The RISKS Digest

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Volume 15 Issue 59

Saturday 26 February 1994

Contents

o Microsoft Dinged for $120 Million
PGN
o Leaving intelligence to the experts: lie detectors, Clipper
John M. Sullivan
o Janitor interrupts UPS
Lisa Balbes
o Portuguese drug ring ensnared by pager technology
Fernando Pereira
o Snag hits Reserve Bank of India's clearing operations
S. Ramani
o "Wire Pirates" - article in March 1994 Scientific American
Martin Minow
o Van Eck Radiation Helps Catch Spies
Winn Schwartau
o Re: Software testing at Sizewell
Dave Parnas
o Re: SimHealth
Bill Stewart
o Re: The ultimate couch potato
Bear Giles
o FLASH: FBI's Draft Digital Telephony Bill: EFF Summary and Analysis
Daniel J. Weitzner
o Info on RISKS (comp.risks)

Microsoft Dinged for $120 Million

"Peter G. Neumann" <neumann@csl.sri.com>
Sat, 26 Feb 94 15:18:08 PST
A federal jury in Los Angeles found that Microsoft's MS-DOS 6.0 software
infringed upon a Stac Electronics patent for data compression, and awarded
Stac $120M in damages.  [San Francisco Chronicle, Business Digest, 24 Feb
1994]


Leaving intelligence to the experts: lie detectors and clipper

John M. Sullivan <sullivan@msri.org>
Sat, 26 Feb 94 13:10:39 PST
I read this story in Robert Park's "What's New" from opa@aps.org, and
am forwarding it because, though it came up in conjunction with the
CIA spy, it seems relevant to the discussions of Clipper here.

-> Recall the 1986 case of Larry Chin, a career CIA analyst and spy
-> for China; he also fooled the polygraph. In 1983 I was waiting to
-> testify before the House Security Subcommittee. OTA Director John
-> Gibbons was summarizing a study of the scientific validity of the
-> polygraph for the subcommittee.  Loosely paraphrased, Gibbons was
-> explaining that these things couldn't distinguish between a lie
-> and the sex act.  Seated next to me was General Richard Stillwell
-> (ret.) of the CIA. He had no idea who I was, but he could contain
-> himself no longer; leaning toward me, Stillwell muttered, "I wish
-> these damn scientists would leave intelligence to the experts."


Janitor interrupts UPS

Lisa Balbes <balbes@osiris.rti.org>
Thu, 24 Feb 94 14:02:16 -0500
                  SERVICE INTERRUPTION

Cleanliness is not always the best policy.

There was a short interruption to some ACS services on Thursday, February 24,
1994.  The gopher server, postbox, and HomeNet services were offline for about
1 hour at the beginning of the day.

A member of the custodial staff plugged his vacuum cleaner into a power strip
attached to our uninterrupted power supply (UPS).  Poooooof.  Down went
several computers and part of the network.  Just when you think that you have
solved the problem of power outages with a brand new UPS .......

ACS is working with the custodial services to remedy the problem and prevent
future such occurrences.

Lisa Balbes, Osiris Consultants     Scientific Software/Technical Writing
2229B Hedgerow Rd, Columbus, OH 43220   balbes@osiris.rti.org   614-442-9850


Portuguese drug ring ensnared by pager technology

Fernando Pereira <pereira@research.att.com>
Fri, 25 Feb 1994 23:57:26 -0500
This is 2nd hand from soc.culture.portuguese. Portuguese police found out that
a drug traffic ring used pagers to receive orders from clients, and also to
receive announcements of new bulk deliveries (This is a more recent practice
in Portugal than in the US, given the relatively recent arrival of pagers
there and the less serious drug problem).  They arrested one of the drug
sellers, took his pager, and started recording the arriving messages. Soon
they figured out the code used by the ring, and they caught them all.

Two lessons:

1. Physical access to a node is the best way to break into a network.

2. Old-fashioned police work can take advantage of the vulnerabilities in
criminal activities created by the use of new technology. Even if all the
links in that network had been securely encrypted, the method followed by the
Portuguese police would still work. Food for thought in relation to the
current Clipper debate.

Fernando Pereira, 2D-447, AT&T Bell Laboratories, 600 Mountain Ave, PO Box 636
Murray Hill, NJ 07974-0636  pereira@research.att.com


Snag hits Reserve Bank of India's clearing operations

"S. Ramani" <ramani@saathi.ncst.ernet.in>
Sat, 26 Feb 1994 23:50:05 +0530
By Business Times Staff, Bombay, 25 Feb 1994

Clearing of cheques at the Reserve Bank of India's national clearing cell
(NCC) at Nariman Point came to a halt on Wednesday night as a result of a
"major fault" in the IBM mainframe computer handling the clearance of magnetic
ink character recognition (MICR) cheques.  The fault has crippled the
reader-sorter machine.

