Please try the URL privacy information feature enabled by clicking the flashlight icon above. This will reveal two icons after each link the body of the digest. The shield takes you to a breakdown of Terms of Service for the site - however only a small number of sites are covered at the moment. The flashlight take you to an analysis of the various trackers etc. that the linked site delivers. Please let the website maintainer know if you find this useful or not. As a RISKS reader, you will probably not be surprised by what is revealed…
SIXTH INTERNATIONAL COMPUTER SECURITY & VIRUS CONFERENCE and Exposition
sponsored by DPMA Fin.Ind.Chapter in cooperation with
ACM-SIGSAC, BCS, CMA, COS, EDPAAph, ISSAny, NUInyla, IEEE Computer Society
Box 894 Wall Street Station, NY NY 10268 (800) 835-2246 x190
FINANCIAL FIRMS OPEN MEETING THURSDAY ON TRADE CENTER RECOVERY
To address the technical side of network and computer terrorism recovery while
information systems personnel are interested, a special public forum of
industry leaders has been scheduled for next Thursday March 11, entitled,
"Trade Center Crisis Recovery." The in-depth panel will include eight
industry representatives - from four affected financial firms that
successfully resumed business after Friday's disaster, and four suppliers that
helped them.
The panel will be housed in next week's Sixth International Computer Security
& Virus Conference at the Madison Square Garden Ramada, co-sponsored by the
eight computing and networking societies.
With damage estimates already in the multi-billions, Sally Meglathery, Elec-
tronic Security Head for the New York Stock Exchange and a scheduled panelist,
warns financial data keepers: "Review [your] restart recovery procedures to
be sure that you have adequate backup to recover from an attack."
Other than state and federal offices, the main corporations inhabiting the
famed skyscraper are indeed banks (First Boston, Sumitomo, Dai-ichi), brokers
(Dean Witter, Shearson, Salomon, Mocatta and the Commodities Exchange) and
insurance companies (Hartford and Guy Carpenter). Each type will send a
representative, as will some service firms.
William Houston, Eastern Region Head for Comdisco Data Recovery, notes that
"This is the second time in three years an electrical disaster has completely
shut down" the famed twin skyscraper. His firm helped rescue the computer,
networking and "back office" operations of two dozen downtown firms in response
to the August 13, 1990, electrical substation fire.
"We have some major customers in the Towers," notes Houston, "and while pre-
serving their anonymity I intend to plainly tell the Thursday audience just
what worked this time and what didn't."
Michael Gomoll, an executive with competitor CHI/COR Information Management,
says the terrorist act will have three key results: "Direct loss of
revenues, effects on global markets and businesses, and concerns of the
business insurance profession." Ironically, CHI/COR, a firm specializing
in disaster recovery, was itself assaulted by the crippling Chicago flood
of April 13, 1992. As part of his presentation, Gomoll intends to explain
how cable conduits played an important role in both disasters.
Last fall, the conference now hosting this "Trade Center Crisis Recovery"
roundtable, received what now seem prophetic words in its greeting from Mayor
David Dinkins: "As the telecommunications capital of the world . . . we are
also extraordinarily susceptible to the various abuses of this technology."
Another irony has to do with the "Meet the Experts" reception at the
Empire State Building Observatory following the forum. In previous years,
the hosting conference has had its skyline reception at Top of The World,
located within the Trade Center. That spot will not open this month.
also extraordinarily susceptible to the various abuses of this technology."
People using Modicon 984 Series programmable controllers with Graysoft Programmable Logic Controller (PLC) software Version 3.21 are advised to contact Graysoft (414) 357-7500 to receive the latest version (3.50) of the software. A bug in Version 3.21 can corrupt a controller's logic and cause equipment to operate erratically. PLCs are frequently used in safety-related applications. Users often assume that if their "logic" is correct then they are ok and forget that the underlying logic is implemented with software which may not be correct. Lin Zucconi zucconi@llnl.gov
[Originally in Computer Privacy Digest Sat, Volume 2 : Issue: 021,
27 Feb 93, contact comp-privacy-request@PICA.ARMY.MIL. PGN]
A few months ago, a well-respected British TV documentary show (might have
been 'World in Action') discovered that all out-going telexes from the Uk were
electronically scanned by British Telecom (the main phone company) personnel,
supervised by the security services. Direct scanning by the security services
would have been illegal. They were looking for words like 'terrorist' &
'bomb', but the civil liberties implications are far-reaching. Obviously,
this could affect the privacy of American telexes to the U.K.
