next, if I feed the computer the same data that it was fed in the learning phase, it will perfectly predict when to sell, and when to buy stock. This only happens on the dataset that it was trained with. On any other dataset, it will more or less generate random buy and sell advices, and incur transaction costs. This is more or less the effect that I have been suspecting in EIS since the beginning.
Groeigarant denies that this is the case, and even claims that they didn't have the dataset: When they started they claimed enormous net results, that had been obtained on the last few years, but since the introduction (at least 3 years ago) they have exactly the same value right now as at the introduction.

Roger.

------------------------------

Date: Tue, 9 Nov 93 18:59:46 EST
From: porges@banshee.camb.inmet.com (Don Porges)
Subject: Re: Fire Hazard with Dell Notebook Computers (Robillard, RISKS-15.23)

> ... Dell will send you a shipping box overnight and will arrange for
> next day delivery of your system to our repair facility.

Assuming, that is, that 1-800-847-4171 really *is* Dell, and not a large-scale computer thief. Risks upon risks.

------------------------------

Date: 08 Nov 93 09:15:58 EST
From: William Hugh Murray <75126.1722@compuserve.com>
Subject: Internet Security (PGN, RISKS-15.23)

>... By induction, virtually the entire net is at risk
>sooner or later, by iterative closure [cloture?].

Beautifully and briefly argued. I agree completely and have so argued (see the Risks archives.)

The bad news is that we are adding new target nodes to the network at a much faster rate than we are protecting with token-based one-time passwords. The situation is getting worse not better. If I wait until the good behavior of my neighbors reduces the risk of the net, I will wait a very long time.

The good news is that I need not wait. I can remove my system from the target population for pennies per user per day. I can continue to enjoy the connectivity and economy of the net without the risk. I can do it unilaterally at the network, or even the computer, application layer.

Connectivity, lowest price, security; pick any two.
William Hugh Murray, Executive Consultant, 49 Locust Avenue, Suite 104; New Canaan, Connecticut 06840  1-0-ATT-0-700-WMURRAY; WHMurray@DOCKMASTER.NCSC.MIL

------------------------------

Date: Sun, 7 Nov 1993 17:28:11 MST
From: "Richard Schroeppel"
Subject: Stupid language games (Parnas, RISKS-15.22)

Dave Parnas writes

  Pete Mellor wrote, "Prof. Cliff Jones of Manchester characterised the
  complexity of software in terms of the number of branch points ...

Some peevish nits --

The first sentence of the Cliff Jones quote suggests that the number of paths through a piece of software is equal to, or perhaps proportional to, the number of branch points. Subsequent sentences correct this impression, but there must be a better way to state the relationship.

Nit2: The actual ratio of branch points to lines of code in my programs, and I suspect all readers of this message, is much less than 1/5, if function calls are excluded; and higher than 1/1, if function calls are included.

Nit3: There's an implicit assumption in the Jones statement that the number of paths through the code is roughly exponential in the number of branch points. This depends entirely on the code, and need not be true: If I'm comparing two programs which generate reports, and one has 10000 lines and the other 100000 lines, it's perfectly possible that the larger program will require only ten times as much testing. The important questions are things like nesting depth, interlinked flow of control, interrupt handling, etc. Mere size is a weak indicator.

Nit4: I can't tell without more context, but are any of Jones, Mellor, or Parnas endorsing the position that only exhaustive testing is appropriate?

Nit5: What are we to mean by "exhaustive", anyway? If I have a 32bit computer, I can't even test the ADD instruction exhaustively, much less a program. [2^32 * 2^32 * 1 nsec = 600 years.]
Let's talk about my carburetor: It is worth remembering that were Gottlieb Wilhelm Daimler still alive, he might remind us that the composition of the gasoline (petrol) is important. If we consider the number of possible different mixtures of hexane, heptane, and octane, and their isomers, we can't possibly conduct an exhaustive test. No one should ever imply that a carburetor has been exhaustively tested.

Can we please consider specific criticisms, rather than simply chanting "Big Is Ugly"?

Rich Schroeppel  rcs@cs.arizona.edu

------------------------------

Date: Sun, 7 Nov 1993 17:54:39 MST
From: "Richard Schroeppel"
Subject: NETWORKING ON THE NETWORK

Phil Agre recently offered us advice on how to network for success. I didn't see any response to his message, so I thought I'd offer a different view. I wish to go on record as stating "I do not choose my friends based on their potential usefulness to my professional advancement. Even a little bit."

Rich Schroeppel  rcs@cs.arizona.edu

------------------------------

Date: Mon, 8 Nov 93 13:17:34 -0800
From: anonymous.poster@someplace.on.earth.I.think
Subject: Anonymous postings

This is in response to the dangers of anonymous postings as stated in RISKS-15.19. It is an interesting topic, but the idea of using a redirector for anonymous postings is not required. As this message demonstrates (from anonymous.poster@someplace.on.earth.I.think), it is very easy to send anonymous mail from locations without a trace. (The possibility of it being traced is there, but not likely.) In fact, this particular message is being routed courtesy of the recipient's machine (PGN - please verify).

I will not disclose this method of anonymous mailings to requesters -- it is public information. I wish you all the best of luck in your security issues.

And now for who I am...

--Daniel Lieber, Systems Manager, _The Vanguard_ at Bentley College, Waltham, Mass. USA.