As a result of the breakdown, clearing and settlement of about 10 lakh (i. e.
one million) cheques valued at Rs. 1,000 crores (i. e. Rs 10 thousand million,
roughly equal to US$ 300 million) have been held up over the last two days.
The disruption has sent corporate houses and the salaried class into a panic
as salary payments were due this week.

Sources in the RBI said the fault was yet to be located at the time of going
to press today.  Personnel from the RBI's Calcutta and Madras Offices and
experts from Computer Maintenance Corporation, the maintenance agent of IBM,
have been summoned.

The breakdown, according to the sources, was unprecedented in recent times and
"the experts are grappling" with the snag since yesterday.

The NCC handles about six lakh cheques each day amounting to a total value of
Rs. 1,000 crores.  Clearance of high-value cheques (over Rs. 1 lakh) and
inter-bank instruments, however, is being carried out unhampered.  The worst
hit were the public account cheques into which category fall salary cheques
and other instruments.

The NCC has been inundated with calls from commercial banks which wanted to
find out when normalcy will be restored.  As it happens, the snag that stopped
the clearing of cheques came at the end of the month and many salaried
employees have been left with no choice but to get their cheques discounted.

The back-up programmes which the NCC had were of no avail and the
experts had to be summoned.  The RBI put up a notice at its Amar
Building office and at the NCC yesterday about the snag and said: "Due
to a problem with the computer system with the national clearing cell,
processing of MICR presentations of yesterday evening (February 23)
could not be completed.  Member banks are advised that settlement of
this clearing will not be accounted for today (February 24).  A further
communication will follow."

Branches of commercial banks have been advised by their respective zonal
offices that "outward MICR clearing could not be presented" yesterday and have
been instructed not to release the credits of clearing presented on February
23 and thereafter until further notice.

"The system will have to be rectified, its programme loaded, tested to see
whether it can function to its usual capacity and then only the backlog can be
cleared," the sources said.  This would mean a delay of at least two more days,
they added.  Loading its programme, incidentally, takes a substantially long
period.

"We have made some progress since yesterday and hope to locate the problem by
tonight.  We expect the machine to start only by tomorrow evening," the
sources added.

The mainframe could not load the programme properly on Wednesday night and all
efforts by the NCC staff came to naught.  Personnel from RBI offices and the
CMC had to be flown in yesterday.  The RBI is also in touch with IBM personnel
who designed the system.

The RBI said in a statement the "computer system developed certain hardware
and consequential software problems" on Wednesday.  "The problems are being
attended to on an emergency basis and the normal cheque clearing and
settlement work is expected to resume shortly," the statement said.

High-value cheques and inter-bank payments account for a very large
proportion of the clearing settlement in terms of value, the RBI said.

S. Ramani, National Centre for Software Technology, Gulmohar Cross Road No 9,
Juhu, Bombay 400 049, India  Ph: +91 (22) 620 0590 or 620 1606


"Wire Pirates" - article in March 1994 Scientific American

Martin Minow <minow@apple.com>
Thu, 24 Feb 94 11:09:59 -0800
There is a long article on the "inhabitants of Cyberspace" who "may be
villains, victims, or bystanders" in the March issue of Scientific American,
written by Paul Wallich. While the content is probably well-known to Risks
readers, the article gives a very good overview of the issues, and people
involved.

There are also photos of "Phiber Optik," Dorothy Denning, Donn Parker, and the
illustrious editor of this esteemed journal.

Of interest to historians might be the bibliography, listing information
available only by FTP or e-mail as if this is the everyday way of locating
information in a library.

Martin Minow  minow@apple.com


Van Eck Radiation Helps Catch Spies

"Winn Schwartau" <p00506@psilink.com>
Thu, 24 Feb 94 14:13:19 -0500
Van Eck in Action

Over the last several years, I have discussed in great detail how the
electromagnetic emissions from personal computers (and electronic gear in
general) can be remotely detected without a hard connection and the
information on the computers reconstructed.  Electromagnetic eavesdropping is
about as insidious as you can get: the victim doesn't and can't know that anyone
is 'listening' to his computer.  To the eavesdropper, this provides an ideal
means of surveillance: he can place his eavesdropping equipment a fair
distance away to avoid detection and get a clear representation of what is
being processed on the computer in question.  (Please see previous issues of
Security Insider Report for complete technical descriptions of the
techniques.)

