The Risks Digest

The RISKS Digest

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Volume 18 Issue 32

Tuesday 13 August 1996


o Java security update
Ed Felten
o More power to us? "It couldn't possibly happen again" department
o Another London train crash; well, it's not supposed to happen!
o Fire alarms on Boeing 777 triggered by fruit/frog cargo
o Electromagnetic pulses to stop car chases?
Peter Wayner
o GPS Receiver Explodes
David Kennedy
o Bread-riots and circuses
Brian O'Connell
o The risks of apathy in telephone callers
Christopher Kline
o CyberRisk '96 Conference, Call for Participation
Mich Kabay
o Re: Computers causing power outages
Paul Hughett
o Re: "Anonymous" phone tips and CNID
Jeffrey Mattox
o Re: Department of Motor Vehicle records
Steve Sapovits
Benedikt Stockebrand
o Re: America Offline
James K. Huggins
Matthias Urlichs
o Info on RISKS (comp.risks)

Java security update

Ed Felten <felten@CS.Princeton.EDU>
Mon, 12 Aug 1996 20:29:06 -0400
We have found two Java security bugs recently, one in Microsoft Internet
Explorer 3.0beta3 and one in Netscape Navigator 3.0beta5.  Both bugs were
serious, allowing a malicious applet to gain at least full read/write access
to the victim's files.  Both bugs are fixed in current releases of the

The Netscape bug was caused by incorrect handling of type definitions in the
Java internals.  Java uses special predefined names for its array types;
these special names are bound to the correct array types on demand.  We
discovered that under certain circumstances an applet could define a class
that had one of these special names.  The system detected this and threw an
exception, but the malicious definition was mistakenly left in one of the
system's internal tables.  The result was that an applet could redefine one
of Java's array types.  This was sufficient to break Java's type system and
hence to circumvent Java's security mechanisms.

The Microsoft bug allowed an applet to become a member of a
security-critical Java package (module) whose membership was supposed to be
limited to Java classes that are built-in to the browser.  Code belonging to
one of these packages can set certain security-critical variables such as
the access control lists that say which files the applet is allowed to read
and write.  An applet could exploit this bug to obtain full file system and
network access, among other things.

For more details, see or contact
Ed Felten (, 609-258-5906).

Dirk Balfanz, Drew Dean, and Ed Felten, Safe Internet Programming Group,
Department of Computer Science, Princeton University

  [The "current release" of the Microsoft Internet Explorer is the one
  that was available at midnight PDT at the end of Monday evening (i.e.,
  3AM EDT Tuesday 13 Aug).  RISKS suggests that serious users of either
  browser pick up the new versions, and that people who consider themselves
  only casual users get more serious.  PGN]

More power to us? "It couldn't possibly happen again" department

"Peter G. Neumann" <>
Tue, 13 Aug 96 00:12:19 PDT
Power losses on 10 Aug 1996 (Saturday) affected at least 4 million customers
in 8 U.S. states from Canada to Mexico (including parts of Texas).  San
Francisco Airport was reduced to a mass of waiting humanity in the absence
of power other than air-traffic-control emergency power that permitted just
a few planes to take off.  Many landings were diverted and many flights

Outages were spotty.  For example, Palo Alto was down for 5 hours, while
neighboring Menlo Park seems to have been (mostly?) unscathed.  (Perhaps
SRI's cogeneration plant helped out!)  Some places were still out the next

The Pacific Intertie between Oregon and California was reportedly involved
again, but according to a late report (CBS late TV news) only as the 26th in
a series of thus-far-identified problems that began with three line outages
(hot weather expanding power lines), a problem at the Washington-Idaho
boundary, and another problem at the McNary substation.  The CBS report
suggested chaos theory as an explanation, with many small causes combining
in unexpected ways to cause something that allegedly is not supposed to
happen.  Unusually hot weather in Washington and Oregon and heavy use of air
conditioners everywhere in the West contributed significantly.  (I suppose
Saturdays require much less commercial AC, but much more home AC.)  An
earlier theory that this new problem had been caused by a fire under some
transmission lines seems to have fallen by the wayside -- the fire
apparently occurred after the outage had been triggered.  Of course, the
computer controlled systems did exactly what they were supposed to do --
shut down when threatened with overload conditions that might be damaging to
the system.