J.F. Faircliffe. i_userid_4@uk.ac.uclan.p1
Headline: Sacked expert fears nuclear safety risk Byline: Paul Brown, Environment Correspondent (The Guardian, 4 March 1993) A computer system created to make Britain's nuclear reactors safer could fail at a vital moment because it has not been tested properly, according to the man who designed it. Bob Hodson-Smith, who has been sacked by a company commissioned by Nuclear Electric to design a back-up safety system for nuclear power station controllers, says the system might not perform adequately at precisely the moment it was needed because "bugs" had not been removed from the programming. He has expressed his fears to Nuclear Electric, the state owned company that runs [all commercial] nuclear power stations in England and Wales. It is understood that the company is seriously concerned at the implications. The firm which sacked him, Active Business Services (ABS), of Sheffield, has described his fears as irrational. But Mr Hodson-Smith says: "I could no longer live with the fact that safety might be compromised and I had done nothing to warn anyone." The Safety Related Plant Status Monitoring System, as Nuclear Electric describes the system, has been in operation at a Magnox power station at Oldbury-on-Severn in Gloucestershire for aa year. Similar computer systems are being brought into operation at Dungeness A in Kent and Hinkley Point A in Somerset. Status, as the system was called, was designed to prevent the kind of accidents that occurred at Three Mile Island nuclear power station in the United States and the Piper Alpha oil platform disaster. In both cases shift workers faced with a breakdown in equipment switched to substitute systems, unaware that they had been taken out of service by a previous shift. Status was designed to prevent this happening. Staff log into the computer every item of safety-related equipment in the nuclear station, so operators can see at a glance whether it is in proper working order. Safety at nuclear stations relies on all vital equipment being duplicated at least twice so any defective equipment can be bypassed. Mr Hodson-Smith's alarm is based on the belief that the computer system might be relied on in times of emergency when "bugs" in the programming had not been removed. In memos he warned ABS that he was not satisfied the system was safe, and urged the company to inform Nuclear Electric of his fears. In a memo to ABS managing director, Paul Sellars, he said he was aware he would be "fired" if he published the information but "I am not prepared to present a false picture to Nuclear Electric. I believe that what is being done with the Status project is not morally tenable." Mr Hodson-Smith said he was not prepared to supply the newer Advanced Gas Cooled Reactor [AGR] (at) Hinkley Point B with a similar system unless Nuclear Electric were fully informed of the potential difficulties with Status at the other stations. He insisted that the system be thoroughly debugged, which could only be done by writing a technical manual explaining the system and cross-checking it. This had not been done. In a memo he said that if it was a computer system for a bank "it would be acceptable to stick together a functionally complete version, install it and hope it was right. If it failed then it can be fixed as required. However, it is simply not acceptable to do this for a nuclear power station control room system related to safety." Mr Sellars, managing director of ABS, responded by suggesting that Mr Hodson-Smith consult a psychiatrist, Dr James Conway in Sheffield. Dr Conway's view of his patient was that "he exhibited symptoms of anxiety and overwhelming worry which would be understandable ... if his fears were well-founded. He believes there is little communication with the management at present." In a letter Mr Sellars told Mr Hodson-Smith that the Status system would not become fully operative until fully tested. "The company does recognise the nature and extent of its responsibilities." The company and Mr Hodson-Smith remained at loggerheads. He was subsequently dismissed, and has begun an action for unfair dismissal. Mr Sellars said: "Mr Hodson-Smith had a very good brain but his behaviour has become irrational. He was not involved in the commercial area. He had become impossible to manage." Mr Sellars said there were no bugs in the system, which was being fully tested. Technical manuals on how the system was constructed were being written and would be provided to Nuclear Electric. Mr Hodson-Smith has sent papers detailing his fears to the three nuclear stations involved and Nuclear Electric is studying them. Nuclear