The RISKS Digest

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Volume 17 Issue 10

Sunday 30 April 1995


o Metromover inner loop back on line
Charles P Schultz
o Radar-detector messages & cop-car computers
Mark Seecof
o AOHell
Simson L. Garfinkel
o Terrorism and telecommuting
Tim Kolar
o CyberWinter: A Forecast
Richard K. Moore
o Privacy directory
Simson L. Garfinkel
o Re: Lotus Notes authentication protocol challenged
Charlie Kaufman
o Re: Floating-Point Time
David Cline
Bill Hopkins
o Re: Digital libraries
Shannon Nelson
Michael D. Sullivan
o Clipper paper available for anon FTP
Michael Froomkin
o Advanced Surveillance, Call for Papers
Dave Banisar
o Info on RISKS (comp.risks)

Metromover inner loop back on line

28 Apr 95 08:22:57 -0600

Miami's Metromover was running again Wednesday afternoon after the downtown inner loop was closed for more than two days because of "phantom" trains on the track. Trains began rolling again on the 1.9 mile inner loop at 12:19 p.m. The rest of the 4.4-mile system - an outer loop and extensions north to the Omni International Mall and south to Brickell - was not affected.

Metro-Dade Transit Agency technicians attributed the problem to a faulty transmitter in a computer. Manny Palmeiro, a MDTA marketing manager, said the system detected trains when none were on the tracks.

"Phantom" trains have been a recurring Metromover glitch, one of a long string of computer and other electronic and electric problems plaguing the system. MDTA disclosed last week that in the spring and fall, sunshine sometimes trips safety sensors that detect the presence of trains. Those sensors are being realigned to shield them from the sun.

Last month, MDTA managers warned that Metromover glitches likely will not go away soon. In fact, they said glitches may well be a permanent fixture of the nation's largest and most elaborate downtown automated rail system. [Source: *Miami Herald*, 27 Apr 1995]

Radar-detector messages & cop-car computers

Mark Seecof <>
Thu, 27 Apr 1995 19:22:22 -0700

At page 91 of the April 1995 Law and Order magazine (v.43 no.4) in the "Police Equipment News" section a short item describes a "Collision avoidance system" which "takes advantage of the millions of radar detectors in civilian use." Basically, the system requires police cruisers and other emergency vehicles (e.g., ambulance) to be equipped with microwave transmitters designed to set off speed-radar detectors. Drivers will presumably react to radar-detector alerts by looking around, improving the chance that they will see and yield to or avoid a vehicle using lights &| siren to claim right-of-way. The detector vendor Cobra Electronics developed the system and sells detectors capable of decoding short text messages from the alerting signal. Cobra's present CAS transmitters can be programmed to send either "Emergency Vehicle" (moving vehicle) or "Road Hazard" (vehicle stopped on highway) and the scheme allows for other messages.

I'm not sure how to score the risks here. I admire the elegance of regarding existing radar detectors as general-purpose warning receivers, and the message encoding is icing on the cake. (I applaud the designers for using an open and flexible alphameric code to permit arbitrary message content.) On the other hand, the transmitters will ``pollute the channel'' (degrade S/N ratio) in a sense, making it harder for drivers to detect ``real'' radar threats. So long as police confine system use to emergencies I think it's great. If the system gains wide use, auto makers could put alert-receivers into vehicles at the factory (such receivers need not serve as general radar-detectors; they could discriminate warning signals by their alphameric code content).

An article in the same magazine at page 77 by Tom Yates titled "Magic Patrol Cars: Police Travel Information Superhighway" suggests in glowing terms the many benefits to be had from increasing the computerization of patrol cars. I think the author reveals a certain naivete. For example he writes of one in-car machine: "the system is easy to learn because the software operates under the computer industry standard MS-DOS/Windows operating systems. To make the system even faster dedicated function keys minimize the number of keystrokes required for a given operation such as calling up information, editing data, or initiating system functions." He's describing a system to be used while the patrol car is moving. Considering how the car may lurch around I wonder if users will get in trouble by sometimes striking the wrong function key? Later in his column Mr. Yates (who, I should point out, is a good writer and clearly an expert on police vehicles and operations--if still in the middle of the computer learning curve) discusses engine computers and suggests that they will be improved to offer very sophisticated variations in performance for different (e.g., cruising, pursuing) situations. I'm sure many RISKS readers would wait, as I would, for the second or third software release...

Mark Seecof <> [all usual disclaimers implied]


AOHell

Simson L. Garfinkel < >
Fri, 28 Apr 1995 15:27:59 -0400

(C) 1995 Simson L. Garfinkel
Originally appeared in The Boston Globe, April 21, 1995
[Reproduced in RISKS with the author's permission]

It's 10:00 P.M. on a weekend night, and some obnoxious guy in the America Online Chat Forum won't shut up. What do you do?

You give them the finger, of course. And if that doesn't work, you can always shoot them.

Want everybody in the chat room to shut up so you can talk? Just click the button labeled "Ghost," and the screen will clear away everyone else's comments, giving you space to make yourself heard.

You won't find these features on America Online's standard set of menu options. But they are part of a new anti-AOL program called AOHell that's making the rounds on some electronic bulletin board systems.

AOHell can do more than make mischief in America Online's chat rooms: the program has a number of devilish features that seem designed for turning online lives into living nightmares.

Armed with AOHell, one user can send dozens, or hundreds, of electronic mail messages to an unwitting victim in just a few seconds, a technique known as "mail bombing." AOHell can also mail bomb the victim's fax machine and even his US mailbox. And what if you really don't like another subscriber? Just click on the "Punt" command and you'll abruptly log them off, thanks to an apparent bug in America Online's operating software.

Why would someone develop such a program and give it away for free over the Internet?

"I hate the staff on AOL for one, I hate most of the people on AOL for another, and I wanted to cause a lot of chaos," explains one of the anonymous authors of AOHell, who identifies himself only as Da Chronic, in the program's instruction manual.

Indeed, AOHell's worst punches seem to be aimed directly at America Online itself.

AOHell has a nefarious system built into it for generating fictitious credit-card numbers. According to users, the program can make free accounts that last up to 10 hours of online time or one week, whichever comes first. For users with high bills for the nation's second-largest online service, AOHell has the ability to let users download files for free.

"Any member using AOHell will have their account immediately terminated," says Margaret Ryan, a spokesperson for the company.

AOHell is a piece of software for engaging in illegal activities, sometimes called banditware, which runs in conjunction with America Online's communications software for Windows-based computers. It appears to be the first time that such a program has been written to directly attack one of the nation's large online services.

Some of AOHell's abilities appear to exploit bugs in the America Online system, while others, such as the ability to display a raised middle finger in a chat room, seem to merely simulate an extremely rapid typist. Ryan wouldn't say if AOL has any technical fixes in the works that would prevent the program from functioning properly.

Indeed, Ryan doesn't even know who wrote AOHell.

Although AOHell's author has chosen to remain anonymous, a built-in feature allows AOHell users to send bug reports to the program's author. Those reports get sent to a computer in Finland called an anonymous remailer, which allows people on the Internet to exchange electronic mail without knowing each other's identities.

"If you think AOH 2.0 is marvelous, wait until you see 3.0," wrote the program's author, in response to an electronic mail message. "I'm almost finished with it and it will make version 2 look like a Commodore 64 program, to say the least."

Terrorism and telecommuting

Tim Kolar <>
Fri, 28 Apr 95 23:24:31 PDT

In the aftermath of the recent tragedy in Oklahoma, there have been several reports of government agencies allowing at least temporary telecommuting arrangements for their employees.

One wonders if widespread telecommuting could alleviate this kind of problem completely.

Individual attacks and attempts to disrupt the communications backbone are a possibility, but I'm not sure there's much to attract terrorists in either of them. Harassing individuals hasn't done much for the so-called "Unabomber", and disruption of telephone service is more an annoyance than something to live in terror of.

In any case, I like the sound of "everyone go home and work" a lot better than "we'll be installing video cameras on every street corner".

-Tim Kolar

CyberWinter: A Forecast

Richard K. Moore < >
Sun, 30 Apr 1995 09:39:02 +0000

Not that this should be unexpected news to any of you, but Cyber Winter is at hand.

We are aware of the Cyber Glaciers — in the form of the S.390 Censorship Bill and the S.1984 FBI Police-State Enablement Act — blasted loose from the Washington Ice Floes by the ever-so-timely Oklahoma explosion. But merely the _news_ of the glaciers is enough to chill hearts and will...

One list, with mild political content, was shut down last week with no explanation. After persistent investigation, I was able to learn that someone up the byte-chain feared that the list _might_ be perceived as controversial _by someone someday_, and out of concern for his "job and family", felt he better shut down the list ASAP. I learned this from the person himself, although it took several rounds of questions to get past his layers of embarrassment.

This was at a prestigious university. I promised not to name names.

The Internet is very fragile. It doesn't require police activity to shut it down; all it takes is the fear of controversy, in a climate of media-fanned public emotions.

The lists and servers operated by universities and corporations are brittle as fine crystal — those institutions have no incentive to risk even the _potential_ censure of their customers, alumni, directors, funding sources, etc.

Commercial providers (AOL, CServe, etc) similarly won't wait for a knock on the door before they "clean up their act" — and I mean sparkling lemon-fresh baby-powder clean, suitable for children, grannies, and Baptists (no offense intended.).

We are entering what the ACLU refers to as a "chilling" era. The Well, CPSR, APC — and other sites with a conscience — will in many cases take a principled, courageous stand for cyber rights. But those are exactly the sites that the Police State legislation is designed to suppress. They can't afford to pursue the "Enumerated Defenses", the way Cyberspace INC will be able to, when it distributes its interactive soft-porn cyber-soaps into everyone's home, in order to sell burgers, lager, and designer jeans. Forget open BBS's — they'll soon be history.

It's time to get out your winter coats. For what little difference it'll make, you might want to take down the personal email and snail addresses of your online associates while you still can.

Privacy directory

Simson L. Garfinkel < >
Sun, 30 Apr 1995 10:24:19 -0400

This isn't so much a RISK as a RESOURCE.

The Privacy Journal has assembled a really phenomenal directory of privacy professionals. The directory has hundreds of people, with their names, phone numbers, addresses, email addresses, and brief descriptions of what they do or have done that's notable in the privacy field.

I've been writing about privacy issues for nearly a decade, but even my own personal database pales in contrast to what the Privacy Journal's publisher Robert Ellis Smith has assembled.

You can get the directory for $12.50 from Smith. It is available in print or electronically.

Here is Smith's entry:

Smith, Robert Ellis
Privacy Journal
P. O. Box 28577
Providence RI 02908
fax upon request

Attorney, publishes monthly newsletter, books and special reports; author of Our Vanishing Privacy (1993), The Law of Privacy Explained (1993), Compilation of State and Federal Privacy Laws (1994)

E-mail address:

(Note: I write occasionally for The Privacy Journal, but this is still a great resource.)

Re: Lotus Notes authentication protocol challenged (Gong, RISKS-16.87)

Charlie Kaufman/Iris <Charlie_Kaufman/>
28 Apr 95 9:53:31 EDT

>(2) [...] Cynthia Dwork of IBM Almaden wrote in ACM SIGACT
>News 26(1) (March 1995) that the authentication procedure using public-key
>systems in Lotus Notes, as described in its "Internals online book", has
>security flaws. Lotus's response is (1) the actual system does not work as
>described in the manual and (2) how it actually works is proprietary
>information. [LG: (1) is dangerous by itself, and if (2) is true, then why
>pretending to describe the procedure in the first place.]

It's all true.

The authentication protocol used by Lotus Notes is a somewhat involved mix of public key and secret key cryptography designed for good security and performance. In the Security Internals online book in a section on the certificate hierarchy and the implied trust model, there is an aside on how authentication takes place once the two sides know each other's public keys. Because the truth was complex and the complexity seemed irrelevant, the author substituted a "classic" public key authentication protocol for the real one. Unfortunately, while that protocol was not itself flawed, using the same public key for that protocol and for the encryption and the signing of electronic mail would be insecure. That was the central point of the Dwork article: that two well-designed cryptographic protocols can be insecure when used together sharing keys. The actual Lotus Notes authentication protocol does not have this problem.

While the Lotus Notes authentication protocol was never intended to be proprietary or secret, it was also never fully publicly documented, and the public documentation that did exist was incorrect. A more complete writeup has subsequently appeared in the book "Network Security: Private Communication in a Public World", by Charlie Kaufman, Radia Perlman, and Mike Speciner, Prentice Hall, 1995. The on-line documentation will be corrected.

Charlie Kaufman Email: Tel: 1-508-392-5276
Iris Associates, One Technology Park Drive, Westford, MA 01886, USA
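
The key-sharing point in the message above, as an added example that is not part of the original post and is neither the Lotus Notes protocol nor the one printed in the online book: it shows a login response being accepted by a mail-signature verifier when both uses share one key, next to a variant that binds every signature to its purpose. Assumptions: the "classic" protocol is taken to be sign-the-challenge, the RSA key is a toy without padding, and all function names are hypothetical.

```python
import hashlib

# Toy textbook-RSA key, constructed for this illustration only: two Mersenne
# primes give a ~92-bit modulus, far too small for real use, and no padding.
P, Q = 2**31 - 1, 2**61 - 1
N, E = P * Q, 65537
D = pow(E, -1, (P - 1) * (Q - 1))


def digest_int(data: bytes) -> int:
    """Hash bytes to an integer below the modulus."""
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % N


def private_op(value: int) -> int:
    """The single private-key operation that both protocols end up calling."""
    return pow(value % N, D, N)


def public_check(value: int, signature: int) -> bool:
    return pow(signature, E, N) == value % N


# --- Design A: one key, two protocols, nothing binds a signature to its use ---
def sign_mail_shared(message: bytes) -> int:
    return private_op(digest_int(message))


def verify_mail_shared(message: bytes, signature: int) -> bool:
    return public_check(digest_int(message), signature)


def auth_respond_shared(challenge: int) -> int:
    # Assumed "classic" proof of possession: sign the number the peer sent.
    return private_op(challenge)


# --- Design B: same key, but each signature covers a purpose tag -------------
def tagged_digest(purpose: bytes, data: bytes) -> int:
    return digest_int(bytes([len(purpose)]) + purpose + data)


def sign_mail_tagged(message: bytes) -> int:
    return private_op(tagged_digest(b"mail-signature", message))


def verify_mail_tagged(message: bytes, signature: int) -> bool:
    return public_check(tagged_digest(b"mail-signature", message), signature)


def auth_respond_tagged(challenge: bytes, responder_nonce: bytes) -> int:
    # The responder mixes in its own nonce, so the peer never chooses the
    # exact value that reaches the private key.
    return private_op(tagged_digest(b"login-challenge", responder_nonce + challenge))


def verify_auth_tagged(challenge: bytes, responder_nonce: bytes, signature: int) -> bool:
    return public_check(tagged_digest(b"login-challenge", responder_nonce + challenge), signature)


def cross_protocol_results() -> dict:
    """Feed a login response to the mail verifier under each design."""
    mail = b"constructed sample mail body the key holder never signed"
    # Design A: the peer's challenge is simply the digest of that mail.
    resp_a = auth_respond_shared(digest_int(mail))
    # Design B: the peer sends the same bytes as its challenge.
    nonce = b"\x01" * 16  # fixed here for reproducibility; random in practice
    resp_b = auth_respond_tagged(mail, nonce)
    return {
        "shared_response_verifies_as_mail": verify_mail_shared(mail, resp_a),
        "tagged_response_verifies_as_mail": verify_mail_tagged(mail, resp_b),
        "tagged_response_verifies_as_login": verify_auth_tagged(mail, nonce, resp_b),
        "tagged_mail_roundtrip": verify_mail_tagged(mail, sign_mail_tagged(mail)),
    }


if __name__ == "__main__":
    for name, value in cross_protocol_results().items():
        print(f"{name}: {value}")
```

Using a separate key pair for each purpose removes the interaction as well; the purpose tag is the option when one key must serve both.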

Re: Floating-Point Time (Kuenning, RISKS-17.09)

David Cline < >
Sat, 29 Apr 1995 19:49:08 GMT

> ... Since there are about 3x10^7 seconds in a year, or about 10^8 every
> 3 years, one can represent about 8x16x3 = 384 years to millisecond
> precision without violating that range, right?

Wrong. This confuses milliseconds and microseconds; you can represent 285 years to *microsecond* accuracy in 53 bits. If you only care about millisecond accuracy, you can represent about 285,000 years. There are also ways of using the sign bit to double the effective range.

Dave Cline Spring Valley Software
[Your moderator is dismayed that this is dragging on so long! PGN]

Re: Floating-Point Time

Fri, 28 Apr 95 11:12:30 EDT

On the year-zero and religious wars: PGN suggests [RISKS-17.09] that first-century dates (which were, after all, not invented until well after the fact) would have created religious wars had there been computers to suggest that there should be a year zero.

Any self-respecting computer, however, would have balked at attempts to divide the factions by zero.

Bill Hopkins

hopkins@VFL.Paramax.Com Unisys Corporation (Soon to be Loral, they say)
610-648-2854 or 363-7464 Valley Forge Eng'g Ctr, POB 517, Paoli PA 19301

Re: Digital libraries (Kass, RISKS-17.09)

Thu, 27 Apr 95 13:11 PDT

> [...] However, the only media which has persistence of 50+ years which
> has been proven in a reliable way is film.

This points out a risk of being too close to the technology. Perhaps the microfilm is the only "technological" way of storing media for 50+ years, but it seems to me that the low-tech method of printed books has about 5 to 10 times that lifespan, depending on the paper and ink used. It also has the benefit of being immediately accessible to the reader, as no fancy technology is necessary to extract the data, outside of a current prescription for one's glasses.

Shannon Nelson Portland Technology Development, Intel Corp. (503) 642-8149 I don't speak for Intel

Re: Digital Libraries (Kass, RISKS-17.09)

Michael D. Sullivan < >
30 Apr 1995 01:20:08 -0400

And what about paper (acid-free), papyrus, or other similar media that have lasted hundreds or thousands of years intact? Or stone (e.g., cuneiforms or etchings on silicon)?

Microfilm (silver on film) has been around far less time than these. In fact, the film media used in the 1930s (nitrocellulose) has proven to be disastrous — it practically self-destructs. Moreover, silver has only been in use for a bit over a century as a means of fixing an image, and it has distinct disadvantages, due to oxidation. Carbon-based ink on non-acid paper, on the other hand, lasts virtually forever. Perhaps replacing paper with Mylar would be a good step, but silver halide images would not appear to be good for long-term archiving; photographers have turned to platinum and other means of giving longevity to photographic images, in lieu of silver. India ink on papyrus or vellum might last longer, though. Maybe convert the data to carbon-based laser toner on Mylar in barcodes?

Michael D. Sullivan | INTERNET E-MAIL TO:
Bethesda, Md., USA | also,

Clipper paper available for anon FTP

Michael Froomkin <>
Thu, 27 Apr 1995 15:24:59 -0400 (EDT)

My paper, "The Metaphor is the Key: Cryptography, the Clipper Chip, and the Constitution" is now available for anonymous FTP. It is about 180pp. long, and contains more than 800 references.

I would welcome your feedback on this paper — even (especially?) contributions to the inevitable errata sheet.

(Please note this document resides at what is officially a "temporary" site, so that if you create a web link to it, please let me know so that I can notify you when it moves).

Contents of FTP://

File                  Type
- - - - - - -         - - - - - - - 
clipper.asc           ASCII
clipper.wp            WP 5.1/Dos
                      Pkzipped version of clipper.wp
                      My best effort at Postscript.  YMMV.  (approx. 7Mb.)
                      Pkzipped version of
                      Gzipped version of

Ports provided by nice people (please note I have not checked these):
Unix compressed version of with carriage returns removed — courtesy of Whit Diffie
Binhexed self-extracting Microsoft Word 5.1 for Macintosh version of clipper.wp — courtesy of Ted Byfield
None of these files contains correct and final page numbers, and there are generally trivial typos that were corrected in the printed version. The printed version appears at 143 U.Penn.L.Rev. 709 (1995).

I intend to put up a web version presently. The .index file in the above directory will have details when a clean copy is ready for prime time. A link to an experimental and highly buggy HTMLized version may appear at erratic intervals at at the very bottom of the homepage.

A.Michael Froomkin, Associate Professor of Law, U.Miami Law School, POB 248087, Coral Gables, FL 33146 USA +1(305) 284-4285 MFROOMKI@UMIAMI.IR.MIAMI.EDU

Advanced Surveillance, Call for Papers

"Dave Banisar" <>
29 Apr 1995 13:22:30 -0400

Advanced Surveillance Technologies
Sponsored by
Privacy International, and
Electronic Privacy Information Center
4 September 1995
Copenhagen, Denmark


Over the past decade, fundamental changes have taken place in the nature and the environment of surveillance. New information systems offer an unprecedented ability to identify, monitor and track a virtually limitless number of individuals. Some leading-edge technologies are likely to revolutionize the practice of surveillance. The factors of cost, scale, size, location and distance have, in many instances, become largely irrelevant.

The impact of political and economic change throughout the world has also created unforeseen dimensions to surveillance. The evolution of a Global Information Infrastructure will have a profound impact on the scope of potential surveillance of individuals. The end of the cold war and the privatization of public sector activities has magnified the impact of change. The merging of technologies has also created new opportunities for wide-scale surveillance.

The nature of surveillance has changed to the extent that modern information systems involve a pre-requisite of general surveillance of populations. The pursuit of perfect identity has created a rush to develop systems which create an intimacy between people and technology. Advanced biometric identification and sophisticated ID card systems combine with geographic tracking to create the potential to pinpoint the location of any individual. The use of distributed databases and data matching programs makes such tracking economically feasible on a large scale.

Extraordinary advances have recently been made in the field of visual surveillance. Closed Circuit Television (CCTV) systems can digitally scan, record, reconfigure and identify human faces, even in very poor light conditions. Remote sensing through advanced satellite systems can combine with ground databases and geodemographic systems to create mass surveillance of human activity.

The globalization of information systems will take information once and for all away from the protection and jurisdiction of national boundaries. The development of data havens and rogue data states is allowing highly sensitive personal information to be processed outside any legal protection.

At a more intimate level, research is underway in more than a dozen countries with the aim of implanting microchip technology directly into the human brain. US and European medical institutes have already conducted many such operations. The creation of a direct link between the human brain and computer technology is at an advanced stage. Such procedures are initially aimed at stimulating dead senses and paralyzed limbs. Within two decades, it is possible that such implants will be at a sufficiently advanced stage to enable complex interaction between the brain and external technology.

The science of nanotechnology, which involves the re-configuration of individual atoms and molecules, will present the potential for virtually undetectable covert surveillance.

These and other developments are changing the nature and meaning of surveillance. Law has scarcely had time to address even the most visible of these changes. Public policy lags behind the technology by many years. The repercussions for privacy and for numerous other aspects of law and human rights need to be considered sooner rather than later.

This one day conference will present an overview of these leading-edge technologies, and will assess the impact that they may have in the immediate future. Experts and analysts will discuss the nature and application of the new technologies, and the public policy that should be developed to cope with their use.

The conference theme is unique, and interest in the event has already been expressed from throughout the world.

Program contents

The first session will assess new dimensions in current surveillance technologies. The remainder of the day will be devoted to exploring technologies which are in the formative stage of development.

Preliminary List of Topics:

The conference will be held in Copenhagen, and is timed to coincide with the 17th annual international meeting of privacy and data protection commissioners.

Number of participants : approximately one hundred

Cost: US $75 - Individuals/non-profit organizations
      $175 - Commercial organizations

Privacy International and the Electronic Privacy Information Center are now requesting abstracts for papers. Papers should be directed at a general audience, and should either present an overview of an aspect of advanced surveillance technology, or they should discuss the likely use and impact of the technology.

Abstracts or papers can be emailed to Privacy International at:

Alternatively, they can be sent to :

Privacy International Washington Office
666 Pennsylvania Ave, SE, Suite 301
Washington, DC 20003 USA
1-202-544-9240 (phone)
1-202-547-5482 (fax)
Web address: gopher/ftp /cpsr/privacy/privacy_international/

David Banisar ( * 202-544-9240 (tel)
Electronic Privacy Information Center * 202-547-5482 (fax)
666 Pennsylvania Ave, SE, Suite 301 * ftp/gopher/wais
Washington, DC 20003 * HTTP://