The early July 1996 outages had very similar but less long-lasting effects.
(The 2 July outages spanning 12 Western states were apparently triggered by
a single tree in Idaho, as noted in RISKS-18.27, but also occurred during a
hot spell.)  It appears this might become a commonplace occurrence.  Some
power officials said that this was a really freak (i.e., very unlikely)
occurrence, while others perhaps more candidly said there is very little
they can do to prevent further recurrences.

An emergency meeting of utilities folks is taking place this week, to
consider what might be done differently.  I suppose they might recommend we
all wear lighter clothing and offer frequent-flier miles for recycled
perspiration.  But serious suggestions might include cutting down more
trees?  Shutting down more salmon ladders?  Perhaps instituting more rolling
brownouts?  How about more preventive maintenance?  More oversight?  Closer
local monitoring and more integrated/distributed system-wide monitoring?  In
the 11 Aug case, diagnostics apparently indicated that a massive problem was
imminent something like half an hour beforehand, but those warnings were
evidently not given sufficient priority.

And then Monday afternoon, 13 August, there were new outages.  South San
Jose -- which was partly spared on 11 August, including a Neil Diamond
concert -- was hit this time with some long outages; the Hicks substation
apparently had a transformer explosion, affecting 27,000 customers.  Palo
Alto (which has its own utility company, but depends on PG&E) had a
45-minute outage that affected all 29,000 customers; the outage was blamed
on PG&E having messed up by sending an erroneous control signal to Palo

Please pardon any inaccuracies here.  There still seem to be a lot of
unknowns, and the reporting is itself spotty.  I hope when all the smoke
clears, we get some definitive analyses for RISKS.  This is clearly a very
important topic for us to contemplate, because we are increasingly dependent
on our power infrastructure for our computing/communication/transportation/
... infrastructure, which increasingly depends on our power infrastructure,
etc.  Also, the long-term weather prospects (including global warming, if
you care to believe in it) and dramatically increased usage demands seem to
to suggest more problems in the future.

Another London train crash; well, it's not supposed to happen!

"Peter G. Neumann" <>
Mon, 12 Aug 96 10:09:48 PDT
A London commuter train carrying about 400 passengers from Euston Station
crashed into an empty train heading into Euston Station, killing one
passenger and injuring about 100 near Watford Junction in Hertfordshire, 20
miles north of London, in the afternoon rush-hour on 8 Aug 1996.  [Source:
*San Francisco Chronicle*, 9 Aug 1996, A12]

No cause was given, but of course the signalling system is supposed to
prevent that from happening.  (The RISKS archives include a bunch of
incidents on trains in and around London.)

Fire alarms on Boeing 777 triggered by fruit/frog cargo

"Peter G. Neumann" <>
Sun, 11 Aug 96 10:44:12 PDT
False alarms on the Boeing 777 are apparently being triggered by unusual
humidity and temperature conditions in cargo holds.  For example, a
London-bound Emirates aircraft was diverted to Cyprus, due to
heavy-breathing mangos, and a Cathay aircraft was evacuated and the
fire-suppression system activated -- due to a combination of fruit and
frogs.  Apparently, tropical fruit (and especially durian fruit) generates
enough humidity to be detected as smoke -- thereby triggering the alarms.
[Source: *Aviation Daily*, 12 Aug 1996]

   [I wonder what this could do to a computer system,
   such as a spilled-pitcher-of-durian Cray?  Also,
   smoking mangos can be hazardous to your health?  PGN]

Electromagnetic pulses to stop car chases?

Peter Wayner <>
Sat, 10 Aug 1996 19:55:29 -0400
       Police prepare stunning end for high-speed car chases
       BY GILES WHITTELL AND NIGEL HAWKES, The Times, London, 10 Aug 1996

       It could be the end of the car chase as we know it. With the
automotive equivalent of a stun gun, science fiction is coming to the aid of
law enforcement.  A high-powered electrical device under development at the
Pentagon's Army Research Laboratory in Adelphi, Maryland, is to be tested by
police and border patrol agents and could be in use by next year.

