precedence: bulk Subject: Risks Digest 20.93 RISKS-LIST: Risks-Forum Digest Monday 3 July 2000 Volume 20 : Issue 93 FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks) ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator ***** See last item for further information, disclaimers, caveats, etc. ***** This issue is archived at and by anonymous ftp at ftp.sri.com, cd risks . Contents: Collapse of UK air-traffic control computer (Ulf Lindqvist) Sliced fiber-optic cable disrupts phone service in Northeast (Doneel Edelson) State Department loses phone service (PGN) Weld-done stake in phone lines (PGN) Find security hole, get sued (Stanley Chow) The low-down on the Berlin Fire Department Y2K-fiasco (Debora Weber-Wulff) NATO creates computer virus that reveals its secrets (Monty Solomon) Hacker endangers astronauts (Avi Rubin) Burger King gives away CD-ROM with porn addresses (PGN) Hotel phones that ID room occupants (Bertha) Electronic signatures secure? (John P. Darrow, LucFrench) *The NYT* site exposes CIA agents (Monty Solomon) Re: UK Millennium Bridge instability (Tony Woolf, John Sullivan) Microsoft software *can* damage your hardware! (Rob Slade) Another Win95/DOS interaction (Jeremy Epstein) Y2K-leapyear hangover, human error or other tomfoolery? (Ari Ollikainen) Re: Network Solutions risks (Peter Sleggs) Personal train warning (Marc Salverson) Abridged info on RISKS (comp.risks) ---------------------------------------------------------------------- Date: Sun, 18 Jun 2000 10:34:18 -0700 (PDT) From: Ulf Lindqvist Subject: Collapse of UK air-traffic control computer On 17 Jun 2000, thousands of would-be passengers were stranded when the main air-traffic control computer collapsed. The National Air Traffic Services computer was fixed later in the day, but the resulting congestion caused many people to spend the night at airports around the UK, and many flights were cancelled the next day as well. Heathrow and Gatwick were hardest hit, although other UK airports experienced severe delays. This was the second time in a week that the computer system had failed. [PGN-ed, from BBC, Sunday, 18 June, 2000, 11:33 GMT http://news.bbc.co.uk/hi/english/uk/newsid_796000/796018.stm] Ulf Lindqvist, SRI International, 333 Ravenswood Ave, Menlo Park CA 94025-3493 +1 650 859-2351, http://www.sdl.sri.com/ [Also noted by Dave Stringer-Calvert, Ursula Martin, Yves Bellefeuille. PGN] [I flew back from the East Coast on 25 Jun 2000, and experienced huge delays that were blamed alternatively on thunderstorms and on air-traffic control congestion. Airports in Boston, NY, Philly, and Washington were essentially shut down. PGN] ------------------------------ Date: Thu, 29 Jun 2000 12:38:12 -0400 From: "Doneel Edelson" Subject: Sliced fiber-optic cable disrupts phone service in Northeast Phone service in the Northeast was disrupted Wednesday evening after a Bell Atlantic fiber-optic cable was sliced in Lancaster PA, affecting local customers and callers from New York to Maryland using AT&T, MCI WorldCom, and other long-distance carriers routing through that area. [PGN-ed from CNN item and USA Today items, 28 Jun 2000] ------------------------------ Date: Mon, 21 Jun 2000 6:03:21 PDT From: "Peter G. Neumann" Subject: State Department loses phone service Heavy rains knocked out telephone service for two hours for the U.S. State Department on the evening of 15 Jun 2000, and the backup batteries were unusable because of an earlier fire. [PGN-ed http://www.cnn.com/2000/US/06/16/state.phonesout.ap/index.html] ------------------------------ Date: Wed, 28 Jun 2000 7:19:12 PDT From: "Peter G. Neumann" Subject: Weld-done stake in phone lines In the last week of June 2000, during construction preparing for connecting the Bay Area Rapid Transit (BART) to the San Francisco Airport, a droplet of welding material in a manhole just south of San Francisco caused a fire that destroyed portions of 27 cables, wiping out telephone service to 25,000 customers; the process of replacing 800 feet of cable and correctly reconnecting the many thousands of wires was expected to take at least two weeks. ------------------------------ Date: Thu, 22 Jun 2000 09:59:04 -0400 From: Stanley Chow Subject: Find security hole, get sued A story in the local paper (*Ottawa Citizen*) reports that an Edmonton man found a way to win at slot machines. The report is typically weak with details; this is my understanding of what happened: - WMS Gaming Inc. is the manufacturer of video slot machines - there are back door easter-eggs on (some) blackjack machines that give you a win. - According to company lawyer, this has cost millions of dollars - Mr. Yaghi (an independent