From: SMTP%"risks@csl.sri.com" 13-AUG-1996 21:05:50.34 To: EVERHART CC: Subj: RISKS DIGEST 18.32 From: risks@csl.sri.com Date: Tue, 13 Aug 1996 00:35:27 -0700 (PDT) Message-Id: <199608130735.AAA26336@chiron.csl.sri.com> X-Authentication-Warning: chiron.csl.sri.com: risko set sender to risks@csl.sri.com using -f To: risks@csl.sri.com Subject: RISKS DIGEST 18.32 Sender: owner-risks@csl.sri.com Precedence: bulk Reply-To: risks@csl.sri.com RISKS-LIST: Risks-Forum Digest Tuesday 13 August 1996 Volume 18 : Issue 32 FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks) ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator ***** See last item for further information, disclaimers, caveats, etc. ***** Contents: Java security update (Ed Felten) More power to us? "It couldn't possibly happen again" department (PGN) Another London train crash; well, it's not supposed to happen! (PGN) Fire alarms on Boeing 777 triggered by fruit/frog cargo (PGN) Electromagnetic pulses to stop car chases? (Peter Wayner) GPS Receiver Explodes (David Kennedy) Bread-riots and circuses (Brian O'Connell) The risks of apathy in telephone callers (Christopher Kline) CyberRisk '96 Conference, Call for Participation (Mich Kabay) Re: Computers causing power outages (Paul Hughett) Re: "Anonymous" phone tips and CNID (Jeffrey Mattox) Re: Department of Motor Vehicle records (Steve Sapovits, Benedikt Stockebrand) Re: America Offline (James K. Huggins, Matthias Urlichs) Abridged info on RISKS (comp.risks) ---------------------------------------------------------------------- Date: Mon, 12 Aug 1996 20:29:06 -0400 From: Ed Felten Subject: Java security update We have found two Java security bugs recently, one in Microsoft Internet Explorer 3.0beta3 and one in Netscape Navigator 3.0beta5. Both bugs were serious, allowing a malicious applet to gain at least full read/write access to the victim's files. Both bugs are fixed in current releases of the browsers. The Netscape bug was caused by incorrect handling of type definitions in the Java internals. Java uses special predefined names for its array types; these special names are bound to the correct array types on demand. We discovered that under certain circumstances an applet could define a class that had one of these special names. The system detected this and threw an exception, but the malicious definition was mistakenly left in one of the system's internal tables. The result was that an applet could redefine one of Java's array types. This was sufficient to break Java's type system and hence to circumvent Java's security mechanisms. The Microsoft bug allowed an applet to become a member of a security-critical Java package (module) whose membership was supposed to be limited to Java classes that are built-in to the browser. Code belonging to one of these packages can set certain security-critical variables such as the access control lists that say which files the applet is allowed to read and write. An applet could exploit this bug to obtain full file system and network access, among other things. For more details, see http://www.cs.princeton.edu/sip/News.html or contact Ed Felten (felten@cs.princeton.edu, 609-258-5906). Dirk Balfanz, Drew Dean, and Ed Felten, Safe Internet Programming Group, Department of Computer Science, Princeton University [The "current release" of the Microsoft Internet Explorer is the one that was available at midnight PDT at the end of Monday evening (i.e., 3AM EDT Tuesday 13 Aug). RISKS suggests that serious users of either browser pick up the new versions, and that people who consider themselves only casual users get more serious. PGN] ------------------------------ Date: Tue, 13 Aug 96 00:12:19 PDT From: "Peter G. Neumann" Subject: More power to us? "It couldn't possibly happen again" department Power losses on 10 Aug 1996 (Saturday) affected at least 4 million customers in 8 U.S. states from Canada to Mexico (including parts of Texas). San Francisco Airport was reduced to a mass of waiting humanity in the absence of power other than air-traffic-control emergency power that permitted just a few planes to take off. Many landings were diverted and many flights cancelled. Outages were spotty. For example, Palo Alto was down for 5 hours, while neighboring Menlo Park seems to have been (mostly?) unscathed. (Perhaps SRI's cogeneration plant helped out!) Some places were still out the next day. The Pacific Intertie between Oregon and California was reportedly involved again, but according to a late report (CBS late TV news) only as the 26th in a series of thus-far-identified problems that began with three line outages (hot weather expanding power lines), a problem at the Washington-Idaho boundary, and another problem at the McNary substation. The CBS report suggested chaos theory as an explanation, with many small causes combining in unexpected ways to cause something that allegedly is not supposed to happen. Unusually hot weather in Washington and Oregon and heavy use of air conditioners everywhere in the West contributed significantly. (I suppose Saturdays require much less commercial AC, but much more home AC.) An earlier theory that this new problem had been caused by a fire under some