Please try the URL privacy information feature enabled by clicking the flashlight icon above. This will reveal two icons after each link the body of the digest. The shield takes you to a breakdown of Terms of Service for the site - however only a small number of sites are covered at the moment. The flashlight take you to an analysis of the various trackers etc. that the linked site delivers. Please let the website maintainer know if you find this useful or not. As a RISKS reader, you will probably not be surprised by what is revealed…
Our annual RISKS Summer Slowdown Time is about to start. I will be within fingershot of the Internet only on selected occasions for the next four weeks, so do not be surprised if there are not many RISKS issues. However, please continue to send in any horror stories (or even wonderful success stories --- we have not had very many of those lately). The rate of BARFmail resulting from RISKS mailings has increased painfully in recent weeks. Some of that may be due to students leaving for the summer and general job instabilities. Last Friday, when I put out three issues on one day, I cleaned up the mess of newly rejected addresses after each mailing; the second and third mailings each generated still *MORE* newly rejected addresses, all on the same day. (I ignore directory overflows, which have also increased dramatically, assuming some of you are away; I regret if RISKS is exhausting your directories!) The BARFmail situation never converges, probably because the Internet is incredibly dynamic and the number of flaky sites remains large. Even more annoying is the persistence of E-Mail messages whose FROM: addresses are unanswerable.
>From the BALTIMORE SUN, Tuesday, 8 June:
BALTIMORE — Chesapeake & Potomac Telephone's "intercept" system — the
recordings and artificial voices activated by calls to disconnected or changed
numbers — was knocked out yesterday by a computer glitch in Richmond, Va.,
the company said. As a result, customers dialing numbers not in service were
connected to a recorded message that all circuits were busy, according to C&P
spokesman Paul G. Wood.
The problem was caused by "redundant" computer databases at a center in
Richmond, which are alternately in service as new information on
telephone-number changes is loaded five times a day. The changeover was being
made about 11:30 a.m. when a computer processing problem occurred, cutting off
access to the system, Mr. Wood said.
The problem was expected to be resolved last night, he said.
I read in the new Network World (Network World; vol. 10, no. 23; June 7, 1993) at page 6, in a story headlined "Clipper Chip Foes Denounce Scheme Over Cost Issues" by Ellen Messmer which begins on page 2, that: --> NIST Deputy Director Ray Kammer said the government is considering --> banning all other encryption and making Clipper Chip mandatory. Assuming that this quote is accurately reproduced (a typo such as the inadvertent excision of the word "not" could change the meaning completely) it would appear to me to be a most inflammatory statement, given the discussion of the issue I've been reading in RISKS Digest and elsewhere. Perhaps someone could check into this? Mark Seecof <marks@latimes.com>
Kammer spoke yesterday at the CPRS crypto conference. While he did say that government was considering all options (including presumably restrictions on non-government technology), the possibility of making private uses of crypto illegal seems very unlikely. And John Podesta from the White House said later during the day that the White House was not considering such restrictions. Marc
Computer System Security and Privacy Advisory Board, June 4, 1993
Resolution #1
At Mr. Kammer's request we have conducted two days of hearings. The clear
message of the majority of input was that there are serious concerns regarding
the Key Escrow Initiative and the Board concurs with these concerns. Many of
these issues are still to be fully understood and more time is needed to
achieving that understanding.
Accordingly, this Board resolves to have an additional meeting in July 1993 in
order to more completely respond to Mr. Kammer's request and to fulfill its
statutory obligations under P.L. 100-235. The Board recommends that the
inter-agency review take note of our input collected, our preliminary finding,
and adjust the timetable to allow for resolution of the significant issues and
problems raised.
Attached to this resolution is a preliminary distillation of the serious
concerns and problems.
Resolution #2
Key escrowing encryption technology represents a dramatic change in the
nation's information infrastructure. The full implications of this encryption
technique are not fully understood at this time. Therefore, the Board
recommends that key escrowing encryption technology not be deployed beyond
current implementations planned within the Executive Branch, until the
significant public policy and technical issues inherent with this encryption
technique are fully understood.
