The Risks Digest

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Volume 15 Issue 43

Saturday 30 January 1994


o Where has your Floating Point floated to?
Dave Wortman
o Canadian TeleSat Anik E-2 Down
Colin Perkel
Luis Fernandes
o Re: Lightning on the Ethernet
Jon Peatfield
o Re: Spontaneous recovery from "NOMAIL" setting
Al Stangenberger
Ron Ragsdale
Peter M. Weiss
o Re: Verify your backups
Rob Horn
Dick Hamlet
o Crypto policy report available online
Lance J. Hoffman
o 1994 IEEE Symposium on Research in Security and Privacy
Catherine A. Meadows
o Info on RISKS (comp.risks)

Where has your Floating Point floated to?

Dave Wortman <>
Thu, 27 Jan 1994 12:27:02 -0500
For those of you who think floating point computation is easy, I recommend as
an antidote:

    Jean-Francois Colonna, The Subjectivity of Computers
    Communications of the ACM, v.36,n.8, August 1993

where he demonstrates the five **algebraically equivalent** formulae for
computing x[n] = (R+1)x[n-1] - Rx[n-1]**2 produce wildly different
results even for fairly innocuous values of R and x[0].

Canadian TeleSat Anik E-2 Down (A.Wexelblat, RISKS-15.41)

Colin Perkel <>
Sat, 29 Jan 1994 18:17:30 -0500
   The trouble began with Telesat's Anik E-1 going down. This caused major
problems for the Canadian Press news agency and its affiliate Broadcast News,
as well as several other organizations. One casualty was telephone service to
the North.
   After eight hours, Anik E-1 was brought back on line but within minutes,
Anik E-2, the country's main broadcast satellite, also went on the fritz.
   This knocked out TV transmission of several specialty channels, including
CBC Newsworld (24 hour news service), to all areas where there are no fibre
optics.  These channels were switched to other satellites and most services
were restored in a couple of days.
   Anik E-2 cost about $350 million to send up, and is not insured.
Montreal-based Telesat says it is working on a possible rescue plan that could
take months. For the time being, the satellite is expensive space junk.
   The coincidence of the two failures sparked all kinds of speculation:
that either someone at Telesat screwed up big time, or a disgruntled grunt
(perhaps from sweeping layoffs recently) sabotaged the bird. There was also
a suggestion Telesat engineers damaged E-2 while trying to get E-1 back in
business. These scenarios have all been denied. The official line is that an
unusually strong magnetic storm did the damage (although other satellites
nearby were not affected).

Re: Canada loses satellite-- more info (A.Wexelblat, RISKS-15.41)

luis fernandes <>
Fri, 28 Jan 94 16:58:36 EST
The Toronto Star, January 27, 1994, p.D2.

OTTAWA (Special [Southam News]) -- Canada's main broadcast satellite may
resume operating within three months, the president of Telesat Canada says.
``It is my firm belief we will restore service", Larry Boisvert told reporters
Tuesday at the company's suburban Ottawa headquarters.  Technicians are trying
to use the satellite's 10 thrusters, normally used only to control major
variations in position, to restore the fine aim needed to offer full service.

As of yesterday morning, Telesat had restored all service lost last week
except for channels used by two broadcast channels and eight channels usd by
Telesat's telephone company owners.  The company is also unable to offer
television news services live feeds for mobile crews.  The current troubles
mean the company will again lose money in 1994, Boisvert said.

Meanwhile, Telesat technicians say there is no way to repair the damage
inflicted last Thursday on the $286 million satellite's stabilization system
by a space energy storm.  The technicians are, however, trying to devise a
novel method of keeping the Anik E-2's antennae pointed at earth, working with
the device's U.S.-based subcontractor.

The damaged satellite is not insured.

  [Further reports were also noted by
  John Oram <>
  Jonathan_Welch <>, (Andrew P. Herdman), and (Erling Kristiansen).
  Sorry I could not run them all...  PGN]

Re: Lightning on the Ethernet (Eddy, RISKS-15.41)

Jon Peatfield <>
Sat, 29 Jan 94 03:56 GMT
This isn't the story as it usually is told.  ;-)

True the two maths departments (applied maths and theoretical physics (DAMTP)
and pure maths and mathematical statistics (DPMMS)) are next door to each
other, and that DAMTP was involved in this, but DPMMS wasn't (to the best of
my knowledge.)  Nice rumour though, blame the pure maths dept.