transmission lines seems to have fallen by the wayside -- the fire apparently occurred after the outage had been triggered. Of course, the computer controlled systems did exactly what they were supposed to do -- shut down when threatened with overload conditions that might be damaging to the system. The early July 1996 outages had very similar but less long-lasting effects. (The 2 July outages spanning 12 Western states were apparently triggered by a single tree in Idaho, as noted in RISKS-18.27, but also occurred during a hot spell.) It appears this might become a commonplace occurrence. Some power officials said that this was a really freak (i.e., very unlikely) occurrence, while others perhaps more candidly said there is very little they can do to prevent further recurrences. An emergency meeting of utilities folks is taking place this week, to consider what might be done differently. I suppose they might recommend we all wear lighter clothing and offer frequent-flier miles for recycled perspiration. But serious suggestions might include cutting down more trees? Shutting down more salmon ladders? Perhaps instituting more rolling brownouts? How about more preventive maintenance? More oversight? Closer local monitoring and more integrated/distributed system-wide monitoring? In the 11 Aug case, diagnostics apparently indicated that a massive problem was imminent something like half an hour beforehand, but those warnings were evidently not given sufficient priority. And then Monday afternoon, 13 August, there were new outages. South San Jose -- which was partly spared on 11 August, including a Neil Diamond concert -- was hit this time with some long outages; the Hicks substation apparently had a transformer explosion, affecting 27,000 customers. Palo Alto (which has its own utility company, but depends on PG&E) had a 45-minute outage that affected all 29,000 customers; the outage was blamed on PG&E having messed up by sending an erroneous control signal to Palo Alto. Please pardon any inaccuracies here. There still seem to be a lot of unknowns, and the reporting is itself spotty. I hope when all the smoke clears, we get some definitive analyses for RISKS. This is clearly a very important topic for us to contemplate, because we are increasingly dependent on our power infrastructure for our computing/communication/transportation/ ... infrastructure, which increasingly depends on our power infrastructure, etc. Also, the long-term weather prospects (including global warming, if you care to believe in it) and dramatically increased usage demands seem to to suggest more problems in the future. ------------------------------ Date: Mon, 12 Aug 96 10:09:48 PDT From: "Peter G. Neumann" Subject: Another London train crash; well, it's not supposed to happen! A London commuter train carrying about 400 passengers from Euston Station crashed into an empty train heading into Euston Station, killing one passenger and injuring about 100 near Watford Junction in Hertfordshire, 20 miles north of London, in the afternoon rush-hour on 8 Aug 1996. [Source: *San Francisco Chronicle*, 9 Aug 1996, A12] No cause was given, but of course the signalling system is supposed to prevent that from happening. (The RISKS archives include a bunch of incidents on trains in and around London.) ------------------------------ Date: Sun, 11 Aug 96 10:44:12 PDT From: "Peter G. Neumann" Subject: Fire alarms on Boeing 777 triggered by fruit/frog cargo False alarms on the Boeing 777 are apparently being triggered by unusual humidity and temperature conditions in cargo holds. For example, a London-bound Emirates aircraft was diverted to Cyprus, due to heavy-breathing mangos, and a Cathay aircraft was evacuated and the fire-suppression system activated -- due to a combination of fruit and frogs. Apparently, tropical fruit (and especially durian fruit) generates enough humidity to be detected as smoke -- thereby triggering the alarms. [Source: *Aviation Daily*, 12 Aug 1996] [I wonder what this could do to a computer system, such as a spilled-pitcher-of-durian Cray? Also, smoking mangos can be hazardous to your health? PGN] ------------------------------ Date: Sat, 10 Aug 1996 19:55:29 -0400 From: pcw@access.digex.net (Peter Wayner) Subject: Electromagnetic pulses to stop car chases? Police prepare stunning end for high-speed car chases BY GILES WHITTELL AND NIGEL HAWKES, The Times, London, 10 Aug 1996 It could be the end of the car chase as we know it. With the automotive equivalent of a stun gun, science fiction is coming to the aid of law enforcement. A high-powered electrical device under development at the Pentagon's Army Research Laboratory in Adelphi, Maryland, is to be tested by police and border patrol agents and could be in use by next year. The car stopper works by focusing an intense electromagnetic charge on the electronic systems that manage most modern engines, disabling them and paralysing the car. In the jargon of its inventors, the 150 kilovolt charge is a nemp, or non-nuclear electromagnetic pulse. Contractors are bidding to produce a police version. Very precisely directed beams are required, but even then there will be problems. A pulse powerful enough