[Attachment to Resolution #1]]
- A convincing statement of the problem that Clipper attempts to solve has not
been provided.
- Export and important controls over cryptographic products must be reviewed.
Based upon data compiled from U.S. and international vendors, current controls
are negatively impacting U.S. competitiveness in the world market and are not
inhibiting the foreign production and use of cryptography (DES and RSA)
- The Clipper/Capstone proposal does not address the needs of the software
industry, which is a critical and significant component of the National
Information Infrastructure and the U.S. economy.
- Additional DES encryption alternatives and key management alternatives
should be considered since there is a significant installed base.
- The individuals reviewing the Skipjack algorithm and key management system
must be given an appropriate time period and environment in which to perform a
thorough review. This review must address the escrow protocol and chip
implementation as well as the algorithm itself.
- Sufficient information must be provided on the proposed key escrow scheme to
allow it to be fully understood by the general public. It does not appear to
be clearly defined at this time and, since it is an integral part of the
security of the system, it appears to require further development and
consideration of alternatives to the key escrow scheme (e.g., three "escrow"
entities, one of which is a non-government agency, and a software based
solution).
- The economic implications for the Clipper/Capstone proposal have not been
examined. These costs go beyond the vendor cost of the chip and include such
factors as customer installation, maintenance, administration, chip
replacement, integration and interfacing, government escrow systems costs,
etc.
- Legal issues raised by the proposal must be reviewed.
- Congress, as well as the Administration, should play a role in the conduct
and approval of the results of the review.
[NIST Resolutions on Key Escow Issues and Clipper provided by
CPSR Washington office, 666 Pennsylvania Ave., SE Suite 303,
Washington, DC 20003 rotenberg@washofc.cpsr.org]
David Kahaner (US ONR Asia) recently reported on the predictive fuzzy control
system used in the Sendai, Japan subway. This system, designed in 1982 by
Seiji Yasunobu, has been in commercial operation since 1987, and now operates
in a 15-km subway containing 17 stations, serving nearly 1 million persons
daily. It was implemented entirely by replacing traditional
Proportional-Integral-Derivative (PID) control software in each train's
onboard minicomputer. It reportedly outperforms even skilled human operators
in both smoothness and accuracy of stopping, and consumes 10% less energy than
expected with PID control. No accidents have been reported since it was
installed.
The system is being copied in several places, notably Tokyo. Kahaner writes:
The commitment of Sendai City to this new technology seems not
to be only in the trust of Japanese engineers, but also in
successful tests prior to the actual production of control
systems for commercial use. We were told that when the system
was put into operation it ran smoothly, to everyone's satisfaction,
and has required neither modification nor improvements.
On the down side, the system was designed in an ad-hoc manner. Even
though it is relatively simple, it needed extensive testing before use,
and the overall system relies on human backup. To produce desirable
properties like robustness, safety, and stability in more ambitious
fuzzy systems, much better design and verification methods are needed.
Kahaner's report can be FTPed from cs.arizona.edu in the file
japan/kahaner.reports/fuzzy5.93; it also appeared on 1993-06-04 in
comp.research.japan <1up4gi$b56@optima.cs.arizona.edu>.