The problem, though, is that too many so called security experts, (some
prominent ones who really should know better) pooh-pooh the whole concept,
maintaining they've never seen it work.  Well, I'm sorry that none of them
came to my demonstrations over the years, but Van Eck radiation IS real and
does work.  In fact, the recent headline grabbing spy case illuminates the
point.

Exploitation of Van Eck radiation appears to be responsible, at least in part,
for the arrest of senior CIA intelligence officer Aldrich Hazen Ames on
charges of being a Soviet/Russian mole.  According to the Affidavit in support
of Arrest Warrant, the FBI used "electronic surveillance of Ames' personal
computer and software within his residence," in their search for evidence
against him.  On October 9, 1993, the FBI "placed an electronic monitor in his
(Ames') computer," suggesting that a Van Eck receiver and transmitter was used
to gather information on a real-time basis.  Obviously, then, this is an ideal
tool for criminal investigation - one that apparently works quite well.  (From
the Affidavit and from David Johnston, "Tailed Cars and Tapped Telephones: How
US Drew Net on Spy Suspects," New York Times, February 24, 1994.)

From what we can gather at this point, the FBI black-bagged Ames' house and
installed a number of surveillance devices.  We have a high confidence factor
that one of them was a small Van Eck detector which captured either CRT
signals or keyboard strokes or both.  The device would work like this:

A small receiver operating in the 22MHz range (pixel frequency) would detect
the video signals minus the horizontal and vertical sync signals.  Since the
device would be inside the computer itself, the signal strength would be more
than adequate to provide a quality source.  The little device would then
retransmit the collected data in real-time to a remote surveillance vehicle or
site where the video/keyboard data was stored on a video or digital storage
medium.

At a forensic laboratory, technicians would recreate the original screens and
data that Mr. Ames entered into his computer.  The technicians would add a
vertical sync signal of about 59.94 Hz, and a horizontal sync signal of about
27KHz.  This would stabilize the roll of the picture. In addition, the
captured data would be subject to "cleansing" - meaning that the spurious
noise in the signal would be stripped using Fast Fourier Transform techniques
in either hardware or software.  It is likely, though, that the FBI's device
contained within it an FFT chip designed by the NSA a couple of years ago to
make the laboratory process even easier.

I spoke to the FBI and US Attorney's Office about the technology used for
this, and none of them would confirm or deny the technology used "on an active
case."

Of course it is possible that the FBI did not place a monitoring device within
the computer itself, but merely focused an external antenna at Mr. Ames'
residence to "listen" to his computer from afar, but this presents additional
complexities for law enforcement.

     1. The farther from the source the detection equipment sits means that
the detected information is "noisier" and requires additional forensic
analysis to derive usable information.

     2. Depending upon the electromagnetic sewage content of the immediate
area around Mr. Ames' neighborhood, the FBI surveillance team would be limited
as to what distances this technique would still be viable.  Distance squared
attenuation holds true.

     3. The closer the surveillance team sits to the target, the more likely
it is that their activities will be discovered.

In either case, the technology is real and was apparently used in this
investigation.  But now, a few questions arise.

     1.  Does a court surveillance order include the right to remotely
eavesdrop upon the unintentional emanations from a suspect's electronic
equipment?  Did the warrants specify this technique or were they shrouded
under a more general surveillance authorization?  Interesting question for the
defense.

     2. Is the information garnered in this manner admissible in court?  I
have read papers that claim defending against this method is illegal in the
United States, but I have been unable to substantiate that supposition.

     3. If this case goes to court, it would seem that the investigators would
have to admit HOW they intercepted signals, and a smart lawyer (contradictory
allegory :-) would attempt to pry out the relevant details.  This is important
because the techniques are generally classified within the intelligence
community even though they are well understood and explained in open source
materials.  How will the veil of national security be dropped here?

To the best of my knowledge, this is the first time that the Government had
admitted the use of Van Eck (Tempest Busting etc.)  in public.  If anyone
knows of any others, I would love to know about it.


Re: Software testing at Sizewell (RISKS-15.58)

"Peter G. Neumann" <neumann@csl.sri.com>
Thu, 24 Feb 94 8:54:34 PST
  [Dave Parnas asked me to post the following message from him.
  It is HIS, not MINE.  PGN]

The article in [Nuclear Engineering International, 12/93, p.10], reported by
Bob Dolan, contained the following assertion, "no other reactor protection
system in the world, past or present, has received more attention than the
PPS".

Having read the report that was leaked to the BBC and later circulated by
other organizations, I see no evidence to support that statement.  For
example, there have been no reports of the software having been subject to a formal
(mathematically based) inspection procedure such as the one used for the
Nuclear Station at Darlington Ontario.