to disable an engine at any reasonable range would also be likely to disrupt communications, damage television and radio sets, disable computers and even stop heart pacemakers. There is also the danger of loss of control when a car is being driven at high speed. Counter-measures would include using old-fashioned engines with no electronics, or perhaps surrounding the most delicate components with shielding. The best might be to get hold of one of the stun guns and use it to disable pursuing police vehicles. ------------------------------ Date: 09 Aug 96 17:28:42 EDT From: David Kennedy <76702.3557@CompuServe.COM> Subject: GPS Receiver Explodes Excerpted from the c4i-pro mailing list. A PLGR is milspeak for a Precision Lightweight GPS Receiver made by Rockwell. Note there are no conclusions in the report IRT whether the equipment was at fault or something else. >Date: Thu, 08 Aug 96 16:18:00 +6 >From: Potter B MSgt ACC/SCXX >Subject: c4i-pro PLGR Violent Venting at Ft Irwin, CA > >Potter B MSgt ACC/SCXX > >Urgent traffic regarding explosion of PLGR. Please forward to PLGR users at >your units. > > Very Respectfully, > //Bob// > ROBERT A. POTTER JR., MSgt, USAF > Readiness Branch > > ---------- >From: Gray, Rodney, Lt CZU[SMTP:GrayR@gps1.laafb.af.mil] >Sent: Wednesday, August 07, 1996 10:59 AM >Subject: PLGR Violent Venting at Ft Irwin, CA > >The following point paper describe[s] the PLGR venting issue. Please >disseminate this message to the necessary people with your services. > >Issue: > >On 30 July 96 a PLGR explode[d] during operation at Fort Irwin, CA. >Apparently there was a violent venting vice a slow vent. In other words the >PLGR case did not contain the blast. > >Discussion: > >The incident involved the Commanding General of the 4th Infantry Division, >Major General Kern, and his driver. The driver was injured by the blast. >His left eye was bruised, he did however make a full recovery and was >released from the hospital. [DMK: Incident is under investigation. Rockwell has been notified. This is the first reported incident of this kind. Over 55,000 units have been in the field in the military for some time now.] ... >Recommendation: > >This is initial report. Don't have enough information to make a firm >recommendation at this time. Will send updates as the situation unfolds. > > JPO's Interim Measure > >As an interim measure, until the investigation is completed the JPO has >recommended that all BA-5800 batteries be removed from equipment when >connected to vehicle power. HOWEVER, the removal of the BA-5800 when being >powered by another power source has operational considerations. It >typically will cause faster use of the memory battery (estimated 3 months or >less usage versus 1 year) causing the memory battery to fall below the >adequate power level. This results in the loss of COMSEC key. Which in >turn cause a lost of almanac and user waypoint data. USERS SHOULD ASSESS >THEIR OPERATIONAL IMPACT AND RISK BEFORE REMOVING THE BA-5800. Further >guidance will be provided pending the results of the incident investigation. Dave Kennedy CISSP InfoSec Recon Team Leader, National Computer Security Association ------------------------------ Date: Sun, 11 Aug 96 22:18:02 EDT From: "Brian O'Connell" Subject: Bread-riots and circuses Among the ramifications of the recently completed Olympics may be an under-noted economic risk, and implications for other sorts of international competition. Retailers in this country claimed (and I believe some statistics corroborated this claim) that because consumers were engrossed in the TV coverage of the games they were not out buying stuff at their usual rate. Retail sales were thereby depressed. If this is the case some speculation on the economic role of entertainment culture might be in order. What would have happened, for example, if the Olympics were twice as long? or if they were twice as interesting? Would the change in buying patterns have been doubly noticeable? Would economists have classified the blip as serious? What if TV was routinely so enthralling? Would the economy suffer? In short, what is the likelihood of a recession caused by an entertainment event? (If the risk is measurable a related risk would be to allow the Net to become too entertaining without _first_ establishing a reliable e-payment system, so that collectively hypnotized consumers could still shop.) Of course, the Olympics are a commercial event and as such are about creating demand for consumer goods as much as anything else. They need advertising dollars to make them run and therefore might safely be assumed to cause an economic lull and surge of proportional size. But when is demand-creation decoupled from actual consumption? How long can consumers be frozen in front of demand-creating spectacles without some of that effort going to waste? Other events aren't as predictable as the quadrennial games. Conventional wars, for example, don't depend on ad money and have proven to be a pretty good draw. Would a lengthy, televised one disrupt the domestic economy? Speaking of wars, what are the strategic implications of this sort of event-driven economic upheaval? If indeed the production of information goods