A while back you may recall a message I posted about a local fast food place installing a robotic soft drink machine. The machine filled drink orders as they were entered into the cash register terminals. Now there's a device for handling french fries! I saw one at a fast food place my family stopped at on the way to North Carolina last week. The device consisted of the usual side-by-side set of hot oil fryers, with a vertically moving, overhead arm added. The arm moved along an overhead track between the fryers, a feed hopper and the serving area. The cycle consisted of picking a bin from a storage area, filling it at the feed hooper and dropping it into the fryer. When a bin finished frying, the arm picked up the bin, shook the bin, then dumped the frys into the serving area. There was no obvious sign that this system was hooked into the rest of the store's ordering system. I was pleased to see that there was some sort of big red shutoff button near the serving end of the system, however the machine is not enclosed in any way. The risks? When the drink robot fails to work some soft drink gets spilt, but what happens if there's a problem with a machine that is working around hot oil? Dwight D. McKay — mckay!dwight@ecn.purdue.edu
At my local supermarket (which has wonderful food and excellent service, by the way), I usually pay with a Visa card. Like most San Francisco supermarkets, they have a customer "terminal" with a magnetic card reader: you run your card through it and sign the receipt that the cash register prints out. Couldn't be simpler. Yesterday, the clerk asked me for the card so she could run it through the "old-style" card imprinter. Apparently, enough people have been re-writing the magnetic stripes on their cards (so the billing goes somewhere else) that the clerks now sight-verify the receipt, making sure that the number embossed on the plastic card matches the number read from the magnetic stripe. Sigh, isn't progress wonderful? Martin Minow minow@apple.com
The Business Focus section of the Boulder Daily Camera (6/8/93) describes the product of a local start-up company. I _think_ this is a new variation on smartcards. Each card contains an antenna that allows communication with a "paperback book sized" transceiver. The card contains a 256-bit FRAM (stable memory requiring no power supply) to take the place of the usual magnetic strip. One would buy the card for preset amounts like other smartcards. Using the card would only require flashing the card in the vicinity of the reader; the reader then sends a signal back to the card altering the information stored in the FRAM. Intended uses are high volume transactions where physical contact between the card and scanner is too time consuming. Suggested uses include road tolls (more privacy than the fixed transmitter on the car), mass transit, student cafeteria payments, dorm security, etc. Another suggestion was "per-use" charges for things like ski lifts (will be tested at a Japanese ski area next year) and amusement park rides which are now usually charged on a "per-day" pass basis. No mention in the article of how many bits are reserved for encryption keys or whether each card will have its own Clipper chip :-). Although the same section of the newspaper had a decent discussion of ATM risk issues, the article on this smartcard didn't mention any risks. The cost of an annual ski pass would surely motivate someone to build one's own radio device for resetting the FRAM. And would using a portable computer with a mouse cord on an airplane reset my FRAM? :-) gary mcclelland, univ of colorado, mcclella@yertle.colorado.edu
You may be interested in a recent paper on the recommendations concerning the use of formal methods for safety-critical systems in current and emerging standards: "Formal Methods in Safety-Critical Standards" by J.P. Bowen. To appear in Proc. Software Engineering Standards Symposium (SESS'93), Brighton, UK, 1-3 September 1993. IEEE Computer Society Press, 1993. A copy in PostScript format is available via anonymous FTP under ftp.comlab.ox.ac.uk:/pub/Documents/techpapers/Jonathan.Bowen/sess93.ps (192.76.25.2) if you wish to retrieve a copy. Jonathan Bowen, Oxford University
CALL FOR PAPERS
The Internet Society Symposium on
Network and Distributed System Security
3-4 February 1994, Catamaran Hotel, San Diego, California
The symposium will bring together people who are building software and
hardware to provide network or distributed system security services.
The symposium is intended for those interested in practical aspects of
network and distributed system security, rather than in theory. Symposium
proceedings will be published by the Internet Society. Topics for the
symposium include, but are not limited to, the following:
* Design and implementation of services--access control, authentication,
availability, confidentiality, integrity, and non-repudiation
--including criteria for placing services at particular protocol layers.
* Design and implementation of security mechanisms and support
services--encipherment and key management systems, authorization
and audit systems, and intrusion detection systems.
* Requirements and architectures for distributed applications and
network functions--message handling, file transport, remote
file access, directories, time synchronization, interactive
sessions, remote data base management and access, routing, voice and
video multicast and conferencing, news groups, network management,
boot services, mobile computing, and remote I/O.
* Special issues and problems in security architecture, such as
— very large systems like the international Internet, and
— high-speed systems like the gigabit testbeds now being built.
* Interplay between security goals and other goals--efficiency,
reliability, interoperability, resource sharing, and low cost.
