The RISKS Digest
Volume 18 Issue 25

Friday, 12th July 1996

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Please try the URL privacy information feature enabled by clicking the flashlight icon above. This will reveal two icons after each link the body of the digest. The shield takes you to a breakdown of Terms of Service for the site - however only a small number of sites are covered at the moment. The flashlight take you to an analysis of the various trackers etc. that the linked site delivers. Please let the website maintainer know if you find this useful or not. As a RISKS reader, you will probably not be surprised by what is revealed…


Western U.S. power blackout
Recent west-coast power outage and thoughts on the power grid
Nicholas C. Weaver
Massive cell-phone identifier interception
56-Bit Encryption Is Vulnerable, Says Zimmermann
John Munden is acquitted at last!
Ross Anderson
Risks of Computers In Automobiles
George Beuselinck
Re: DoD and IRS tax systems
Todd B SanMillan
"Microsoft apologizes for *offensive* thesaurus errors"
Microsoft mail, bane of mailing list software
Joe A. Dellinger
Re: More AOL censorship
Info on RISKS (comp.risks)

Western U.S. power blackout

"Peter G. Neumann" <>
Thu, 4 Jul 96 6:13:41 PDT
More than a dozen states including California, Oregon, Washington, Utah,
Nevada, Wyoming, Arizona, reported power outages on 2 July 1996.  At least
11 separate power plants "inexplicably were knocked off line".  The problem
appears to have originated at a 1500-megawatt intertie at the
California-Oregon border.  Later in the day, plants in Rock Springs,
Wyoming, and along the Colorado river also went off line.  [Source: Reuters
item, *The Boston Globe*, 3 July 1996, p.3]

On the following day, parts of Idaho were again blacked out.  Perry Gruber,
spokesman for the Bonneville Power Administration in Portland, Oregon, said,
"We can rule out sabotage.  We can rule out UFOs.  I think we can rule out
computer hackers."  Utility officials said it may take as long as a week to
find the cause(s).  [Source: Associated Press item, *The Boston Globe*, 4
July 1996., p.4]

  [Jerry Saltzer, who was in Idaho, remarked to me that what was most
  striking was the sheer confusion in reports of what might have been the
  cause.  "AP reported without comment that eleven generating plants shut down
  simultaneously, with the apparent implication that some kind of widespread
  conspiracy was involved.  Idaho Power said the problem originated in
  California, but its system autoshut down completely and had to go through a
  "Black Start".  Oregon's main power company said it was a problem on the
  Pacific Northwest Intertie.  Colorado's power company said the problem
  originated in their system but they didn't understand what it was.  Idaho
  Power said it had nothing to do with the hot weather and unusual load from
  air conditioning.  Oregon said it was caused by the hot weather and unusual
  load from air conditioning.  Three days later they still didn't have any
  consensus on what had happened.  Impressive disarray--one has the feeling
  that they don't talk to one another.  With this much lack of communication,
  I'm not sure they should be allowed to interconnect, either."  JHS]

Recent west-coast power outage and thoughts on the power grid

"Nicholas C. Weaver" <nweaver@CS.Berkeley.EDU>
Wed, 3 Jul 1996 12:56:00 -0700
[...] At least 1.5 million customers were affected by sporadic outages.
Apparently an instability in the power grid caused these problems.  (It is
interesting how sporadic these outages were.  In Berkeley, our power wasn't
interrupted, yet portions of the Bay Area subway system (BART) were without

Other contributors can no doubt explain better then I can how such
instabilities occur, but I would rather address a more frightening thought:
Can such instabilities be deliberately introduced?  Could someone actively
sabotage the power-grid in this way?

This outage didn't cause much damage.  After all, it was during the day and
hot and miserable, so a few million people were simply made uncomfortable.
But what would happen to LA if a California wide blackout occurred at say,
11pm on Dec. 31st?

One might also wonder if other portions of our energy infrastructure
are similarly vulnerable to attack?

  [The answer to your first and third questions is unfortunately YES,
  and transcend the energy infrastructure.  The Senate Governmental Affairs
  Committee Permanent Subcommittee on Investigations, chaired by Senator
  Nunn, has been holding hearings that include this very topic.  My
  testimony from 25 June is available for FTP (in PostScript form only at
  the moment) from in the file pub/neumannSenate.PS .  PGN]

Massive cell-phone identifier interception

"Peter G. Neumann" <>
Thu, 4 Jul 96 8:13:41 PDT
Two people in Brooklyn NY (Abraham Romy and Irina Bashkavich) were charged
with stealing over 80,000 cellular phone numbers, along with corresponding
identifying serial numbers and personal identification numbers, using a
scanner (digital data interceptor) from their 14th-floor windowsill above
the Belt Parkway in Brooklyn.  Police seized two handguns, six computers, 43
cellular phones, and the scanner.  Cellular-phone fraud reportedly amounts
to losses of $1.5 million per day.  [Source: An Associated Press item in
*The New York Times*, 3 July 1996, p.  B4]

