Forum on Risks to the Public in Computers and Related Systems
ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator
Volume 15: Issue 43
Saturday 30 January 1994
Contents
Where has your Floating Point floated to?- Dave Wortman
Canadian TeleSat Anik E-2 Down- Colin Perkel
Luis Fernandes
Re: Lightning on the Ethernet- Jon Peatfield
Re: Spontaneous recovery from "NOMAIL" setting- Al Stangenberger
Ron Ragsdale
Peter M. Weiss
Re: Verify your backups- Rob Horn
Dick Hamlet
Crypto policy report available online- Lance J. Hoffman
1994 IEEE Symposium on Research in Security and Privacy- Catherine A. Meadows
Info on RISKS (comp.risks)
Where has your Floating Point floated to?
Dave Wortman <dw@pdp1.sys.toronto.edu>
Thu, 27 Jan 1994 12:27:02 -0500
For those of you who think floating point computation is easy, I recommend as
an antidote:
Jean-Francois Colonna, The Subjectivity of Computers
Communications of the ACM, v.36,n.8, August 1993
where he demonstrates the five **algebraically equivalent** formulae for
computing x[n] = (R+1)x[n-1] - Rx[n-1]**2 produce wildly different
results even for fairly innocuous values of R and x[0].
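Added example, not part of the original post or of Colonna's paper: the recurrence above evaluated in double precision through five algebraically equivalent forms, with a 200-digit decimal run as a yardstick. The values R = 3 and x[0] = 0.5 and the particular five rearrangements are assumptions chosen for this illustration.

```python
from decimal import Decimal, localcontext

R, X0 = 3.0, 0.5   # assumed sample values; the post does not give any

# Five algebraically equivalent ways to write (R+1)x - R x^2
# (chosen for this example; not necessarily the five in the paper).
FORMS = {
    "(R+1)*x - R*(x*x)": lambda r, x: (r + 1) * x - r * (x * x),
    "(R+1)*x - (R*x)*x": lambda r, x: (r + 1) * x - (r * x) * x,
    "((R+1) - R*x)*x":   lambda r, x: ((r + 1) - r * x) * x,
    "R*x + (1 - R*x)*x": lambda r, x: r * x + (1 - r * x) * x,
    "x + R*(x - x*x)":   lambda r, x: x + r * (x - x * x),
}

def iterate(step, n, r=R, x=X0):
    """Apply one form of the recurrence n times in IEEE-754 double precision."""
    for _ in range(n):
        x = step(r, x)
    return x

def results_at(n):
    """x[n] as computed by each form."""
    return {name: iterate(step, n) for name, step in FORMS.items()}

def first_disagreement(limit=200):
    """First n at which the forms no longer return bit-identical doubles."""
    xs = dict.fromkeys(FORMS, X0)
    for n in range(1, limit + 1):
        xs = {name: FORMS[name](R, x) for name, x in xs.items()}
        if len(set(xs.values())) > 1:
            return n
    return None

def reference(n, digits=200):
    """Same recurrence carried with 200 significant decimal digits.

    The rounding error roughly doubles per step, so this stays a usable
    yardstick for a few hundred iterations only.
    """
    with localcontext() as ctx:
        ctx.prec = digits
        r, x = Decimal(R), Decimal(X0)
        for _ in range(n):
            x = (r + 1) * x - r * x * x
        return float(x)

if __name__ == "__main__":
    print("forms first disagree at n =", first_disagreement())
    for n in (5, 40, 60, 100):
        print(f"n={n:3d}  reference={reference(n):.12f}")
        for name, value in results_at(n).items():
            print(f"       {name:20s} {value:.12f}")
```

The first five iterates are exact binary fractions, so every form agrees on them; once x*x no longer fits in 53 bits each form rounds differently and the chaotic map amplifies the difference at every step.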
Canadian TeleSat Anik E-2 Down (A.Wexelblat, RISKS-15.41)
Colin Perkel <colin.perkel@guildnet.org>
Sat, 29 Jan 1994 18:17:30 -0500
The trouble began with Telesat's Anik E-1 going down. This caused major problems for the Canadian Press news agency and its affiliate Broadcast News, as well as several other organizations. One casualty was telephone service to the North. After eight hours, Anik E-1 was brought back on line but within minutes, Anik E-2, the country's main broadcast satellite, also went on the fritz. This knocked out TV transmission of several specialty channels, including CBC Newsworld (24 hour news service), to all areas where there are no fibre optics. These channels were switched to other satellites and most services were restored in a couple of days. Anik E-2 cost about $350 million to send up, and is not insured. Montreal-based Telesat says it is working on a possible rescue plan that could take months. For the time being, the satellite is expensive space junk. The coincidence of the two failures sparked all kinds of speculation: that either someone at Telesat screwed up big time, or a disgruntled grunt (perhaps from sweeping layoffs recently) sabotaged the bird. There was also a suggestion Telesat engineers damaged E-2 while trying to get E-1 back in business. These scenarios have all been denied. The official line is that an unusually strong magnetic storm did the damage (although other satellites nearby were not affected).
Re: Canada loses satellite-- more info (A.Wexelblat, RISKS-15.41)
luis fernandes <elf@ee.ryerson.ca>
Fri, 28 Jan 94 16:58:36 EST
The Toronto Star, January 27, 1994, p.D2. OTTAWA (Special [Southam News]) -- Canada's main broadcast satellite may resume operating within three months, the president of Telesat Canada says. ``It is my firm belief we will restore service'', Larry Boisvert told reporters Tuesday at the company's suburban Ottawa headquarters. Technicians are trying to use the satellite's 10 thrusters, normally used only to control major variations in position, to restore the fine aim needed to offer full service. As of yesterday morning, Telesat had restored all service lost last week except for channels used by two broadcast channels and eight channels used by Telesat's telephone company owners. The company is also unable to offer television news services live feeds for mobile crews. The current troubles mean the company will again lose money in 1994, Boisvert said. Meanwhile, Telesat technicians say there is no way to repair the damage inflicted last Thursday on the $286 million satellite's stabilization system by a space energy storm. The technicians are, however, trying to devise a novel method of keeping the Anik E-2's antennae pointed at earth, working with the device's U.S.-based subcontractor. The damaged satellite is not insured. [Further reports were also noted by John Oram <oramy92@halcyon.com>, Jonathan_Welch <JHWELCH@ecs.umass.edu>, herdman@gov.on.ca (Andrew P. Herdman), and erling@wm.estec.esa.nl (Erling Kristiansen). Sorry I could not run them all... PGN]
Re: Lightning on the Ethernet (Eddy, RISKS-15.41)
Jon Peatfield <J.S.Peatfield@amtp.cam.ac.uk>
Sat, 29 Jan 94 03:56 GMT
This isn't the story as it usually is told. ;-) True the two maths departments (applied maths and theoretical physics (DAMTP) and pure maths and mathematical statistics (DPMMS)) are next door to each other, and that DAMTP was involved in this, but DPMMS wasn't (to the best of my knowledge.) Nice rumour though, blame the pure maths dept. When I joined DAMTP in September '91 it was the week following the largest thunderstorm in several years. Sure enough many machines had got fried by the storm. Mainly it was serial lines which had died, though a few other bits and pieces had also been zapped. We did however see a large number of giant packet storms on one of our first floor segments afterwards. A number of people were involved in the tracking down of the fault, as it didn't seem to be any of the machines on the network. After a while the link going outside and over into manufacturing Engineering (Eng-Div E), was found and it turned out that the fault was a PC at the far end of this wire which had lost all sense and was filling the net with garbage. The network was terminated before the window in DAMTP and we were happy. Later checks showed that this had been installed temporarily (several years before) as building work was expected to disrupt the area where fibre links were laid but had never actually happened. We had the now much shorter segment on the first floor TDR'd and found it was over a 100M over max length. How long it was when it ran half way round Eng-Div E is unknown. Much later when searching for a fault on the ground floor we found another cable going out of a window, and cut it back/terminated it. No one complained so we don't know where it had gone in the past. Before anyone points out just how bad our network is, let me say "WE KNOW". The ethernet in this building was installed by someone who didn't know what they were doing. They worked for the UCS and we can't get funds to replace it. We had no records of where cables go, nor their lengths.
As time passes we are replacing/rewiring sections piecemeal. As I stare at the 2 30M coils of coax on the wall behind my desk which stop my feet getting tangled in the ethernet I wonder how many other networks like this one there are. All links between DAMTP and DPMMS are done with fibre, and always have been. DAMTP and DPMMS are MAC level connected so there is/was no need for other links. Indeed at the time of the incident DAMTP and DPMMS shared at least 2 machines (though no longer.) It isn't clear that unix-support had anything to do with this, other than they got told the story like everyone else who visits us. The risks are obvious, never believe anything that unix-support tells you! Jon Peatfield, Computer Officer, the DAMTP, University of Cambridge Telephone: (+44 223) 3-37852 Mail: J.S.Peatfield@amtp.cam.ac.uk
Re: Spontaneous recovery from "NOMAIL" setting
"Al Stangenberger" <forags@nature.berkeley.edu>
Fri, 21 Jan 94 16:46:18 PST
Something like this happened recently on ECOLOG-L (sci.bio.ecology on Internet). I forget the specifics, but basically a mailed-in submission somehow triggered a flood of duplicate messages being sent out. In order to stop the replication the list owner set everybody's status to NOMAIL but there was no record of which users were already in NOMAIL status thus there was no way to reverse the process once the error was fixed except by setting everybody back to MAIL status. I don't know if this was the listserver in question, but am cc-ing to the list owner who might be able to explain it more fully. Al Stangenberger, Dept. of Env. Sci., Policy, & Mgt., 145 Mulford Hall - Univ. of Calif., Berkeley, CA 94720 (510) 642-4424 forags@nature.berkeley.edu
Spontaneous recovery from "NOMAIL" setting?
Ron Ragsdale <R_RAGSDALE@oise.on.ca>
Fri, 21 Jan 1994 15:13:39 -0500 (EST)
Setting "NOMAIL" to leave a LISTSERV keeps open the option of an easy return, but it may also lead to an unexpectedly full emailbox. Early in January, I began receiving regular messages from a LIST that I had set to NOMAIL in 1991; the LIST owner told me I was set to NOMAIL, but messages only stopped when I sent an UNSUBSCRIBE message. Earlier this week (JAN. 16), I received my first update from RISKS in several years, under the same conditions, with my membership set to NOMAIL. Today, I received 80 messages from a LIST I had left (through NOMAIL) about four years ago and quickly sent an UNSUBSCRIBE message (which was acknowledged). A student of mine has been doing research on a number of lists and a substantial fraction of the respondents tell about similar phenomena. Is the NOMAIL setting really a time bomb that may flood your mail directory unexpectedly? (I was fortunate in TELNETing from Berkeley today just as the avalanche had begun.) If you have an explanation of this process, I would appreciate hearing it. Ron Ragsdale, Professor Emeritus, Ontario Institute for Studies in Education 252 Bloor Street West, Toronto, Ontario, Canada M5S 1V6 (416) 923-6641 X2252
Spontaneous recovery from "NOMAIL" setting?
"Peter M. Weiss" <PMW1@PSUVM.PSU.EDU>
Sun, 23 Jan 1994 09:08:22 -0500 (EST)
List Management is more art than science ... I know, I'm a list-owner of multiple lists at multiple host locations. As good as the Revised LISTSERV software is, the list owners, users, and sysadmins can and do make mistakes (like the time I accidentally added another college president to a list that I maintained when I mistyped the userid). One of the features of R-LISTSERV is for the owner to make changes to recipients' options, using various wild-card techniques ... without asking for confirmation, or for what the options were before they were set. Also, a user can be subscribed under multiple userids, yet only receive a single distribution. Why? so that (s)he can post to a private distribution list from multiple sending addresses. Peter M. Weiss, 31 Shields Bldg. -- Penn State Univ -- University Park, PA 16802-1202 +1 814 863 1843 pmw1@psuvm.psu.edu co-owner LDBASE-L, TQM-L, ...
Re: Verify your backups
rob horn <horn%temerity@leia.polaroid.com>
21 Jan 1994 17:42:49 -0500 (EST)
We have a practice that once per week we select one file at random and request that it be restored from backup from the previous week. It is amazing what you learn by doing this. The range of things that fail, problems that arise from odd causes, automatic systems that mysteriously stop working, is incredible. Even when all concerned know that this is the regular practice, things go wrong. So everyone who is willing to put in the time and effort to make backups should also perform at least this rudimentary QC check. Don't ever stop. Rob Horn horn@temerity.polaroid.com
Bad backups (historical note)
Dick Hamlet <hamlet@cs.pdx.edu>
Tue, 25 Jan 94 10:45:30 PST
The note from managers of wuarchive.wustl.edu about loss of archive files because backups were not usable reminds me of an experience with early DEC timesharing systems (c. 1968, 4-series PDP-10 operating system). (Incidentally, why do I so often get the feeling that problems solved in the 1960s will reappear forever, and that each succeeding group of systems programmers has less time/talent/interest for attacking them?) I was system programming director at Computer Center Corp. (C^3), a Seattle service bureau. We used 1/2" mag tape for backup of disk files. Only after we lost the entire disk did we discover that our sole mag tape unit (the cheapest we could buy, of course!) could not read all that it wrote, and that the dump/restore software ignored all tape errors! (This was the same system in which the FORTRAN library disk i-o routine did retry for read failure, but did it on the NEXT disk block instead of the one that had failed. It was remarkably successful-- there were NO permanent failures ever logged!) Our fix for the backup program was to write checksums on tape. That way, we could check the tapes off line, and not slow the dump by doing a real file compare after the tape was written. How many dump systems today read back what has been written for backup (much less check it or do a file compare!) unless there is a restore request?
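Added example, not code from either poster: a sketch of the two checks described in the backup posts above, a weekly restore of one randomly chosen file and checksums written with the dump so the medium can be verified off line. The manifest name, the in-memory tar image standing in for a tape, and the sample files are all assumptions constructed for the illustration.

```python
import hashlib, io, json, random, tarfile

MANIFEST = "MANIFEST.sha256.json"   # hypothetical name for the checksum record

# Constructed sample data standing in for the disk being backed up.
SAMPLE_FILES = {
    "home/alice/notes.txt": b"quarterly figures: 1200, 1350, 990\n",
    "home/bob/todo.txt": b"order a second tape drive\n",
    "etc/hosts": b"127.0.0.1 localhost\n",
}

def sha256(data):
    return hashlib.sha256(data).hexdigest()

def write_backup(files):
    """Dump files to an uncompressed tar image with per-file checksums inside."""
    manifest = json.dumps({n: sha256(d) for n, d in files.items()}).encode()
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, data in [(MANIFEST, manifest), *files.items()]:
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()

def verify_offline(image):
    """Read back the whole image; return the names that fail their checksum."""
    try:
        with tarfile.open(fileobj=io.BytesIO(image), mode="r:") as tar:
            manifest = json.load(tar.extractfile(MANIFEST))
            bad = []
            for name, digest in manifest.items():
                try:
                    data = tar.extractfile(name).read()
                except (KeyError, OSError, tarfile.TarError):
                    bad.append(name)      # missing or unreadable: report it
                    continue
                if sha256(data) != digest:
                    bad.append(name)
            return bad
    except (KeyError, ValueError, OSError, tarfile.TarError):
        return ["<image or manifest unreadable>"]

def restore_drill(image, live_files, rng):
    """Restore one randomly chosen file and compare it with the live copy."""
    name = rng.choice(sorted(live_files))
    with tarfile.open(fileobj=io.BytesIO(image), mode="r:") as tar:
        restored = tar.extractfile(name).read()
    return name, restored == live_files[name]

def flip_byte(image, marker):
    """Simulate a media error: invert the first byte of `marker` in the image."""
    damaged = bytearray(image)
    damaged[image.index(marker)] ^= 0xFF
    return bytes(damaged)

if __name__ == "__main__":
    image = write_backup(SAMPLE_FILES)
    damaged = flip_byte(image, b"quarterly")
    print("clean image:  ", verify_offline(image))
    print("damaged image:", verify_offline(damaged))
    print("random drill: ", restore_drill(damaged, SAMPLE_FILES, random.Random()))
```

The tar reader returns the damaged file without complaint because tar checksums cover headers only; the stored digests are what expose the flipped byte, and a single random drill finds it only when it happens to pick that file.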
crypto policy report available online
"Lance J. Hoffman" <hoffman@seas.gwu.edu>
Sat, 29 Jan 1994 09:04:55 -0500 (EST)
The following report is available by anonymous ftp from ftp.gwu.edu under
directory /pub/hoffman. The document is stored under the name "cryptpol".
It is a NIST-sponsored study.
The table of contents and abstract follows here.
CRYPTOGRAPHY: POLICY AND TECHNOLOGY TRENDS
Lance J. Hoffman, Faraz A. Ali, Steven L. Heckler, Ann Huybrechts
December 1, 1993
CONTENTS
EXECUTIVE SUMMARY
1. INTRODUCTION
2. TECHNOLOGY
3. MARKET ANALYSIS
4. EXPORT CONTROLS
5. PUBLIC POLICY ISSUES
5.1 EXECUTIVE BRANCH
5.2 CONGRESS
5.3 TRENDS
6. POTENTIAL SCENARIOS
EXECUTIVE SUMMARY
During the past five years, encryption technology has become easily available
to both individuals and businesses, affording them a level of security
formerly available practically to only military, national security, and law
enforcement agencies. As a result, a debate within the United States about
the proper balance between national security and personal freedom has been
initiated. Law enforcement and national security agencies would like to
maintain tight control over civilian encryption technologies, while industry
and individual and privacy rights advocates fight to expand their ability to
distribute and use cryptographic products as they please.
This report analyzes trends in encryption technology, markets, export
controls, and legislation. It identifies five trends which will have a
strong influence on cryptography policy in the United States:
* The continued expansion of the Internet and the progressive
miniaturization of cryptographic hardware combined with the increasing
availability and use of strong cryptographic software means that the
strongest encryption technologies will continue to become more easily
obtainable everywhere in the years ahead.
* Additional growth in networked and wireless communication will fuel a
strong demand for encryption hardware and software both domestically and
abroad, causing the U. S. high-technology industry to be increasingly
interested in selling encryption products overseas and in modifying
current export restrictions.
* Due to the responsibilities and bureaucratic dispositions of key
Executive Branch agencies, products using strong encryption algorithms
such as DES will continue to face at least some export restrictions,
despite the widespread availability of strong encryption products
overseas.
* The American public is likely to become increasingly concerned about
its privacy and about cryptographic policy as a result of the increased
amount of personal information available online and the growing number
of wireless and networked communications. The development and
increasingly widespread use of the National Information Infrastructure
will heighten these concerns.
* Encryption policy is becoming an important public policy issue that
will engage the attention of all branches of government. Congress will
become increasingly visible in this debate due to its power of agency
oversight and its role in passing laws accommodating the United States'
rapid rate of technological change. Agencies will remain very important
since they have the implementing and, often, the planning
responsibilities. Since individuals and industry have more direct
influence over Congress than over most other branches of government,
Congress may place somewhat more emphasis on personal freedom than many
other government actors.
Four potential scenarios are likely: mandatory escrowed encryption, voluntary
escrowed encryption, complete decontrol of encryption, or domestic decontrol
with strict export regulations.
Professor Lance J. Hoffman, Dept of EECS, The George Washington University
(202) 994-4955 Washington, D.C. 20052 hoffman@seas.gwu.edu Fax (202) 994-0227
1994 IEEE Symp on Research in Security and Privacy: PROGRAM
Catherine A. Meadows <meadows@itd.nrl.navy.mil>
Fri, 28 Jan 94 18:15:03 EST
1994 IEEE SYMPOSIUM ON RESEARCH IN SECURITY AND PRIVACY
May 16-18, 1994, Claremont Resort, Oakland, California
Sponsored by the IEEE Technical Committee on Security and Privacy
In cooperation with the International Association of Cryptologic Research
Symposium Committee
Cristi Garvey, General Chair
Carl E. Landwehr, Vice Chair
John Rushby, Program Co-Chair
Catherine Meadows, Program Co-Chair
PRELIMINARY PROGRAM
MONDAY, MAY 16
9:15--9:30 Welcoming Remarks: Cristi Garvey and John Rushby
9:30--10:30 FORMAL MODELING OF CRYPTO PROTOCOLS
A Model for Secure Protocols and Their Compositions
Nevin Heintze and J.D. Tygar (CMU)
On Unifying Some Cryptographic Protocol Logics
Paul Syverson (NRL) and Paul C. van Oorschot (BNR)
11:00--12:30 INFORMATION FLOW
Eliminating Formal Flows in Automated Information Flow Analysis
Steven T. Eckmann (Unisys)
Mode Security: An Infrastructure for Covert Channel Suppression
Randy Browne (Independent Consultant)
Simple Timing Channels
Ira S. Moskowitz (NRL) and Allen R. Miller (GWU)
2:00--3:30 PANEL: Firewalls
4:00--5:00 COMPOSITION OF SECURE SYSTEMS
Asynchronous Composition and Required Security Conditions
N. Boulahia-Cuppens and F. Cuppens (ONERA-CERT)
A General Theory of Composition for Trace Sets Closed under Selective
Interleaving Functions, John McLean (NRL)
8:00: EVENING SESSIONS
TUESDAY, MAY 17
9:30--10:30 DATABASE I
Ensuring Data Security in Interrelated Tabular Data
Ram Kumar (U. North Carolina)
Collecting Garbage in Multilevel Secure Object Stores
Elisa Bertino (U. Milano), Luigi Mancini (U Genova), Sushil Jajodia (GMU)
11:00--12:30 CRYPTO ENGINEERING
Prudent Engineering Practice for Cryptographic Protocols
Martin Abadi (DEC-SRC) and Roger Needham (Cambridge)
Generating Formal Cryptographic Protocol Specifications
Ulf Carlsen (ENST de Bretagne)
A Low Cost, High Speed Encryption System and Method
Gregory Mayhew (Hughes Aircraft)
2:00--3:30 PANEL: What Security Needs To Learn From Other Fields
4:00--5:00 DATABASE II
Channel-Free Integrity Constraints in Multilevel Relational Databases
Xiaolei Qian (SRI-CSL)
Elimination of Inference Channels by Optimal Upgrading
Mark E. Stickel (SRI-AIC)
5:00: TC MEETING
8:00: EVENING SESSIONS
WEDNESDAY, MAY 18
9:30--10:30 DISTRIBUTED SYSTEMS
A Secure Group Membership Protocol, Michael K. Reiter (AT&T Bell Labs)
The Complexity and Composability of Secure Interoperation
Li Gong and Xiaolei Qian (SRI-CSL)
11:00--12:30 ACCESS CONTROL
Self-Nonself Discrimination in a Computer
Stephanie Forrest, Allan Perelson, Lawrence Allen,
Rajesh Cherukuri (U New Mexico, Albuquerque)
Authentication and Revocation in SPM, Vijay Varadharajan (HP-Bristol)
On the Minimality of Testing for Rights in Transformation Models
Ravi S. Sandhu and Srinivas Ganta (GMU)
12:30: SYMPOSIUM ADJOURNS
1994 IEEE Symposium on Research in Security and Privacy
REGISTRATION FORM
Dates strictly enforced by postmark.
Name:_______________________________________________
Affiliation:_______________________________________________
Postal Address:_______________________________________________
_______________________________________________
_______________________________________________
Phone:________________________________________________
Fax:________________________________________________
E-mail:________________________________________________
Please enter the appropriate registration fee below:
Advance Member (to 4/4/94)...$260 |
|--IEEE Member # (REQUIRED)_____________
Late Member (4/5/94-4/22/94).$310 |
Advance Non-Member............$320
Late Non-Member...............$390
Advance Student...............$ 50
Late Student..................$ 50 Total amount due:_____________________
Do you wish to present at a poster session or lead an evening discussion?
[ ]Yes [ ]No
Do you have any special requirements?_______________________________________
Please indicate your method of payment by checking the appropriate box:
___
|___| Check in U.S. funds drawn on a U.S. bank (PLEASE ENCLOSE WITH THIS FORM)
Credit card authorization:
(Charges will appear on your statement as made by IEEE COMPUTER SOCIETY)
Visa MasterCard American Express Diners Club
___ ___ ___ ___
|___| |___| |___| |___|
Credit Card Number:
____________________________________________________________________________
Card Holder Name:______________________________Expiration Date:_____________
Signature:__________________________________________________________________
Mail registration to:
Code 5540A
Naval Research Laboratory
Washington, DC 20375-5337
(202)404-8888
Or fax this form (CREDIT CARD REGISTRATIONS ONLY) to: (202)404-7942
>>>SORRY, NO REGISTRATIONS BY EMAIL<<<
Evening Sessions
Hotel Reservations - The Claremont Resort
=========================================
The Claremont Resort in Oakland, California is 20 minutes from San Francisco and just over an hour from Napa Valley. It is situated in the Oakland-Berkeley hills overlooking the San Francisco Bay on 22 acres of beautifully landscaped lawns and gardens. Facilities include the Claremont Pool and Tennis Club and The Spa at the Claremont. Oakland Airport is 14 miles from the hotel, or attendees may choose to fly into San Francisco and rent a car. Bay Area Shuttle (415/873-7771) provides service from the San Francisco Airport or the Oakland Airport to the Claremont Resort. The charge is $10 per person one way. Parking is available at the hotel at a cost of $8 per day for guests and $1.50 per hour up to a maximum of $9 for non-guests. Hotel reservations must be made under the group name IEEE Symposium on Research in Security and Privacy. The group rate is $96 single, $108 double occupancy, plus 11% tax. The cut-off date for reservations is Saturday, April 16, 1994. Reservations made after this date will be accepted on a space available basis. Reservations must be accompanied by an advance deposit or credit card guarantee. You may cancel your individual reservations up to 72 hours prior to arrival, after which your deposit becomes non-refundable. Please be advised the check-in time is after 3:00 pm; check-out is 12 noon. For reservations and information, contact: The Claremont Resort, Ashby and Domingo Avenues, Oakland, CA 94623-0363. Phone: 510/843-3000; Fax: 510/843-6239.