When I joined DAMTP in September '91 it was the week following the largest
thunderstorm in several years.  Sure enough many machines had got fried by
the storm.  Mainly it was serial lines which had died, though a few other
bits and pieces had also been zapped.

We did however see a large number of giant packet storms on one of our first
floor segments afterwards.  A number of people were involved in the tracking
down of the fault, as it didn't seem to be any of the machines on the
network.  After a while the link going outside and over into manufacturing
Engineering (Eng-Div E), was found and it turned out that the fault was a PC
at the far end of this wire which had lost all sense and was filling the net
with garbage.  The network was terminated before the window in DAMTP and we
were happy.

Later checks showed that this had been installed temporarily (several years
before) as building work was expected to disrupt the area where fibre links
were laid but had never actually happened.

We had the now much shorter segment on the first floor TDR'd and found it
was over a 100M over max length.  How long it was when it ran half way round
Eng-Div E is unknown.

Much later when searching for a fault on the ground floor we found another
cable going out of a window, and cut it back/terminated it.  Noone
complained so we don't know where it had gone in the past.

Before anyone points out just how bad our network is, let me say "WE KNOW" The
ethernet in this building was installed by someone who didn't know what they
were doing.  They worked for the UCS and we can't get funds to replace it.  We
had no records of where cables go, nor their lengths.  As time passes we are
replacing/rewiring sections piecemeal.  As I stare at the 2 30M coils of coax
on the wall behind my desk which stop my feet getting tangled in the ethernet
I wonder how many other networks like this one there are.

All links between DAMTP and DPMMS are done with fibre, and always have been.
DAMTP and DPMMS are MAC level connected so there is/was no need for other
links.  Indeed at the time of the incident DAMTP and DPMMS shared at least 2
machines (though no longer.)

It isn't clear that unix-support had anything to do with this, other
than they got told the story like everyone else who visits us.

The risks are obvious, never believe anything that unix-support tells you!

Jon Peatfield, Computer Officer, the DAMTP, University of Cambridge
Telephone: (+44 223) 3-37852     Mail:

Re: Spontaneous recovery from "NOMAIL" setting

"Al Stangenberger" <>
Fri, 21 Jan 94 16:46:18 PST
Something like this happened recently on ECOLOG-L ( on
Internet).  I forget the specifics, but basically a mailed-in submission
somehow triggered a flood of duplicate messages being sent out.  In order
to stop the replication the list owner set everybody's status to NOMAIL
but there was no record of which users were already in NOMAIL status thus
there was no way to reverse the process once the error was fixed except by
setting everybody back to MAIL status.

I don't know if this was the listserver in question, but am cc-ing to the
list owner who might be able to explain it more fully.

Al Stangenberger, Dept. of Env. Sci., Policy, & Mgt., 145 Mulford Hall - Univ.
of Calif., Berkeley, CA  94720  (510) 642-4424

Spontaneous recovery from "NOMAIL" setting?

Ron Ragsdale <>
Fri, 21 Jan 1994 15:13:39 -0500 (EST)
Setting "NOMAIL" to leave a LISTSERV keeps open the option of an easy return,
but it may also lead to an unexpectedly full emailbox.  Early in January, I
began receiving regular messages from a LIST that I had set to NOMAIL in 1991;
the LIST owner told me I was set to NOMAIL, but messages only/stopped when I
sent an UNSUBSCRIBE message.  Earlier this week (JAN. 16), I received my first
update from RISKS in several years, under the same conditions, with my
membership set to NOMAIL.  Today, I received 80 messages from a LIST I had
left (through NOMAIL) about four years ago and quickly sent an UNSUBSCRIBE
message (which was acknowledged).

A student of mine has been doing research on a number of lists and a
substantial fraction of the respondents tell about similar phenomena?  Is the
NOMAIL setting really a time bomb that may flood your mail directory
unexpectedly?  (I was fortunate in TELNETing from Berkeley today just as the
avalanche had begun.)  If you have an explanation of this process, I would
appreciate hearing it.