software consultant) found it somehow - Mr. Yaghi told the gaming commission and the company - company sues him for ten million dollars, and got court order to search his house The parallels with the French smartcard episode are striking. I must reluctantly come to the conclusion: Crime pays a lot better than honesty. Can anyone familiar with slot machines tell me how could this get through the QA process? Don't they do code-inspections? Stanley Chow, Cloakware Corp, 260 Hearst way #311 Kanata, Ontario K2L 3H1 Canada VP Engineering (613) 271-9446 x 223 stanley.chow@cloakware.com ------------------------------ Date: Sun, 18 Jun 2000 19:22:21 +0200 From: Debora Weber-Wulff Subject: The low-down on the Berlin Fire Department Y2K-fiasco The German computer biweekly magazine c't analysed the Y2K-fiasco that caused the Berlin Fire Department to miss fires and lose fire trucks this past New Year's Eve. See RISKS-20.75 and RISKS-20.82. The major culprit was the security preparations themselves, it seems. In order to avoid the Y2K problem, the programmers had decided to give 1999 13 months instead of the usual 12. Then, just before the New Year's, they installed a time server in order to prevent there being a problem when the system time of the computers was compared with the normal time which is broadcast in Germany on a special frequency. They missed one little thing: leading zeros. The operating system delivered dates as 1:12:99 while the time server used 01:12:99. But since the time server was not installed until after the 10th of December, it wasn't until midnight that the clock struck 13, or rather 1:13:99 instead of 01:13:99. This caused another program to cough about a date discrepancy. So the people overseeing the systems tried to reboot the system [this at just past midnight on the first of January! -dww]. But it wouldn't reboot, because two of the computers were not configured properly. If they had ignored the error message, everything would have been okay! Now, while the system was trying to reboot, the folks in the fire trucks got antsy. They didn't get acknowledgements for their reports of where they were. So they just pushed all the buttons, to see if the machine was dead. This flooded the system additionally with repeated status messages. Finally, the network boards come into play. They had been named as the culprits in the first round of finger-pointing. They had just been installed, and were misconfigured. They couldn't handle the traffic and began producing random errors. This confused the part of the system that keeps track of where the equipment currently is located, and then *it* died. So they reverted to paper and pencil and fax. The fax machine which made up the major connection for the backup system needed 30 seconds per fax, but the reports were coming in faster than that, causing the fax cutter to jam. This meant that the reports were in the fax memory, but there was no way to get them out on paper, and a second fax machine was not available. So thanks to c't for showing us that you can't be paranoid enough, you really need to keep all your equipment rebootable, and it might be a good idea to have a working back-up system. Luckily, the *other* guys got most of their Y2K-stuff right, so we didn't have Armageddon happening and didn't need to know were all the fire trucks were parked..... Prof. Dr. Debora Weber-Wulff, TFH Berlin, FB Informatik, Luxemburger Str. 10 13353 Berlin, Germany weberwu@tfh-berlin.de http://www.tfh-berlin.de/~weberwu ------------------------------ Date: Sat, 24 Jun 2000 12:31:38 -0400 From: Monty Solomon Subject: NATO creates computer virus that reveals its secrets Bungling NATO scientists have created a computer virus "by mistake", causing military secrets to find their way onto the internet. The virus, called Anti-Smyser 1, was created by scientists at NATO'S Kfor peacekeeping force headquarters in Pristina, Kosovo. They were seeking protection from virus attacks similar to those launched at NATO by the Serbs during the Kosovo conflict. But the experiment went wrong, and scientists accidentally unleashed the virus on themselves. The virus, which plucks documents from the hard drives of computers and sends invisible attachments to e-mails, recently resurfaced at the Czech ministry of defence. http://www.the-times.co.uk/news/pages/sti/2000/06/18/stinwenws01024.html ------------------------------ Date: Mon, 3 Jul 2000 01:26:04 GMT From: rubin@research.att.com (Avi Rubin) Subject: Hacker endangers astronauts According to the BBC, 3 Jul 2000, a computer hacker endangered shuttle astronauts in 1997 by overloading NASA's communication system after tapping into the NASA system