56-Bit Encryption Is Vulnerable, Says Zimmermann (Edupage)

Edupage Editors <>
Sun, 30 Jun 1996 18:01:43 -0400 (EDT)
Philip Zimmermann, creator of Pretty Good Privacy encryption software,
testified before a Senate subcommittee that, based on a 1993 presentation by
Michael Wiener of Northern Telecom, it would be possible to build a machine
for $1 million that could crack a message encrypted with the Data Encryption
Standard and a 56-bit key in an average of 3.5 hours.  A more powerful
machine, costing about $10 million, could do it in 21 minutes, and a $100
million machine could bring the time down to two minutes.  Zimmermann's
testimony contradicted a recent statement by U.S. Attorney General Janet
Reno that even with a "top of the line supercomputer, decoding a 56-bit key
would take over a year and the evidence would be long gone."  At issue is
whether the U.S. should permit the general-license export of 56-bit
encryption products.  (BNA Daily Report for Executives 27 Jun 1996, A5, in
Edupage, 30 June 1996)

John Munden is acquitted at last!

Ross Anderson <>
Mon, 08 Jul 1996 18:26:10 +0100
At twenty past two today, John Munden walked free from Bury Crown
Court. This resolved a serious miscarriage of justice, and ended an
ordeal for John and his family that has lasted almost four years.

In a judgment loaded with significance for the evidential value of
cryptography and secure systems generally, His Honour Justice John
Turner, sitting with two assessors, said that `when a case turns on
computers or similar equipment then, as a matter of common justice,
the defence must have access to test and see whether there is anything
making the computers fallible'. In the absence of such access, the
court would not allow any evidence emanating from computers.

As a result of this ruling, the prosecution was not in a position to
proceed, and John Munden was acquitted.

John was one of our local policemen, stationed at Bottisham in the
Cambridge fenland, with nineteen years' service and a number of
commendations. His ordeal started in September 1992 when he returned
from holiday in Greece and found his account at the Halifax empty. He
complained and was told that since the Halifax had confidence in the
security of its computer system, he must be mistaken or lying. When
he persisted, the Halifax reported him to the police complaints
authority for attempted fraud; and in a trial whose verdict caused
great surprise, he was convicted at Mildenhall Magistrates' Court on
the 12th February 1994.

I told the story of this trial in a post to comp.risks (see number
15.54 or get It turned out
that almost none of the Halifax's `unresolved' transactions were
investigated; they had no security manager or formal quality assurance
programme; they had never heard of ITSEC; PIN encryption was done in
software on their mainframe rather than using the industry-standard
encryption hardware, and their technical manager persisted in claiming
(despite being challenged) that their system programmers were unable
to get at the keys. Having heard all this, I closed my own account at
the Halifax forthwith and moved my money somewhere I hope is safer.

But their worships saw fit to convict John of attempted fraud - which
made the national papers.

An appeal was lodged, but just before it was due to be heard - in
December 1994 - the prosecution handed us a lengthy `expert' report by
the Halifax's accountants claiming that their systems were secure.
This was confused, even over basic cryptology, but it was a fat and
glossy book written by a `big six' firm with complete access to the
Halifax's systems - so it might have made an impression on the court.
We therefore applied for, and got, an adjournment and an order giving
me - as the defence expert witness - `access to the Halifax Building
Society's computer systems, records and operational procedures'.

We tried for nine months to enforce this but got nowhere. We complained,
and an order was made by the judge that all prosecution computer evidence
be barred from the appeal. The Crown Prosecution Service nonetheless
refused to throw in the towel, and they tried to present output such as
bank statements when the appeal was finally heard today.

However, the judge would have none of it.

Many thanks to all those who helped, and especially to guys like Brian
Randell, Chuck Pfleeger and John Bull who wrote in to the Chief Constable
and pointed out that the original judgment was patently absurd. It was
largely due to their letters that John was suspended from the force rather
than sacked.

For the computer security community, the moral is obvious: if you are
designing a system whose functions include providing evidence, it had better
be able to withstand hostile review. This is understood by designers of
forensic systems, and the value of hostile review is also well known to the
military and the utilities. But with one or two exceptions - such as SET -
the banks are just not on the same planet, and the risk to them should be


Risks of Computers In Automobiles

George Beuselinck <>
Thu, 11 Jul 1996 19:43:01 -0400
Just got this in from a friend at Microsoft:

DETROIT - General Motors Corp. said Tuesday it is recalling about 292,860
Pontiacs, Oldsmobiles and Buicks from the 1996 and 1997 model years
because of an engine software problem that could result in a fire.