Ron Ragsdale, Professor Emeritus, Ontario Institute for Studies in Education
252 Bloor Street West, Toronto, Ontario, Canada M5S 1V6  (416) 923-6641 X2252

Spontaneous recovery from "NOMAIL" setting?

"Peter M. Weiss" <PMW1@PSUVM.PSU.EDU>
Sun, 23 Jan 1994 09:08:22 -0500 (EST)
List Management is more art than science ... I know, I'm a list-owner
of multiple lists at multiple host locations.  As good as the Revised
LISTSERV software is, the list owners, users, and sysadmins can and
do make mistakes (like the time I accidentally added another college
president to a list that I maintained when I mistyped the userid).

One of the features of R-LISTSERV is for the owner to make changes to
recipients' options, using various wild-card techniques ... without asking for
confirmation, or for what the options were before they were set.

Also, a user can be subscribed under multiple userids, yet only receive a
single distribution.  Why? so that (s)he can post to a private distribution
list from multiple sending addresses.

Peter M. Weiss, 31 Shields Bldg. -- Penn State Univ -- University Park, PA
16802-1202  +1 814 863 1843 co-owner LDBASE-L, TQM-L, ...

Re: Verify your backups

rob horn <>
21 Jan 1994 17:42:49 -0500 (EST)
We have a practice that once per week we select one file at random and request
that it be restored from backup from the previous week.  It is amazing what
you learn by doing this.  The range of things that fail, problems that arise
from odd causes, automatic systems that mysteriously stop working, is
incredible.  Even when all concerned know that this is the regular practice,
things go wrong.  So everyone who is willing to put in the time and effort to
make backups should also perform at least this rudimentary QC check.  Don't
ever stop.

Rob Horn

Bad backups (historical note)

Dick Hamlet <>
Tue, 25 Jan 94 10:45:30 PST
The note from managers of about loss of archive files
because backups were not usable reminds me of an experience with early DEC
timesharing systems (c. 1968, 4-series PDP-10 operating system).  (Incidently,
why do I so often get the feeling that problems solved in the 1960s will
reappear forever, and that each succeeding group of systems programmers has
less time/talent/interest for attacking them?)

I was system programming director at Computer Center Corp. (C^3), a Seattle
service bureau.  We used 1/2" mag tape for backup of disk files.  Only after
we lost the entire disk did we discover that our sole mag tape unit (the
cheapest we could buy, of course!) could not read all that it wrote, and that
the dump/restore software ignored all tape errors!  (This was the same system
in which the FORTRAN library disk i-o routine did retry for read failure, but
did it on the NEXT disk block instead of the one that had failed.  It was
remarkably successful-- the were NO permanent failures ever logged!)  Our fix
for the backup program was to write checksums on tape.  That way, we could
check the tapes off line, and not slow the dump by doing a real file compare
after the tape was written.  How many dump systems today read back what has
been written for backup (much less check it or do a file compare!) unless
there is a restore request?

crypto policy report available online

"Lance J. Hoffman" <>
Sat, 29 Jan 1994 09:04:55 -0500 (EST)
The following report is available by anonymous ftp from under
directory /pub/hoffman.  The document is stored under the name "cryptpol".
It is a NIST-sponsored study.

The table of contents and abstract follows here.

       Lance J. Hoffman, Faraz A. Ali, Steven L. Heckler, Ann Huybrechts
                                December 1, 1993

          1.  INTRODUCTION
          2.  TECHNOLOGY
          3.  MARKET ANALYSIS
          4.  EXPORT CONTROLS
               5.1  EXECUTIVE BRANCH
               5.2  CONGRESS
               5.3  TRENDS

                                EXECUTIVE SUMMARY

During the past five years, encryption technology has become easily available
to both individuals and businesses, affording them a level of security
formerly available practically to only military, national security, and law
enforcement agencies. As a result, a debate within the United States about
the proper balance between national security and personal freedom has been
initiated. Law enforcement and national security agencies would like to
maintain tight control over civilian encryption technologies, while industry
and individual and privacy rights advocates fight to expand their ability to
distribute and use cryptographic products as they please.