monitoring the astronauts' on-board medical signs while docking with Mir. Apparently, NASA has experienced more than 500,000 cyber attacks in the past year. [PGN-ed] ------------------------------ Date: Mon, 26 Jun 2000 5:18:53 PDT From: "Peter G. Neumann" Subject: Burger King gives away CD-ROM with porn addresses Declan McCullagh's news distribution included an item from Paul McMasters written by Jonathen Lambeth that Burger King distributed free with children's meals a CD-ROM including the Net Nanny filtering program that with a few extra mouse clicks gets you a list of more than 2000 Internet porn sites. [PGN-ed] ------------------------------ Date: Sun, 18 Jun 2000 21:18:49 GMT From: bertha@mhn.org (That Funky Chick) Subject: Hotel phones that ID room occupants This weekend some relatives and I were staying at a fairly nice hotel. At one point two of us were in the lounge, and I called the room to let my mother know where we were in case she wanted to join us. When I dialed our room number, my mother's name (the name the room was reserved under) showed up on the phone's LCD. I'm sure there are very good reasons why this would be a desirable thing. Certainly it would have been immediately clear to me if I had accidentally misdialed and called someone else's room. However, I can also think of some instances when this feature might not be welcome. For example, someone interested in fraud could conceivably call a room number at random, then use that occupant's name and room number to sign his guest check at the hotel restaurant. No picture ID is required during this process; the real occupant wouldn't be aware of fraudulent charges until his final bill was presented at checkout. For another example, a child who is ordinarily old enough to be left alone in a safe hotel room might not be discriminating enough to be suspicious if a stranger at the door knows a parent's name. Parents can warn their pre-teen not to open the door for "room service," but would probably not think to warn the child not to believe someone claiming to be sent by "Your mommy, Jane Smith." I don't doubt that RISKS readers will be able to come up with other scenarios. -Bertha ------------------------------ Date: Fri, 30 Jun 2000 15:34:13 -0400 (EDT) From: john.p.darrow@wheaton.edu Subject: Electronic signatures secure? Message: Note Clinton's rather poor password. President Clinton on Friday used an electronic card and his dog's name as a password to "e-sign" into law a bill that makes electronic signatures as valid as their ink counterparts. [...] "Now, let's see if this works," the self-proclaimed technologically challenged Clinton said with a chuckle as he inserted the smart card into the computer and punched in his dog's name, Buddy, as the password. [See http://www.pfir.org for a position paper on this legislation. PGN] ------------------------------ Date: Fri, 30 Jun 2000 16:02:22 EDT From: LucFrench@aol.com Subject: Electronic signatures secure? The RISK here should be obvious. No, not the bill itself (that's a subtle RISK), but using your dog's name as a password, and announcing the fact via an international news service. ------------------------------ Date: Sat, 24 Jun 2000 12:00:33 -0400 From: Monty Solomon Subject: *The NYT* site exposes CIA agents A freedom of information activist plans to publish online a classified CIA document that was pulled from *The New York Times'* site after newspaper officials learned it exposed the identities of Iranians involved in the 1953 U.S. and British-backed coup that overthrew Iran's elected officials. *The Times* used the graphic to accompany an article detailing the coup. In a technical glitch, those who visited the Times website on June 16 were able to read the names of the agents when they downloaded the graphic. *The Times* put a layer of black boxes over the names in the 200-page Portable Document Format file, allowing viewers who "froze" the page while it was being downloaded to read the names underneath. [Wired News Report, 23 Jun 2000, http://www.wired.com/news/politics/0,1283,37205,00.html] ------------------------------ Date: Tue, 20 Jun 2000 18:02:24 +0100 From: "Tony Woolf" Subject: Re: UK Millennium Bridge instability (RISKS-20.92) London's much publicised pedestrian Millennium Bridge over the Thames closed the day after it opened because it swayed alarmingly when large crowds crossed it. The public had been assured that the design, which is novel, had been extensively tested by Ove Arup using computer simulations and scale models. New Scientist magazine (17 June 2000) quotes John Dickens, a civil engineer at Loughborough University UK: "Even the most sophisticated simulation programs