------------------------------

Date: Sun, 7 Nov 93 19:54:39 PST
From: "Anthony E.
Siegman"
Subject: Properties of Anonymizing Service

I was surprised to learn recently that if one replies to a message or newsgroup posting which has been anonymized by passing through the anon.penet.fi service, not only is your reply transmitted through to the original anonymous sender, but also you are assigned an anonymous code name and the connection between this code name and your real address is stored, presumably indefinitely, in the anonymizing service's files. You're not asked if you want this to happen, though you are informed it's been done.

I have no clearly formulated objections to anonymizing services like this -- though they clearly cause certain problems -- but I'm not sure I like this policy. A user who deliberately sends a message or newsgroup posting through such a service presumably agrees to its rules. But an individual who replies to such a message or posting may not have any idea what "anon.penet.fi" really is -- in fact, someone replying to a newsgroup posting may not even note what machine it came from -- and may not want to be added to their records.

To cite just one (perhaps far-fetched) risk, an anonymizing service might be used by bad guys to do some bad thing, causing law enforcement people to swoop in and seize records. Your name could then be found in those records, perhaps not clearly identified as a mere innocent "replier" rather than a deliberate user, leading to possible embarrassment or maybe worse.

The proprietor of the anon.penet.fi service has not yet replied to my inquiries concerning this policy.
--AES

------------------------------

Date: Sun, 7 Nov 1993 11:39:44 -0500
From: db@diana.ocunix.on.ca (Dyane Bruce)
Subject: Risk-happy drivers foil anti-lock brakes

From the Ottawa Citizen Sunday Edition November 7, 1993

Risk-happy drivers foil anti-lock brakes
by Brad Evenson, Citizen consumer writer

Anti-lock brakes, hailed by car companies as a leap forward in auto safety, do not reduce the number of accidents, injuries or deaths on the road, says a U.S. research group. And a recent Transport Canada study may have unlocked the reason why: people like risk.

Anti-lock brakes, standard equipment on a third of new vehicles sold in Canada, are designed to help drivers keep control on slippery roads. When a braking wheel loses traction, a sensor causes the brake to release and tighten rapidly many times, maintaining a grip on the road.

Technically, the systems perform well. But they've yielded no change in accident statistics.

"The number of accidents, injuries and deaths has remained constant in models with ABS in the United States," says Brian O'Neill, head of the U.S. Insurance Institute for Highway Safety. The group compared automobiles equipped with anti-lock brakes with the same models produced in the previous year that didn't have them. There was no appreciable difference, says O'Neill.

The Canadian experience is similar. In 1991, there were roughly 173,000 collisions involving 248,600 injuries and 3,684 deaths. Statistics for 1992, to be released this week, are expected to show a five-percent decline in accidents, but federal officials do not attribute the drop to anti-lock brakes.

The RCMP is one of the country's largest auto buyers, but there has not been any reduction in damage to its 7,000-vehicle fleet since ABS-equipped models were introduced three years ago. About a third of its vehicles now have the brake systems.

"In test, police drivers found they were able to manoeuvre more quickly," said RCMP spokesman Const. Tim Cogan.
"But we haven't seen a difference in the number of accidents."

This has baffled car manufacturers such as General Motors, which advertises anti-lock brakes as a safety feature -- a crash-avoidance system preferable to air bags.

But a recent Canadian study offers an answer. At a test track in Blainville, Que., Transport Canada scientists divided 80 drivers into groups, testing their performance with anti-lock and ordinary brakes.

"After having practised the emergency stopping manoeuvres with anti-lock brakes, drivers drove faster, had higher accelerations around a curve and stopped harder," a summary of the study said. "If drivers choose to drive faster because they know they have greater control, and if they choose to follow other vehicles more closely under slippery road conditions, then the safety benefit from anti-lock brakes might be reduced or lost completely."

The theory explaining the results is called "risk homeostasis," and it also explains why people bungee jump or helicopter ski.

"People like to maintain a constant level of risk," says Chris Wilson, director-general of road safety at Transport Canada. "When a situation gets safer, people like to increase the level of risk."

Some authorities, however, scoff at the risk homeostasis theory. In the 1980s, GM sent a Detroit engineer to Canada to study whether drivers who wore seat belts drove recklessly "because they wouldn't get hurt in an accident," recalls Wilson of Transport Canada. The engineer took photographs of drivers along Hwy. 401 [A major highway that runs through Toronto Ont. Canada - db], checking seatbelt use against their driving habits. He found no evidence of the theory; people drove the same with seat belts on.

While the evidence of improved safety with anti-lock brakes is scanty, the life-saving record of airbags, which inflate upon collision, is more abundant.
"There is clear-cut, statistical proof the airbags improve your chances (of survival) in a collision," says the insurance institute's O'Neill.

But car makers have resisted introducing airbags, complaining they are too expensive and don't help avoid accidents.

"An accident avoidance system (such as anti-lock brakes) is obviously better than one that doesn't prevent accidents," says Chris Douglas, product spokesman for GM of Canada Ltd.

Dyane Bruce, 29 Vanson Ave. Nepean On, K2E 6A9, 613-225-9920  db@diana.ocunix.on.ca

------------------------------

End of RISKS-FORUM Digest 15.24
************************