and consumption of other sorts of products _can_ become so absurdly linked, would the DoD develop entertainment programming designed to economically paralyze a region? A swords-into-sitcoms approach involving the military redeployment of Bob Hope, who could so amuse the golf-loving citizens of another country that the resulting economic collapse might bring down a regime? While Radios Marti, Moscow, and Free Europe, to say nothing of the larger phenomenon of American cultural imperialism have caused similar effects for years, I'm more interested in the perhaps-less-overtly-hostile act of waging economic inactivity. The theory, however, is the same -- if the radio can make us (or "them") want more democracy, or sneakers, it can also make us want to stay home and listen to the radio. Perhaps more importantly, I wonder if new technologies (the Net, again) might provide a real-time way to remotely instigate collective and real-life events. All of this bread-and-circusing is to say two things, both of which have been said before. First, the creation of demand can be dicey; as post-Pavlovian humans we're capable of -- and perhaps inclined to -- salivating at the sound of the bell itself rather than the prospect of food. Second, information warfare probably means more than propaganda and printer viruses, and can likely be tuned to selectively affect all sorts of complicated and contingent networks, including an economy. ------------------------------ Date: Thu, 8 Aug 1996 13:35:57 -0400 From: Christopher Kline Subject: The risks of apathy in telephone callers *Information Week* (22 Jul 1996, page 12) reports that K&T Communications of Fort Worth, Texas has registered the phrases "I don't know", "I don't care", "Whoever", and "It doesn't matter" as names of long-distance carriers in Texas. The risk? When you make an operator-assisted long-distance call from Texas and the operator asks which long distance carrier you would like to use, it is in your best interest to have a preference. K&T charges "approximately twice" that of the largest carriers. Opening up the long-distance markets may help spur the growth of an information infrastructure, but whether or not it helps lower prices for consumers is an open question. Christopher Kline Cornell University ckline@acm.org [For folks who still have rotary dials, you may find an automated voice interface that lets you utter those phrases as well! PGN] ------------------------------ Date: 9 Aug 1996 22:16:50 GMT From: hughett@galton.psycha.upenn.edu (Paul Hughett) Subject: Re: Computers causing power outages (Peters, RISKS-18.30) Paul Peters is technically correct but also misses a valid point. D. C. Sessions should have said "negative incremental resistance" rather than simply "negative resistance." The former term means that for some range of voltage, the current increases as the voltage decreases. This means that the power company cannot (necessarily) reduce the power consumption by reducing the line voltage, which has been the usual way of handling temporary power overloads without dropping service entirely; in fact, decreasing the voltage may now increase the power consumption, since line losses increase as you go toward lower voltage and higher current. What is perhaps worse is that a power supply, a negative incremental resistance device, and a few passive components can make an excellent oscillator; look up the circuit for a tunnel diode oscillator. In other words, the power distribution system becomes dynamically unstable, perhaps with rather large voltage and current excursions as all the passive and active components interact. Not something that I want to hook my house up to. By the way, "negative resistance" is frequently (if incorrectly) used as a synonym for "negative incremental resistance," and in fact this is the meaning that I assumed was meant in the original post. Paul Hughett University of Pennsylvania ------------------------------ Date: 12 Aug 1996 17:46:31 GMT From: jeff@cher.heurikon.com (Jeffrey Mattox) Subject: Re: "Anonymous" phone tips and CNID (Cook, RISKS-18.30) Many people do not realize that most corporate phone systems have SMDR (station message detail recording) which logs each call from each telephone. So, even if CNID is disabled, it is very likely that a log exists of each phone call. It is a simple matter to search for calls to specific numbers. Jeffrey Mattox -- jeff@heurikon.com ------------------------------ Date: Mon, 12 Aug 1996 15:24:12 -0400 (EDT) From: Steve Sapovits Subject: Re: Department of Motor Vehicle records (Siegman, RISKS-18.31) I'd argue that police access is different than public access. The police have access to other forms of information the general public does not have easy access to. I don't buy arguments 2 and 3. If you personally want your information to be public for the sake of getting unsolicited advertising, then I have no problem with a system that allows you to give permission to do that. The problem is where do you stop this? Using your first and last arguments, why not make all credit information public so that the police can easily detect credit card fraud and you can get targeted advertising based on your buying