have assumptions built into them and until you build the whole thing you've still got a degree of uncertainty". The risk: pushing a simulation program to deal with a novel design. I wonder whether those using the program had a clear idea of exactly what assumptions were built into the program. Very likely no-one knows what most of the assumptions are because many of them probably arise out of theories that work in the usual cases. More generally, any novel design is likely to show up false assumptions in the usual design processes, whether or not those assumptions reside in a computer program. Therefore extra cost and time should be allowed specifically for the novelty factor, quite apart from that allowed for the known technical difficulties. Tony Woolf ------------------------------ Date: Sat, 17 Jun 2000 16:38:17 +0100 From: John Sullivan Subject: Re: UK Millennium Bridge instability (RISKS-20.92) On Friday 16 June 2000 you wrote: > Anything there on computer modeling? The Ove Arup homepage has a section on the engineering of the bridge at: http://www.arup.com/MillenniumBridge/ Not too much detail, but plenty of pretty pictures. Quotes: > Extensive analysis and wind tunnel testing have been carried out to > ensure the bridge is stable in a one in 10,000 year gale. > Analysis has been made of the motions resulting from pedestrians moving > across the bridge to keep them within acceptable levels. These were > tested on a shake table by the design team at Southampton University. > The pier response above ground to load was determined from computer > modeling. > We found that the maximum possible impact force from a ship bow from the > boats traveling on the Thames on the pier is in the order of 35MN - > equivalent to 26 000 people pushing at once. The bridge piers will move > just 160mm sideways under this force, and continue to support the bridge. 150,000 people crossed on the first day. I'll take a wild stab and estimate that that means about 500-2000 people on the bridge at a time, on average. (Given the size of the bridge as 320x4m, this is reasonable. You could probably comfortably fit 2500 walking people on at a time.) Under that load it was moving 8" (200mm). http://www.arup.com/MillenniumBridge/images/videos/stat.gif models the cable stresses up to a load of 5000 people. (5000 is the maximum standing load.) Overall they seem do have done a range of computer and physical modeling including a second independent computer modeling team, but vastly underestimated the number of people it would have to reliably support. Assuming the models were correct (and as they say, the stresses involved make this a ground-breaking project) you're still not going to get good outputs if your inputs are an order of magnitude out. John ------------------------------ Date: Fri, 30 Jun 2000 08:47:22 -0800 From: Rob Slade Subject: Microsoft software *can* damage your hardware! Remember the good old days? High speed disk drives, heavy aluminum platters that sometimes fractured, at speed, sending pieces of metal out through the sides of the drive? Yesterday one of my students brought in a picture he had scanned of a bunch of fragments of CD-ROM. He had been installing Microsoft LinksGolf 2000. While disk 2 (of 3) was in the drive, there was a sudden noise, the drive bay popped open, and out flew various pieces of plastic. These were moving fast enough that one cut him on the back. A number of smaller pieces are obviously still in the machine: he got the bay closed, but now it won't open any more. This drive is (or, at least, used to be) a 52x drive, so clearly we are getting up there in speed. The risks, in terms of hardware damage, software loss, and personal injury, are plain, but some interesting questions remain. Are we reaching the limits of safe operation with plastic disks? Or is it only defects in manufacture that cause this type of problem? Does the use of Microsoft LinksGolf void the warranty on the drive? Who do you sue for personal pain and suffering, the drive manufacturer, or Microsoft? rslade@vcn.bc.ca rslade@sprint.ca slade@victoria.tc.ca p1@canada.com http://victoria.tc.ca/techrev or http://sun.soci.niu.edu/~rslade ------------------------------ Date: Sat, 17 Jun 2000 22:11:09 -0400 From: Epstein Family Subject: Another Win95/DOS interaction Several years ago there was a series of postings in RISKS about the unexpected interactions between Win95 and the underlying DOS operating system. I just discovered another one. I run Win95 at home (works just fine on my 133MHz Pentium). I wanted a list of all the files in a directory, so I could print it. Of course there's no easy way to do this directly from the Windows