The Risks Digest

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Volume 13 Issue 88

Thursday 29 October 1992

Contents

o London Ambulance Service
Brian Randell
Trevor Jenkins
o Structural Failure, Product Liability, Technical Insurance
Hermann Haertig
o Information America (database risks)
Jan Wolitzky
o Interesting/obscure interaction between users -- shared mem resources
David A. Honig
o NSF Net cable-cut story is bogus
Doug Humphrey via John G. Scudder
o Re: Risks in Banking, Translation, etc.
Arun Welch
o Cellular reception equipment banned by Congress
Robert Allen and Mark Walsh
o Re: Encryption keys
Dorothy Denning
Peter Wayner
Li Gong
Carl Ellison
Charles Mattair
o Info on RISKS (comp.risks)

London Ambulance Service

<Brian.Randell@newcastle.ac.uk>
Thu, 29 Oct 1992 12:38:36 GMT
The top news item in the UK last night on the main BBC television news
programmes, and this morning in the national papers, was the trouble at the
London Ambulance Service, in particular with their computer-based ambulance
dispatching system. (These problems have featured on RISKS before.  [Yes,
RISKS-13.38, 42, 43]) However previous complaints, warnings and campaigns about
delayed ambulance dispatching had had little effect, so that the situation has
been allowed to reach a crisis point, with what sound to be credible reports of
a number of deaths being caused this week as a result of introducing the latest
stage of computerization. No doubt many more stories will follow, but below is
the entirety of the front page report in today's Independent.  Brian Randell


  AMBULANCE CHIEF QUITS AFTER PATIENTS DIE IN COMPUTER CRASH
  By Ian MacKinnon and Stephen Goodwin

  The Chief executive of the London Ambulance Service resigned yesterday over
allegations that up to 20 people may have died because of the collapse of a new
computer system controlling emergency calls.  Virginia Bottomley, Secretary of
State for Health, was forced to announce an external inquiry into the 36 hours
over Monday and Tuesday which led to delays of up to three hours in ambulances
arriving.

Nupe, the public employees' union which represents ambulance staff, said that
the resignation of John Wilby was recognition of management failure, but the
Government was to blame for years of underfunding.  Mrs. Bottomley's response
to the "teething troubles" with the £1.5m computer system introduced in stages
since January drew angry responses from both backbenches.  David Blunkett,
Labour health spokesman, demanded that outside managerial expertise be brought
in and accused Mrs. Bottomley of failing to respond to the clear signs of
crisis which has been building up for months.

Despite union warnings management brought the computer-aided dispatch system
fully on stream at 3 a.m. on Monday giving cross-London coverage for the first
time.  The capital had been divided into three sectors - south of the Thames,
north-east and north-west - with teams sending ambulances in their area by a
combination of two-way radio and telephone, and computer displays in vehicles.
Attempts to introduce the system partially in March collapsed.

The full introduction of the computer system effectively did away with the
radio and telephone calls to stations, with the computer dispatching crews to
answer calls.  But within hours, during the morning rush, it became obvious to
crews and control room staff that calls were going missing in the system;
ambulances were arriving late or doubling up on calls.  Distraught emergency
callers were also held in a queuing system which failed to put them through for
up to 30 minutes.

Chris Humphreys, Nupe's divisional officer, said that it was hard to verify how
many people might have died because of the delays but it could be as many as
20.  However, the ambulance service contradicted claims that one 14-year-old
boy had died of an asthma attack after waiting 45 minutes.  It said that the
call was dealt with in 28 minutes - although the Patient's Charter has a target
of 14 minutes.  A man of 83 was also said to have died before the service
reverted to the old system at 2 p.m. on Tuesday.

Management said initially yesterday that control room staff had been overloaded
by the new system as they tried to respond to the extraordinary level of calls.
But in the Commons Mrs. Bottomley conceded that the computer system "broke
down" and that the old system would remain in operation until the problems had
been solved.

Martin Gorham, deputy chief executive of South West Thames Regional Health
Authority, is to take over from Mr. Wilby until a replacement is found.  Mrs.
Bottomley said that the chief executive of another metropolitan ambulance service
would be appointed to head the inquiry, which would be made public as soon as
possible.  But her responses and earlier failures to act on numerous warnings
left MPs dismayed.  David Mellor, MP for Putney, called in his first Commons
contributions since resigning as Secretary of State for Heritage for "top to
bottom reform".

Dept. of Computing Science, The University, Newcastle upon Tyne, NE1 7RU, UK
EMAIL = Brian.Randell@newcastle.ac.uk   PHONE = +44 91 222 7923
FAX = +44 91 222 8232


London Ambulance Fiasco

Trevor Jenkins <tfj@apusapus.demon.co.uk>
Thu, 29 Oct 92 16:48:10 GMT
The UK media have had a field day in the last four days with the inauguration
of the new Command and Control System for the London Ambulance Service. The
press concentration has centred upon the delays experienced by people calling
the service (up to eleven hours in a few cases). One distraught ambulance
driver was interviewed and recounted that the police are saying "Nice of you to
turn up" and other things. As of 23:00 last night Oct 28 the LAS instigated a
backup procedure to ensure that calls were handled in a timely fashion.

Several issues that the press did not cover were:

   o There appears to have been NO backup procedure at all.
   o The design of user interface was inadequate.
   o No consideration was given to system overload.

The good news is that the first seems now to have been rectified.

However, the second problem is the one that worries me the most. Much of the TV
coverage centred upon shots of the Control Room itself.  Wow, this is full of
the latest technology---lots of fancy graphic screens showing maps and other
goodies.  There are trackerballs for the operators to play with.  The
utilisation of all of this stuff is however flawed.  Many times the newscaster
quoted operators saying things like:

   o there was no way to scroll back through the list of calls to ensure
     that a vehicle had actually been dispatched
   o the exception list just kept growing

(I'll stop typing their comments as it just becomes too depressing.)

The estimate is that 20 people are now dead who would otherwise still be alive.

Trevor Jenkins, 134 Frankland Rd, Croxley Green, Rickmansworth, WD3 3AU
email: tfj@apusapus.demon.co.uk                phone: +44 (0)923 776436

   [Also noted by tjfs@tadtec.co.uk (Tim Steele).]


SPT-4

Hermann Haertig <haertig@gmd.de>
Tue, 27 Oct 1992 09:07:36 GMT
The International Conference on Structural Failure, Product Liability and
Technical Insurance, held every 3 years in Vienna, was last held in July 1992.
This year's conference covered a wide range of topics.  An incomplete list:

 - failure case studies (e.g. lots of bridges)
 - failure analysis using mathematical models and computer
   simulations (e.g. NW Detroit MD80 crash)
 - the influence of computer animation on court decisions
 - international liability law
 - corrosion
 - not much on computer risks though

It turned out to be a real interdisciplinary (engineers of many disciplines +
lawyers) and very international event. Some of the presentations were very
professional, e.g.  those of lawyers describing the use of computer animation
at court.

Proceedings announced to appear in Elsevier later this year.

-- hermann haertig, Project BirliX, GMD (German National Research Center for
   Computer Science)  Hermann.Haertig@gmd.de     x400: haertig@zi.gmd.dbp.de


Information America

<wolit@mhuxd.att.com>
Thu, 29 Oct 92 16:49 EST
In the November, 1992, issue of ONLINE, is a horrifying article (pp. 103 - 105)
in the "Legal Briefing" department by one Teresa Pritchard-Schoch, entitled,
"Information America: A Tool for the Knight in Shining Armor."  The author
gushes on about what a wonderful boon the Information America database service
is for lawyers (her "Knights in Shining Armor") and others.  A few extended
quotes:

  "In one interesting case we (the research staff at a law firm)
  investigated an entire jury's background before the members were
  even selected.  The case involved three affluent plaintiffs. . . .
  Our goal was to find a jury who would not have any sympathy for
  the plaintiffs . . . .  By checking a motor vehicles license
  database and real estate property records, we were able to compile a
  jury whose members all except one drove cars more than six years old.
  Moreover, no one on the jury owned any real estate.  Online sources
  also revealed facts about the jury members' likes and dislikes which
  were subtly used to influence them at trial.  The opposing counsel was
  completely unaware of the tactics our firm used and probably still
  wonders why he lost that case. . . ."

  "Information America databases for investigative services include
  Sleuth, Asset Locator, Executive Affiliation, People Finder, Business
  Finder, and Litigation Prep.

  "Sleuth searches millions of public records from both state and county
  sources, including corporate and limited partnership records, UCC and
  lien filings, . . . assumed and fictitious names. . . .  The
  relationships between individuals and business would be almost
  impossible to duplicate manually. . . ."

  "Asset Locator searches real property records, aircraft registration
  . . ., stock holdings . . ., and personal property locators. . . . A
  real property search for transfers, rather than holdings, is also
  available. . . ."

  "People Finder accesses 111 million names, 92 million households and 61
  million telephone numbers.  The profile obtained includes the current
  address, telephone number, residence type, length of residence,
  gender, date of birth, up to four household members and their dates of
  birth, and up to ten neighbors and their names and addresses.  The
  sources of information . . . include telephone directories, the U.S.
  Postal Service's change of address file, direct marketing records,
  publishers' address files, driver's license files, voter registration
  records, birth and wedding announcements, etc."

The author acknowledges that "many . . . feel somewhat unsettled" about her
accounts, and that "Others are uneasy about increasing availability of private
information about their personal lives."  But, she argues, "this information
has always been available."

I know that commercial credit-reporting firms, such as TRW, must make
individuals' files available to them for inspection and correction.  Do such
laws apply to database services such as Information America as well?  Do any
states provide individuals with rights concerning the commercial use of
personal information identified with them?  (In the case of credit services,
you usually sign away any privacy rights when you apply for credit, but I
wasn't aware that subscribing to a magazine resulted in the same forfeiture.)
Are there any other services such as this that provide comprehensive access to
a wide range of personal information about private citizens?

Jan Wolitzky, AT&T Bell Labs, Murray Hill, NJ; 908 582-2998, wolit@mhuxd.att.com


Interesting/obscure interaction between users -- shared mem resources

"David A. Honig" <honig@ruffles.ICS.UCI.EDU>
Thu, 29 Oct 92 14:48:05 -0800
I have found that a single user can use up all the shared memory
segments that any Sun's kernel allows.  (Typically 100 segs of 1MB each,
max).  If these are not deallocated correctly, they linger until
the machine is rebooted.  Talk about "persistent" environments.


NSF Net cable-cut story is bogus

John G. Scudder <jgs@merit.edu>
Thu, 29 Oct 1992 02:31:21 -0500
I noticed the article entitled "The NSF Net cable-cut story" in RISKS-13.86.
It clearly looked bogus (9.6k?  Come on!), so I asked around a bit.  Doug
Humphrey had the answer.  I have appended his description of the real story
below (with his permission).

The RISK here is in believing everything you read...

Regards,

--John Scudder, Merit/NSFNET Internet Engineering      jgs@merit.edu

> Date: Wed, 28 Oct 92 18:50:01 -0500
> From: Doug Humphrey <digex@access.digex.com>
> To: jgs@merit.edu
> Subject: [jgs@merit.edu: Re: .0045 mbits/sec]
>
> Concerning the message in RISKS, here is the story; I hope
> that you find it as funny as I did.
>
> A guy from JvNCnet sent out a message about the T3 being cut,
> and mentioning that traffic was being routed over their T1
> connection until the "backhoe fade" was over.  Just for fun,
> I modified the message and sent it to a private mailing list.
> The mods that I made were the name of the org (I called it JNvCnet)
> and the speed of the backup feed (I said 9.6k rather than T1)
> and of course I gave it a title of .0045mbits per second.
> I also changed the name of the sender to Steve Martin (a famous
> comedy person).
>
> In any case, I sent this to a small, private group of network
> heavies, to whom it would be grand fun.  Imagine my surprise
> when people from around the world start forwarding copies of
> RISKS to me with congrats on having such an obvious spoof
> published as fact!  Obviously one of them liked it enough
> that he sent it to RISKS.
>
> In any case, the original sender name is lost to time; I don't
> remember it.  It really was a pretty routine message from them,
> ignoring the mods that I made.
>
> So, that is the story.  I hope that helps explain it!
>
> Doug Humphrey, President, Digital Express Group, Inc.   doug@digex.com

    [Golly, it was neither April Fool's Day nor Two-Backhoe Rode.  PGN]


Re: Risks in Banking, Translation, etc. (RISKS-13.86)

Arun Welch <welch@cis.ohio-state.edu>
Tue, 27 Oct 92 13:01:52 -0500
  ... indicates that over 75% of bank computer programs are written in a
  language appropriate to the task as opposed to trying to force their models
  into the latest Object Oriented fad and 84% of banking software is designed
  to run on systems that have low mean time between failures

By an amazing coincidence, I've been talking to people at a bank about their
current technology, and they are in something of a crisis. This is a large bank
that's in the process of taking over smaller banks, and they're currently
buying banks at the rate of 3-4 a month, but they're only able to deploy
systems at the rate of one every 3-4 months. They're also in a state where most
of their software was originally written in the early 70's, and now consists of
mostly patches to the original. Their solution? To hop on the OOP bandwagon,
and target PC's as the delivery vehicle.  Unfortunately, their idea of rapid
deployment is instead of taking 5 years to deploy a system to do it in 3, and
they're unwilling to give up their ingrained programming structure so they've
got 5 people spending six months on a program that took me an hour to
prototype.  (Not that I'm claiming to be a hot-shot programmer, only that if
you put too many people to solve a rather simple problem you're not going to go
anywhere) They've got the right idea, but the implementation sucks. It's also
interesting to note that the people who will be responsible for accepting
whether the new technology works are the people currently running the old
technology systems...
                                                       welch@cis.ohio-state.edu
Arun Welch, Lisp Systems Programmer, Lab for AI Research, Ohio State University


Cellular reception equipment banned by Congress

Robert Allen <Robert.Allen@eng.sun.com>
Tue, 27 Oct 92 17:56:46 GMT
For some time, since the Electronic Communications Privacy Act was passed, it
has been a Federal crime in the U.S. to listen to communications carried out
over cellular telephone.  Only a handful of people have been prosecuted, mostly
cases where someone has taped a politician talking about things (sometimes
illegal things) over a cellphone and passed the tape on to the media.

More recently, manufacture and import of devices capable of receiving cellular
transmissions have been banned by the FCC.  Naturally this has resulted in a
run on radios which are 800MHz capable, or which can be easily modified to
be so capable.

The reason for the ban on both listening and making equipment capable of
listening is that the cellular phone lobby wants to be able to assure their potential
customers of privacy.

Comments about fascist gov't aside, the risks should be obvious: if people
assume that a medium is secure, when in fact it is not only NOT secure, but is
rather heavily monitored, they are likely to say things they don't mean, or
which shouldn't be (literally) broadcast.  Currently the police use cellphones
extensively, as do drug dealers.  Court cases have stated that cordless phones
(the type which talk to the base-set in your house) are *not* protected under
the ECPA, and may be legally monitored, although there is reportedly a law in
CA which makes it illegal to do so.  In at least one case police have monitored
communications on a cordless phone, with a readily available scanner, and have
used evidence so gathered to prosecute an individual for drug related crimes.

Another interesting note is that the law specifically prohibits "scanning
receivers" which are, or may be made, cellular capable.  How this affects test
equipment, non scanning receivers, other cellphones, etc., remains to be
interpreted by a court.

Here is the partial text of the law.
                                           Robert Allen, rja@sun.com
Article 2202 of alt.radio.scanner:
>From: walsh@optilink.UUCP (Mark Walsh)
Newsgroups: alt.radio.scanner
Subject: Section 408, was "Scanner Bill"
Date: 21 Oct 92 17:24:33 GMT

SEC. 408. INTERCEPTION OF CELLULAR COMMUNICATIONS.

   (a) AMENDMENT -- Section 302 of the Communications Act of 1934 (47 USC 302)
is amended by adding at the end the following new subsection:
   "(d)(1) Within 180 days after the date of enactment of this subsection, the
Commission shall prescribe and make effective regulations denying equipment
authorization (under part 15 of title 47, Code of Federal Regulations, or any
other part of that title) any scanning receiver that is capable of --
   "(A) receiving transmissions in the frequencies allocated to the domestic
cellular radio telecommunications service,
   "(B) being readily altered by the user to receive transmissions in such
frequencies, or
   "(C) being equipped with decoders that convert digital cellular
transmissions to analog voice audio.
   "(2) Beginning 1 year after the effective date of the regulations adopted
pursuant to paragraph (1), no receiver having the capabilities described in
subparagraph (A), (B), or (C) of paragraph (1), as such capabilities are
defined in such regulations, shall be manufactured in the United States or
imported for use in the United States."

Mark Walsh (walsh@optilink) -- UUCP: uunet!optilink!walsh


Re: 15th National Computer Security Conference in RISKS DIGEST 13.87

Dorothy Denning <denning@cs.cosc.georgetown.edu>
Tue, 27 Oct 92 08:55:33 EST
In response to my earlier message about registering encryption keys, some
people have asked how I can be sure that criminals won't use non-registered
keys.  I don't have a foolproof answer, but consider phone calls.  Most people
who want to encrypt will buy a commercial product with a built-in key.  The key
could be registered when the product is bought.  Yes there could be a black
market in non-compliant products, and the likelihood of that increases every
day that we fail to take action on this issue.

Peter Boucher also asked about the benefits of registering keys with a federal
agency.  After discussing this problem with law enforcement officials and
criminologists, I am convinced we are facing a potential crisis in law
enforcement if we lose the capability to conduct court authorized taps.  The
economic value alone of conducting lawful electronic surveillance is estimated
in the billions.  Much of this is related to organized crime.

Larry Hunter asked how we can be sure that the key centers won't collude with
the Department of Justice and give out the key.  If the relationship between
the phone companies and DOJ is any indication, this won't happen.  The folks at
the phone companies are so fussy about court orders that they send them back if
the semicolons aren't right.  And don't forget that even if the key center
(which I envisioned as a non-governmental agency) and DOJ collude, they still
need to get the bit stream from the phone companies.  But if this doesn't
satisfy you, Silvio Micali has an even tighter scheme that would allow your
private key to be broken up into five pieces and shared with 5 trustees.  All
five pieces would be needed to restore the key, but the pieces could be
verified as allowing proper restoration without the need to actually put them
together.  He calls this "fair public-key cryptosystems."
                                                            Dorothy Denning


Re: (Denning, RISKS-13.86)

Peter Wayner <pcw@access.digex.com>
Tue, 27 Oct 92 16:08:31 -0500
>1) Can you trust the criminals to provide the keys to their data and to use
>   those keys (and no others) when transmitting incriminating data?  If not,
>   what's the point?

Actually, my favorite solution to this criminal problem is to use a one-time
pad. Then it is possible to come up with two keys. One that decrypts the
conversation into a benign one and one that decrypts it into the real message.

For instance:

Message:   P  L  U  T  O  N  I  U  M  R  E  A  D  Y

Key # 1:   1  4 10  5  7  8 12 19  4  3 10 19 21 10

Crypttext: Q  P  E  Y  V  V  U  N  Q  U  O  T  Y  I

Key # 2:  10 24  0 24  2 19 13 25 14  6  3 19  5  4

Message 2: G  R  E  A  T  C  H  O  C  O  L  A  T  E

So the criminals send key #1 to their cohorts and register key # 2 with the
Federal Key Exchange Registry. When the cops bug the line all they hear about
is the stories about their trip to Hershey PA.

Of course non-one-time-pad systems can't work this way.  DES can't be rigged
this way.

-Peter Wayner
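The two-key trick in the post above, as an added example that is not part of Peter Wayner's message: a one-time pad over A-Z in Python, together with the arithmetic that derives a "cover" key from the crypttext and any innocuous message of the same length. The function names, the A=0..Z=25 encoding, and the byte-level XOR variant at the end are this example's own assumptions, not anything stated in the post; the sample message and Key #1 are taken from his table.

```python
# Added example: one-time pad deniability (not code from the RISKS post).
# Assumptions: letters map A=0 .. Z=25; encryption adds the key digit mod 26
# and decryption subtracts it, which is the convention the post's table follows.

from typing import List

ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZ"


def encrypt(plaintext: str, key: List[int]) -> str:
    """C[i] = (P[i] + K[i]) mod 26.  The key must cover the whole message."""
    if len(key) < len(plaintext):
        raise ValueError("one-time pad key must be at least as long as the message")
    return "".join(ALPHABET[(ALPHABET.index(p) + k) % 26]
                   for p, k in zip(plaintext, key))


def decrypt(ciphertext: str, key: List[int]) -> str:
    """P[i] = (C[i] - K[i]) mod 26, the inverse of encrypt()."""
    if len(key) < len(ciphertext):
        raise ValueError("one-time pad key must be at least as long as the message")
    return "".join(ALPHABET[(ALPHABET.index(c) - k) % 26]
                   for c, k in zip(ciphertext, key))


def cover_key(ciphertext: str, cover_text: str) -> List[int]:
    """The key that makes `ciphertext` decrypt to `cover_text`:
    K2[i] = (C[i] - P2[i]) mod 26.
    Because every same-length plaintext corresponds to exactly one key, a
    registry holding K2 learns nothing about which key was the real one."""
    if len(cover_text) != len(ciphertext):
        raise ValueError("cover text must be exactly as long as the ciphertext")
    return [(ALPHABET.index(c) - ALPHABET.index(p)) % 26
            for c, p in zip(ciphertext, cover_text)]


# Byte-level generalisation (assumption of this example): XOR is its own
# inverse, so the same function applies a pad and derives a cover pad.
def xor_apply(data: bytes, pad: bytes) -> bytes:
    if len(pad) < len(data):
        raise ValueError("pad must be at least as long as the data")
    return bytes(d ^ k for d, k in zip(data, pad))


# Constructed inputs reproducing the post's table.
REAL_MESSAGE = "PLUTONIUMREADY"
KEY_1 = [1, 4, 10, 5, 7, 8, 12, 19, 4, 3, 10, 19, 21, 10]
COVER_MESSAGE = "GREATCHOCOLATE"


def demo():
    """Returns (crypttext, key #2, what the registered key yields, what the real key yields)."""
    ciphertext = encrypt(REAL_MESSAGE, KEY_1)
    key_2 = cover_key(ciphertext, COVER_MESSAGE)
    return ciphertext, key_2, decrypt(ciphertext, key_2), decrypt(ciphertext, KEY_1)


if __name__ == "__main__":
    c, k2, registered_view, real_view = demo()
    print("Crypttext:                 ", c)
    print("Key #2:                    ", k2)
    print("Registered key decrypts to:", registered_view)
    print("Cohorts' key decrypts to:  ", real_view)
```

This is the point of his last sentence about DES: under a block cipher with a fixed key the crypttext has exactly one decryption, so no registered key can be made to yield a chosen innocuous message. The pad permits it precisely because of its perfect secrecy: any plaintext of the right length is equally consistent with the crypttext, and `cover_key` simply solves for the key that produces the one the sender wants the registry to see.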


Re: (Denning, RISKS-13.86)

<li@oracorp.com>
Thu, 29 Oct 92 14:55:51 EST
In Risks-13.87 a few people expressed concern about how one could trust a single
"independent" agency and whether such an agency exists or could ever be formed.
It seems that Prof. Denning's scheme could be easily extended to use threshold
schemes (including threshold signature schemes) so that such trust is spread
among many (and perhaps mutually hostile) agencies to reduce the chance of
corruption and collusion.
                               Li GONG, ORA Corp., Ithaca, NY 14850
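The threshold idea in Li Gong's message above, and the five-trustee scheme Dorothy Denning attributes to Micali earlier in this issue (pieces that can be checked as restoring the key without being put together), as one added example that is part of neither message: a k-of-n Shamir split of an escrowed private key over a prime field, with Feldman-style commitments so that each trustee verifies its own piece against the user's public key. The assumptions are this example's own: the escrowed key is a discrete-log private key x with public key G^x mod P, P = 2Q+1 is a safe prime, and the parameters are toy-sized so the arithmetic can be followed by hand; a real deployment would substitute a 2048-bit or larger safe prime.

```python
# Added example: verifiable k-of-n key escrow (not code from either RISKS post).
# Assumptions: the escrowed key is an exponent x < Q whose public key is
# G^x mod P; P = 2*Q + 1 is a safe prime; G has order Q.  Toy parameters.

import secrets
from typing import Dict, List, Tuple

P = 2039   # safe prime, P = 2*Q + 1  (toy size, swap in a 2048-bit safe prime for real use)
Q = 1019   # prime order of the subgroup the key lives in; Shamir arithmetic is mod Q
G = 4      # a quadratic residue mod P other than 1, hence of order Q


def split(secret: int, k: int, n: int) -> Tuple[Dict[int, int], List[int]]:
    """Shamir k-of-n sharing of `secret` plus Feldman commitments.
    Returns ({trustee_index: share}, [G^a_0, ..., G^a_{k-1}] mod P).
    a_0 is the secret itself, so commitments[0] is the public key G^x."""
    if not 0 <= secret < Q:
        raise ValueError("secret must be a field element below Q")
    if not 1 <= k <= n:
        raise ValueError("need 1 <= k <= n")
    coeffs = [secret] + [secrets.randbelow(Q) for _ in range(k - 1)]
    commitments = [pow(G, a, P) for a in coeffs]
    shares = {}
    for i in range(1, n + 1):          # trustee i receives f(i) mod Q (Horner form)
        y = 0
        for a in reversed(coeffs):
            y = (y * i + a) % Q
        shares[i] = y
    return shares, commitments


def verify_share(index: int, share: int, commitments: List[int]) -> bool:
    """Trustee check: G^share == prod_j C_j^(index^j) mod P.
    True iff the piece lies on the committed polynomial whose constant term is
    the escrowed key; the trustee learns nothing about the other pieces."""
    expected = 1
    for j, c in enumerate(commitments):
        expected = expected * pow(c, pow(index, j, Q), P) % P
    return pow(G, share, P) == expected


def reconstruct(subset: Dict[int, int]) -> int:
    """Lagrange interpolation at x = 0 over GF(Q); needs any k (or more) shares."""
    secret = 0
    for i, yi in subset.items():
        num, den = 1, 1
        for j in subset:
            if j != i:
                num = num * (-j) % Q
                den = den * (i - j) % Q
        secret = (secret + yi * num * pow(den, -1, Q)) % Q
    return secret


def demo(secret: int = 777, k: int = 3, n: int = 5):
    """Returns (commitment matches public key, all pieces verify,
    a tampered piece verifies, k pieces restore the key)."""
    shares, commitments = split(secret, k, n)
    public_key = pow(G, secret, P)
    all_ok = all(verify_share(i, s, shares and commitments) for i, s in shares.items())
    tampered_ok = verify_share(1, (shares[1] + 1) % Q, commitments)
    restored = reconstruct({i: shares[i] for i in (1, 3, 5)})
    return commitments[0] == public_key, all_ok, tampered_ok, restored == secret


if __name__ == "__main__":
    print(demo())                  # (True, True, False, True)
    # Denning's all-five-required variant is simply k == n:
    five, comms = split(777, 5, 5)
    print(all(verify_share(i, s, comms) for i, s in five.items()),
          reconstruct(five) == 777)
```

With `k == n` this is the five-of-five arrangement described earlier; with `k < n` it is the spread of trust Li Gong suggests, where any k of the (possibly mutually hostile) agencies suffice and the loss or refusal of the rest does not lock the key away. Fewer than k pieces are consistent with every possible secret, since k-1 points plus any chosen value at x = 0 always determine a degree-(k-1) polynomial, so a coalition below the threshold learns nothing. What the commitments do not address is Ellison's and Mattair's objection about who is entitled to ask the trustees in the first place; that is a policy question the arithmetic cannot settle.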


Re: 15th National Computer Security Conference (RISKS-13.86)

Carl Ellison <cme@ellisun.sw.stratus.com>
27 Oct 92 21:10:14 GMT
>I believe this scheme is pretty tight.  Silvio Micali has evidently invented
>another method of safeguarding the keys in a registry, called "fair
>cryptography", but I don't know the details.
>                                                 Dorothy Denning

The scheme is not tight.  This assumes that the Executive branch:

1.  has a right to eavesdrop on citizens
2.  can be trusted not to exceed its authority

If you assume that the government agencies are those of the Nixon
Administration -- or worse, those which we would have had if Watergate
hadn't been exposed -- you need a much tighter protocol to prevent abuses.

You need to specify the characteristics of the key agency and the key
acquisition process so that even if the Executive branch is completely corrupt,
the rights of the citizens are protected.  You should probably also allow for
the possibility of collusion by the Supreme Court, given what we've seen in
recent years.

So, how about a protocol in which approval of all three branches of government
-- and probably both the house and senate -- hopefully with a majority vote in
each -- is needed for each specific key -- or better yet, for each message in
each key?  Let those branches cooperate in decrypting the session key for a
message and let them deliver the decrypted message (or session key) to the FBI.
If that were part of the protocol, then I'd believe that you're getting close
to the kind of protection which US citizens deserve.

Of course, the proper solution is an amendment to the Constitution
guaranteeing a right to privacy for all citizens -- probably prohibiting
all wiretaps, in the process.

I'm told that the State of Alaska has a guaranteed right to privacy.

If that's true, are wiretaps allowed on calls within the state?

Carl Ellison, Stratus Computer Inc, 55 Fairbanks Boulevard ; Marlborough MA
01752-1298      cme@sw.stratus.com   (508)460-2783      FAX: (508)624-7488


Re: Denning, RISKS-13.86

Charles Mattair <mattair@sun44.synercom.hounix.org>
Tue, 27 Oct 92 09:58:31 CST
Given the attitude of the FBI/NSA/DEA/et al., as to warrantless searches, the
ability of NSA to tap most communications without the service providers
knowledge and the current circus of everybody investigating everybody WRT
Iraqgate, I fear Ms. Denning places a little too much trust in the
trustworthiness of the Federal Government.

Incidentally, she appears to overlook the risk after step 3: my key, in
plaintext, is available to anybody with access to the paperwork for the
triggering investigation.  Furthermore, given the propensity of the Federales
to engage in "shotgun" type investigations - witness Operation Sun Devil - my
crypto security may be compromised for completely fallacious reasons.

Charles Mattair                 mattair@synercom.hounix.org