habits? Perhaps all educational and employment records should be made public so we can check resumes for accuracy. No thanks. If people want to make such information on themselves available, that's fine with me, but I want control over my own personal information. Steve Sapovits N2K Telebase (http://www.n2k.com) steves@telebase.com ------------------------------ Date: 12 Aug 1996 15:49:14 +0200 From: Benedikt Stockebrand Subject: Re: Department of Motor Vehicle records (Ellermeier, RISKS-18.30) What's worse, some years ago the German RAF (Rote Armee Fraktion/Red Army Fraction), the major terrorist group of that time, allegedly (i.e. it's too long ago to remember my sources) used to somehow obtain access to the registration data of some vehicle, fake the vehicle registration ID card (Kraftfahrzeugschein), then steal a car of the same type and color and fake the license plates. Such a vehicle would pass any road block, even if every vehicle passing the block would be checked against a vehicle registration data base. Handing out the necessary data sure makes life easier for some folks. Conclusions are left to the RISKS reader in general and the security and intelligence folks hopefully reading this in particular. Benedikt Stockebrand, Dortmund, Germany [Although RISKS truncates disclaimers, Benedikt added something to the effect that his name and e-mail address are not to be used in any way for advertising purposes, and that a fee would be imposed on unsolicited advertising (for proofreading costs). It remains to see whether any such disclaimers could be enforced, but perhaps RISKS should add one to the risks.info file! PGN] ------------------------------ Date: Sun, 11 Aug 1996 08:47:21 -0400 (EDT) From: "James K. Huggins" Subject: Re: America Offline (Cassel, RISKS-18.31) [David, "dishonesty" sounds a little harsh. How well can anyone predict how long it is going to take to fix a problem that has not yet been identified and understood? PGN] Exactly. In fact, this is one of the oldest problems in our field ... the fact that we don't know how to predict how long it will take to do just about anything useful (write new code, fix an old piece of code, etc.). True honesty is all too rare in our discipline. How often will you hear a company say "We have a problem with our product. We don't know what's causing the problem, either. We're working furiously on it to solve it, but we can't predict whether it will take minutes or days to fix it."? Consider also the common practice of marketing "bug fixes" as "upgrades" --- sometimes free, sometimes not. ------------------------------ Date: 11 Aug 1996 16:36:04 +0200 From: smurf@noris.de (Matthias Urlichs) Subject: Re: America Offline (Cassel, RISKS-18.31) > [David, "dishonesty" sounds a little harsh. How well can anyone > predict how long it is going to take to fix a problem that has not > yet been identified and understood? PGN] You can't, and that's the point. When I tell my customers "Try again in 15 minutes", they'll assume that I have enough data to make a reasonable guesstimate that the repair will take 15 minutes, more or less. If, on the other hand, I haven't the faintest idea what's going on, then "we've had a major system crash, please try again later" would (a) be more honest and (b) would not annoy customers by raising unfulfillable expectations. Matthias Urlichs noris network GmbH ------------------------------ Date: 12 Aug 96 21:20:22 EDT From: Mich Kabay <75300.3232@CompuServe.COM> Subject: CyberRisk '96 Conference, Call for Participation CyberRisk '96 "Reducing risk and building ethical policies in the electronic workplace" 7-8 November 1996 National Airport Hilton, Arlington, Va. Organized by the National Computer Security Association FOR MORE INFORMATION: WWW: http://www.ncsa.com CompuServe: GO NCSA E-Mail: info@ncsa.com M. E. Kabay, Ph.D. Director of Education, NCSA Program Chair, CyberRisk '96 ------------------------------ Date: 19 July 1996 (LAST-MODIFIED) From: RISKS-request@csl.sri.com Subject: Abridged info on RISKS (comp.risks) The RISKS Forum is a moderated digest. Its USENET equivalent is comp.risks. SUBSCRIPTIONS: PLEASE read RISKS as a newsgroup (comp.risks or equivalent) if possible and convenient for you. Or use BITNET LISTSERV. Alternatively, (via majordomo) DIRECT REQUESTS to with one-line, SUBSCRIBE (or UNSUBSCRIBE) [with net address if different from FROM:] or INFO [for unabridged version of RISKS information] The INFO file (guidelines, submissions, default disclaimers, archive sites, copyright policy, PRIVACY digests, etc.) is also obtainable from http://www.CSL.sri.com/risksinfo.html ftp://www.CSL.sri.com/pub/risks.info The full info file will appear now and then in future issues. All contributors are assumed to have read the full info file. ARCHIVES are available: ftp://ftp.sri.com/risks or ftp ftp.sri.comlogin anonymous[YourNetAddress]cd risks or http://catless.ncl.ac.uk/Risks/VL.IS.html [i.e., VoLume, ISsue]. The ftp.sri.com site risks directory also contains the most recent PostScript copy of PGN's comprehensive historical summary of one liners: get illustrative.PS ------------------------------ End of RISKS-FORUM Digest 18.32 ************************