       The car stopper works by focusing an intense electromagnetic charge
on the electronic systems that manage most modern engines, disabling them
and paralysing the car. In the jargon of its inventors, the 150 kilovolt
charge is a nemp, or non-nuclear electromagnetic pulse.  Contractors are
bidding to produce a police version.

       Very precisely directed beams are required, but even then there will
be problems. A pulse powerful enough to disable an engine at any reasonable
range would also be likely to disrupt communications, damage television and
radio sets, disable computers and even stop heart pacemakers. There is also
the danger of loss of control when a car is being driven at high speed.

       Counter-measures would include using old-fashioned engines with no
electronics, or perhaps surrounding the most delicate components with
shielding. The best might be to get hold of one of the stun guns and use it
to disable pursuing police vehicles.

GPS Receiver Explodes

David Kennedy <76702.3557@CompuServe.COM>
09 Aug 96 17:28:42 EDT
Excerpted from the c4i-pro mailing list.  A PLGR is milspeak for a Precision
Lightweight GPS Receiver made by Rockwell.  Note there are no conclusions in
the report IRT whether the equipment was at fault or something else.

>Date: Thu, 08 Aug 96 16:18:00 +6
>From: Potter B MSgt ACC/SCXX <>
>Subject: c4i-pro PLGR Violent Venting at Ft Irwin, CA
>Potter B MSgt ACC/SCXX <>
>Urgent traffic regarding explosion of PLGR.  Please forward to PLGR users at
>your units.
>     Very Respectfully,
>       //Bob//
>     Readiness Branch
> ----------
>From:     Gray, Rodney, Lt CZU[]
>Sent:     Wednesday, August 07, 1996 10:59 AM
>Subject:  PLGR Violent Venting at Ft Irwin, CA
>The following point paper describe[s] the PLGR venting issue.  Please
>disseminate this message to the necessary people with your services.
>On 30 July 96 a PLGR explode[d] during operation at Fort Irwin, CA.
>Apparently there was a violent venting vice a slow vent. In other words the
>PLGR case did not contain the blast.
>The incident involved the Commanding General of the 4th Infantry Division,
>Major General Kern,  and his driver. The driver was injured by the blast.
>His left eye was bruised, he did however make a full recovery and was
>released from the hospital.

[DMK: Incident is under investigation. Rockwell has been notified.  This is the
first reported incident of this kind.  Over 55,000 units have been in the field
in the military for some time now.]  ...

>This is initial report.  Don't have enough information to make a firm
>recommendation  at this time.  Will send updates as the situation unfolds.
>                         JPO's Interim Measure
>As an interim measure, until the investigation is completed the JPO has
>recommended that all BA-5800 batteries be removed from equipment when
>connected to vehicle power.  HOWEVER, the removal of the BA-5800 when being
>powered by another power source has operational considerations.  It
>typically will cause faster use of the memory battery (estimated 3 months or
>less usage versus 1 year) causing the memory battery to fall below the
>adequate power level.  This results in the loss of COMSEC key.  Which in
>turn cause a lost of almanac  and user waypoint data.  USERS SHOULD  ASSESS
>guidance will be provided pending the results of the incident investigation.

Dave Kennedy CISSP InfoSec Recon Team Leader, National Computer Security

Bread-riots and circuses

"Brian O'Connell" <>
Sun, 11 Aug 96 22:18:02 EDT
Among the ramifications of the recently completed Olympics may be an
under-noted economic risk, and implications for other sorts of international
competition.  Retailers in this country claimed (and I believe some
statistics corroborated this claim) that because consumers were engrossed in
the TV coverage of the games they were not out buying stuff at their usual
rate.  Retail sales were thereby depressed.  If this is the case some
speculation on the economic role of entertainment culture might be in order.

What would have happened, for example, if the Olympics were twice as long?
or if they were twice as interesting?  Would the change in buying patterns
have been doubly noticeable?  Would economists have classified the blip as
serious?  What if TV was routinely so enthralling?  Would the economy
suffer?  In short, what is the likelihood of a recession caused by an
entertainment event?  (If the risk is measurable a related risk would be to
allow the Net to become too entertaining without _first_ establishing a
reliable e-payment system, so that collectively hypnotized consumers could
still shop.)

