University of Bielefeld - Faculty of Technology
Networks and Distributed Systems
Research group of Prof. Peter B. Ladkin, Ph.D.
This page was copied from: http://catless.ncl.ac.uk/Risks/17.21.html |
ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator
On 10 July 1995, Simson Garfinkel gave me a copy of *The New York Times* Op-Ed page from that day's National Edition. The page was mostly blank, with a nicely black-boxed obit-like message:
------------------------------------
|                                  |
|          TO OUR READERS          |
|                                  |
| Because of a computer breakdown, |
| some copies of The Times were    |
| printed without the Op-Ed page.  |
|                                  |
------------------------------------

Yes, I know, the page was there; it was the Ob-Ed contents that were a No-Op.
In suburban Chicago, the main computer used by air-traffic controllers for the busy midsection of the United States was out of service Monday, for the third time in a week. [The good news is that the really archaic backup system still works, although there is some disagreement over how safe it is. The main computer system is now 30 years old.]
The control system in Aurora, Illinois, handles almost 10 thousand passing flights a day, and despite the shut-down Monday, most airline passengers were burdened by only minor delays.
[Source: Paul Francuch, Voice of America, 24 Jul 1995, 10:04 PM EDT]
Airport Surveillance Radar 9 (ASR9) was supposed to be extremely reliable. ASR9s operating at Miami International Airport and Fort Lauderdale-Hollywood International Airport have failed a total of 13 times since 24 May 1995 - six times in the week of 17 July. (On 20 July, for example, the Fort Lauderdale ASR9 was down nearly five hours, following a lightning storm.) ASR9s have also failed at others of the 101 airports where it has been deployed.
While the Federal Aviation Administration maintains that passenger safety is not compromised, the agency now acknowledges that it no longer considers ASR9 nearly as reliable as it once did. Jerry Taylor, FAA radar program manager, said Friday his agency now rates ASR9 reliable only 99.35 percent of the time (instead of the originally advertised 99.99 percent). [That is .65 unreliability instead of .01, off by a factor of 65.]
Although the antenna may be operating, a break in a telephone line could prevent a radar screen from displaying data essential for tracking planes.
Down time is a significant issue in the Miami-Fort Lauderdale area because the twin ASR9 radars rely on each other for backup. When Miami fails, controllers switch to Fort Lauderdale and vice versa. Were the two systems to fail simultaneously (they haven't yet), they could put aircraft at risk. (There is no third backup.)
The Cleveland Plain Dealer, which exposed ASR9 problems in articles in late 1993, said the Huntsville ASR9 sustained 42 outages between January 1990 and December 1993, totaling 130 hours of down time.
The worst string of outages, the newspaper said, occurred at the Tri-Cities Airport in Pasco, Wash., where the ASR9 had been down a total of 3,545 hours or an average of 1,181 hours or 49 days a year.
Airport after airport was listed by the Plain Dealer as showing outages, glitches or failures. Glitches included phantom planes, real planes that vanished from screens and frequent outages.
Separately, in June 1992, Aviation Daily reported major ASR9 snafus at the St. Louis Lambert Airport.
And Friday, The Tampa Tribune reported that Tampa's ASR9 is also glitch-ridden because it has a tendency to miss storms.
In some cases, problems have been traced to software glitches or to lightning like the Fort Lauderdale case Thursday. John Dunkerly, president of the Harrisburg, Pa., chapter of the National Air Traffic Controllers Association, told the Plain Dealer it was his view the ASR9 "was vulnerable to lightning." Officials in Cleveland and Detroit also expressed the same complaint.
[Source: MIA's radar falls short of promise, But passengers are safe, FAA says by Alfonso Chardy, Herald Staff Writer, _The Miami Herald_, 24 June 1995, P.1. Stark abstracting by PGN.]
[A side box notes that a modification ``adds a computer chip to the radar computer to prevent the system from receiving `erroneous messages'.'' (Hopefully, this won't result in ignoring ERROR messages!) In general, this case seems to have many risky elements - backups dependent on one another, system dependencies on sub-systems (e.g. phone, power lines) that may not be as reliable or fail-safe as the radar product itself, and the fact that the ``caretakers'' of the system (FAA) may not be taking a ``total customer satisfaction'' approach to solving the system's problems.]
Charles P. Schultz, Motorola

The father of a friend of mine is a retired US Air Force transport plane pilot, having flown such planes as C5's and C141's. Last weekend my friend mentioned that his father sometimes flew for 20 hours at a stretch.
"They take turns sleeping, don't they?" I asked.
"Sometimes they just turn the autopilot on. It rings an alarm before course corrections during the flight, so they can wake up and make sure that it is working right."
"But what if the autopilot screws up while they are asleep?"
"How could that happen? They have _five_ computers on board!"
This filled me with confidence to know that the sheer number of computers in the autopilot gives Air Force pilots the tranquillity they need to get a good night's sleep while their plane flies itself across the ocean...
Mike Crawford Mike_Crawford@QuickMail.Apple.Com

[from efc-talk, January 7, 1995, updated July 26, 1995]
Bad cop abuses access to personal computer data
"If we, just by fluke at guessing the dates to check,
found three records called up in an unauthorized manner,
just how much more is there? It's very scary."
--- Kim Zander, "Every Woman's Health Centre"
(an abortion clinic in Vancouver, BC)
In August, 1994, several clinic staff received phone calls or mail from anti-abortion activists. They found this rather unsettling, because they'd made a point of trying to keep personal information like address or telephone numbers private.
This concern led them to the police, to whom they explained that anti-abortion activists were recording license plate numbers outside the clinic and apparently using them to track down personal information ... but the police didn't seem to do much.
In September, 1994, Gordon Watson, a prominent local anti-abortion activist, stated while on the stand in a court hearing that he had gathered license plate numbers in order to "follow up on them" and he "paid good money" to get personal information about the car owners. When clinic staff asked the Crown counsel and police to investigate, they were told, "Give us two weeks."
After two months of hearing nothing, the women filed a freedom-of-information request on November 15th with the Insurance Corporation of British Columbia (ICBC maintains all auto insurance and registration) seeking to find out who had been accessing their personal records. They provided 8 of their license plate numbers to be checked.
The ICBC information officer explained that while daily access logs were kept, accesses were not recorded in the personal records themselves. Without specific dates to check, finding out who accessed their records would be next to impossible.
So the women just guessed, based on when they'd been contacted.
Those were lucky guesses. On December 6th, the information officer said that 3 out of 8 records had been accessed, and those accesses were suspicious, so he'd contacted the RCMP. The accesses originated in the Delta police department, in a suburb of Vancouver.
Any cheers for the power of the FOI legislation must be tempered by the fact that the RCMP apparently sat on this issue for another month until, frustrated after what was now four months with no signs of an investigation, the women contacted the media.
Apparently, it was media inquiries that sparked some action. On January 5th, the RCMP informed the Delta police that potentially inappropriate computer accesses were coming from their department. Constable Steve Parker, whose anti-abortion views were well known, was now under a cloud of suspicion. The very same day, all Canadian TV networks ran news stories on the situation.
[efc-talk, update, July 26, 1995]
Officer admits to improper use of police computer
(excerpt from Canadian Press wire service:)
DELTA, B.C. (CP) -- A police officer acknowledged yesterday that he acted improperly when he used a police computer to check the licence plates of cars parked outside a Vancouver abortion clinic.
Steve Parker of the Delta police force was charged with discreditable conduct under the Police Act and faces a maximum penalty of a five-day suspension without pay.
From PLS_MCI_MAIL FWD>>Warning on Using Win95
Date: 6/26/95 8:44 PM
From: jbreyer@accel.com
Subject: Warning on Using Win95 [Update on RISKS-17.13 item]
Believe it or not, this is not Net humor but serious. It would otherwise be outstanding satire!
Subject: Windows 95 Warning on comp.risks [RISKS-17.13], in Information Week
Microsoft officials confirm that beta versions of Windows 95 include a small viral routine called Registration Wizard. It interrogates every system on a network gathering intelligence on what software is being run on which machine. It then creates a complete listing of both Microsoft's and competitors' products by machine, which it reports to Microsoft when customers sign up for Microsoft's Network Services, due for launch later this year.
"In Short" column, page 88, _Information Week_ magazine, May 22, 1995

The implications of this action, and the attitude of Microsoft to plan such action, beggars the imagination.
An update on this. A friend of mine got hold of the beta test CD of Win95, and set up a packet sniffer between his serial port and the modem. When you try out the free demo time on The Microsoft Network, it transmits your entire directory structure in background.
This means that they have a list of every directory (and, potentially every file) on your machine. It would not be difficult to have something like a FileRequest from your system to theirs, without you knowing about it. This way they could get ahold of any juicy routines you've written yourself and claim them as their own if you don't have them copyrighted.
Needless to say, I'm rather annoyed about this. So spread the word as far and wide as possible: Steer clear of Windows 95.
There's nothing to say that this "feature" will be removed in the final release.
[GML addition: Prodigy was accused of doing something similar several years ago. In that case it was not nearly as threatening due to: 1) it was limited to a single PC, 2) Prodigy couldn't do much with the info (i.e. they could not pursue you for copyright infringement, nor were they trying to expand into so many businesses the way Microsoft is).]
I have to object to the inference that the woman was somehow electrocuted because she was using a card key lock.
For those familiar with the VingCard system, there is NO WAY the woman could have been electrocuted by the lock itself, as the card key is (nonconductive) plastic. The woman was likely electrocuted when she grabbed the metal doorknob.
If a faulty A/C caused the problem by causing the door to acquire a charge (obviously a metal door), she would have been electrocuted even if the hotel had used a conventionally keyed door lock (and would have most likely been zapped when she inserted the key into the lock).
An additional issue is the fact that most hotels have metal door frames (to make it more difficult for a door to be kicked in), meaning that mere contact with the door FRAME would most likely have been fatal.
William Kucharski kucharsk@drmail.dr.att.com
[also commented further on by various others, including Jim Garrison <jhg@acm.org>, and Dan Hoey <hoey@AIC.NRL.Navy.Mil>, who added (among other things), This is the hotel that hosted the Disclave science fiction convention from 1984 to 1991, and so this incident was much on the minds of the Washington Science Fiction Association at its meetings last month. ... I suppose it could be considered a technological risk that the use of card-key entry systems has led to grounded doorknobs. Dan Hoey PGN]
From the German Press Agency news wire via CompuServe's Executive News Service; translated by MK with the help of Power Translator Deluxe 1.0 from Globalink Inc:
Mini - Robots should make possible long-distance operations
Karlsruhe (German Press Agency) - scientists from Karlsruhe have developed a Mini-robot which will enable remote surgery. The prototype has been built by the university and the research center at Karlsruhe. These so-called "Mikromanipulationsroboter" are about ten centimeters long and eight centimeters broad and high.
The robot would be inserted in the field of operations and would allow specialists from anywhere in the world to participate. The computer-controlled instrument can make controlled movements with a precision of a few microns.
It may lead to the construction of extremely small robots that could swim through the veins of a person and, for example, remove plaque in atherosclerotic arteries.
[Comments from MK:
Unless due attention is paid to protecting the data stream controlling these devices, there will be direct human tragedy as a result of data errors, radio-frequency interference, and from meddling by criminal hackers.
Can someone in the Karlsruhe area investigate the security measures being put in place to protect surgical microbots from such interference?]
M.E. Kabay, Ph.D. / Dir. Education, Natl Computer Security Assn (Carlisle, PA)

[>From owner-cypherpunks@toad.com Tue Jun 20 21:16:51 1995]
>I wish I remember the title or author of the paper. Anyway, such
>things leave me with the distinct impression that Internet gambling
>is no less feasible than any other kind of electronic commerce.
>
>Andrew Koenig ark@research.att.com
The quote is from the MIT Technical Report _Mental Poker_ by none other than Adi Shamir, Ronald L. Rivest, and Leonard M. Adleman (MIT-LCS-TM-125, February 1979, about the same time they announced their RSA public key cryptoscheme). This was the seminal paper for the problem of playing poker without a card deck over the telephone (or Internet), related to many other network protocols, such as oblivious transfer.
I have the actual MIT report, but it was also reprinted in _The Mathematical Gardner,_ edited by David A. Klarner, Wadsworth, 1981. The original RSA's protocol (later compromised, see below) is also described in Wayne Patterson's book _Mathematical Cryptology_.
RSA attributed the question: _Is it possible to play a fair game of ``Mental Poker''?_ to Robert W. Floyd. However Heisenberg mentions in his memoirs that Niels Bohr invented mental card games during a boring ski trip and tried without success to write protocols for them.
The protocol originally proposed in the RSA paper was shown to be insecure by Don Coppersmith ("Cheating at Mental Poker") and by Ron Lipton (How to Cheat at Mental Poker, _Proceedings of the AMS Short Course in Cryptography_, AMS, January 1981). Lipton found a way to determine one bit about the messages using the fact that exponentiation mod n preserves quadratic residuosity.
A secure protocol for only two players based on probabilistic encryption was proposed by Shafi Goldwasser and Silvio Micali (Probabilistic Encryption & How to Play Mental Poker Keeping Secret All Partial Information. In _Proceedings of the 14th Annual ACM Symposium on the Theory of Computing (STOC)_, ACM-SIGACT, San Francisco, 1982, 365--377). This too was a seminal paper on probabilistic encryption.
There are many variations on mental poker protocols for more than 2 players; you may or may not have a "card dealer", trusted by all other players; allow for collusion among some players. More papers on more than 2 players:
Mordechai Yung. _K-Player Mental Poker_. Master Thesis, Tel-Aviv U., 1982.
Mordechai Yung. Cryptoprotocols: Subscription to a Public Key, The Secret Blocking, and the Multi-Player Mental Poker Game (extended abstract). In _Advances in Cryptology: Proceedings of Crypto '84_, Lecture notes in Computer Sciences #196, Springer Verlag, 1985, 439--453.
The paper by Imre Bárány, Zoltán Füredi, Mental Poker with Three or More Players, _Information and Control_, v.59, 84--93, 1983, claims that a similar problem for mental bridge was stated and partially solved by D. Grigor'ev and Yu. Matiyasevich, but apparently not published in open literature.
Steven Fortune and Michael Merritt, Poker Protocols, in _Crypto '84_, 454--464, also describe the history of mental card games.
Claude Crépeau. A Secure Poker Protocol That Minimizes the Effect of Player Coalitions. In _Crypto '85_, 73--86.
Claude Crépeau. A Zero-Knowledge Poker Protocol That Achieves Confidentiality of the Players' Strategy _or_ How to Achieve an Electronic Poker Face. In _Crypto '86_ 240--247.
(The above paper is closely related to Gilles Brassard and Claude Crépeau, Zero-Knowledge Simulation of Boolean Circuits, and to Gilles Brassard, Claude Crépeau, and Jean-Marc Robert, All-or-Nothing Disclosure of Secrets, also in _Crypto '86_. In the last protocol the players are not required to reveal their cards at the end of the game to show that they didn't cheat.)
Finally, the extended abstract by Oded Goldreich, Silvio Micali and Avi Wigderson (How to Play Any Mental Game, or: A Completeness Theorem for Protocols with Honest Majority, In _Proceedings of the 19th Annual ACM Symposium on the Theory of Computing (STOC)_, ACM-SIGACT, 1987, 218--229) mentions a general solution for _any_ such mental game.
Conclusion: the effort is not small-scale, rather old, many important papers in cryptography had to do with mental poker, and the subject seems to have been beaten to death. There are protocols now that don't require a "trusted dealer".
[Maybe, but SOME trustworthy operating systems are needed, as I commented in my "infostructure" insertum in RISKS-17.19 -- or else the crypto could be compromised. PGN]
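The Lipton attack mentioned in the message above, as an added worked example (this code is not part of the original post or of any of the papers it cites): a toy version of the RSA-paper style commutative-exponentiation protocol over a shared prime, followed by the eavesdropper's residuosity test. The modulus P, the random card encodings, the deck size and all function names are assumptions made for the example. The point it shows is that the Legendre symbol of c^e mod p equals that of c whenever e is odd, and e is always odd here because it must be coprime to the even number p-1; so anyone who sees the shuffled, encrypted deck can tell for each ciphertext which half of the public card encodings it came from. The last part shows that restricting the encodings to quadratic residues closes this particular bit (it does not, by itself, make the protocol secure).

```python
import math
import random

# Shared prime for the toy game. Assumption: any large prime works; 2**61 - 1 is
# a Mersenne prime chosen only so the example runs instantly.
P = 2**61 - 1


def legendre(a: int, p: int) -> int:
    """Legendre symbol (a/p) by Euler's criterion:
    1 if a is a quadratic residue mod p, -1 if a non-residue, 0 if p divides a."""
    r = pow(a % p, (p - 1) // 2, p)
    return -1 if r == p - 1 else r


def sra_keypair(p: int, rng: random.Random) -> tuple[int, int]:
    """Commutative-exponentiation key: e coprime to p-1, d = e^-1 mod p-1.
    Since p-1 is even, every valid e is odd; that is the property Lipton exploits."""
    while True:
        e = rng.randrange(3, p - 1)
        if math.gcd(e, p - 1) == 1:
            return e, pow(e, -1, p - 1)


def sra_encrypt(m: int, e: int, p: int) -> int:
    return pow(m, e, p)


def sra_decrypt(c: int, d: int, p: int) -> int:
    return pow(c, d, p)


def make_deck(p: int, rng: random.Random, size: int = 52) -> list[int]:
    """Public card encodings as arbitrary values mod p (assumed encoding)."""
    return [rng.randrange(2, p - 1) for _ in range(size)]


def make_qr_deck(p: int, rng: random.Random, size: int = 52) -> list[int]:
    """Encodings that are all quadratic residues (squares), so the symbol carries no information."""
    return [pow(rng.randrange(2, p - 1), 2, p) for _ in range(size)]


def shuffle_and_encrypt(deck, e, p, rng):
    """Alice's first move: encrypt every card under her key and shuffle the ciphertexts."""
    enc = [sra_encrypt(c, e, p) for c in deck]
    rng.shuffle(enc)
    return enc


def lipton_candidates(deck, ciphertexts, p):
    """Eavesdropper's view. The symbol of c^e equals the symbol of c for odd e, so each
    ciphertext can only be one of the plaintext cards with the same symbol."""
    by_symbol = {1: [], -1: []}
    for c in deck:
        by_symbol[legendre(c, p)].append(c)
    return [by_symbol[legendre(x, p)] for x in ciphertexts]


def demo(seed: int = 1) -> dict:
    rng = random.Random(seed)
    ea, da = sra_keypair(P, rng)
    eb, _ = sra_keypair(P, rng)
    deck = make_deck(P, rng)

    # Sanity: decryption works and encryption commutes (what the protocol relies on).
    round_trip = all(sra_decrypt(sra_encrypt(c, ea, P), da, P) == c for c in deck)
    commutes = all(sra_encrypt(sra_encrypt(c, ea, P), eb, P)
                   == sra_encrypt(sra_encrypt(c, eb, P), ea, P) for c in deck)

    # The leak: the Legendre symbol survives encryption for every card.
    symbol_preserved = all(legendre(sra_encrypt(c, ea, P), P) == legendre(c, P) for c in deck)

    ct = shuffle_and_encrypt(deck, ea, P, rng)
    cands = lipton_candidates(deck, ct, P)
    worst_case = max(len(s) for s in cands)  # below 52 whenever both classes occur in the deck

    # Mitigation for this particular bit: residue-only encodings, every symbol is 1.
    qr_deck = make_qr_deck(P, rng)
    qr_cands = lipton_candidates(qr_deck, shuffle_and_encrypt(qr_deck, ea, P, rng), P)
    qr_worst_case = max(len(s) for s in qr_cands)  # equals the deck size: nothing learned

    return {
        "round_trip": round_trip,
        "commutes": commutes,
        "symbol_preserved": symbol_preserved,
        "deck_size": len(deck),
        "max_candidates_plain": worst_case,
        "max_candidates_qr": qr_worst_case,
    }


if __name__ == "__main__":
    print(demo())
```

Running `demo()` reports that every ciphertext in the plain deck is narrowed to roughly half the cards without any key material, while the residue-only deck gives the observer nothing from this test; Lipton's other observations (using other subgroups of the multiplicative group) are not covered by this one fix.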
[fair game of telephone poker algorithm]
Bruce Schneier's book, _Applied Cryptography_, describes this algorithm (if my memory doesn't fail me). A very good read, even if one is not involved in cryptography.
Andy Isaacson irc:drewd isaac31@sebeka.polaristel.net

Several messages in Risks have reported supposed problems with TCAS II (airborne collision avoidance system) that rumor said had led to near misses. I thought it might be helpful for us to hear the other side occasionally and see the positive side of technology. Vivek Ratan found this on misc.news.southasia:
Bombay, Jul 23 (PTI) Three cases of "air misses" involving Air India Boeing 747 over Tehran air space have prompted the Indian civil aviation authorities to take up the matter with Iranian aviation officials. In a recent communication to the civil aviation administrator in Tehran, the director of civil aviation (DGCA), Mr H S Khola, pointed out three instances which had occurred on December 14, 1994, January 6 and May 27 last. In all the three cases, the commanders were alerted by the traffic collision avoidance system (TCAS), fitted on the aircraft, and accordingly took evasive action well in time to avoid near disasters.

In the December incident, the incoming flight from Toronto (AI 184) via London narrowly missed a Balkan air aircraft (flight No 8605) at 27,000 feet near a point called "Zanjan" which comes under Tehran flight information range (FIR). The Air India commander was reported to have visually sighted the aircraft. In the second case, Air India's flight (AI 159) to Paris narrowly missed an Air Lanka flight (UL 549) near "Tabrij" at 35,000 feet. Alerted by TCAS warning followed by visual sighting, the aircraft descended to avoid any collision. In the May 1995 incident, the London bound flight (AI 111) received TCAS warning near "Isfahen" again at 35,000 feet with another aircraft at close proximity. The commander descended to avoid any collision.
[Attributed to S.Ramani. PGN]
I was somewhat surprised to get a postcard in the mail on Monday, July 24, from Bell Atlantic, my local phone company. It notified me that my area code was changing from 703 to 540, provided me with some little stickers to put on the phones, encouraged me to re-program and notify everything and everybody... and mentioned that the effective date was July 15th. The postcard had been mailed on July 21st.
After several minutes of serious grumbling, I called the 800-number mentioned on the postcard, intending to whine very loudly. It was busy, and remained so for the rest of the afternoon. The local business office number rang busy most of the afternoon, but I managed to get through on about every fifth call, and after seven or eight attempts to launch myself through the voice-mail system (which was also generating internal busies!), finally reached a human being. Who informed me that the notification had erroneously gone out to the wrong set of people, the customers (residential and business) whose area code would /not/ be changing.
I noted, before ending the conversation, that mailing out the announcement first class, to the wrong customers, a week after the effective date, was unlikely to win any Good Management awards for TPC.
The computer risk seems obvious, that we have the power to cause vast disruptions to people and systems on an almost casual basis. In "the good old days," people would have looked at the labels after testing the program and verifying the counts. Today, someone entered a command into a DBMS front-end and went home for the weekend, secure in the knowledge that automated systems would carry through the instructions without intervention. As they appear to have done, last Friday.
Here's the official Bell Atlantic press release for the incident. I figure it cost them at least twenty cents per postcard, around $100,000, just to make the mistake; and that it will probably cost them another dime or so per customer to sooth things over (if it's done with a simple bill enclosure on the next cycle).
FOR IMMEDIATE RELEASE, JULY 24, 1995
Contact: Paul Miller, 804-772-1460, 800-491-0190 (Va. only)

'703' CUSTOMERS GET '540' NOTICE IN ERROR
RICHMOND, VA -- Bell Atlantic misdirected some 388,000 post cards, introducing the new 540 area code, to its customers in the northern Virginia suburbs of Washington. The cards were supposed to have gone to '540' customers in the western part of the state.
The misdirected cards apparently were received by residential and business customers throughout northern Virginia's 703 area code. Bell Atlantic officials suspect the mistake stems from a programming error.
The 540 area code stretches from Lee County in southwestern Virginia northeast through Roanoke and the Shenandoah Valley to Winchester and east to Fredericksburg.
The revised 703 area code includes the counties of Arlington, Fairfax, Prince William and eastern Loudoun (to include Leesburg) and the cities of Alexandria, Falls Church and Fairfax.
Title: The minister, the mints, and the net with a hole big enough to let in a hacker.
Author: Radford, Tim.
In: The Guardian, Dec 8, 1994, 1, 10:4. Abbrev. title: MG. ISSN: 0261-3007.
Availability: UMIACH C9013.00. Article length: medium (6-18 col inches). Article type: News.
Abstract: On Dec 7, 1994, it was revealed that just minutes after the UK government formally joined the Internet in November, the Office of Public Service and Science became the victim of a hacker. The hacker redesigned several pages of the office's system.
Subjects: Office of Public Service & Science-UK; United Kingdom; UK; Computer crime; Internet; Government agencies
Record no.: (UnM)new03307699
by Michael Blume