The leaked report also showed that the authorities were quite prepared to
accept a safety-critical software product that had FAILED the majority of its
tests on the basis of vague and unsubstantiated claims that the failures were
caused by the test harness not the program itself.  The report did not
indicate that there were any plans to rectify the problems in the test harness
and carry out the test properly.  There was no indication of how the test
cases were selected and whether they were statistically meaningful.  I know
that in other nuclear plant situations, far more care was taken in the design
of testing procedures.

The Sizewell report was kept secret and I have heard of no plans to have
British software experts who are not part of the nuclear industry take part in
the evaluation procedure.  My experience suggests that, for whatever reasons,
"inside experts" tend to be less rigorous and demanding than "outsiders".
Organisations tend to pick the experts whom they expect to say what they want
to be told.  They aren't always right in their predictions, but I have never
seen an industry knowingly engage a "loose cannon".

In the Darlington case, reports were not kept secret, and the inspection
process involved many outside consultants.

Sizewell seems to me to provide ample evidence that outside scrutiny,
openness, and an active press are essential when there are potential conflicts
between short-term financial exigency and safety.  Nobody who read that report
could have much faith in the authorities who were prepared to accept such test
results.

Prof. David Lorge Parnas, Communications Research Laboratory
Department of Electrical and Computer Engineering, McMaster University,
Hamilton, Ontario  Canada L8S 4K1


Re: SimHealth

<wcs@anchor.ho.att.com>
Wed, 23 Feb 94 20:16:35 EST
With simulations, good modelling of the real situation and initial conditions
is important.  With simulation-based propaganda, however, it's also useful to
know the biases of the game-writer and the desired conclusion you're supposed
to come to :-)

At the Knoxville World's Fair in ?1983, the Tennessee Valley Authority had a
simulation game that put you in charge of their power system, letting you pull
levers to choose how much power to get from what source, in order to keep
enough power for the demand at the best price.  The conclusion you were
supposed to get was (surprise, surprise), "Use all the hydro power you can,
then all the nukes you can, then coal&oil".  As a resident of an area whose
government gave electrical supply monopoly to the folks who own Three Mile
Island and a few other old nuclear plants, I thought they should at *least*
have the nuke plants go off-line every once in a while, spending money real
fast when they're down :-)

SimCity had a fairly strong bias toward City Planners telling people what to
do and making decisions for them instead of letting them do what they want.
Is SimHealth similarly biased toward single-decider systems?

        Bill Stewart


Re: The ultimate couch potato (Balden, RISKS-15.57)

Bear Giles <bear@cs.colorado.edu>
23 Feb 1994 23:27:03 GMT
>... In his view, this would lead to birth of the ultimate couch potato.

The solution is quite obvious, and even environmentally friendly!

Take your standard electronic stationary bike (which uses an electrical
generator to produce the current required to run the display) and replace the
current display panel with an LCD display and waterproof keyboard.

For even better performance, use logic devices that operate faster if more
power is available, so someone really cranking on the pedals will get their
job to compile faster than someone who's coasting... and hence get the fat
bonus check!

(The home version would determine the recharge period of your weapons
(in games) by the amount of power supplied by the user.)

Not only does this ensure that computer users will be among the fittest people
on the planet (doing aerobic exercise for 8 hours a day), it would eliminate
the need to use fossil fuels to power computer systems, monitors, etc.

Of course, it would require waterproof printouts.  But on the other hand, this
ensures that long meetings of the programming staff would be a thing of the
past....

Bear Giles  bear@cs.colorado.edu/fsl.noaa.gov


FLASH: FBI's Draft Digital Telephony Bill: EFF Summary and Analysis

Daniel J. Weitzner <djw@eff.org>
Wed, 23 Feb 1994 23:33:00 -0600
Electronic Frontier Foundation Statement on FBI Draft Digital Telephony Bill

        EFF has received a draft of the FBI's new, proposed "Digital
Telephony" bill.  After initial analysis, we strongly condemn the bill, which
would require all common carriers to construct their networks to deliver to
law enforcement agencies, in real time, both the contents of all
communications on their networks and the "signalling" or transactional
information.

        In short, the bill lays the groundwork for turning the National
Information Infrastructure into a nation-wide surveillance system, to be
used by law enforcement with few technical or legal safeguards.  This image
is not hyperbole, but a real assessment of the power of the technology and
inadequacy of current legal and technical privacy protections for users of
communications networks.

