One Sunday in August this year I was booked on a scheduled flight from Buffalo to Ithaca. The ticket was issued in the UK and the reservation was confirmed. It was a little surprising therefore to be told at Buffalo airport that I had been booked on a non-existent flight: there just is no such flight on a Sunday and the printed timetable confirms this. How was I issued with such a ticket? The airline informs me that "it is rare for a problem of this nature to occur". Apparently, "when your agency made reservations for the two flights in question, our system accepted the reservation as confirmed even though the flights did not operate". They are "unable to determine where an error may have occurred" but "it is generally thought to be due to a software or message switching malfunction". That it is "rare" does not really help much. Must I (and everyone else travelling by the airline) now check *every* ticket to ensure both that the reservation status is OK and that there is actually such a flight? Or just some tickets? Which ones? (For information, this is a large international airline, not a small operator.) Mathai Joseph Department of Computer Science, University of Warwick, Coventry CV4 7AL +44 (203) 523987 firstname.lastname@example.org
From The Age, Melbourne, 18 October, p. 2: I'm not happy, said the bloke on the phone to his bank's head office. "What did you have to go and paint it for?" . . . "My local branch . . . you've just painted the outside of it." "Um," said the nonplussed executive at the other end, . . . . "You're missing the point. I'd scratched my PIN number into the paint work. Now you've covered it over and I can't use my bloody card!" A new meaning for "bricks and mortar security." Jeff Schultz (email@example.com)
...The incident itself has "undermined the confidence" of the clients of the University's computer systems. Given the poor security of the e-mail system, perhaps one could say that the incident has given the clients an appropriate level of confidence for the computer systems involved! Lars-Henrik Eriksson, Wilhelm-Schickard-Institut, Tuebingen University On leave from the Swedish Institute of Computer Science until Oct. 20, 1993.
The *real* problem is the perceptions casual users of computers and computer networks have. A few, but not all, are:
- If you are reading it on a computer, it must be true (similar to people believing photos, television, newspapers, etc.)
- Electronic mail is private and untamperable
- Falsification of e-mail indicates that the security of the system, network, or user account has been compromised.
We know that it is easier to falsify e-mail than p-mail, but not *much* easier. It is very easy in every organization I have been associated with (high school, 2 universities, a no such agency in the government, a large computer firm, and now, TIS) to get official stationery. Now, with PostScript and PCs, it is trivial to create your own stationery. The wet signature on p-mail sets it apart from most (sans digital signatures with or without certificates) e-mail. But, this is significant, in this instance, only if the recipient recognizes the wet signature.
> 2. The FBI was not called in and the students (three, not five) were not
> expelled, but reprimanded and (temporarily, according to another source)
> denied their e-mail privileges. I suspect here my sources were telling me
> actions that were being contemplated but upon which a final decision had
> not yet been made.
What organizations need to do is set policy on such rude behaviour. E.g., a statement indicating that misrepresenting yourself as, or impersonating, someone else -- whether in e-mail, p-mail, or on the telephone -- is against the rules and will result in certain sanctions. Faking p-mail is less common because there are a bunch of steps to go through along the way, allowing multiple decision points for the person's conscience to kick in (getting paper, typing, putting in envelope, sealing, addressing, stamping, taking to mail drop, and mailing). E-mail is typed up and gone in less than a minute.
Most e-mail systems treat that like p-mail dropped into a postal box: from that point on it is the "property" of the recipient. Fred
Several items in this digest struck my interest. First was John Gray's comments on "porn" accidentally making it onto a CATV "children's channel".
>Have you ever wondered how much trust you place on what you see on television?
>Not only that broadcasters will show "appropriate" programs but that the
>service will provide information when you need it.
Very little. And I do not expect this to change. I really do wish the population at large would discover the "end to end principle" for itself. They should stop demanding that the CATV companies, satellite uplinkers, broadcasters, video store owners, the government, i.e., anyone and everyone but themselves, be responsible for controlling what they and their children watch. I have this product idea that should make me millions once I patent and sell it to all those easily offended households: it's called an "off switch".
From firstname.lastname@example.org's comment on Denning's wiretap article:
>In other words, these wiretapping capabilities are not being used against real
>crimes, but against actions that are defined as criminal for no better reason
>than that Leviathan has a boot with which to stamp, and we have faces to be
>stamped on.
Bingo! This was one of the things that convinced me that the widespread use of strong cryptography to defeat wiretapping will on balance be a Good Thing. But to be honest, when this happens (and it will, whether the government likes it or not) it will admittedly become more difficult, though not impossible, to prosecute a few crimes that actually ought to *be* crimes. Foremost among them is influence peddling and bribery among government officials. I had resigned myself to this as an unfortunate consequence of an otherwise positive development. But then it occurred to me: the only reason crimes like influence peddling and bribery are possible is because the public has granted government officials so much trust and power in the first place! Who knows?
Perhaps one of the consequences of universal cryptography will be a lessening of the power of centralized government and the delegation of much less personal authority to those within it.
Re Kevin Burfitt's note on a new Australian cipher to replace DES, does anyone know if the algorithm will be publicly available?
|> Isn't part of the security with DES its slowness, which implies that this
|> new encryption method will be inherently risky because of its speed ?
Not necessarily. DES was originally designed for hardware implementation, and many of its operations are inherently slow in software. A good example is the initial and final permutations, which consist simply of renumbering the input and output bits. This is trivial in hardware but a real pain in software. Some even suspect that these permutations were added solely to sabotage efficient software implementation, as they contribute nothing to the strength of the algorithm. Certainly not to a brute-force keysearch attack, which can be conducted after the permutations have been "factored out". A new encryption algorithm designed specifically for efficient software implementation could run much faster than software DES without necessarily being less secure. It would use the native operations and native data sizes found on most modern computers. Examples include IDEA and MD5 (although MD5 is not, strictly speaking, a cipher, it does have a cipher-like structure).
|> Subject: The FAA and HERF
Winn Schwartau's article on "The FAA and HERF" is exactly the kind of article we've been seeing far too many of in the media lately. Not because the subject isn't worth investigating, but because the article is long on scary anecdotes, impressive sounding jargon and calls for action, and short on cold, quantitative information and logical reasoning. The term "High Energy RF" is something I'd associate with broadcast transmitters, long range radars and microwave ovens, not your average laptop computer.
Exactly what constitutes "high energy"? A few orders of magnitude would be good enough. And there are quite a few radionavigation systems in use by commercial aviation, each with its own uses, strengths and weaknesses, including vulnerability to interference. Which ones are we talking about? Over land, VOR and DME are the most common. And they work by two very different principles on widely separated radio frequencies. DME is inherently much more resistant to interference than VOR. ILS (instrument landing system) is a cousin to VOR. It probably has about the same susceptibility to interference, but in a situation with a much smaller margin for error -- which is why many airlines now ban electronics during landing, even though it may not be strictly necessary. And over the oceans you have Omega, operating at VLF frequencies, usually combined with an Inertial Navigation System (INS). (GPS is not yet permitted as a primary navigation reference, and LORAN-C is common in US private planes and helicopters but rare in commercial aircraft.) So exactly which system was in use by the 747-400 in question? Chances are it was an INS, found on almost all commercial transoceanic aircraft. And INS's main feature is that it lacks a radio receiver, making it virtually immune to radio interference! This makes the anecdote just a *little* less credible. Again, I'm not trying to belittle those concerned about interference to aviation navigation. I myself fly frequently with a laptop. If there really were a hazard, believe me, I'd want to know about it. But what we need are some carefully controlled tests producing reliable, quantitative information. The closest I've seen to this appears in the October 1993 issue of PC Computing magazine. They actually measured the RF emissions from a variety of personal electronic devices, including cellular phones, AM/FM broadcast radios, walkmans, laptop computers, CD players and handheld games.
Their conclusion: "...it was highly unlikely for laptops and most PEDs [portable electronic devices] to cause navigational interference. Of the devices tested, nearly half produced signals so weak they couldn't be measured above the baseline noise present on all radio frequencies... In general, we were unable to produce any real VOR interference except when we used FM receivers and cellular phones, and when we placed other devices unrealistically close -- within 6 to 12 inches of the VOR receiver antenna." Phil
>"We're descending below 10,000 feet for our approach into (safe major
>metropolitan airport). Please turn off all laptop computers, CD and cassette
>players. Thank you for flying US Scare."
A recent issue of PC Magazine conducted a series of tests using an HERF detector to determine the amount of leakage generated by portable computing equipment. They found that common equipment did NOT generate HERF interference above the background noise level. In other words, apart from widespread anecdotes, there is yet no evidence to back up claims that portable computers are responsible for interfering with in-flight equipment. I accept that the author's experience with corrupt FCC certification labs means that some very badly made portables could be exceptions. However, PC Magazine did find that most common non-computing devices, such as Discmans or Walkmans, DID cause measurable levels of HERF interference. It is conceivable that if such a device is used close to a control board, interference will occur.
[Incident involving possible HERF interference due to a laptop.]
>Investigating the incident, Boeing engineers bought the same model
>laptop and tried to replicate the glitch in another 747. They couldn't."
This demonstrates the point of the first paragraph. All that is available are anecdotes, which show only a weak cause/effect link, and which in many cases aren't reproducible.
>There are plenty of crazies out there; and with terrorist concerns on the
>rise, who knows what they might pull. Well, here are a couple of
>possibilities.
>Suppose I'm a real crazy bad guy, and I bring a specially modified laptop onto
>an airplane. The airport security is dismal and you can get just about any
>electronic device through with no trouble. But this laptop is modified to
>emit very high levels of radiation; either automatically or upon command. If
>I'm real nuts, and am totally committed to my cause celebre, I might be
>willing to bring the plane down with me on board.
>More than a few people meet
>that criteria. It might take a little tinkering and get on the right
>fly-by-wire plane to do it, but with the number of events already on the
>books, it's doable.
>Or, if my survival is important, I might check my luggage through with a HERF
>device, timed to 'go-off' at some point during the flight. Without me on
>board, of course. Luggage scanning can't tell the difference between a 'good'
>electronic device and a 'bad' one. If the FAA has something to worry about in
>this realm, this certainly qualifies.
While the possibility of HERF interference does suggest the possibility of new devices for carrying out terrorist acts, consider the following:
1. Most airlines require you to declare whether you have any electrical items in your baggage, and will ask you to remove the batteries (e.g. British Airways, Cathay Pacific)
2. Some airlines will not carry unaccompanied baggage (El Al is a pretty good example).
3. Some airports require you to turn on electrical devices at the security check to demonstrate that they work normally.
At the levels of radiation output suggested, the X-ray/metal detector equipment would probably malfunction, which ought to make the security personnel suspicious. The ability to circumvent these procedures and successfully smuggle a 'HERF bomb' onto a plane does NOT make HERF interference any more RISKy than other devices which could destroy a plane. Instead, it points to poor execution of security procedures. If an airport's security is really bad, then one could probably smuggle a real bomb on board. As for a HERF gun aimed at planes taking off - why is this a serious risk beyond that posed by more conventional weapons? A guy standing off the end of the runway with a rifle could probably put enough holes in the fuel tank to cause trouble, and it's easier than building a HERF gun.
>Cyberspace has indeed come of age, and modern airplanes are as much a part
>of it as computer networks.
>It's just that the FAA doesn't know what to do about it yet.
>Let's hope they get up to speed quickly. Very quickly.
Current research (of which there is admittedly little) indicates that portable computers are extremely unlikely to be the cause of HERF interference; the FAA would be wise to do a study on the effects of electrical devices on in-flight control systems. The security threat posed by malicious HERF bombs or guns seems no more (or no less) serious than the threat posed by conventional terrorist devices, and certainly does not justify the shock-horror writing style of the original article. There are as many RISKS in creating unnecessary panic as there are in overlooking hazards. Ted Wong, Cornell University <email@example.com>
HERF is *high energy*. It doesn't come from laptops, CD players, or FM radios. My understanding is that HERF comes from the government's testing of directed energy weapons. The characteristics of the directed energy are classified. Design and test for electromagnetic compatibility is not easy; especially when the electromagnetic environment is not defined. And that is the root of the HERF risk. BTW: I don't deny that there are risks associated with radio frequency interference from laptops, mobile transmitters, and other electronic devices. I just don't want HERF to be put in the same risk category.
In Risks 15.14, Karl Smith writes (regarding Digital Signatures):
> Well, now the businesses have our number. Our public key identifies us,
>uniquely. Nobody else will have the same public key. This means that
>businesses no longer have to try to track us down via our SSN or Driver's
>license number - they've got a much better number to use to refer to us in
>their database - our signature.
Using the same technology, it is possible to create digital pseudonyms that can both assure a retailer of the purchaser's credentials while protecting his or her (or its) identity. It is even possible to create "digital cash" that can be anonymously handed from person to person, copied ad infinitum, yet spent only once. A simple example: you register several pseudonyms with a credentials agency; the retailer can present your pseudo to the agency and be told "it's ok, he's on the up and up." Yet you can give each retailer different pseudos if you so desire. Of course, this requires you to trust the credentials agency; there are other protocols that eliminate this need, but they are more complicated.
| Robert J. Woodhead, Biar Games / AnimEigo, Incs. trebor@forEtune.co.jp |
| AnimEigo US Office Email (for general questions): firstname.lastname@example.org |
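The pseudonym-plus-credentials-agency idea in the post above can be made concrete with a blind signature, which is one of the "more complicated" protocols that stop the agency from linking a pseudonym back to the person who registered it. The following is an added example written for this page, not code from the post or from any product named in it. It uses a Chaum-style RSA blind signature with toy parameters: the primes, the exponent, the registry of vetted people, and every function name are assumptions made for the demonstration, and the key is far too small for real use.

```python
# Added example: a credential agency vouches for a pseudonym it never sees.
# Toy RSA blind signature; all parameters and names are assumptions for this demo.
import hashlib
import secrets
from math import gcd

# Agency key: two Mersenne primes (assumption; much too small for real use).
P = 2**61 - 1
Q = 2**89 - 1
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))   # private signing exponent


def pseudonym_digest(pseudonym):
    """Map a user-invented pseudonym (opaque bytes) into Z_N."""
    return int.from_bytes(hashlib.sha256(pseudonym).digest(), "big") % N


def blind(pseudonym):
    """User side: hide the pseudonym digest under a random factor r^E mod N."""
    while True:
        r = secrets.randbelow(N - 2) + 2
        if gcd(r, N) == 1:
            break
    blinded = (pseudonym_digest(pseudonym) * pow(r, E, N)) % N
    return blinded, r


def agency_sign(real_identity, blinded, registry, log):
    """Agency side: check the *real* identity is in good standing, then sign
    the blinded value. The agency sees `blinded`, never the pseudonym."""
    if not registry.get(real_identity, False):
        raise PermissionError(real_identity + " is not in good standing")
    log.append((real_identity, blinded))       # everything the agency can retain
    return pow(blinded, D, N)


def unblind(blinded_sig, r):
    """User side: (m * r^E)^D = m^D * r, so dividing by r leaves m^D."""
    return (blinded_sig * pow(r, -1, N)) % N


def retailer_verify(pseudonym, credential):
    """Retailer side: needs only the agency's public key (N, E)."""
    return pow(credential, E, N) == pseudonym_digest(pseudonym)


def agency_can_link(log, pseudonym):
    """Naive linking attempt: does a presented pseudonym match anything logged?
    It never does, because each logged value was multiplied by a uniform r^E."""
    digest = pseudonym_digest(pseudonym)
    return any(blinded == digest for _, blinded in log)


def run_protocol(real_identity, registry, log):
    """One user obtains one credential for a freshly chosen pseudonym."""
    pseudonym = secrets.token_bytes(16)            # a new pseudo for this retailer
    blinded, r = blind(pseudonym)
    credential = unblind(agency_sign(real_identity, blinded, registry, log), r)
    return pseudonym, credential


if __name__ == "__main__":
    registry = {"alice": True}        # constructed: the agency's list of vetted people
    log = []
    pseudo1, cred1 = run_protocol("alice", registry, log)
    pseudo2, cred2 = run_protocol("alice", registry, log)   # different pseudo, same person
    print("retailer 1 accepts:", retailer_verify(pseudo1, cred1))
    print("retailer 2 accepts:", retailer_verify(pseudo2, cred2))
    print("agency can link pseudo1 to its log:", agency_can_link(log, pseudo1))
```

The trust that remains in the agency is the vetting step and the count of credentials it hands out per real identity; what is removed is its ability to tell which retailer a given person is dealing with, since neither pseudonym digest appears in its log.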
The newspaper article you mentioned was published in the *Independent on Sunday* of 4 September 1993. It is probably only fair to point out that on 3 October 1993, the *Independent* printed a clarification. In the first paragraph, they state: In fact, although Sega is developing virtual reality games for both arcade and home use, the company does not yet have any such games on the market. We accept that any suggestion in our heading that Sega is selling a game which has been found to be potentially damaging to eyesight is misleading. We apologise for any embarrassment caused. In the second (and last) paragraph: The company [Sega] also claims that the research [cited in the article] used a prototype with very high powered lenses, designed for a different application, and that the technology is so different that a comparison is not valid. Robert.Carolina@cchance.co.uk Clifford Chance 200 Aldersgate Street London EC1A 4JJ +44 71 600 1000 (work)
This implies that applying a DNR to a suspect's line does _not_ require a court order and is not considered wiretapping. In other words, the list of numbers called by a suspect is not protected as rigorously as the content of those calls. I'd like to hear more about how this data is protected or made available to investigators and others. Use of ``pen registers'', which record the numbers you dial, or ``trap and trace'' devices, which records who has called you, are regulated by 18 USC 3121-3126. The requirements for court orders are somewhat similar, though at first glance, they're somewhat easier to obtain; as I recall, the wiretap laws restrict the use of wiretaps to serious crimes, while there's no such provision in the pen register law. Steve Bellovin
Burfitt describes a new Australian encryption algorithm, notes that it runs at 20 Mbps, and asks: Isn't part of the security with DES its slowness, which implies that this new encryption method will be inherently risky because of its speed ? No, DES was never designed to be slow, though there are some aspects of its design which are inherently quite slow if done in software. You may be thinking of the UNIX system password hashing algorithm, which is based on DES, and which was indeed intended to be slow. Not that 20 Mbps is particularly fast today. Eberle and Thacker have described a 1 Gbps DES chip (Proceedings of the IEEE 1992 Custom Integrated Circuits Conference), and 40 Mbps chips are readily available. There is some slight risk in an encryptor being able to run too quickly, in that it makes exhaustive search somewhat more feasible. But key size is a much more important variable. DES's 56 bits are too few; see Wiener's design (CRYPTO '93) for a US$1 million DES-cracking machine, or for that matter the Diffie-Hellman critique of DES in 1977 on just those grounds. In evaluating this new algorithm, I'd look at the key size, whether or not the algorithm is open to public scrutiny, and whether or not the Australian government is fond of things like key escrow. Steve Bellovin
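Both the earlier post on the DES initial and final permutations being "a real pain in software" that can be "factored out" of a key search, and the reply above that DES was never designed to be slow, can be checked in code. What follows is an added example written for this page, not code from either post. The IP table is the one published in FIPS 46 (bit 1 is the most significant bit of the 64-bit block); the final permutation is derived from it as its inverse. The `core` function is a stand-in for the 16 Feistel rounds, an assumption made so that the factoring argument can be verified without a full DES implementation.

```python
# Added example: the DES initial permutation (IP) is wiring in hardware, 64
# shift/mask/or steps in software, and contributes nothing to a key search.
# IP table from FIPS 46; `core` is a stand-in for the 16 rounds (assumption).
IP = [
    58, 50, 42, 34, 26, 18, 10, 2,
    60, 52, 44, 36, 28, 20, 12, 4,
    62, 54, 46, 38, 30, 22, 14, 6,
    64, 56, 48, 40, 32, 24, 16, 8,
    57, 49, 41, 33, 25, 17, 9, 1,
    59, 51, 43, 35, 27, 19, 11, 3,
    61, 53, 45, 37, 29, 21, 13, 5,
    63, 55, 47, 39, 31, 23, 15, 7,
]


def inverse_table(table):
    """The final permutation FP is IP^-1: position of each source bit."""
    inv = [0] * len(table)
    for pos, src in enumerate(table, 1):
        inv[src - 1] = pos
    return inv


FP = inverse_table(IP)


def permute_bitwise(block, table):
    """Straightforward software permutation: one shift/mask/or per bit."""
    out = 0
    for pos, src in enumerate(table, 1):
        bit = (block >> (64 - src)) & 1
        out |= bit << (64 - pos)
    return out


def build_byte_tables(table):
    """The usual software workaround: 8 lookup tables of 256 entries, one per
    input byte. Valid only because a bit permutation is linear over XOR."""
    tables = []
    for i in range(8):
        shift = 8 * (7 - i)
        tables.append([permute_bitwise(v << shift, table) for v in range(256)])
    return tables


IP_TABLES = build_byte_tables(IP)


def permute_tabled(block, tables):
    """Permute a block with 8 table lookups instead of 64 bit operations."""
    out = 0
    for i, tab in enumerate(tables):
        out |= tab[(block >> (8 * (7 - i))) & 0xFF]
    return out


def core(block, key):
    """Stand-in for the 16 DES rounds (assumption; any keyed function works)."""
    return block ^ key


def encrypt(block, key):
    """DES shape: C = FP(core(IP(P), k))."""
    return permute_bitwise(core(permute_bitwise(block, IP), key), FP)


def find_keys_naive(plain, cipher, candidate_keys):
    """Known-plaintext search paying both permutations for every candidate."""
    return [k for k in candidate_keys if encrypt(plain, k) == cipher]


def find_keys_factored(plain, cipher, candidate_keys):
    """Same search with the permutations factored out: IP(P) and IP(C) are
    computed once (IP(C) == FP^-1(C)), so each key costs one `core` call."""
    ip_plain = permute_bitwise(plain, IP)
    ip_cipher = permute_bitwise(cipher, IP)
    return [k for k in candidate_keys if core(ip_plain, k) == ip_cipher]


if __name__ == "__main__":
    M = 0x0123456789ABCDEF                   # the classic DES walkthrough block
    print("IP(M)   = %016X" % permute_bitwise(M, IP))
    print("FP(IP(M)) == M:", permute_bitwise(permute_bitwise(M, IP), FP) == M)
    print("table-driven matches bitwise:", permute_tabled(M, IP_TABLES) == permute_bitwise(M, IP))
```

Speed, then, is not where DES's strength sits: the permutations are a fixed, key-independent relabelling, and an exhaustive search sees exactly the same number of `core` evaluations whether or not they are present. The variable that matters for that search is the 56-bit key size the reply above points to.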
In RISKS DIGEST 15.13, Jonathan.Bowen <Jonathan.Bowen@prg.ox.ac.uk> writes:
> The Wednesday 13th October 9 o'clock evening news on BBC1 TV in the UK
> featured a new report from the UK HSE (Health and Safety Executive) ...
> ... Does any RISKS reader have a full reference for the report?
From a telephone call to the HSE information centre just now, I gather that the news report probably referred to the latest issue of "Statement of Nuclear Incidents at Nuclear Installations", which is a regular quarterly report. It can be obtained free by post (at least in the UK) by telephoning the London Information Office of HSE on: +44 (71) 243 6385
Other useful numbers:
Main HSE Information Office: Tel.: +44 (742) 892345 Fax.: +44 (742) 892333
Main HSE Publications Orders: Tel.: +44 (787) 881165
I should warn readers that none of the people to whom I spoke were sure exactly to which report the news item referred. Although they are not relevant to the original topic, readers may also be interested in the following publications of HSE:
Guidance leaflet on safety of Visual Display Units (free from London office).
"Display Screen Equipment Work: Guidance on Regulations", ISBN 0 11 886331 2, available also from any Dillon's bookshop, price: 5 pounds sterling. This is a guide to the EEC regulations which came into force in Jan. 93.
"Programmable Electronic Systems in Safety Related Applications", in two parts:
1. An Introductory Guide, ISBN 0 11 883913 6
2. General Technical Guidelines, ISBN 0 11 883906 3
Peter Mellor, Centre for Software Reliability, City University, Northampton Sq., London EC1V 0HB, Tel: +44(0)71-477-8422, JANET: email@example.com
I think that far too much is made of the supposed "imagined communities" of readers that exist today. I never read the LA Times sports section; other readers probably read ONLY the sports section. Even specialized journals contain very few articles which are of interest to *all* readers. We associate with people we like and who already tend to share common mindsets. By word-of-mouth we refine our knowledge and opinions. I believe that the shattering, enabled by Internet, of age- and geography-based ghettos, is far more important than whatever new limitations might be imposed by a-priori electronic information filtering. I welcome the day when both source and destination filters are so refined that I open with pleasure all of my "junk" mail, and I no longer have bookshelves full of magazines and journals where 80% of the content is of no interest to me. I'm confident that personal contacts plus "news flash" features, "best of" anthologies, and the ramblings of a few favorite columnists (Jerry Pournelle, Dave Barry, P.J. O'Rourke, Ann Landers,...) are quite sufficient to bring any truly important items past any electronic filters. --Bruce BHamilton.LAX1B@Xerox.COM 310/333-3538
There was a good discussion of the Multics ring structure in the new (this year) ALT.OS.MULTICS discussion (we don't give up easily!). What was interesting was that the revisionist view is that rings were not all that useful. Rings were useful internally to provide a supervisor and supersupervisor (kernel) mode and a user mode, though they were overkill for that purpose. Nontrivial attempts to use rings ran up against the mutually suspicious subsystem problem. Similarly the hardware pointer validation was insufficient for real applications. Basically, protecting the operating system is a minor problem as systems become more complex and the focus shifts from operating system as master of the universe to the operating system as a nice utility that helps keep the local system intact but the real action is in the interactions between subsystems and physically separate systems.
Yves_Royer in risks 15.08 only knows one OS that uses privilege rings for protection. When I was young everyone expected that all OS would in future be like that. It's amusing to note that the only manufacturer currently making a substantial profit out of "conventional" mainframes is also the only manufacturer offering this style of protection in the system. Maybe the loss of this 30 year old technology from the mainstream of OS development indicates a strange risk: if it was developed in academia so that you can't patent it most of industry will go for a patentable alternative even if that's patently inferior. Tom Thomson firstname.lastname@example.org P.S. for anyone interested, the manufacturer, mainframe series, and OS referred to above are ICL, Series 39, and VME respectively; 16 ring hardware protection fully exploited by the software, with an OS that's been around for 20 years.