Subject: RISKS DIGEST 18.25

RISKS-LIST: Risks-Forum Digest  Friday 12 July 1996  Volume 18 : Issue 25

   FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
   ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

***** See last item for further information, disclaimers, caveats, etc. *****

Contents:
Western U.S. power blackout (PGN)
Recent west-coast power outage and thoughts on the power grid (Nicholas C. Weaver)
Massive cell-phone identifier interception (PGN)
56-Bit Encryption Is Vulnerable, Says Zimmermann (Edupage)
John Munden is acquitted at last! (Ross Anderson)
Risks of Computers In Automobiles (George Beuselinck)
Re: DoD and IRS tax systems (Todd B SanMillan)
"Microsoft apologizes for *offensive* thesaurus errors" (PGN)
Microsoft mail, bane of mailing list software (Joe A. Dellinger)
Re: More AOL censorship (MarkAYoung)
ABRIDGED info on RISKS (comp.risks)

----------------------------------------------------------------------

Date: Thu, 4 Jul 96 6:13:41 PDT
From: "Peter G. Neumann"
Subject: Western U.S. power blackout

More than a dozen states, including California, Oregon, Washington, Utah,
Nevada, Wyoming, and Arizona, reported power outages on 2 July 1996. At least
11 separate power plants "inexplicably were knocked off line". The problem
appears to have originated at a 1500-megawatt intertie at the
California-Oregon border. Later in the day, plants in Rock Springs, Wyoming,
and along the Colorado river also went off line. [Source: Reuters item,
*The Boston Globe*, 3 July 1996, p.3]

On the following day, parts of Idaho were again blacked out. Perry Gruber,
spokesman for the Bonneville Power Administration in Portland, Oregon, said,
"We can rule out sabotage. We can rule out UFOs. I think we can rule out
computer hackers." Utility officials said it may take as long as a week to
find the cause(s). [Source: Associated Press item, *The Boston Globe*,
4 July 1996, p.4]

  [Jerry Saltzer, who was in Idaho, remarked to me that what was most
  striking was the sheer confusion in reports of what might have been the
  cause. "AP reported without comment that eleven generating plants shut
  down simultaneously, with the apparent implication that some kind of
  widespread conspiracy was involved. Idaho Power said the problem
  originated in California, but its system autoshut down completely and had
  to go through a "Black Start". Oregon's main power company said it was a
  problem on the Pacific Northwest Intertie. Colorado's power company said
  the problem originated in their system but they didn't understand what it
  was. Idaho Power said it had nothing to do with the hot weather and
  unusual load from air conditioning. Oregon said it was caused by the hot
  weather and unusual load from air conditioning. Three days later they
  still didn't have any consensus on what had happened. Impressive
  disarray--one has the feeling that they don't talk to one another. With
  this much lack of communication, I'm not sure they should be allowed to
  interconnect, either." JHS]

------------------------------

Date: Wed, 3 Jul 1996 12:56:00 -0700
From: "Nicholas C. Weaver"
Subject: Recent west-coast power outage and thoughts on the power grid

[...] At least 1.5 million customers were affected by sporadic outages.
Apparently an instability in the power grid caused these problems. (It is
interesting how sporadic these outages were. In Berkeley, our power wasn't
interrupted, yet portions of the Bay Area subway system (BART) were without
power).

Other contributors can no doubt explain better than I can how such
instabilities occur, but I would rather address a more frightening thought:
Can such instabilities be deliberately introduced? Could someone actively
sabotage the power-grid in this way?

This outage didn't cause much damage. After all, it was during the day and
hot and miserable, so a few million people were simply made uncomfortable.
But what would happen to LA if a California-wide blackout occurred at, say,
11pm on Dec. 31st? One might also wonder if other portions of our energy
infrastructure are similarly vulnerable to attack?

nweaver@cs.berkeley.edu  http://www.cs.berkeley.edu/~nweaver

  [The answer to your first and third questions is unfortunately YES, and
  transcends the energy infrastructure. The Senate Governmental Affairs
  Committee Permanent Subcommittee on Investigations, chaired by Senator
  Nunn, has been holding hearings that include this very topic. My testimony
  from 25 June is available for FTP (in PostScript form only at the moment)
  from ftp.csl.sri.com in the file pub/neumannSenate.PS . PGN]

------------------------------

Date: Thu, 4 Jul 96 8:13:41 PDT
From: "Peter G. Neumann"
Subject: Massive cell-phone identifier interception

Two people in Brooklyn NY (Abraham Romy and Irina Bashkavich) were charged
with stealing over 80,000 cellular phone numbers, along with corresponding
identifying serial numbers and personal identification numbers, using a
scanner (digital data interceptor) from their 14th-floor windowsill above the
Belt Parkway in Brooklyn. Police seized two handguns, six computers, 43
cellular phones, and the scanner. Cellular-phone fraud reportedly amounts to
losses of $1.5 million per day. [Source: An Associated Press item in
*The New York Times*, 3 July 1996, p. B4]

------------------------------

Date: Sun, 30 Jun 1996 18:01:43 -0400 (EDT)
From: Edupage Editors
Subject: 56-Bit Encryption Is Vulnerable, Says Zimmermann (Edupage)

Philip Zimmermann, creator of Pretty Good Privacy encryption software,
testified before a Senate subcommittee that, based on a 1993 presentation by
Michael Wiener of Northern Telecom, it would be possible to build a machine
for $1 million that could crack a message encrypted with the Data Encryption
Standard and a 56-bit key in an average of 3.5 hours. A more powerful
machine, costing about $10 million, could do it in 21 minutes, and a $100
million machine could bring the time down to two minutes. Zimmermann's
testimony contradicted a recent statement by U.S. Attorney General Janet Reno
that even with a "top of the line supercomputer, decoding a 56-bit key would
take over a year and the evidence would be long gone." At issue is whether
the U.S. should permit the general-license export of 56-bit encryption
products. (BNA Daily Report for Executives 27 Jun 1996, A5, in Edupage,
30 June 1996)

------------------------------

Date: Mon, 08 Jul 1996 18:26:10 +0100
From: Ross Anderson
Subject: John Munden is acquitted at last!

At twenty past two today, John Munden walked free from Bury Crown Court.
This resolved a serious miscarriage of justice, and ended an ordeal for John
and his family that has lasted almost four years.

In a judgment loaded with significance for the evidential value of
cryptography and secure systems generally, His Honour Justice John Turner,
sitting with two assessors, said that `when a case turns on computers or
similar equipment then, as a matter of common justice, the defence must have
access to test and see whether there is anything making the computers
fallible'. In the absence of such access, the court would not allow any
evidence emanating from computers. As a result of this ruling, the
prosecution was not in a position to proceed, and John Munden was acquitted.
John was one of our local policemen, stationed at Bottisham in the Cambridge
fenland, with nineteen years' service and a number of commendations. His
ordeal started in September 1992 when he returned from holiday in Greece and
found his account at the Halifax empty. He complained and was told that since
the Halifax had confidence in the security of its computer system, he must be
mistaken or lying. When he persisted, the Halifax reported him to the police
complaints authority for attempted fraud; and in a trial whose verdict caused
great surprise, he was convicted at Mildenhall Magistrates' Court on the 12th
February 1994.

I told the story of this trial in a post to comp.risks (see number 15.54 or
get ftp.cl.cam.ac.uk/users/rja14/post.munden1). It turned out that almost
none of the Halifax's `unresolved' transactions were investigated; they had
no security manager or formal quality assurance programme; they had never
heard of ITSEC; PIN encryption was done in software on their mainframe rather
than using the industry-standard encryption hardware, and their technical
manager persisted in claiming (despite being challenged) that their system
programmers were unable to get at the keys.

Having heard all this, I closed my own account at the Halifax forthwith and
moved my money somewhere I hope is safer. But their worships saw fit to
convict John of attempted fraud - which made the national papers.

An appeal was lodged, but just before it was due to be heard - in December
1994 - the prosecution handed us a lengthy `expert' report by the Halifax's
accountants claiming that their systems were secure. This was confused, even
over basic cryptology, but it was a fat and glossy book written by a `big
six' firm with complete access to the Halifax's systems - so it might have
made an impression on the court.

We therefore applied for, and got, an adjournment and an order giving me - as
the defence expert witness - `access to the Halifax Building Society's
computer systems, records and operational procedures'. We tried for nine
months to enforce this but got nowhere.

We complained, and an order was made by the judge that all prosecution
computer evidence be barred from the appeal. The Crown Prosecution Service
nonetheless refused to throw in the towel, and they tried to present output
such as bank statements when the appeal was finally heard today. However, the
judge would have none of it.

Many thanks to all those who helped, and especially to guys like Brian
Randell, Chuck Pfleeger and John Bull who wrote in to the Chief Constable and
pointed out that the original judgment was patently absurd. It was largely
due to their letters that John was suspended from the force rather than
sacked.

For the computer security community, the moral is obvious: if you are
designing a system whose functions include providing evidence, it had better
be able to withstand hostile review. This is understood by designers of
forensic systems, and the value of hostile review is also well known to the
military and the utilities. But with one or two exceptions - such as SET -
the banks are just not on the same planet, and the risk to them should be
clear!

Ross

------------------------------

Date: Thu, 11 Jul 1996 19:43:01 -0400
From: George Beuselinck
Subject: Risks of Computers In Automobiles

Just got this in from a friend at Microsoft:

  DETROIT - General Motors Corp. said Tuesday it is recalling about 292,860
  Pontiacs, Oldsmobiles and Buicks from the 1996 and 1997 model years
  because of an engine software problem that could result in a fire. The
  cars are the 1996 Pontiac Bonneville, Oldsmobile Ninety Eight and Eighty
  Eight, Buick Park Avenue, LeSabre, Riviera and Regal, and some 1997 Buick
  Le Sabres. GM said a faulty engine system sequence can cause a backfire
  during start-up. That can result in a cracked intake manifold, which in
  some instances could erupt in a fire.

With the proliferation of computer technology into automobiles, it had to
happen sooner or later...

George Beuselinck  georgeb@mhv.net

------------------------------

Date: 2 Jul 1996 15:03:43 -0700
From: bain@crl.com (Todd B SanMillan)
Subject: Re: DoD and IRS tax systems (Wexelblat, RISKS-18.23)

My special note: I am also a tax-and-spend liberal, and in addition I have a
background in the rules of logic and am a native speaker of English.

>>The initiative referred to above is in the "Subcommittee Mark" of the
>>proposed next year's budget. It's just a House Subcommittee so it's not
>>law, but it's a bad idea in my mind, even to consider it seriously. Is the
>>Department of Star Wars and the $700 toilet seat really so excellent a
>>contracting agency that they are the clear choice to handle IRS business?

> Typical attack based upon ignorance. First it is the Department of
>Defense.

Are we really supposed to believe that the original poster was "ignorant" of
this point? To me, the original poster was obviously employing "rhetoric", a
common argumentative technique that adds nothing to the logical argument,
merely makes a more forceful emotional appeal. It appears to have worked in
this case.

> I don't know the full details of the proposal.

It is also a weak argument to accuse the poster of ignorance, then admit your
own ignorance.

Next we get 2 (somewhat conflicting) explanations of "the $700 toilet seat",
from 2 different posters, one of which explains that "in fact it was in the
$600 range." I'm sorry, but this makes little difference to the weight of the
argument. At $600 a seat, it still needs explaining, a point that the poster
recognizes by offering an explanation.

The RISKS? Employing emotional, rhetorical arguments while condemning them in
the other side of the argument does little to help your side and keeps the
noise level high.
------------------------------

Date: Mon, 8 Jul 96 7:32:44 PDT
From: "Peter G. Neumann"
Subject: "Microsoft apologizes for *offensive* thesaurus errors"

Microsoft Mexico has an on-line Spanish-language thesaurus that has caused
quite a stir. For example, the word "Indian" was equated with "man-eater" and
"savage"; "Western" with "Aryan", "white", and "civilized"; "lesbian" with
"pervert" and "depraved person". Microsoft Mexico has apologized, and is
rushing in a language expert from their software development center in
Ireland. [Source: *The Boston Globe*, 6 July 1996, p.58.]

------------------------------

Date: Sat, 6 Jul 1996 16:18:56 -0500
From: jdellinger@amoco.com (Joe A. Dellinger)
Subject: Microsoft mail, bane of mailing list software

I maintain a mailing list using the old "listproc" package. Unfortunately,
Microsoft Mail users cannot subscribe, unsubscribe, etc, except by manually
sending e-mail to me. Microsoft mail (at least the way they are using it)
inserts a blank line at the front of the message, then some special
microsoft mail headers, and only THEN includes the text being mailed. The
trouble is the list processor sees the Microsoft mail fields as the start of
the message and aborts (since those aren't legal listproc commands) without
reading further.

Another mailing list I subscribe to has been repeatedly "mail bombed" by
microsoft mail. If a "microsoft mail server" in the path to a recipient goes
down, the list address gets bombarded with error messages. The error messages
then get echoed back out to the entire list and create additional error
messages. The problem appears to be that "Microsoft mail" error messages
don't conform to the mail protocols the list processor expects to see
flagging error messages, and so are not rejected by the mailing list
software.

One other annoying incident occurred on the mailing list I maintain
(unrelated to microsoft mail this time!). Someone on the list decided to edit
their "name" to be extremely long, like so:

  From: canadian_fellow@canadian_university.ca (His name followed by a very long diatribe against French nuclear testing in the Pacific here, all on one line!)

The list processor software overflowed the field and truncated his diatribe.
Most of the sites receiving the broadcast then barfed with various nasty
error messages because of the mismatched parenthesis, causing a flood of
error messages to come back to me as the list maintainer.

------------------------------

Date: 7 Jul 1996 23:56:32 -0400
From: markayoung@aol.com (MarkAYoung)
Subject: Re: More AOL censorship (Reid, RISKS-18.23)

>This clinches it. AOL customers do not pay to receive e-mail and never have

AOL customers have a monthly allotment of time in many areas, including MAIL
and newsgroups, and have to pay for connect time beyond their allotment. The
standard plan has a 5-hour monthly allotment with $2.95/hr beyond that. The
same is currently true for CompuServe, too. Therefore lots of spamming _will_
cost AOL customers money if they reach their 5-hour monthly allotment.

--Mark A. Young, MarkAYoung@aol.com

------------------------------

Date: 18 March 1996 (LAST-MODIFIED)
From: RISKS-request@csl.sri.com
Subject: ABRIDGED info on RISKS (comp.risks)

 The RISKS Forum is a moderated digest.  Its USENET equivalent is comp.risks.
 SUBSCRIPTIONS: PLEASE read RISKS as a newsgroup (comp.risks or equivalent)
 on your system, if possible and convenient for you.  BITNET folks may use a
 LISTSERV (e.g., LISTSERV@UGA): SUBSCRIBE RISKS or UNSUBSCRIBE RISKS.  [...]
 DIRECT REQUESTS to risks-request@csl.sri.com (majordomo) with one-line,
   SUBSCRIBE (or UNSUBSCRIBE) [with net address if different from FROM:]
   INFO     [for unabridged version of RISKS information]
 CONTRIBUTIONS: to risks@csl.sri.com, with appropriate, substantive Subject:
 line, otherwise they may be ignored.
 Must be relevant, sound, in good taste, objective, cogent, coherent,
 concise, nonrepetitious, and without caveats on distribution.  Diversity is
 welcome, but not personal attacks.  [...]
 ALL CONTRIBUTIONS CONSIDERED AS PERSONAL COMMENTS; USUAL DISCLAIMERS APPLY.
 Particularly relevant contributions may be adapted for the RISKS sections of
 issues of ACM SIGSOFT Software Engineering Notes or SIGSAC Review.
 * Submissions: By submitting an item that is accepted for publication in
   RISKS, the author grants permission for unlimited public distribution and
   redistribution in electronic or other form.
 * Reuse: Blanket permission is hereby granted for reuse of all materials in
   RISKS, under the following conditions.  All redistributed items must
   include the Risks-Forum masthead line.  All reuse must be accompanied by
   the following statement: Reused without explicit authorization under
   blanket permission granted for all Risks-Forum Digest materials.  The
   author(s), the RISKS moderator, and the ACM have no connection with this
   reuse.  As a courtesy, reusers of individual items (as opposed to
   forwardings of entire issues) should notify the authors, and should pay
   particular attention to any subsequent corrections.
 RISKS ARCHIVES: "ftp ftp.sri.com<CR>login anonymous<CR>[YourNetAddress]<CR>
   cd risks   or cwd risks, depending on your particular FTP.  [...]
   [Back issues are in the subdirectory corresponding to the volume number.]
 Individual issues can be accessed using a URL of the form
   http://catless.ncl.ac.uk/Risks/VL.IS.html   [i.e., VoLume, ISsue]
   ftp://ftp.sri.com/risks
 The ftp.sri.com site risks directory also contains the most recent
 PostScript copy of PGN's comprehensive historical summary of one liners:
   get illustrative.PS
 PRIVACY: For info on the PRIVACY Forum Digest and Computer PRIVACY Digest,
 see the unabridged INFO file at RISKS-Request (send one-line message INFO
 to risks-request@CSL.sri.com as noted above).
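The three listproc failures in Joe Dellinger's item above (a client that puts a blank line and header-like fields ahead of the command, non-standard error messages that the list echoes back out as a mail storm, and an overlong display name truncated mid-comment) are all decisions the list server makes before it acts on a message. The Python below is an added example, not listproc code or anything from the original digest: it skips leading noise before looking for a command, classifies delivery reports so they are dropped rather than redistributed, and replaces an overlong display name with the bare address instead of truncating it. The sample messages, the header-field names inside them, and the 64-character name limit are constructed assumptions.

```python
import re
from email import message_from_string
from email.utils import formataddr, parseaddr

# Constructed sample: a subscribe request whose client put a blank line and
# header-like fields (hypothetical names) in the body ahead of the command.
SUBSCRIBE_MSG = """\
From: Alice Example <alice@example.org>
To: listproc@example.net
Subject: subscribe

X-Client-Fields: (hypothetical client fields inserted into the body)
Priority: Normal

subscribe mylist Alice Example
"""
# Constructed sample: a delivery-failure report lacking the conventions
# (empty Return-Path, MAILER-DAEMON sender) a list processor looks for.
BOUNCE_MSG = """\
From: System Administrator <postmaster@mail.example.com>
To: mylist@example.net
Subject: Undeliverable: Re: meeting notes

Your message did not reach some or all of the intended recipients.
"""
COMMANDS = {"subscribe", "unsubscribe", "help", "info"}
HEADER_LIKE = re.compile(r"^[A-Za-z][A-Za-z0-9-]*:\s")
BOUNCE_SUBJECT = re.compile(
    r"^(undeliverable|returned mail|mail delivery failed|delivery (failure|status))", re.I)
MAX_NAME = 64  # assumed display-name width; the original list truncated longer ones

def extract_commands(raw: str) -> list[str]:
    """Commands in the body, skipping blank and header-like lines instead of
    aborting at the first non-command line as listproc did."""
    found = []
    for line in message_from_string(raw).get_payload().splitlines():
        line = line.strip()
        if line and not HEADER_LIKE.match(line) and line.split()[0].lower() in COMMANDS:
            found.append(line)
    return found

def is_bounce(raw: str) -> bool:
    """True for delivery reports, standard or not, so they are dropped rather
    than redistributed to the list (the echo that created the mail storm)."""
    msg = message_from_string(raw)
    sender = (msg.get("From") or "").lower()
    if (msg.get("Return-Path") or "").strip() == "<>" or "mailer-daemon" in sender:
        return True
    return "postmaster@" in sender or bool(BOUNCE_SUBJECT.match(msg.get("Subject") or ""))

def safe_from(raw: str) -> str:
    """Rewrite From: to the bare address when the display name is overlong,
    rather than truncating it and leaving an unbalanced parenthesis."""
    name, addr = parseaddr(message_from_string(raw).get("From") or "")
    return formataddr((name, addr)) if len(name) <= MAX_NAME else addr
```

A list server would run is_bounce first and discard on True, then extract_commands for request-address mail, and safe_from on anything rebroadcast to subscribers.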
------------------------------

End of RISKS-FORUM Digest 18.25
************************