Explorer, so I started a DOS window, typed "dir /on >foo.txt" (where "/on" means "sort in alphabetic order"), and printed the resulting file. Unfortunately, "/on" *really* means "sort in alphabetic order by the 8.3 short name of the file". There doesn't seem to be a way to tell the "dir" command I want it to sort the real name of the file, not the abbreviation. Luckily I have a handy UNIX system with a decent set of tools so I can turn the list into what I really want... The RISK is assuming that software does what it's documentation says it does. --Jeremy ------------------------------ Date: Fri, 30 Jun 2000 19:23:20 -0700 From: Ari Ollikainen Subject: Y2K-leapyear hangover, human error or other tomfoolery? Today my CDMA GTE wireless cellphone is displaying the date as 6/31/00...which, as everyone knows, doesn't exist! Anyone from GTE wireless willing to provide an explanation? Ari Ollikainen, OLTECO, P.O. BOX 3688, Stanford, CA 94309-3688 Networking Architecture and Technology Ari@OLTECO.com 1-415.517.3519 ------------------------------ Date: Sun, 18 Jun 2000 08:53:54 -0500 From: peters@belsys.com (Peter Sleggs) Subject: Re: Network Solutions risks (Rhodes, RISKS-20.92) It is not difficult to NOT receive the invoices, I have 2 domains I pay for - Domain 1 _usually_ goes smoothly, but last year domain 2 did NOT result in ANY paper invoices - required to get payment generated via the accounting process, I had to bring this to Network Solutions attention and was told - just pay it via credit card - Without an invoice this comes out of MY pocket - No invoice results in hassles with auditors - The invoice they generate does not include the Canadian GST [ goods & services tax ] which they are required to collect if they provide services to canada [ at least the bean counter says so ] - With not collecting the taxes the risk is taking on the Canadian tax man :) [ which in my opinion would be a nice thing to happen to NS ] This year's screwup - I decided to pay the domain 1 for multiple years and take advantage of the discount offered ... two weeks after I did this I got a "Deactivation notice", the web interface did NOT pwy the invoice and said it did, BUT once again they do not close teh loop and provide a tracking number like the phone payment interface does, so the attempt to deal with billing@networksolutions.com starts again. Domain 2 is also missing the paper invoice this year :( So the non-payment of the fees may simply be another case of NS not properly sending out bills, with all the obvious risks there. ------------------------------ Date: Fri, 23 Jun 2000 08:33:03 -0500 From: Marc Salverson Subject: Personal train warning On 22 Jun 2000, Paul Harvey reported that most people who have died at railroad crossings "didn't hear the train coming". He must have some inside information. The point to the story was that someone is marketing a device to be installed in a car that will alert the occupants that a train is coming. Do you think they claim that's the only time it could possibly alert? No risk here! That might be more tempting to hack than a tornado siren. Marc ------------------------------ Date: 13 Dec 1999 (LAST-MODIFIED) From: RISKS-request@csl.sri.com Subject: Abridged info on RISKS (comp.risks) The RISKS Forum is a MODERATED digest. Its Usenet equivalent is comp.risks. => SUBSCRIPTIONS: PLEASE read RISKS as a newsgroup (comp.risks or equivalent) if possible and convenient for you. Alternatively, via majordomo, SEND DIRECT E-MAIL REQUESTS to with one-line, SUBSCRIBE (or UNSUBSCRIBE) [with net address if different from FROM:] or INFO [for unabridged version of RISKS information] .MIL users should contact (Dennis Rears). .UK users should contact . => The INFO file (submissions, default disclaimers, archive sites, copyright policy, PRIVACY digests, etc.) is also obtainable from http://www.CSL.sri.com/risksinfo.html ftp://www.CSL.sri.com/pub/risks.info The full info file will appear now and then in future issues. *** All contributors are assumed to have read the full info file for guidelines. *** => SUBMISSIONS: to risks@CSL.sri.com with meaningful SUBJECT: line. => ARCHIVES are available: ftp://ftp.sri.com/risks or ftp ftp.sri.comlogin anonymous[YourNetAddress]cd risks [volume-summary issues are in risks-*.00] [back volumes have their own subdirectories, e.g., "cd 19" for volume 19] http://catless.ncl.ac.uk/Risks/VL.IS.html [i.e., VoLume, ISsue]. http://the.wiretapped.net/security/textfiles/risks-digest/ . ==> PostScript copy of PGN's comprehensive historical summary of one liners: illustrative.PS at ftp.sri.com/risks . ------------------------------ End of RISKS-FORUM Digest 20.93 ************************