From: RISKS Forum
Date: Thu, 29 Oct 92 15:50:25 PST
Subject: RISKS DIGEST 13.88
Reply-To: risks@csl.sri.com

RISKS-LIST: RISKS-FORUM Digest  Thursday 29 October 1992  Volume 13 : Issue 88

   FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS
   ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Contents:
  London Ambulance Service (Brian Randell, Trevor Jenkins)
  Structural Failure, Product Liability, Technical Insurance (Hermann Haertig)
  Information America (database risks) (Jan Wolitzky)
  Interesting/obscure interaction between users -- shared mem resources (David A. Honig)
  NSF Net cable-cut story is bogus (Doug Humphrey via John G. Scudder)
  Re: Risks in Banking, Translation, etc. (Arun Welch)
  Cellular reception equipment banned by Congress (Robert Allen and Mark Walsh)
  Re: Encryption keys (Dorothy Denning, Peter Wayner, Li Gong, Carl Ellison, Charles Mattair)

 The RISKS Forum is moderated. Contributions should be relevant, sound, in good taste, objective, coherent, concise, and nonrepetitious. Diversity is welcome. CONTRIBUTIONS to RISKS@CSL.SRI.COM, with relevant, substantive "Subject:" line. Others may be ignored! Contributions will not be ACKed. The load is too great. **PLEASE** INCLUDE YOUR NAME & INTERNET FROM: ADDRESS, especially .UUCP folks. REQUESTS please to RISKS-Request@CSL.SRI.COM.

 For Vol i issue j, type "FTP CRVAX.SRI.COM<CR>login anonymous<CR>AnyNonNullPW<CR>CD RISKS:<CR>GET RISKS-i.j<CR>" (where i=1 to 13, j always TWO digits). Vol i summaries in j=00; "dir risks-*.*" gives directory; "bye" logs out. The COLON in "CD RISKS:" is essential. "CRVAX.SRI.COM" = "128.18.10.1". <CR>=CarriageReturn; FTPs may differ; UNIX prompts for username, password.

 For information regarding delivery of RISKS by FAX, phone 310-455-9300 (or send FAX to RISKS at 310-455-2364, or EMail to risks-fax@cv.vortex.com).

 ALL CONTRIBUTIONS CONSIDERED AS PERSONAL COMMENTS; USUAL DISCLAIMERS APPLY. Relevant contributions may appear in the RISKS section of regular issues of ACM SIGSOFT's SOFTWARE ENGINEERING NOTES, unless you state otherwise.

----------------------------------------------------------------------

Date: Thu, 29 Oct 1992 12:38:36 GMT
From: Brian.Randell@newcastle.ac.uk
Subject: London Ambulance Service

The top news item in the UK last night on the main BBC television news programmes, and this morning in the national papers, was the trouble at the London Ambulance Service, in particular with their computer-based ambulance dispatching system. (These problems have featured on RISKS before. [Yes, RISKS-13.38, 42, 43]) However, previous complaints, warnings and campaigns about delayed ambulance dispatching had had little effect, so that the situation has been allowed to reach a crisis point, with what sound to be credible reports of a number of deaths being caused this week as a result of introducing the latest stage of computerization.

No doubt many more stories will follow, but below is the entirety of the front page report in today's Independent.
Brian Randell

  AMBULANCE CHIEF QUITS AFTER PATIENTS DIE IN COMPUTER CRASH
  By Ian MacKinnon and Stephen Goodwin

  The Chief Executive of the London Ambulance Service resigned yesterday over allegations that up to 20 people may have died because of the collapse of a new computer system controlling emergency calls. Virginia Bottomley, Secretary of State for Health, was forced to announce an external inquiry into the 36 hours over Monday and Tuesday which led to delays of up to three hours in ambulances arriving.

  Nupe, the public employees' union which represents ambulance staff, said that the resignation of John Wilby was recognition of management failure, but the Government was to blame for years of underfunding.

  Mrs. Bottomley's response to the "teething troubles" with the £1.5m computer system introduced in stages since January drew angry responses from both backbenches. David Blunkett, Labour health spokesman, demanded that outside managerial expertise be brought in and accused Mrs. Bottomley of failing to respond to the clear signs of crisis which had been building up for months.

  Despite union warnings, management brought the computer-aided dispatch system fully on stream at 3 a.m. on Monday, giving cross-London coverage for the first time. The capital had been divided into three sectors - south of the Thames, north-east and north-west - with teams sending ambulances in their area by a combination of two-way radio and telephone, and computer displays in vehicles. Attempts to introduce the system partially in March collapsed.

  The full introduction of the computer system effectively did away with the radio and telephone calls to stations, with the computer dispatching crews to answer calls. But within hours, during the morning rush, it became obvious to crews and control room staff that calls were going missing in the system; ambulances were arriving late or doubling up on calls. Distraught emergency callers were also held in a queuing system which failed to put them through for up to 30 minutes.

  Chris Humphreys, Nupe's divisional officer, said that it was hard to verify how many people might have died because of the delays but it could be as many as 20. However, the ambulance service contradicted claims that one 14-year-old boy had died of an asthma attack after waiting 45 minutes. It said that the call was dealt with in 28 minutes - although the Patient's Charter has a target of 14 minutes. A man of 83 was also said to have died before the service reverted to the old system at 2 p.m. on Tuesday.

  Management said initially yesterday that control room staff had been overloaded by the new system as they tried to respond to the extraordinary level of calls. But in the Commons Mrs. Bottomley conceded that the computer system "broke down" and that the old system would remain in operation until the problems had been solved.

  Martin Gorham, deputy chief executive of South West Thames Regional Health Authority, is to take over from Mr. Wilby until a replacement is found. Mrs. Bottomley said that the chief executive of another metropolitan ambulance service would be appointed to head the inquiry, which would be made public as soon as possible. But her responses and earlier failures to act on numerous warnings left MPs dismayed. David Mellor, MP for Putney, called in his first Commons contributions since resigning as Secretary of State for Heritage for "top to bottom reform".

Dept. of Computing Science, The University, Newcastle upon Tyne, NE1 7RU, UK
EMAIL = Brian.Randell@newcastle.ac.uk  PHONE = +44 91 222 7923  FAX = +44 91 222 8232

------------------------------

Date: Thu, 29 Oct 92 16:48:10 GMT
From: tfj@apusapus.demon.co.uk (Trevor Jenkins)
Subject: London Ambulance Fiasco

The UK media have had a field day in the last four days with the inauguration of the new Command and Control System for the London Ambulance Service.
The press concentration has centred upon the delays experienced by people calling the service (up to eleven hours in a few cases). One distraught ambulance driver was interviewed and recounted that the police are saying "Nice of you to turn up" and other things. As of 23:00 last night, Oct 28, the LAS instigated a backup procedure to ensure that calls were handled in a timely fashion.

Several issues that the press did not cover were:

  o There appears to have been NO backup procedure at all.
  o The design of the user interface was inadequate.
  o No consideration was given to system overload.

The good news is that the first seems now to have been rectified. However, the second problem is the one that worries me the most. Much of the TV coverage centred upon shots of the Control Room itself. Wow, this is full of the latest technology---lots of fancy graphic screens showing maps and other goodies. There are trackerballs for the operators to play with. The utilisation of all of this stuff is however flawed. Many times the newscaster quoted operators saying things like:

  o there was no way to scroll back through the list of calls to ensure that a vehicle had actually been dispatched
  o the exception list just kept growing

(I'll stop typing their comments as it just becomes too depressing.)

The estimate is that 20 people are now dead who would otherwise still be alive.

Trevor Jenkins, 134 Frankland Rd, Croxley Green, Rickmansworth, WD3 3AU
email: tfj@apusapus.demon.co.uk  phone: +44 (0)923 776436

   [Also noted by tjfs@tadtec.co.uk (Tim Steele).]

------------------------------

Date: Tue, 27 Oct 1992 09:07:36 GMT
From: haertig@gmd.de (Hermann Haertig)
Subject: SPT-4

The International Conference on Structural Failure, Product Liability and Technical Insurance, held every 3 years in Vienna, was last held in July 1992. This year's conference covered a wide range of topics. An incomplete list:

  - failure case studies (e.g. lots of bridges)
  - failure analysis using mathematical models and computer simulations (e.g. NW Detroit MD80 crash)
  - the influence of computer animation on court decisions
  - international liability law
  - corrosion
  - not much on computer risks though

It turned out to be a real interdisciplinary (engineers of many disciplines + lawyers) and very international event. Some of the presentations were very professional, e.g. those of lawyers describing the use of computer animation at court. Proceedings are announced to appear in Elsevier later this year.

-- hermann haertig, Project BirliX, GMD (German National Research Center for Computer Science)
Hermann.Haertig@gmd.de  x400: haertig@zi.gmd.dbp.de

------------------------------

Date: Thu, 29 Oct 92 16:49 EST
From: wolit@mhuxd.att.com
Subject: Information America

In the November, 1992, issue of ONLINE, is a horrifying article (pp. 103 - 105) in the "Legal Briefing" department by one Teresa Pritchard-Schoch, entitled, "Information America: A Tool for the Knight in Shining Armor." The author gushes on about what a wonderful boon the Information America database service is for lawyers (her "Knights in Shining Armor") and others. A few extended quotes:

  "In one interesting case we (the research staff at a law firm) investigated an entire jury's background before the members were even selected. The case involved three affluent plaintiffs. . . . Our goal was to find a jury who would not have any sympathy for the plaintiffs . . . . By checking a motor vehicles license database and real estate property records, we were able to compile a jury whose members all except one drove cars more than six years old. Moreover, no one on the jury owned any real estate. Online sources also revealed facts about the jury members' likes and dislikes which were subtly used to influence them at trial. The opposing counsel was completely unaware of the tactics our firm used and probably still wonders why he lost that case. . . ."
  "Information America databases for investigative services include Sleuth, Asset Locator, Executive Affiliation, People Finder, Business Finder, and Litigation Prep.

  "Sleuth searches millions of public records from both state and county sources, including corporate and limited partnership records, UCC and lien filings, . . . assumed and fictitious names. . . . The relationships between individuals and business would be almost impossible to duplicate manually. . . ."

  "Asset Locator searches real property records, aircraft registration . . ., stock holdings . . ., and personal property locators. . . . A real property search for transfers, rather than holdings, is also available. . . ."

  "People Finder accesses 111 million names, 92 million households and 61 million telephone numbers. The profile obtained includes the current address, telephone number, residence type, length of residence, gender, date of birth, up to four household members and their dates of birth, and up to ten neighbors and their names and addresses. The sources of information . . . include telephone directories, the U.S. Postal Service's change of address file, direct marketing records, publishers' address files, driver's license files, voter registration records, birth and wedding announcements, etc."

The author acknowledges that "many . . . feel somewhat unsettled" about her accounts, and that "Others are uneasy about increasing availability of private information about their personal lives." But, she argues, "this information has always been available."

I know that commercial credit-reporting firms, such as TRW, must make individuals' files available to them for inspection and correction. Do such laws apply to database services such as Information America as well? Do any states provide individuals with rights concerning the commercial use of personal information identified with them? (In the case of credit services, you usually sign away any privacy rights when you apply for credit, but I wasn't aware that subscribing to a magazine resulted in the same forfeiture.) Are there any other services such as this that provide comprehensive access to a wide range of personal information about private citizens?

Jan Wolitzky, AT&T Bell Labs, Murray Hill, NJ; 908 582-2998, wolit@mhuxd.att.com

------------------------------

Date: Thu, 29 Oct 92 14:48:05 -0800
From: "David A. Honig"
Subject: Interesting/obscure interaction between users -- shared mem resources

I have found that a single user can use up all the shared memory segments that any Sun's kernel allows. (Typically 100 segs of 1MB each, max). If these are not deallocated correctly, they linger until the machine is rebooted. Talk about "persistent" environments.

------------------------------

Date: Thu, 29 Oct 1992 02:31:21 -0500
From: jgs@merit.edu (John G. Scudder)
Subject: NSF Net cable-cut story is bogus

I noticed the article entitled "The NSF Net cable-cut story" in RISKS-13.86. It clearly looked bogus (9.6k? Come on!), so I asked around a bit. Doug Humphrey had the answer. I have appended his description of the real story below (with his permission).

The RISK here is in believing everything you read...

Regards,
--John Scudder, Merit/NSFNET Internet Engineering  jgs@merit.edu

> Date: Wed, 28 Oct 92 18:50:01 -0500
> From: Doug Humphrey
> To: jgs@merit.edu
> Subject: [jgs@merit.edu: Re: .0045 mbits/sec]
>
> Concerning the message in RISKS, here is the story; I hope
> that you find it as funny as I did.
>
> A guy from JvNCnet sent out a message about the T3 being cut,
> and mentioning that traffic was being routed over their T1
> connection until the "backhoe fade" was over. Just for fun,
> I modified the message and sent it to a private mailing list.
> The mods that I made were the name of the org (I called it JNvCnet)
> and the speed of the backup feed (I said 9.6k rather than T1)
> and of course I gave it a title of .0045mbits per second.
> I also changed the name of the sender to Steve Martin (a famous
> comedy person).
>
> In any case, I sent this to a small, private group of network
> heavies, to whom it would be grand fun. Imagine my surprise
> when people from around the world start forwarding copies of
> RISKS to me with congrats on having such an obvious spoof
> published as fact! Obviously one of them liked it enough
> that he sent it to RISKS.
>
> In any case, the original sender name is lost to time; I don't
> remember it. It really was a pretty routine message from them,
> ignoring the mods that I made.
>
> So, that is the story. I hope that helps explain it!
>
> Doug Humphrey, President, Digital Express Group, Inc.  doug@digex.com

   [Golly, it was neither April Fool's Day nor Two-Backhoe Rode. PGN]

------------------------------

Date: Tue, 27 Oct 92 13:01:52 -0500
From: Arun Welch
Subject: Re: Risks in Banking, Translation, etc. (RISKS-13.86)

> ... indicates that over 75% of bank computer programs are written in a
> language appropriate to the task as opposed to trying to force their models
> into the latest Object Oriented fad and 84% of banking software is designed
> to run on systems that have low mean time between failures

By an amazing coincidence, I've been talking to people at a bank about their current technology, and they are in something of a crisis. This is a large bank that's in the process of taking over smaller banks, and they're currently buying banks at the rate of 3-4 a month, but they're only able to deploy systems at the rate of one every 3-4 months. They're also in a state where most of their software was originally written in the early 70's, and now consists of mostly patches to the original. Their solution? To hop on the OOP bandwagon, and target PC's as the delivery vehicle.

Unfortunately, their idea of rapid deployment is, instead of taking 5 years to deploy a system, to do it in 3, and they're unwilling to give up their ingrained programming structure, so they've got 5 people spending six months on a program that took me an hour to prototype. (Not that I'm claiming to be a hot-shot programmer, only that if you put too many people to solve a rather simple problem you're not going to go anywhere.) They've got the right idea, but the implementation sucks.

It's also interesting to note that the people who will be responsible for accepting whether the new technology works are the people currently running the old technology systems...

welch@cis.ohio-state.edu
Arun Welch, Lisp Systems Programmer, Lab for AI Research, Ohio State University

------------------------------

Date: Tue, 27 Oct 92 17:56:46 GMT
From: Robert.Allen@eng.sun.com (Robert Allen)
Subject: Cellular reception equipment banned by Congress

For some time, since the Electronics Communications Privacy Act was passed, it has been a Federal crime in the U.S. to listen to communications carried out over cellular telephone. Only a handful of people have been prosecuted, mostly cases where someone has taped a politician talking about things (sometimes illegal things) over a cellphone and passed the tape on to the media.

More recently, manufacture and import of devices capable of receiving cellular transmissions have been banned by the FCC. Naturally this has resulted in a run on radios which are 800MHz capable, or which can be easily modified to be so capable. The reason for the ban on both listening and making equipment capable of listening is that the cellular phone lobby wants to be able to assure their potential customers of privacy.
Comments about fascist gov't aside, the risks should be obvious: if people assume that a medium is secure, when in fact it is not only NOT secure, but is rather heavily monitored, they are likely to say things they don't mean, or which shouldn't be (literally) broadcast. Currently the police use cellphones extensively, as do drug dealers.

Court cases have stated that cordless phones (the type which talk to the base-set in your house) are *not* protected under the ECPA, and may be legally monitored, although there is reportedly a law in CA which makes it illegal to do so. In at least one case police have monitored communications on a cordless phone, with a readily available scanner, and have used evidence so gathered to prosecute an individual for drug related crimes.

Another interesting note is that the law specifically prohibits "scanning receivers" which are, or may be made, cellular capable. How this affects test equipment, non-scanning receivers, other cellphones, etc., remains to be interpreted by a court.

Here is the partial text of the law.

Robert Allen, rja@sun.com

  Article 2202 of alt.radio.scanner:
  From: walsh@optilink.UUCP (Mark Walsh)
  Newsgroups: alt.radio.scanner
  Subject: Section 408, was "Scanner Bill"
  Date: 21 Oct 92 17:24:33 GMT

  SEC. 408. INTERCEPTION OF CELLULAR COMMUNICATIONS.

  (a) AMENDMENT -- Section 302 of the Communications Act of 1934 (47 USC 302) is amended by adding at the end the following new subsection:

  "(d)(1) Within 180 days after the date of enactment of this subsection, the Commission shall prescribe and make effective regulations denying equipment authorization (under part 15 of title 47, Code of Federal Regulations, or any other part of that title) any scanning receiver that is capable of --

    "(A) receiving transmissions in the frequencies allocated to the domestic cellular radio telecommunications service,
    "(B) being readily altered by the user to receive transmissions in such frequencies, or
    "(C) being equipped with decoders that convert digital cellular transmissions to analog voice audio.

  "(2) Beginning 1 year after the effective date of the regulations adopted pursuant to paragraph (1), no receiver having the capabilities described in subparagraph (A), (B), or (C) of paragraph (1), as such capabilities are defined in such regulations, shall be manufactured in the United States or imported for use in the United States."

  Mark Walsh (walsh@optilink) -- UUCP: uunet!optilink!walsh

------------------------------

Date: Tue, 27 Oct 92 08:55:33 EST
From: denning@cs.cosc.georgetown.edu (Dorothy Denning)
Subject: Re: 15th National Computer Security Conference in RISKS DIGEST 13.87

In response to my earlier message about registering encryption keys, some people have asked how I can be sure that criminals won't use non-registered keys. I don't have a foolproof answer, but consider phone calls. Most people who want to encrypt will buy a commercial product with a built-in key. The key could be registered when the product is bought. Yes, there could be a black market in non-compliant products, and the likelihood of that increases every day that we fail to take action on this issue.

Peter Boucher also asked about the benefits of registering keys with a federal agency.
After discussing this problem with law enforcement officials and criminologists, I am convinced we are facing a potential crisis in law enforcement if we lose the capability to conduct court authorized taps. The economic value alone of conducting lawful electronic surveillance is estimated in the billions. Much of this is related to organized crime.

Larry Hunter asked how can we be sure that the key centers won't collude with the Department of Justice and give out the key. If the relationship between the phone companies and DOJ is any indication, this won't happen. The folks at the phone companies are so fussy about court orders that they send them back if the semicolons aren't right. And don't forget that even if the key center (which I envisioned as a non-governmental agency) and DOJ collude, they still need to get the bit stream from the phone companies.

But if this doesn't satisfy you, Silvio Micali has an even tighter scheme that would allow your private key to be broken up into five pieces and shared with 5 trustees. All five pieces would be needed to restore the key, but the pieces could be verified as allowing proper restoration without the need to actually put them together. He calls this "fair public-key cryptosystems."

Dorothy Denning

------------------------------

Date: Tue, 27 Oct 92 16:08:31 -0500
From: Peter Wayner
Subject: Re: (Denning, RISKS-13.86)

>1) Can you trust the criminals to provide the keys to their data and to use
>   those keys (and no others) when transmitting incriminating data? If not,
>   what's the point?

Actually, my favorite solution to this criminal problem is to use a one-time pad. Then it is possible to come up with two keys. One that decrypts the conversation into a benign one and one that decrypts it into the real message. For instance:

  Message:     P  L  U  T  O  N  I  U  M  R  E  A  D  Y
  Key # 1:     1  4 10  5  7  8 12 19  4  3 10 19 21 10
  Crypttext:   Q  P  E  Y  V  V  U  N  Q  U  O  T  Y  I
  Key # 2:    10 24  0 24  2 19 13 25 14  6  3 19  5  4
  Message 2:   G  R  E  A  T  C  H  O  C  O  L  A  T  E

So the criminals send key #1 to their cohorts and register key #2 with the Federal Key Exchange Registry. When the cops bug the line all they hear about is the stories about their trip to Hershey PA.

Of course non-one-time-pad systems can't work this way. DES can't be rigged this way.

-Peter Wayner

------------------------------

Date: Thu, 29 Oct 92 14:55:51 EST
From: li@oracorp.com
Subject: Re: (Denning, RISKS-13.86)

In RISKS-13.87 a few people expressed concern about how one could trust a single "independent" agency and whether such an agency exists or could ever be formed. It seems that Prof. Denning's scheme could be easily extended to use threshold schemes (including threshold signature schemes) so that such trust is spread among many (and perhaps mutually hostile) agencies to reduce the chance of corruption and collusion.

Li GONG, ORA Corp., Ithaca, NY 14850

------------------------------

Date: 27 Oct 92 21:10:14 GMT
From: cme@ellisun.sw.stratus.com (Carl Ellison)
Subject: Re: 15th National Computer Security Conference (RISKS-13.86)

>I believe this scheme is pretty tight. Silvio Micali has evidently invented
>another method of safeguarding the keys in a registry, called "fair
>cryptography", but I don't know the details.
>                                                        Dorothy Denning

The scheme is not tight. This assumes that the Executive branch:

  1. has a right to eavesdrop on citizens
  2. can be trusted not to exceed its authority

If you assume that the government agencies are those of the Nixon Administration -- or worse, those which we would have had if Watergate hadn't been exposed -- you need a much tighter protocol to prevent abuses.
You need to specify the characteristics of the key agency and the key acquisition process so that even if the Executive branch is completely corrupt, the rights of the citizens are protected. You should probably also allow for the possibility of collusion by the Supreme Court, given what we've seen in recent years.

So, how about a protocol in which approval of all three branches of government -- and probably both the House and Senate -- hopefully with a majority vote in each -- is needed for each specific key -- or better yet, for each message in each key? Let those branches cooperate in decrypting the session key for a message and let them deliver the decrypted message (or session key) to the FBI.

If that were part of the protocol, then I'd believe that you're getting close to the kind of protection which US citizens deserve.

Of course, the proper solution is an amendment to the Constitution guaranteeing a right to privacy for all citizens -- probably prohibiting all wiretaps, in the process. I'm told that the State of Alaska has a guaranteed right to privacy. If that's true, are wiretaps allowed on calls within the state?

Carl Ellison, Stratus Computer Inc, 55 Fairbanks Boulevard; Marlborough MA 01752-1298
cme@sw.stratus.com  (508)460-2783  FAX: (508)624-7488

------------------------------

Date: Tue, 27 Oct 92 09:58:31 CST
From: mattair@sun44.synercom.hounix.org (Charles Mattair)
Subject: Re: Denning, RISKS-13.86

Given the attitude of the FBI/NSA/DEA/et al., as to warrantless searches, the ability of NSA to tap most communications without the service providers' knowledge and the current circus of everybody investigating everybody WRT Iraqgate, I fear Ms. Denning places a little too much trust in the trustworthiness of the Federal Government.

Incidentally, she appears to overlook the risk after step 3: my key, in plaintext, is available to anybody with access to the paperwork for the triggering investigation. Furthermore, given the propensity of the Federales to engage in "shotgun" type investigations - witness Operation Sun Devil - my crypto security may be compromised for completely fallacious reasons.

Charles Mattair  mattair@synercom.hounix.org

------------------------------

End of RISKS-FORUM Digest 13.88
************************
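Editorial addendum (added here; not part of the digest or any contributor's post): a Python reproduction of Peter Wayner's one-time-pad table above, showing why a key "registered" for a one-time-pad message proves nothing about what was sent. The forge_key function derives the second key from the ciphertext and any cover text of equal length; it generalises Wayner's single table to any message/cover pair. The letter-number convention (A=0, addition mod 26) is inferred from his figures.

```python
"""One-time-pad key forgery, as worked in Peter Wayner's RISKS-13.88 post.

With a one-time pad every plaintext of the same length is consistent with
some key, so a registered key commits the sender to nothing: given the
ciphertext and any cover message, the "registered" key falls out by
subtraction. Added illustration, not code from the digest.
"""

ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZ"


def _to_nums(text):
    """Map letters to 0..25 (A=0), ignoring spaces, as in Wayner's table."""
    return [ALPHABET.index(c) for c in text.upper().replace(" ", "")]


def _to_text(nums):
    return "".join(ALPHABET[n % 26] for n in nums)


def otp_encrypt(plaintext, key):
    """Letter-by-letter addition mod 26. The key must cover the message."""
    p = _to_nums(plaintext)
    if len(key) < len(p):
        raise ValueError("key shorter than message")
    return _to_text((m + k) % 26 for m, k in zip(p, key))


def otp_decrypt(ciphertext, key):
    """Inverse of otp_encrypt: subtraction mod 26."""
    c = _to_nums(ciphertext)
    if len(key) < len(c):
        raise ValueError("key shorter than message")
    return _to_text((x - k) % 26 for x, k in zip(c, key))


def forge_key(ciphertext, cover_plaintext):
    """Return the key that decrypts `ciphertext` to `cover_plaintext`.

    Decryption is c - k (mod 26), so the key is simply c - cover. Any cover
    text of equal length works, which is exactly why a registered OTP key
    gives an escrow agency no assurance about the real message (and why, as
    Wayner notes, a fixed-key cipher such as DES cannot be rigged this way).
    """
    c = _to_nums(ciphertext)
    cover = _to_nums(cover_plaintext)
    if len(c) != len(cover):
        raise ValueError("cover text must match ciphertext length")
    return [(x - m) % 26 for x, m in zip(c, cover)]


# Wayner's worked values, copied from the post above.
MESSAGE = "PLUTONIUMREADY"
KEY_1 = [1, 4, 10, 5, 7, 8, 12, 19, 4, 3, 10, 19, 21, 10]
COVER = "GREATCHOCOLATE"
KEY_2_FROM_POST = [10, 24, 0, 24, 2, 19, 13, 25, 14, 6, 3, 19, 5, 4]


def check_wayner_example():
    """Reproduce the table and confirm key #2 is the forged key."""
    ciphertext = otp_encrypt(MESSAGE, KEY_1)  # "QPEYVVUNQUOTYI"
    forged = forge_key(ciphertext, COVER)
    return {
        "ciphertext": ciphertext,
        "forged_key_matches_post": forged == KEY_2_FROM_POST,
        "registered_key_decrypts_to": otp_decrypt(ciphertext, forged),
        "real_key_decrypts_to": otp_decrypt(ciphertext, KEY_1),
    }


if __name__ == "__main__":
    for name, value in check_wayner_example().items():
        print(f"{name}: {value}")
```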