GENERAL CHAIR:
Dan Nessett, Lawrence Livermore National Laboratory
PROGRAM CHAIRS:
Russ Housley, Xerox Special Information Systems
Rob Shirey, The MITRE Corporation
PROGRAM COMMITTEE:
Dave Balenson, Trusted Information Systems
Tom Berson, Anagram Laboratories
Matt Bishop, Dartmouth College
Ed Cain, U.S. Defense Information Systems Agency
Jim Ellis, CERT Coordination Center
Steve Kent, Bolt, Beranek and Newman
John Linn, Geer Zolot Associates
Clifford Neuman, Information Sciences Institute
Michael Roe, Cambridge University
Rob Rosenthal, U.S. National Institute of Standards and Technology
Jeff Schiller, Massachusetts Institute of Technology
Ravi Sandhu, George Mason University
Peter Yee, U.S. National Aeronautics and Space Administration
SUBMISSIONS: The committee seeks both original technical papers and proposals
for panel discussions on technical and other topics of general interest.
Technical papers should be 10-20 pages in length. Panels should include three
or four speakers. A panel proposal must name the panel chair, include a
one-page topic introduction authored by the chair, and also include one-page
position summaries authored by each speaker Both the technical papers and the
panel papers will appear in the proceedings.
Submissions must be made by 16 August 1993. Submissions should be made
via electronic mail to
1994symposium@smiley.mitre.org.
Submissions may be in either of two formats: ASCII or PostScript. If the
committee is unable to read a PostScript submission, it will be returned and
ASCII requested. Therefore, PostScript submissions should arrive well before
16 August. If electronic submission is absolutely impossible, submissions
should be sent via postal mail to
Robert W. Shirey, Mail Stop Z202
The MITRE Corporation
McLean, Virginia 22102-3481 USA
All submissions must include both an Internet electronic mail address and a
postal address. Each submission will be acknowledged through the medium by
which it is received. If acknowledgment is not received within seven days,
please contact either Rob Shirey <Shirey@MITRE.org> or Russ Housley
<Housley.McLean_CSD@xerox.com>, or telephone Mana Weigand at MITRE in Mclean,
703-883-5397.
Authors and panelists will be notified of acceptance by 15 October 1993.
Instructions for preparing camera-ready copy for the proceedings will be
postal mailed at that time. The camera-ready copy must be received by 15
November 1993.
First Announcement, Workshop on Digital Systems Reliability and Nuclear Safety
September 13-14, 1993, Rockville Crowne Plaza Hotel, Rockville, Maryland
U.S. Nuclear Regulatory Commission
U.S. Department of Commerce
Technology Administration
National Institute of Standards and Technology
WORKSHOP CO-CHAIRS
Leo Beltracchi, U.S. Nuclear Regulatory Commission
Dolores Wallace, National Institute of Standards and Technology
SPONSORED BY:
The United States Nuclear Regulatory Commission
IN COOPERATION WITH:
The National Institute of Standards and Technology
As analog hard-wired process control systems and safety systems within nuclear
power plants wear out, they are being replaced with systems using digital
technology. There are many unique design and safety issues for digital
systems. The Nuclear Regulatory Commission is developing regulations and
guidelines to address these issues.
This workshop will provide state of the art information to the Nuclear
Regulatory Commission staff and to the nuclear industry. The purposes of this
workshop are to:
- provide feedback to the NRC from outside experts regarding potential
safety issues, proposed regulatory positions, and research associated with
the application of digital systems in nuclear power plants, and
- continue the in-depth exposure of the NRC staff to digital systems design
issues related to nuclear safety by discussions with experts in the state
of the art and practice of digital systems.
September 13, 1993
OPENING SESSION
8:30 Welcome
Commissioner E. Gail de Plenque
U.S. Nuclear Regulatory Commission
8:45 Welcome and Opening Statement
Mr. Eric Beckjord, Director, Office of Nuclear Regulatory Research
U.S. Nuclear Regulatory Commission
9:00 Welcome and ACRS Perspective
Dr. J. Ernest Wilkins, Advisory Committee on Reactor Safeguards
U.S. Nuclear Regulatory Commission
ISSUE PERSPECTIVE FOR NUCLEAR POWER PLANTS
9:15 Presentation on NRC Regulatory Positions and Guidelines
Mr. William Russell
Associate Director for Inspection and Technical Assessment
Office of Nuclear Reactors, U.S. Nuclear Regulatory Commission
9:45 Presentation on NRC Research Activities
Mr. Leo Beltracchi, Senior Project Manager
Office of Nuclear Regulatory Research, U.S. Nuclear Regulatory Comm.