Electric emphasised that the computer system had not yet been fully integrated into the control system for the reactors. Safety had therefore not been compromised. Nuclear Electric said that the system was a management tool for checking equipment. In the case of an emergency the reactor would be shutdown automatically, independently of the Status system. [A few of the risks covered: reliability of risk management systems; risk of bringing a system into disrepute by the actions of disruptive staff; risk of using a system for a year before full testing and manuals are complete; ... Anthony Naggs, Software/Electronics Engineer, PO Box 1080, Peacehaven, East Sussex BN10 8PZ UK +44 273 589701 amn@vms.brighton.ac.uk
| [An old story, eh? Security is almost always considered | too expensive until AFTER the disaster... PGN] Now let's be fair. How many other buildings got the same advice and have not been bombed? What is the expected benefit, over all major buildings, of ensuring against an event with probability x? In any case, what difference would it have made? It would made the evacuation a little smoother and less traumatic, but I doubt it would have saved any lives or gotten the buildings re-opened any sooner. Managers are always paid to decide how much risk is acceptable when weighed against how much expense. There is always some level of disaster against which you are not protected (suppose it had been a nuclear device). Maybe their decision was rotten and they just lucked out in not having a much larger loss of life; on the other hand, maybe their decision was pretty good and they had really bad luck in the placement of the bomb coupled with really good luck in not having any coincident problems to raise the death count. I don't know enough to know whether they acted correctly; I doubt that either the author of the note or the moderator know, either. scott preece, motorola/mcg urbana design center, 1101 e. university, urbana, il 61801 uunet!uiucuxc!udc!preece preece@urbana.mcd.mot.com 217-384-8589
>Help keep my building from suffering from 'World Trade Center Syndrome'
>(lack of emergency lighting)... Point me in the right direction please!
From the news I've seen, I got the impression that the emergency lighting was
controlled by a central computer somewhere, although each separate
light/battery pack had a little bit of intelligence of its own. However,
whoever programmed the emergency light microbrains had a panic routine that
just sat around trying to re-establish contact with the main controller if the
main controller had blown up. But apparently it skipped the programmer's mind
that, if the main controller had blown up, it just might be a good idea to
turn on the emergency lights.
Does anybody know if this is true? If so, it's some really poor
programming! Perhaps comp.risks would be a good place to take this.
---Joel Kolstad
More likely, they use a service called National Change of Address. A well-known company will (for a fee), update a mailing list to reflect any changes in address in the last three years. The well-known company? The United States Postal Service. Karl Kraft karl@ensuing.com
> A patient in Manchester Royal Infirmary in England was found unconscious > after she mixed up the nurse's call button with the one to give herself more > painkiller and pressed the latter button impatiently for several minutes. It is usual practice with Patient Controlled Analgesia (PCA) to have a lockout on the syringe driver, so that the patient cannot give themselves repeated doses without sufficient time between them. This not only prevents overdoses, but also means one bolus (dose) of painkiller has time to act before the patient is able to give themselves another dose, so that if the first dose is effective, the second, later, dose will not be administered by the patient. However, if the syringe driver wasn't set up with the time lockout ..... Barry. bsalkin@nyx.cs.du.edu or zchag12@ucl.ac.uk
Regarding Bill Clinton's electronic mail, Shellie Emmons
<sme46782@uxa.cso.uiuc.edu> asks, as reported here by
David Daniels <0004381897@mcimail.com>:
> (1) When you get thousands of messages a day, how do you
> respond effectively?
Same way you respond to thousands of letters or phone calls a day: delegate it
to staff members who are trusted to (at least) winnow out whatever wheat there
may be and respond to the chaff with a polite virtual form letter. There are
480 minutes in a working day; even assuming that our energetic Mr. C. puts in
more than an 8-hour day, he clearly isn't going to give even a cursory
acknowledgement, much less a thorough reading and thoughtful reply, to
thousands of messages.