This report analyzes trends in encryption technology, markets, export
controls, and legislation.  It identifies five trends which will have a
strong influence on cryptography policy in the United States:

     * The continued expansion of the Internet and the progressive
     miniaturization of cryptographic hardware combined with the  increasing
     availability and use of strong cryptographic software means that the
     strongest encryption technologies will  continue to become more easily
     obtainable everywhere in the years ahead.

     * Additional growth in networked and wireless communication will fuel a
     strong demand for encryption hardware and software both domestically and
     abroad, causing the U. S. high-technology industry to be increasingly
     interested in selling encryption products overseas and in modifying
     current export restrictions.

     * Due to the responsibilities and bureaucratic dispositions of key
     Executive Branch agencies, products using strong encryption algorithms
     such as DES will continue to face at least some export  restrictions,
     despite the widespread availability of strong encryption products

     * The American public is likely to become increasingly concerned about
     its privacy and about cryptographic policy as a result of the increased
     amount of personal information available online and the growing number
     of wireless and networked communications.  The development and
     increasingly widespread use of the National Information Infrastructure
     will heighten these concerns.

     * Encryption policy is becoming an important public policy issue that
     will engage the attention of all branches of government.  Congress will
     become increasingly visible in this debate due to its power of agency
     oversight and its role in passing laws accommodating the United States'
     rapid rate of technological change.  Agencies will remain very important
     since they have the implementing and, often, the planning
     responsibilities.  Since individuals and industry have more direct
     influence over Congress than over most other branches of government,
     Congress may place somewhat more emphasis on personal freedom than many
     other government actors.

Four potential scenarios are likely: mandatory escrowed encryption, voluntary
escrowed encryption, complete decontrol of encryption, or domestic decontrol
with strict export regulations.

Professor Lance J. Hoffman, Dept of EECS, The George Washington University
(202) 994-4955  Washington, D.C. 20052 Fax (202) 994-0227

1994 IEEE Symp on Research in Security and Privacy: PROGRAM

Catherine A. Meadows <>
Fri, 28 Jan 94 18:15:03 EST

May 16-18, 1994, Claremont Resort, Oakland, California

Sponsored by the IEEE Technical Committee on Security and Privacy
In cooperation with the International Association of Cryptologic Research

Symposium Committee
Cristi Garvey, General Chair
Carl E. Landwehr, Vice Chair
John Rushby, Program Co-Chair
Catherine Meadows, Program Co-Chair



9:15--9:30  Welcoming Remarks: Cristi Garvey and John Rushby


  A Model for Secure Protocols and Their Compositions
    Nevin Heintze and J.D. Tygar (CMU)
  On Unifying Some Cryptographic Protocol Logics
    Paul Syverson (NRL) and Paul C. van Oorschot (BNR)

11:00--12:30    INFORMATION FLOW

  Eliminating Formal Flows in Automated Information Flow Analysis
    Steven T. Eckmann (Unisys)
  Mode Security: An Infrastructure for Covert Channel Suppression
    Randy Browne (Independent Consultant)
  Simple Timing Channels
    Ira S. Moskowitz (NRL) and Allen R. Miller (GWU)

2:00--3:30  PANEL: Firewalls


  Asynchronous Composition and Required Security Conditions
    N. Boulahia-Cuppens and F. Cuppens (ONERA-CERT)
  A General Theory of Composition for Trace Sets Closed under Selective
        Interleaving Functions, John McLean (NRL)



9:30--10:30 DATABASE I
  Ensuring Data Security in Interrelated Tabular Data
    Ram Kumar (U. North Carolina)
  Collecting Garbage in Multilevel Secure Object Stores
      Elisa Bertino (U. Milano), Luigi Mancini (U Genova), Sushil Jajodia (GMU)

11:00--12:30    CRYPTO ENGINEERING
  Prudent Engineering Practice for Cryptographic Protocols
    Martin Abadi (DEC-SRC) and Roger Needham (Cambridge)
  Generating Formal Cryptographic Protocol Specifications
    Ulf Carlsen (ENST de Bretagne)
  A Low Cost, High Speed Encryption System and Method
    Gregory Mayhew (Hughes Aircraft)

