Subject: RISKS DIGEST 14.41
REPLY-TO: [email protected]

RISKS-LIST: RISKS-FORUM Digest  Wednesday 17 March 1993  Volume 14 : Issue 41

       FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS
  ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

 Contents:
Automated Teller Machine network problems in New Jersey (Joel A. Fine)
ATM problems in California East Bay (Lin Zucconi)
Buy IBM and get fired (Ross Anderson) [sci.crypt,alt.security]
New meaning to "program blowing up"... (David Honig)
No anonymity for Canon copiers? (Brad Mears)
Re: Steve Jackson Games (PGN)
Re: System Dynamics of Risks (John Mainwaring)
Re: 'Untested' Risk Management System for Nuclear Power (Anthony Naggs,
   T. Kim Nguyen)
Electronics on Aircraft (Rob Horn)
International Card Fraud (Ralph Moonen)
Re: Garage door burglaries (King)
Re: Computer Controlled Parachutes (Robert Vernon)
Yet another White House address (Paul Robinson)

The RISKS Forum is a moderated digest discussing risks; comp.risks is its
Usenet counterpart.  Undigestifiers are available throughout the Internet,
but not from RISKS.  Contributions should be relevant, sound, in good taste,
objective, cogent, coherent, concise, and nonrepetitious.  Diversity is
welcome.  CONTRIBUTIONS to [email protected], with appropriate, substantive
"Subject:" line.  Others may be ignored!  Contributions will not be ACKed.
The load is too great.  **PLEASE** INCLUDE YOUR NAME & INTERNET FROM: ADDRESS,
especially .UUCP folks.  REQUESTS please to [email protected].

Vol i issue j, type "FTP CRVAX.SRI.COM<CR>login anonymous<CR>AnyNonNullPW<CR>
CD RISKS:<CR>GET RISKS-i.j<CR>" (where i=1 to 14, j always TWO digits).  Vol i
summaries in j=00; "dir risks-*.*<CR>" gives directory; "bye<CR>" logs out.
The COLON in "CD RISKS:" is essential.  "CRVAX.SRI.COM" = "128.18.10.1".
<CR>=CarriageReturn; FTPs may differ; UNIX prompts for username, password.

For information regarding delivery of RISKS by FAX, phone 310-455-9300
(or send FAX to RISKS at 310-455-2364, or EMail to [email protected]).

ALL CONTRIBUTIONS CONSIDERED AS PERSONAL COMMENTS; USUAL DISCLAIMERS APPLY.
Relevant contributions may appear in the RISKS section of regular issues
of ACM SIGSOFT's SOFTWARE ENGINEERING NOTES, unless you state otherwise.

----------------------------------------------------------------------

Date: Wed, 17 Mar 93 12:47:12 -0800
From: Joel A. Fine <[email protected]>
Subject: Automated Teller Machine network problems in New Jersey

According to CBS news, the national network of Automated Teller Machines went
on the blink earlier today (3/17/93). Apparently EDS's main computer center in
New Jersey was damaged in last week's blizzard, and the backup computer center
was temporarily being occupied by companies forced out of the World Trade
Center as a result of the bombing.

What a nightmare, to be the administrator of a system like this, and
to have to plan for the possibility of both a bombing and a blizzard.
No wonder designing fail-safe computers is hard!

- Joel Fine   [email protected]

        [That is what contingency planning is all about!  PGN]

------------------------------

Date: 16 Mar 1993 10:38:53 U
From: "Lin Zucconi" <[email protected]>
Subject: ATM problems in California East Bay

``East Coast Storm Freezes Some [San Francisco] East Bay ATMs''

An article in the March 16, 1993 Livermore/San Ramon, CA "Valley Times" stated
that a roof collapse in a Clinton NJ computer data center operated by EDS
prevented many San Francisco East Bay residents from accessing their ATM
accounts over the weekend.  The article said that "the data center...provides
the technological power that runs about 5,000 of the nation's 87,000 automatic
teller machines, including dozens in the East Bay."  By Monday afternoon, EDS
hadn't restored full power to its ATM network, leaving local bankers scrambling
for ATM alternatives.  EDS has a backup system, but it is being used by other
financial companies that suffered outages as a result of the Feb. 26 bombing
of the World Trade Center.

Quote from Larry Kurmel, executive director for the California Bankers
Association: "You tend to take these things [operating ATMs] for granted until
something like this happens. Then you realize these [ATM] systems are subject
to random events."

Lin Zucconi [email protected]

------------------------------

Date: 12 Mar 93 15:51:24 GMT
From: [email protected] (Ross Anderson)
Subject: Buy IBM and get fired
Newsgroups: sci.crypt,alt.security

The press in Britain this morning has been full of stories about Taurus. This
was a share dealing system in which the London stock exchange and local
institutions had invested some 400 million pounds (600 million dollars). It
didn't work and a review showed that there was no reasonable prospect of it
working; it seems that it just got too complex to cope with.

It has now been written off and the chief executive of the stock exchange
`resigned' today.

A fair bit of the previous press criticism centred on the security, which was
designed by IBM and was apparently rather difficult to manage. As far as one
can tell from the press reports, it used their `common cryptographic
architecture' of 4753s for central control, DES cards in PS/2's for terminal
security, and smartcards for personal key management. Coopers and Lybrand, the
systems integrators, have also got a fair bit of stick (they sponsored
Eurocrypt 91, or so I seem to recall).

It will be interesting to see if this marks a turning point for bankers'
attitude to crypto technology. Up to now, it has been hard to sell things like
formal methods or elliptic curves to men in suits, as DES in steel boxes was
what they were comfortable with.

Future systems however may well use public key algorithms, and maybe even
electronic wallets which distribute the security processing entirely into
smartcards.

In that case, expect further entertainment, as some of the complexity will be
pushed into the settlement process, or the arbitration system, or the key
management mechanism; and the lack of relevant systems experience will exact
its pound of flesh in one way or another.

Our head of department remarked that such fiascos can be compared to the
civil engineering disasters of the nineteenth century such as the collapse of
the Tay bridge. Civil engineers eventually got their act together, but there
was a long learning process in which they worked out how to structure their
approach to large problems and combine the maths with the project management
in a way that worked.

Watch this space!

Ross

------------------------------

Date: Wed, 10 Mar 93 21:07:31 -0800
From: David Honig <[email protected]>
Subject: new meaning to "program blowing up"...

From the Fall 1992 issue of Intervue,
the Intergraph customer newsletter:

Next time Mohammed A. Salameh is trying to find a parking
place for his van, he should use BombCAD...

--------begin article-----------

MANCHESTER, England.  Royal Ordnance Security Services is using a new software
package, BombCAD, as the basis for assessing the security level of a site and
predicting the effects of an explosion within or outside a structure.

BombCAD was developed using MicroStation PC CAD software to produce
sophisticated 3D models of the structure under analysis.  If a building was
designed using CAD, BombCAD is able to use the original database containing
information on the overall site and building construction to produce a
computer model.  [...]

Using Intergraph's modeling capabilities, Royal Ordnance can create credible
scenarios for any property or installation and determine the likely effects of
an explosion, in terms of structural damage and human injury.  The range of
effects of each simulated explosion is displayed graphically on the 3D model
and reproduced as supporting evidence in a written report.

According to Andrew Quinn of Royal Ordnance, "We've already carried out
studies for four clients: two for risk assessment, one for the design of a new
building, and the fourth for modification of an existing structure.  Most
clients, for obvious reasons, do not wish to be identified.  However, one
example that is public knowledge is Manchester Airport.  We carried out a
number of 'what-if' scenarios and were able to provide the airport information
on evacuation routes, risk areas, and general safety programs."

------------------------------

Date: Tue, 16 Mar 1993 14:17:53 -0600 (CST)
From: [email protected] (Brad Mears [I-Net])
Subject: No anonymity for Canon copiers?

The most recent issue of Popular Science had a small sidebar concerning new
copier technologies that are being used to combat counterfeiting.  According
to Canon, their new color copiers include two mechanisms to prevent people
from copying currency.

The first is rather innocuous - the copier can recognize many different
currencies and will print a blank image rather than a fake bill.  No obvious
risks here.

The second mechanism is a bit more threatening.  According to the story,
which I quote without permission -

   "Each copier embeds a code into the copied image, which is
    impossible to see.  A special scanner extracts the code and
    a computer program then furnishes the copier's serial number,
    allowing identification of the registered purchaser of the
    machine."

As a means to combat counterfeiters this may be very useful.  Unfortunately,
it is also useful for tracking down people who report government waste,
publishers of underground newsletters, and others who may have a legitimate
need to remain anonymous.  Plus, it seems a bit too much like the Eastern bloc
countries who used to require registration of typewriters.

Brad Mears  [email protected]

------------------------------

Date: Wed, 17 Mar 93 14:45:48 PST
From: "Peter G. Neumann" <[email protected]>
Subject: Re: Steve Jackson Games

This morning's news notes that Steve Jackson Games was awarded
$50,000.  [See RISKS-14.39 for the Rest of the Story.]

------------------------------

Date: Wed, 17 Mar 1993 15:56:00 +0000
From: "John (J.G.) Mainwaring" <[email protected]>
Subject: Re: System Dynamics of Risks (Yurman, RISKS-14.40)

I found that the posting by Dan Yurman on the perception of risks really
helped clarify some issues.  I had not previously encountered the phrase
"level of dread" in risk analysis, and it seems particularly useful.  In
statistical analysis, death in a car accident seems to be an atomic concept,
so we focus on what will save the most lives.  In everyday experience, death
in car accidents happens both often enough and seldom enough that we become
somewhat hardened to the possibility.  Death by fire in a car accident happens
less often, but summons such a level of dread that we see it differently; we
feel that "nobody should have to die that way".  We are likely to respond
"irrationally" and demand that cars be made safe from fire even if spending
the same amount of money in some other way would save more lives.

However, the point that "Some systems, once built, represent such
significant investments that it is nearly impossible to walk away from them
regardless of risks. [Senge - Yesterday's solutions are today's problems.]"
does not seem to be borne out by: "Example, nuclear waste resulting from
the balance of terror associated with nuclear weapons."

I would say that "nuclear waste ..." has become such a risk that we cannot
walk away from it, whatever the cost.  Perhaps the point would be better
made as "Coal, oil and nuclear powered electricity generating plants
represent such an important investment that it would be nearly impossible
to walk away from them regardless of the risks they present".

As he argues so well later on, nuclear waste disposal has become a very
unpopular topic because of its association with nuclear weapons.  We have
no investment in existing stockpiles of waste, and it would be easy to just
say that no one has room for it in their back yard, we'll just ignore the
problem.  In this case, informed recognition of the risk has led to an
understanding that we must continue to invest in solutions to the existing
problems, even though it might seem cheaper to just walk away from them.

------------------------------

Date: Wed, 10 Mar 93 12:15 GMT
From: Anthony Naggs <[email protected]>
Subject: Re: 'Untested' Risk Management System for Nuclear Power Stations

Following up on my previous posting, The Guardian today (10 March 1993)
published a letter from George Jenkins, (Generation Director at Nuclear
Electric), commenting on the article thus:

The headline "sacked expert fears nuclear safety risk" (4 March) will have
concerned some readers, and the prominent article underneath suggested
that the Status computer system ". . . might be relied on in times of
emergency when 'bugs' in the programming had not been removed."  May I
make three facts absolutely clear?

First, the computer system in question is a stand-alone management
information system.  It is not connected to our reactor safety and control
systems at all.  Indeed, if you were to visit any of the nuclear plants
where it is being tested (as your reporter was invited to do), you would
see at a glance that it is not even located on the reactor operator's desk,
and forms no part of his control process.

Second, if it were to be removed, switched off, or even fail during
operation, it would not have the slightest effect on reactor safety.  The
main reactor safety systems at all UK nuclear power stations are hardwired,
and do not depend at all on computer software.

Third, any such computer system is subject in any event to rigorous checking
and validation, independent of its manufacturers.  That's what we're doing.
If it fails to meet our standards of reliability - among the highest in the
world - then it will simply be rejected.

 Anthony Naggs, Software/Electronics Engineer, (and virus researcher)
 Phone: +44 273 589701   Email: [email protected]

------------------------------

Date:   Wed, 10 Mar 1993 16:55:34 -0500
From: [email protected] (T. Kim Nguyen)
Subject: Re: `Untested' Risk Management System for Nuclear Power (Naggs, 14.38)

 [A few of the risks covered: reliability of risk management systems; risk of
 bringing a system into disrepute by the actions of disruptive staff; risk of
 using a system for a year before full testing and manuals are complete; ...]
 Anthony Naggs, Software/Electronics Engineer,  PO Box 1080, Peacehaven,
 East Sussex  BN10 8PZ  UK    +44 273 589701  [email protected]

[Naggs'] note at the end appears to be very biased against the whistle blower:
"risk of bringing a system into disrepute by the actions of disruptive staff"
is not quite the way I would have put it.  The company is behaving much like
NASA did when problems with the shuttle's O-rings were discovered: instead of
fixing the problem, the company is attempting to discredit the safety-minded
individual and is attempting to sweep the problem under the rug.  Yes, the
whistle blower may have been "disruptive", but only to the extent that he was
forced to publicly announce the system's problems because of the management's
refusal to acknowledge even the possibility of a problem existing.

T. Kim Nguyen, Document Imaging Systems, JTS Computer Systems Ltd., Toronto
[email protected] [email protected] uunet.ca!jts.com!kim [email protected]

------------------------------

Date: 11 Mar 1993 18:20:31 -0500 (EST)
From: horn%[email protected] (rob horn)
Subject: Electronics on Aircraft

The FAA is opening an investigation into the risks of interference from
portable electronic devices on airplanes.  The previous investigation was 6
years ago, with the final report issued Sept 16, 1988.  It concluded that the
risk was small and that portable electronics could safely be used.  The new
investigation should issue an interim report in October and final report in
July 1994.

The reasons given for a new investigation are:

 1) The number of devices in use has grown substantially.  Some problem
 reports identified dozens of devices in use at the time of the problem.

 2) The shrinking size and low-voltage electronics of modern avionics
 are potentially more vulnerable to EMI.

 3) Aircraft contain more composites.  The previous examination was
 only for metal skinned aircraft.  The metal provides substantial EMI
 protection.

 4) There have been reports of interference from portable electronics.

From the limited number of reports there is a clear and substantial danger
from cellular phones.  These have been determined to be the cause of one third
of all suspected EMI.  They are also the most dangerous.  Despite the
prohibition on use in flight, people are observed to use the phones during
takeoff and landing.  This is the worst time for interference because the
aircraft is most sensitive to navigation and control interference at this
time.

The airlines may move more quickly.  They are already authorized to impose any
restrictions that they feel appropriate.  Given the incident reports there is
a potential that cellular phones may be prohibited from carry-on baggage (as
are other hazardous materials).

EMI problems should make software people feel right at home.  It is
like spaghetti code.  Every single wire and conductor is an antenna
and resonator.  Every chip a potential transmitter.  All of these
interact with each other to add or cancel.  To minimize EMI you want
the sum effect to be the least efficient antenna/transmitter possible.

Fortunately, this does not conflict with the real design goals and most of the
wires are already very inefficient.  The problem is tracking down the
occasional exception that is transmitting too much noise.

Rob Horn     [email protected]

------------------------------

Date: Wed, 10 Mar 93 09:30 GMT
From: [email protected]
Subject: International Card Fraud

              [Ralph notes that this is not directly a COMPUTER RISK,
              but it is interesting anyway.  PGN]

This week German shops and gas-stations have banned Dutch customers who wish
to pay with their credit card. In particular Euro-card users were duped by
this.  The reason was that a recent study by fraud-prevention units in the
Netherlands noted a sharp increase in credit-card-fraud.

Unsuspecting customers at German gas-stations got into trouble when the only
means they had to pay was their credit-cards.  They could still withdraw cash
from ATMs with their cards however.  It's interesting that because of the
easy ways to commit fraud with a credit card, now the Germans have decided the
Dutch customers are the perpetrators.

This case makes me think of the red-lining of phone-booths in inner-city areas
with a high ethnic population.  The phone company reasoned that as these areas
showed a high calling-card abuse rate, they shouldn't be allowed to call
certain countries.

--Ralph

------------------------------

Date: Tue, 16 Mar 93 10:41:18 GMT
From: [email protected]
Subject: Re: Garage door burglaries (Payne, RISKS-14.40)

>> An installer of automatic garage door openers has been arrested, pending
>> being formally charged of burglary.

This is not a particularly new risk.

People have always been exposed when they hired locksmiths.  Locksmiths must
be licenced and bonded for this reason, in most states.  Indeed, despite
these precautions one hears about a case of locksmith burglary now and again.

There are, however, two new features to the risk:

 * You can change the code easily.  Most people can't hire a locksmith to
   change their lock and then change the key themselves.

   This change is in the customer's favor, but he needs to do it.

 * I would not be surprised to read about a burglary ring that builds a device
   to detect and record garage door opener codes.  Jog around town wearing
   what appears to be a personal stereo while people are coming home from work
   in the evening, and when you get home read the tape, jot down your codes,
   and burgle away the next day.

   There are ways of dealing with this, such as time-dependent codes, but I
   don't expect to see them coming to a garage door near me anytime soon.
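The difference between a replayable fixed code and the "time-dependent" (here, counter-based) codes mentioned above, as an added illustration that is not part of the post and not any vendor's design: a recorded fixed-code transmission opens the door every time, while a receiver that checks a per-press counter plus a MAC under a shared key rejects the recording.  The key, the 4-byte counter, the 16-press resynchronisation window and HMAC-SHA256 are all constructed for the example.

```python
"""Fixed-code vs. counter-based garage door opener, constructed example."""
import hashlib
import hmac

WINDOW = 16  # how many missed presses the receiver tolerates (assumed)


class FixedCodeReceiver:
    """Accepts one static secret forever: anything recorded can be replayed."""

    def __init__(self, code: bytes) -> None:
        self._code = code

    def accept(self, transmission: bytes) -> bool:
        return hmac.compare_digest(transmission, self._code)


def _code_for(key: bytes, counter: int) -> bytes:
    """Transmission = 4-byte counter || 4-byte truncated HMAC over the counter."""
    mac = hmac.new(key, counter.to_bytes(4, "big"), hashlib.sha256).digest()
    return counter.to_bytes(4, "big") + mac[:4]


class RollingCodeTransmitter:
    def __init__(self, key: bytes) -> None:
        self._key = key
        self.counter = 0

    def press(self) -> bytes:
        self.counter += 1
        return _code_for(self._key, self.counter)


class RollingCodeReceiver:
    """Accepts a transmission only if its counter is fresh and its MAC is valid."""

    def __init__(self, key: bytes, window: int = WINDOW) -> None:
        self._key = key
        self._window = window
        self._last = 0  # highest counter accepted so far

    def accept(self, transmission: bytes) -> bool:
        if len(transmission) != 8:
            return False
        counter = int.from_bytes(transmission[:4], "big")
        # A replay carries a counter <= the last accepted one; reject it.
        # A counter too far ahead (lost remote, or forged) is rejected too.
        if counter <= self._last or counter > self._last + self._window:
            return False
        if not hmac.compare_digest(transmission, _code_for(self._key, counter)):
            return False
        self._last = counter
        return True


def demo() -> dict:
    """Run the recorded-transmission scenario against both receiver types."""
    results = {}
    fixed = FixedCodeReceiver(b"\x5a\xa5\x5a\xa5")  # constructed static code
    recorded = b"\x5a\xa5\x5a\xa5"                   # what a recorder would capture
    results["fixed_replay"] = fixed.accept(recorded)  # True: replay works

    key = b"constructed-demo-key"  # shared between remote and receiver
    tx, rx = RollingCodeTransmitter(key), RollingCodeReceiver(key)
    first = tx.press()
    results["rolling_live"] = rx.accept(first)     # True: genuine press
    results["rolling_replay"] = rx.accept(first)   # False: counter already used
    for _ in range(5):                             # remote pressed out of range
        tx.press()
    results["rolling_skipped"] = rx.accept(tx.press())  # True: within window
    for _ in range(WINDOW + 5):                    # far beyond the window
        tx.press()
    results["rolling_far_ahead"] = rx.accept(tx.press())  # False: resync needed
    results["rolling_tampered"] = rx.accept(b"\x00\x00\x00\x63" + b"\x00" * 4)
    return results


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name:20s} accepted={ok}")
```

The window is the usual trade-off: large enough that a remote pressed away from the door still resynchronises, small enough that the receiver never accepts an old recording.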

------------------------------

Date: Wed, 17 Mar 1993 18:38:38 +1000
From: Robert Vernon <[email protected]>
Subject: Re: Computer Controlled Parachutes (Heritage, RISKS-14.39)

> I wonder how many air people would buy a computer-controlled parachute...

In fact computer controlled parachute deployment is possible.

Traditionally a parachutist manually deploys his main parachute.  If that
fails then he follows a set procedure to release the main and deploy the
reserve parachute.  Mains usually open but sometimes they don't, so every
parachutist must be trained in reserve procedures.  Yet over the years the
most common reason for death has been to simply fail to deploy the reserve
when needed.  In a high stress situation some people just seem to forget all
their training.

So the Automatic Activation Device (AAD) was invented.  These work on the rate
of change of air-pressure.  If you are descending too fast at a set height,
then your parachute is deployed regardless.  Note that an AAD is a backup
only.  You are not supposed to ever be low enough to need one and they should
only fire if for some reason you don't or can't deploy.  The mechanical models
have always been regarded as too unreliable, too bulky and too expensive for
experienced jumpers' use, so AADs have mostly been installed on student
equipment.

A new microcomputer controlled model called a Cypres answers most of the
normal complaints.  They are reliable, accurate, and small.  And they
have extra features like automatically adjusting for zero altitude.

Until recently most experienced jumpers still refused to attach even this AAD
to their own equipment.  "No way will I risk it firing at the wrong time".
Then last December a highly experienced (10000+ jumps) US jumper died when he
was knocked unconscious in freefall.  His rig had been given to him as
demonstration gear and it had a Cypres installed.  His last comment in the
plane was supposed to be "I might have to wear it but they can't make me turn
it on".  After this death, the waiting list for a Cypres went from 2 weeks to
18 weeks and jumpers who wouldn't be seen dead with an AAD started talking
seriously about installing one.

The RISK: I'm not sure there is one.  The Cypres sounds too good to be true.
Anyone who has one won't die.  Yet I keep feeling that that is the risk.  They
are supposed to be a backup but I am afraid that people will slowly put less
emphasis on reserve procedures and rely on this device working.  One day it
won't and the jumper will not know what to do.  There is a lot of discussion
in the Skydiving community about this topic at the moment.

Bob V!
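The activation rule described above (fire only when descending too fast below a set height, after calibrating zero altitude from ground pressure), as an added example that is not from the post and not the Cypres firmware: a simulator feeds barometric samples to a small AAD model and checks that a canopy descent below the set height does not fire it, that freefall above the set height does not fire it, and that freefall below it does.  The 225 m / 35 m/s thresholds, the 4 Hz sample rate and the ISA barometric formula are assumptions made for the example.

```python
"""Barometric Automatic Activation Device model, constructed example."""
import math

SEA_LEVEL_HPA = 1013.25
FIRE_ALTITUDE_M = 225.0   # assumed activation height above the drop zone
FIRE_RATE_MPS = 35.0      # assumed descent rate that counts as "too fast"


def altitude_from_pressure(p_hpa: float, p_ground_hpa: float) -> float:
    """Height above the calibration point (ISA barometric formula)."""
    return 44330.0 * (1.0 - (p_hpa / p_ground_hpa) ** (1.0 / 5.255))


def pressure_from_altitude(h_m: float, p_ground_hpa: float) -> float:
    """Inverse of the above; used only by the simulator to make samples."""
    return p_ground_hpa * (1.0 - h_m / 44330.0) ** 5.255


class AAD:
    """Fires once when below FIRE_ALTITUDE_M and descending >= FIRE_RATE_MPS."""

    def __init__(self, p_ground_hpa: float) -> None:
        self.p_ground = p_ground_hpa   # "zero altitude" set on the ground
        self._prev = None              # (time, altitude) of the last sample
        self.fired = False

    def sample(self, t_s: float, p_hpa: float) -> bool:
        h = altitude_from_pressure(p_hpa, self.p_ground)
        if self._prev is not None and not self.fired:
            t0, h0 = self._prev
            rate = (h0 - h) / (t_s - t0)     # positive while descending
            if h <= FIRE_ALTITUDE_M and rate >= FIRE_RATE_MPS:
                self.fired = True
        self._prev = (t_s, h)
        return self.fired


def simulate(descent_rate_mps: float, start_alt_m: float,
             p_ground_hpa: float = SEA_LEVEL_HPA,
             dt_s: float = 0.25, duration_s: float = 120.0) -> tuple:
    """Constant-rate descent; returns (fired, altitude at fire or at end)."""
    aad = AAD(p_ground_hpa)
    t, h = 0.0, start_alt_m
    steps = int(round(duration_s / dt_s))
    for i in range(steps + 1):
        t = i * dt_s
        h = start_alt_m - descent_rate_mps * t
        if h < 0.0:
            h = 0.0
        if aad.sample(t, pressure_from_altitude(h, p_ground_hpa)):
            return (True, h)
        if h == 0.0:
            break
    return (False, h)


if __name__ == "__main__":
    # Drop zone at ~600 m MSL: ground pressure around 950 hPa (constructed).
    print("canopy 5 m/s from 300 m:", simulate(5.0, 300.0, 950.0))
    print("freefall 50 m/s, 10 s from 1000 m:",
          simulate(50.0, 1000.0, 950.0, duration_s=10.0))
    print("freefall 50 m/s from 1000 m:", simulate(50.0, 1000.0, 950.0))
```

Note that the rate test alone is not enough: without the height test the device would fire at exit altitude on every jump, and without the rate test it would fire on every landing.  Both conditions together are what make it a backup rather than a replacement for reserve procedures.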

------------------------------

Date: Wed, 17 Mar 1993 12:17:50 -0500 (EST)
From: [email protected]
Sender: Paul Robinson <[email protected]>
Subject: Yet another White House address
To: Telecom Digest <[email protected]>,
       Comp Privacy <[email protected]>,
       Risks in computing <[email protected]>, [email protected],

MCI Mail announced yet another E-Mail address for messages to be sent to the
White House.  It stated in the note that messages sent to the address would be
sent as paper mail to the White House via the USPS, rather than as E-Mail.

The implication, since the usual charge for individual messages is 50c for the
first 500 characters, is that this could conceivably be something that the
White House is paying for, since MCI Mail permits "autoforwarding" of a message
sent to a mailbox to be sent to a fax number, another E-Mail address or a Paper
Mail address.

If MCI is doing this to encourage MCI Mail subscribers to send messages,
then messages from users on Internet will almost certainly either bounce
or not be sent.

I encourage people on Internet to try sending a message to the address
supplied by MCI Mail for messages to the White House to see what happens.

I guess that's all I need to say.

OH YES!  You need the E-Mail address, don't you?  :)

    [email protected]

Paul Robinson -- [email protected]

------------------------------

End of RISKS-FORUM Digest 14.41
************************