If any good ideas are received, he could take a "That'll teach 'em to suck
eggs!" approach: have the White House staff find some aide or advisory-panel
opening and invite his tormentor to work toward analyzing and implementing the
idea. Citizens who envision government policymakers as putting in a six-hour
day in a brandy-and-cigars atmosphere will learn their lesson right quick. :)
> (2) How do you make a public e-mail system inclusive
> and accessible?
Figure out how to ape Minitel in the context of our technological and cultural
base? Ignore the problem entirely, given that the older means of
communicating with the government will remain available?
> (3) What would happen if e-mail became the primary
> mode of(mediated) access to government?
The Golden Age of Unix Nerds, that's for sure. :) Seriously, one needs some
analysis of the modes currently used before this question can be answered.
Again, perhaps the key would be to deliberately keep the older modes
available: mail, irate phone calls to one's Congressperson, riding through the
Rose Garden on horseback and shouting at the upstairs windows, whatnot. With
all due respect to the people who are afraid of disenfranchising the
computer-illiterate, I can't see the new medium drastically changing the way
the government receives input, unless the individual representatives and
staffers *choose* to ignore other forms of input, from letters to phone calls
to lobbyists.
The real RISK, of course, is that the President would discover Usenet News!
:)
Joe
>From: Shellie Emmons <sme46782@uxa.cso.uiuc.edu> >I am currently involved in a research project that is trying to aid the >Clinton Administration in making effective use of computer-mediated >communication to stay "in touch" with the public. ... There are a number of confusions tangled up in this message; I'll summarize. Ms. Emmons is an undergraduate the UIUC who was asked by a professor to set up an email list for a research project. She posted a message about the project to three newsgroups (comp.human-factors, comp.society, comp.mail-misc), suggesting more by the description than is entirely correct, and called it "The White House Communication Project", even tho it has no official connection to the White House. The name of the project will be changed. Jack Gill is not the name of the White House person who is involved in efforts to get email running there. Any email that does go to an address used by Media Affairs Office of the White House is printed out and handed to the folks who handle ordinary White House mail; those folks add that letter to the other fifteen thousand (15,000) letters that the White House gets every day. Eventually someone may reply (via US Mail) to the message in exactly the manner that they reply to all of their hardcopy mail. There are a number of organizations trying to help the government use email, one of them is a consortium of researchers led by the MIT AI Lab. The original message above is of course an example of a computer risk: the ability to attract a considerable amount of attention and excitement in a very short period of time; the medium amplifies the message. Randall Davis, Associate Director, AI Lab
This is a comment on the technology policy statement announced by Clinton and
Gore on 2/22/93. The policy initiatives include the substance of the
National High Performance Computer Technology Act that Gore had previously
sponsored in the Senate (e.g., S. 1067 in the 101st Congress). Central to
that act and the new initiative is the National Research and Education Network
(NREN), a plan to increase the bandwidth of the internet and develop software
for its utilization. I am concerned that the technology policy does not
adequately address privacy or other concerns about the social implications of
computing, including concerns raised by its proposed initiatives.
In the hearings on the High Performance Computing Act, medical informatics was
one of the applications envisioned for the NREN. It's also part of the
Clinton technology policy. The (brief) discussion of medicine in the 2/22
statement is interesting:
"This information infrastructure — computers, computer data
banks, fax machines, telephones, and video displays — has as its
lifeline a high-speed fiber-optic network capable of transmitting
billions of bits of information in a second....
"The computing and networking technology that makes this
possible is improving at an unprecedented rate, expanding both our
imaginations for its use and its effectiveness. Through these
technologies, a doctor who needs a second opinion could transmit a
patient's entire medical record — x-rays and ultrasound scans
included — to a colleague thousands of miles away, in less time
than it takes to send a fax today."