10:15 Industry Perspective, Mr. Richard Blauw, Commonwealth Edison Company
10:45 Break
11:00 Experiences from Application of Digital Systems in a NPP
Mr. Paul Joannou, Ontario Hydro
TECHNICAL SESSION: DIGITAL SAFETY SYSTEMS FOR NUCLEAR POWER PLANTS
11:30 Hardware Aspects for Safety-Critical Systems
Mr. Al Sudduth, Duke Power Company
11:50 Software Aspects for Safety-Critical Systems
Dr. Susan Gerhart, University of Houston, Clear Lake
12:10 Human Aspects for Safety-Critical Systems
Dr. Lewis Haines, Nuclear Industry Independent Consultant
12:30 Discussion
1:00 Lunch
TECHNICAL SESSION: SOFTWARE ENGINEERING FOR HIGH INTEGRITY SYSTEMS
2:30 System and Software Hazard Analysis for Nuclear Applications
Dr. Nancy Leveson, ICS Department, University of California
2:55 Formal Methods for Requirements, Specifications
Dr. John McHugh, University of North Carolina
3:20 Software Test Cases Derived from Formal Requirements
Mr. Robert Poston, Interactive Development Environments
3:45 Break
4:00 Object Oriented Design for Safety-Critical Systems
Dr. Barbara Cuthill, National Institute of Standards and Technology
4:25 Questions and Discussions on Technical Session
September 14, 1993
TECHNICAL SESSION: METHODS FOR REDUCING RISKS IN SOFTWARE SYSTEMS
8:30 Automated Tools for Safety-Critical Software
Ms. Anne-Marie Lapassant, Commissariate a L'Energie Atomique
8:55 Risks of Safety-Critical Software
Dr. Winston Royce, TRW, Incorporated
9:20 Software Metrics for Safety-Critical Applications
Mr. Kyle Rone, IBM Houston, Texas
9:45 Software Reliability for Safety-Critical Applications
Mr. Jon Musa, AT&T Bell Laboratories
10:10 Break
10:25 Software Configuration Management for Safety-Critical Applications
Mr. Ron Berlack, Configuration Management International
10:50 How Much Software Verification and Validation is Adequate for
Nuclear Safety? Mr. Roger Fujii, Logicon, Incorporated
11:15 Software Verification and Validation for New Technology in Nuclear
Settings, Dr. Lance Miller, Science Applications International Corp.
11:40 Certification of Software for Reuse into Safety-Critical Applications
Ms. Charlotte Scheper, Research Triangle Institute
12:05 Questions and Discussions on Technical Session
1:00 Lunch
2:30 PANEL: Application of Workshop to NRC activities
Moderators: Mr. John Gallagher - Office of Nuclear Reactor Regulation
Mr. Leo Beltracchi - Office of Nuclear Regulatory Research
Panel Members
Dr. John McHugh, National Academy of Science
Dr. Joseph Naser, Electric Power Research Institute
Dr. Susan Gerhart, University of Houston, Clear Lake
Dr. Winston Rouce, TRW Incorporated
Mr. Frank McGarry, NASA Goddard Space Flight Center
Panel Issues:
- Are the proper issues being addressed?
- What other issues need to be addressed?
- Are proposed NRC regulatory positions complete and correct?
- What are the considerations for further research?
4:30 NRC Closing Remarks
LOCATION
The Workshop will be held at the Holiday Inn Crowne Plaza, Rockville, Md.
Three airports are easily accessible to the Rockville area: Washington
National Airport, Baltimore-Washington International Airport, and Dulles
International Airport.