        Although the FBI suggests that the bill is primarily designed to
maintain status quo wiretap capability in the face of technological
changes, in fact, it seeks vast new surveillance and monitoring tools.
Among the new powers given to law enforcement are:

1. Real-time access to transactional information creates the ability to
monitor individuals in real time.

        The bill would require common carrier networks (telephone companies
and anyone who plans to get into the telephone business, such as cable TV
companies) to deliver, in real time, so called "call setup information."
In the simplest case, call setup information is a list of phone numbers
dialed by a given telephone currently under surveillance.  As we all come
to use electronic communications for more and more purposes, however, this
simple call setup information could also reveal what movies we've ordered,
which online information services we've connected to, which political
bulletin boards we've dialed, etc. With increasing use of
telecommunications, this simple transactional information reveals almost as
much about our private lives as would be learned if someone literally
followed us around on the street, watching our every move.

        We are all especially vulnerable to this kind of surveillance,
because, unlike wiretapping the *content* of our communications, it is
quite easy for law enforcement to get permission to obtain this
transactional information.  Whereas courts scrutinize wiretap requests very
carefully, authorizations for access to call setup information are
routinely granted with no substantive review.  Some federal agencies, such
as the IRS, even have the power to issue administrative subpoenas on their
own, without appearing before a court.

        The real impact of the FBI proposal turns, in part, on the fact
that it is easy to obtain court approval for seizing transactional data.

       The change from existing law contained in the FBI proposal is that
carriers would have to deliver this call setup information *in real time*,
directly to a remote listening post designated by law enforcement.  Today,
the government can obtain this information, but generally has to install a
device (called a 'pen register') which is monitored manually at the
telephone company switching office.

2. Access to communication and signalling information for any mobile
communication, regardless of location allows tracking of an individual's
movements.

        The bill requires that carriers be able to deliver either the
contents or transactional information associated with any subscriber, even
if that person is moving around from place to place with a cellular or PCS
phone.  It is conceivable that law enforcement could use the signalling
information to identify the location of a target, whether that person is
the subject of a wiretap order, or merely a subpoena for call setup
information.

        This provision takes a major step beyond current law in that it
allows for a tap and/or trace on a *person*, as opposed to mere
surveillance of a telephone line.

3. Expanded access to electronic communications services, such as the
Internet, online information services, and BBSs.

        The privacy of electronic communications services such as
electronic mail is also put at grave risk.  Today, a court order is
required under the Electronic Communications Privacy Act to obtain the
contents of electronic mail, for example.  Those ECPA provisions would
still apply for the contents of such messages, but the FBI bill suggests
that common carriers might be responsible for delivering the addressing
information associated with electronic mail and other electronic
communications.  For example, if a user connects to the Internet over local
telephone lines, law enforcement might be able to demand from the telephone
company information about where the user sent messages, and into which
remote systems that user connects.  All of this information could be
obtained by law enforcement without ever receiving a wiretap order.

4. The power to shut down non-compliant networks

        Finally, the bill proposes that the Attorney General have the power
to shut down any common carrier service that fails to comply with all of
these requirements.  Some have already called this the "war powers"
provision.  Granting the Department of Justice such control over our
nation's communications infrastructure is a serious threat to our First
Amendment right to send and receive information, free from undue government
intrusion.

********************************

The posting represents EFF's initial response to the new FBI proposal.
Several documents, including the full text of the proposed bill and a more
detailed section-by-section analysis are available by anonymous ftp on
EFF's ftp site.

This document is digtel94.announce .

The documents can be located via ftp, gopher, or www, as follows:

ftp://ftp.eff.org/pub/EFF/Policy/Digital_Telephony/digtel94_bill.draft
ftp://ftp.eff.org/pub/EFF/Policy/Digital_Telephony/digtel94_analysis.eff
ftp://ftp.eff.org/pub/EFF/Policy/Digital_Telephony/digtel94.announce

for gopher, same but replace first part with:

gopher://gopher.eff.org/00/EFF/...

for WWW, same but replace first part with:

http:/www.eff.org/ftp/EFF/...


**************************************************************************
"I believe in markets doing what they do well, which is to develop technology,
and letting citizens do what they ideally do well, which is to set policy."

-Esther Dyson, President, EDventure Holdings, Inc.

The Electronic Frontier Foundation is working to protect your privacy.  To
help stop Clipper and eliminate export controls on cryptography, support a
bill introduced in the House of Representatives, HR 3627.  To support the
bill, send email to <cantwell@eff.org>.

Daniel J. Weitzner, Senior Staff Counsel, Electronic Frontier Foundation
1001 G St, NW  Suite 950 East, Washington, DC 20001  <djw@eff.org>
202-347-5400 (v) 202-393-5509 (f)
*** Send mail to membership@eff.org for information on EFF. ***