Well, imagine that ("Hey Sue, lookit chromosome 17 on this guy from the
Farber! 20 bucks at 7 / 5 sez he's malignant in 5 years. Bet he hopes his
insurer never sees this, har har."). Without having any expertise here, I
find it plausible that network consults using computerized medical records
would have many benefits for patients. But it's also clear that implementing
a network-mediated record system that provided secure confidentiality would be
a challenging engineering task. I mean social as well as computer
engineering, it's the communication among people that is problematic here.
I find much to like in the technology policy, so I would love to be proven
wrong. Unfortunately, I see little evidence that privacy has sufficient
priority in the current policy or the former High Performance Computing Act.
I would appreciate hearing from others whether the policy adequately covers
other aspects of socially responsible computing. The technology policy ought
to include a statement of ethics concerning computerized information. I also
believe that the NREN should follow the example of the NIH's Human Genome
Project, which devotes 5% of its research budget to a program for studies of
the Ethical, Legal, and Social Implications of human genetic research.
William Gardner, Psychiatry Dept, School of Medicine, University of Pittsburgh
Pittsburgh, PA 15213 412-681-1102 wpg@ethics.med.pitt.edu FAX:412-624-0901
I picked up the premiere issue of a new magazine called "Wired" which
is trying to spread the word about the Digital Revolution. And
editorial blurb from the inside page is repeated here:
============
WHY WIRED?
Because the Digital Revolution is whipping though our lives like a Bengali
typhoon - while the mainstream media is still groping for the snooze button.
And because the computer "press" is too busy churning out the latest
PCInfoComputingCorporateWorld iteration of its ad sales formula cum parts
catalog to discuss the meaning or context of SOCIAL CHANGES SO PROFOUND their
only parallel is probably the discovery of fire.
There are a lot of magazines about technology. "Wired" is not one of them.
"Wired" is about the most powerful people on the planet today - THE DIGITAL
GENERATION. These are the people who not only foresaw how the merger of
computers, telecommunications and the media is transforming life at the cusp
of the millennium, they are making it happen.
OUR FIRST INSTRUCTION TO OUR WRITERS: AMAZE US.
Our second: We know a lot about digital technology, and we are bored with it.
Tell us something we've never heard before, in a way we've never seen before.
If it challenges our assumptions, so much the better.
So why not now? Why "Wired"? Because in the age of information overload, THE
ULTIMATE LUXURY IS MEANING AND CONTEXT.
Or put another way, if you're looking for the soul of our new society in wild
metamorphosis, our advice is simple. Get "Wired".
-LR [jfs: Louis Rossetto]
You can reach me at 415-904-0664 or lr@wired.com
================
Along with this they had an interesting article on "Cellular Phreaks and Code
Dudes" by John Markoff (markoff@nyt.com), which discusses how the latest rage
of Silicon Valley hackers is Cellular phones. He gives an example of how two
phreaks hacked into an OKI 900 cellular phone and some of the features they
discovered:
o how to use it as a cellular scanner.
o the manufacturer's interface so you can attach the phone to a
portable computer.
o one of the phreaks wrote some software to track other portable
phones as they move from cell to cell, this allows him to display the
approximate locations of each phone since he knows the geographical
locations of each cell.
o having the phone watch a specific number, and when that number is
used, pick up and by using a simple sound activated recorder, you've
made an instant bugging device! Maybe all the spies in Common Market
who were worried about having point to point encryption on cellular
phones didn't think of this trick?
I found this article to be worth the cost of the magazine, as it ties in
directly with RISKS readers here have been talking about. Now if it is this
easy to hack this phone, how hard would it be to hack into the general
cellular phone service machines, those that handle the passing of phones from
cell to cell?
The down side was the really annoying format, which seems to be
"Techno-babble-obnoxious" with arbitrary changes in typeface, orientation, etc
as you flip through pages. I felt that this detracted from the overall look
of the information they were trying to present, making it harder to
assimilate. I'd be interested in talking to anyone else who has read this
magazine too.
John
Please report problems with the web pages to the maintainer