Of course, the Olympics are a commercial event and as such are about
creating demand for consumer goods as much as anything else.  They need
advertising dollars to make them run and therefore might safely be assumed
to cause an economic lull and surge of proportional size.  But when is
demand-creation decoupled from actual consumption?  How long can consumers
be frozen in front of demand-creating spectacles without some of that effort
going to waste?  Other events aren't as predictable as the quadrennial
games.  Conventional wars, for example, don't depend on ad money and have
proven to be a pretty good draw.  Would a lengthy, televised one disrupt the
domestic economy?  Speaking of wars, what are the strategic implications of
this sort of event-driven economic upheaval?  If indeed the production of
information goods and consumption of other sorts of products _can_ become so
absurdly linked, would the DoD develop entertainment programming designed to
economically paralyze a region?  A swords-into-sitcoms approach involving
the military redeployment of Bob Hope, who could so amuse the golf-loving
citizens of another country that the resulting economic collapse might bring
down a regime?

While Radios Marti, Moscow, and Free Europe, to say nothing of the larger
phenomenon of American cultural imperialism have caused similar effects for
years, I'm more interested in the perhaps-less-overtly-hostile act of waging
economic inactivity.  The theory, however, is the same -- if the radio can
make us (or "them") want more democracy, or sneakers, it can also make us
want to stay home and listen to the radio.  Perhaps more importantly, I
wonder if new technologies (the Net, again) might provide a real-time way to
remotely instigate collective and real-life events.

All of this bread-and-circusing is to say two things, both of which have
been said before.  First, the creation of demand can be dicey; as
post-Pavlovian humans we're capable of -- and perhaps inclined to --
salivating at the sound of the bell itself rather than the prospect of food.
Second, information warfare probably means more than propaganda and printer
viruses, and can likely be tuned to selectively affect all sorts of
complicated and contingent networks, including an economy.

The risks of apathy in telephone callers

Christopher Kline <>
Thu, 8 Aug 1996 13:35:57 -0400
*Information Week* (22 Jul 1996, page 12) reports that K&T Communications of
Fort Worth, Texas has registered the phrases "I don't know", "I don't care",
"Whoever", and "It doesn't matter" as names of long-distance carriers in

The risk? When you make an operator-assisted long-distance call from Texas
and the operator asks which long distance carrier you would like to use, it
is in your best interest to have a preference. K&T charges "approximately
twice" that of the largest carriers.

Opening up the long-distance markets may help spur the growth of an
information infrastructure, but whether or not it helps lower prices for
consumers is an open question.

Christopher Kline Cornell University

  [For folks who still have rotary dials, you may find an automated
  voice interface that lets you utter those phrases as well!  PGN]

Re: Computers causing power outages (Peters, RISKS-18.30)

Paul Hughett <>
9 Aug 1996 22:16:50 GMT
Paul Peters is technically correct but also misses a valid point.  D. C.
Sessions should have said "negative incremental resistance" rather than
simply "negative resistance."  The former term means that for some range of
voltage, the current increases as the voltage decreases.  This means that
the power company cannot (necessarily) reduce the power consumption by
reducing the line voltage, which has been the usual way of handling
temporary power overloads without dropping service entirely; in fact,
decreasing the voltage may now increase the power consumption, since line
losses increase as you go toward lower voltage and higher current.  What is
perhaps worse is that a power supply, a negative incremental resistance
device, and a few passive components can make an excellent oscillator; look
up the circuit for a tunnel diode oscillator.  In other words, the power
distribution system becomes dynamically unstable, perhaps with rather large
voltage and current excursions as all the passive and active components
interact.  Not something that I want to hook my house up to.  By the way,
"negative resistance" is frequently (if incorrectly) used as a synonym for
"negative incremental resistance," and in fact this is the meaning that I
assumed was meant in the original post.

Paul Hughett  University of Pennsylvania

Re: "Anonymous" phone tips and CNID (Cook, RISKS-18.30)

Jeffrey Mattox <>
12 Aug 1996 17:46:31 GMT
Many people do not realize that most corporate phone systems have SMDR
(station message detail recording) which logs each call from each telephone.
So, even if CNID is disabled, it is very likely that a log exists of each
phone call.  It is a simple matter to search for calls to specific numbers.