2:00--3:30  PANEL: What Security Needs To Learn From Other Fields

4:00--5:00  DATABASE II
  Channel-Free Integrity Constraints in Multilevel Relational Databases
    Xiaolei Qian (SRI-CSL)
  Elimination of Inference Channels by Optimal Upgrading
    Mark E. Stickel (SRI-AIC)

5:00:       TC MEETING



  A Secure Group Membership Protocol, Michael K. Reiter (AT&T Bell Labs)

  The Complexity and Composability of Secure Interoperation
    Li Gong and Xiaolei Qian (SRI-CSL)

11:00--12:30    ACCESS CONTROL
  Self-Nonself Discrimination in a Computer
    Stephanie Forrest, Allan Perelson, Lawrence Allen,
    Rajesh Cherukuri (U New Mexico, Albuquerque)
  Authentication and Revocation in SPM, Vijay Varadharajan (HP-Bristol)
  On the Minimality of Testing for Rights in Transformation Models
    Ravi S. Sandhu and Srinivas Ganta (GMU)


   1994 IEEE Symposium on Research in Security and Privacy

                       REGISTRATION FORM

Dates strictly enforced by postmark.

Postal Address:_______________________________________________

Please enter the appropriate registration fee below:

  Advance Member (to 4/4/94)...$260 |
                                     |--IEEE Member # (REQUIRED)_____________
  Late Member (4/5/94-4/22/94).$310 |

  Advance Non-Member............$320
  Late Non-Member...............$390
  Advance Student...............$ 50
  Late Student..................$ 50    Total amount due:_____________________
Do you wish to present at a poster session or lead an evening discussion?
                                                              [ ]Yes  [ ]No

Do you have any special requirements?_______________________________________

Please indicate your method of payment by checking the appropriate box:
 |___| Check in U.S. funds drawn on a U.S. bank (PLEASE ENCLOSE WITH THIS FORM)

   Credit card authorization:
   (Charges will appear on your statement as made by IEEE COMPUTER SOCIETY)

         Visa            MasterCard      American Express     Diners Club
          ___               ___                 ___               ___
         |___|             |___|               |___|             |___|
  Credit Card Number:


  Card Holder Name:______________________________Expiration Date:_____________


Mail registration to:                     Or fax this form (CREDIT CARD
                                          REGISTRATIONS ONLY) to:
    Code 5540A
    Naval Research Laboratory         (202)404-7942
    Washington, DC  20375-5337
    (202)404-8888                <>>SORRY, NO REGISTRATIONS BY EMAIL<<<

Evening Sessions

Hotel Reservations - The Claremont Resort
The Claremont Resort in Oakland, California is 20 minutes from San
Francisco and just over an hour from Napa Valley.  It is situated in
the Oakland-Berkeley hills overlooking the San Francisco Bay on 22
acres of beautifully landscaped lawns and gardens.  Facilities include
the Claremont Pool and Tennis Club and The Spa at the Claremont.

Oakland Airport is 14 miles from the hotel, or attendees may choose to
fly into San Francisco and rent a car.  Bay Area Shuttle (415/873-7771)
provides service from the San Francisco Airport or the Oakland Airport
to the Claremont Resort.  The charge is $10 per person one way.
Parking is available at the hotel at a cost of $8 per day for guests
and $1.50 per hour up to a maximum of $9 for non-guests.

Hotel reservations must be made under the group name IEEE Symposium on
Research in Security and Privacy.  The group rate is $96 single, $108
double occupancy, plus 11% tax.  The cut-off date for reservations is
Saturday, April 16, 1994.  Reservations made after this date will be
accepted on a space available basis.  Reservations must be accompanied
by an advance deposit or credit card guarantee.  You may cancel your
individual reservations up to 72 hours prior to arrival, after which
your deposit becomes non-refundable.  Please be advised the check-in
time is after 3:00 pm;  check-out is 12 noon.

For reservations and information, contact: The Claremont Resort, Ashby and
Domingo Avenues, Oakland, CA 94623-0363.
 Phone: 510/843-3000; Fax: 510/843-6239.

Please report problems with the web pages to the maintainer