The cars are the 1996 Pontiac Bonneville, Oldsmobile Ninety Eight and
Eighty Eight, Buick Park Avenue, LeSabre, Riviera and Regal, and some
1997 Buick Le Sabres.

GM said a faulty engine system sequence can cause a backfire during
start-up. That can result in a cracked intake manifold, which in some
instances could erupt in a fire.

  With the proliferation of computer technology into automobiles, it had
  to happen sooner or later...

George Beuselinck

Re: DoD and IRS tax systems (Wexelblat, RISKS-18.23)

Todd B SanMillan <>
2 Jul 1996 15:03:43 -0700
My special note: I am also a tax-and-spend liberal, and in addition I
have a background in the rules of logic and am a native speaker of English.

<>The initiative referred to above is in the "Subcommittee Mark" of the
<>proposed next year's budget.  It's just a House Subcommittee so it's not
<>law, but it's a bad idea in my mind, even to consider it seriously.  Is the
<>Department of Star Wars and the $700 toilet seat really so excellent a
<>contracting agency that they are the clear choice to handle IRS business?

>  Typical attack based upon ignorance.  First it is the Department of

Are we really supposed to believe that the original poster was "ignorant"
of this point?  To me, the original poster was obviously employing
"rhetoric", a common argumentative technique that adds nothing to the
logical argument, merely makes a more forceful emotional appeal.  It
appears to have worked in this case.

>  I don't know the full details of the proposal.

It is also a weak argument to accuse the poster of ignorance, then admit
your own ignorance.

Next we get 2 (somewhat conflicting) explanations of "the $700 toilet
seat", from 2 different posters, one of which explains that "in fact it
was in the $600 range." I'm sorry, but this makes little difference to
the weight of the argument.  At $600 a seat, it still needs explaining, a
point that the poster recognizes by offering an explanation.

The RISKS? Employing emotional, rhetorical arguments while condemming
them in the other side of the argument does little to help your side and
keeps the noise level high.

"Microsoft apologizes for *offensive* thesaurus errors"

"Peter G. Neumann" <>
Mon, 8 Jul 96 7:32:44 PDT
Microsoft Mexico has an on-line Spanish-language thesaurus that has caused
quite a stir.  For example, the word "Indian" was equated with "man-eater"
and "savage"; "Western" with "Aryan", "white", and "civilized"; "lesbian"
with "pervert" and "depraved person".  Microsoft Mexico has apologized, and
is rushing in a language expert from their software development center in
Ireland.  [Source: *The Boston Globe*, 6 July 1996, p.58.]

Microsoft mail, bane of mailing list software

Joe A. Dellinger <>
Sat, 6 Jul 1996 16:18:56 -0500
I maintain a mailing list using the old "listproc" package.  Unfortunately,
Microsoft Mail users cannot subscribe, unsubscribe, etc, except by manually
sending e-mail to me. Microsoft mail (at least the way they are using it)
inserts a blank line at the front of the message, then some special
microsoft mail headers, and only THEN includes the text being mailed.  The
trouble is the list processor sees the Microsoft mail fields as the start of
the message and aborts (since those aren't legal listproc commands) without
reading further.

Another mailing list I subscribe to has been repeatedly "mail bombed" by
microsoft mail. If a "microsoft mail server" in the path to a recipient goes
down, the list address gets bombarded with error messages.  The error
messages then get echoed back out to the entire list and create additional
error messages. The problem appears to be that "Microsoft mail" error
messages don't conform to the mail protocols the list processor expects to
see flagging error messages, and so are not rejected by the mailing list

One other annoying incident occurred on the mailing list I maintain
(unrelated to microsoft mail this time!). Someone on the list decided to
edit their "name" to be extremely long, like so: From: (His name followed by a very long
diatribe against French nuclear testing in the Pacific here, all on one
line!)  The list processor software overflowed the field and truncated his
diatribe.  Most of the sites receiving the broadcast then barfed with
various nasty error messages because of the mismatched parenthesis, causing
a flood of error messages to come back to me as the list maintainer.

Re: More AOL censorship (Reid, RISKS-18.23)

MarkAYoung <>
7 Jul 1996 23:56:32 -0400
>This clinches it. AOL customers do not pay to receive e-mail and never have

AOL customers have a monthly allotment of time in many areas, including MAIL
and newsgroups, and have to pay for connect time beyond their allotment. The
standard plan has a 5-hour monthly allotment with $2.95/hr beyond that.

The same is currently true for CompuServe, too.

Therefore lots of spamming _will_ cost AOL customers money if they reach
their 5-hour montly allotment.

--Mark A. Young,

Please report problems with the web pages to the maintainer