Jeffrey Mattox --

Re: Department of Motor Vehicle records (Siegman, RISKS-18.31)

Steve Sapovits <>
Mon, 12 Aug 1996 15:24:12 -0400 (EDT)
I'd argue that police access is different than public access.  The police
have access to other forms of information the general public does not
have easy access to.

I don't buy arguments 2 and 3.  If you personally want your information to
be public for the sake of getting unsolicited advertising, then I have no
problem with a system that allows you to give permission to do that.

The problem is where do you stop this?  Using your first and last arguments,
why not make all credit information public so that the police can easily
detect credit card fraud and you can get targeted advertising based on
your buying habits?  Perhaps all educational and employment records should
be made public so we can check resumes for accuracy.  No thanks.  If people
want to make such information on themselves available, that's fine with me,
but I want control over my own personal information.

Steve Sapovits  N2K Telebase (

Re: Department of Motor Vehicle records (Ellermeier, RISKS-18.30)

Benedikt Stockebrand <>
12 Aug 1996 15:49:14 +0200
What's worse, some years ago the German RAF (Rote Armee Fraktion/Red Army
Fraction), the major terrorist group of that time, allegedly (i.e. it's too
long ago to remember my sources) used to somehow obtain access to the
registration data of some vehicle, fake the vehicle registration ID card
(Kraftfahrzeugschein), then steal a car of the same type and color and fake
the license plates.  Such a vehicle would pass any road block, even if every
vehicle passing the block would be checked against a vehicle registration
data base.  Handing out the necessary data sure makes life easier for some

Conclusions are left to the RISKS reader in general and the security
and intelligence folks hopefully reading this in particular.

Benedikt Stockebrand, Dortmund, Germany

  [Although RISKS truncates disclaimers, Benedikt added something to the
  effect that his name and e-mail address are not to be used in any way for
  advertising purposes, and that a fee would be imposed on unsolicited
  advertising (for proofreading costs).  It remains to see whether any
  such disclaimers could be enforced, but perhaps RISKS should add one
  to the file!  PGN]

Re: America Offline (Cassel, RISKS-18.31)

"James K. Huggins" <>
Sun, 11 Aug 1996 08:47:21 -0400 (EDT)
     [David, "dishonesty" sounds a little harsh.  How well can anyone
     predict how long it is going to take to fix a problem that has not
     yet been identified and understood?  PGN]

Exactly.  In fact, this is one of the oldest problems in our field ...  the
fact that we don't know how to predict how long it will take to do just
about anything useful (write new code, fix an old piece of code, etc.).

True honesty is all too rare in our discipline.  How often will you hear a
company say "We have a problem with our product.  We don't know what's
causing the problem, either.  We're working furiously on it to solve it, but
we can't predict whether it will take minutes or days to fix it."?  Consider
also the common practice of marketing "bug fixes" as "upgrades" ---
sometimes free, sometimes not.

Re: America Offline (Cassel, RISKS-18.31)

Matthias Urlichs <>
11 Aug 1996 16:36:04 +0200
>   [David, "dishonesty" sounds a little harsh.  How well can anyone
>   predict how long it is going to take to fix a problem that has not
>   yet been identified and understood?  PGN]

You can't, and that's the point. When I tell my customers "Try again in 15
minutes", they'll assume that I have enough data to make a reasonable
guesstimate that the repair will take 15 minutes, more or less.

If, on the other hand, I haven't the faintest idea what's going on, then
"we've had a major system crash, please try again later" would (a) be more
honest and (b) would not annoy customers by raising unfulfillable

Matthias Urlichs  noris network GmbH

CyberRisk '96 Conference, Call for Participation

Mich Kabay <75300.3232@CompuServe.COM>
12 Aug 96 21:20:22 EDT
  CyberRisk '96
  "Reducing risk and building ethical policies in the electronic workplace"

  7-8 November 1996
  National Airport Hilton, Arlington, Va.
  Organized by the National Computer Security Association


    CompuServe: GO NCSA

M. E. Kabay, Ph.D.
Director of Education, NCSA
Program Chair, CyberRisk '96

Please report problems with the web pages to the maintainer