REGISTRATION
Registration will begin at 8:00 a.m. The Workshop will run from approximately
8:30 a.m. to 5:00 p.m. each day. The registration fee of $75 covers workshop
materials and proceedings that will be mailed to participants after the
workshop. A registration form is enclosed and may be duplicated; a separate
form must be forwarded for each attendee. For pre-registration, the
registration form must be mailed to the NIST Office of the Comptroller or
faxed to Lori Phillips by September 1, 1993. All requests for cancellations
and refunds must be submitted to Lori Phillips (see address and fax number at
the end of the General Information section of this brochure) in writing prior
to September 1, 1993. For answers to your registration questions contact:
- Lori Phillips, NIST, Telephone: 301/975-4513, Fax: 301/948-2067
ACCOMMODATIONS
Workshop registration does not include your hotel reservation. A
block of rooms has been reserved at:
- The Holiday Inn Crowne Plaza
1750 Rockville Pike
Rockville, Md. 20852 USA
Telephone: 301/468-1100
$98 single or $108 double. Please add 12% tax to this rate. To
register for a room, please use the enclosed hotel reservation form
and send it directly to the hotel no later than
August 27, 1993. After that date the rooms will be released for
general sale at the prevailing rates of the hotel.
TRANSPORTATION
BWI Limo, 301/441-2345, offers commercial van service from
Baltimore-Washington Airport to the Rockville area. Call for reservations.
Montgomery Airport Shuttle, 301/990-7005, is available from Dulles
International and Washington National Airports to Rockville.
>From Washington National Airport
The Washington Metro has subway service to Rockville from National
Airport. Take a Yellow Line train marked ~Gallery Place~ to Metro
Center and transfer to a Red Line train marked ~Shady Grove~ to
~Twinbrook~. Service is every 6 to 15 minutes depending on the time
of day. The time from National to the Rockville, Twinbrook Metro
stop is about 50 minutes. The hotel is adjacent to the Twinbrook
Metro stop, toward Rockville Pike.
>From Dulles International Airport
Take Dulles Access Road to the Washington Beltway I495. Go toward
Maryland (signs may say Bethesda/Rockville). Take the I270 spur off
of I495. Go about 3-4 miles into Maryland. Take the Montrose Road
Exit off of I270 (2nd exit on cloverleaf). Go about one mile and
turn left on to Rockville Pike (Rt. 355). The Crowne Plaza will be
one-half mile on the right.
COFFEE BREAKS AND LUNCHES
Refreshments will be provided at the morning, mid-morning and afternoon
breaks. Attendees are on their own for lunch.
TECHNICAL CONTACTS
- Leo Beltracchi, NRC
Telephone: 301/492-3549
Email: lxb@nrc.gov
- Dolores Wallace, NIST
Telephone: 301/975-3340
Email: wallace@swe.ncsl.nist.gov
[FOR WORKSHOP AND HOTEL RESERVATION FORMS, CONTACT Lori Philips or request
on-line forms from John Camp <jcamp@swe.ncsl.nist.gov>. TOO LONG TO INCLUDE
IN RISKS.]
Starting Thursday 10 June, the AMAST'93 Advance Programme and Registration
Information are available by anonymous ftp (with any password) on the machine
ftp.cs.utwente.nl
in plain text form as well as LaTeX sources.
You can get these files from directory pub/doc/amast93, which has
the following contents:
AdvaProg.asc : AMAST'93 Advance Programme (plain text)
RegInfo.asc : AMAST'93 Registration Information (plain text)
AdvaProg.tex : AMAST'93 Advance Programme (LaTeX source)
RegInfo.tex : AMAST'93 Registration Information (LaTeX source)
Requests of further information should be sent to the Conference Secretariat:
Mrs. Joke Lammerink, Mrs. Charlotte Bijron, Mrs. Alice Hoogvliet-Haverkate
University of Twente, Fac. Informatica
P.O. Box 217, NL-7500AE Enschede
phone: + 31 53 893680, fax: + 31 53 315283
e-mail: {lammerin | bijron | hoogvlie}@cs.utwente.nl
Please report problems with the web pages to the maintainer