The RISKS Digest
Volume 18 Issue 93

Monday, 24th March 1997

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Please try the URL privacy information feature enabled by clicking the flashlight icon above. This will reveal two icons after each link the body of the digest. The shield takes you to a breakdown of Terms of Service for the site - however only a small number of sites are covered at the moment. The flashlight take you to an analysis of the various trackers etc. that the linked site delivers. Please let the website maintainer know if you find this useful or not. As a RISKS reader, you will probably not be surprised by what is revealed…


Splendour of the Seas not so Splendid
Mich Kabay
County Data Trouble
Dave Rand
Bill Would Outlaw Online Gambling
Legal action against Internet provider affects customers
Klaus Johannes Rusch
Austria to disconnect from Internet on March 25
Gary Beckmann
On looking before you leap?
Dick Mills
The Year 2000 Problem — a new principle for Y2K tools
Thomas Reps
Retiring hardware after Y2K
Matt Welsh
Virtual Real-Estate
Tony Lima
"The Illusion of Truth" in action: apology to Simson Garfinkel
Troy Heagy
Net random-number server
Stefek Zaba
"Emergency" Web Access!
Robert J. Woodhead
Re: Telephone Scam
James Byers
Area code split and verification
Alan K. Jackson
Re: Risks of online commerce
Bob Frankston
1997 IEEE Symposium on Security and Privacy program
Mike Reiter
Info on RISKS (comp.risks)

Splendour of the Seas not so Splendid

"Mich Kabay [NCSA]" <>
Mon, 24 Mar 1997 05:19:27 -0500
The Canadian _Globe and Mail_ newspaper (97.03.22, p. A17) reports that
computerization hit choppy waters on a recent cruise:

  Splendour on the seas:
  As we learned one evening, computer problems aren't the sole domain of
  land lubbers.  Nowadays, everything is run by the darned things — even
  cruise ships.

  By Helga Loverseed

  An after-dinner power failure was probably not what the captain had in
  mind as part of our evening's entertainment, but just as we were downing
  our dessert, there was an ominous thump and we were plunged into darkness.

The author makes the following key points:

* Splendour of the Seas is a fully computer-dependent cruise ship.
* After 8 months trouble-free, the ship developed "computer problems" when
  it sailed through the Caribbean.
* The author writes that "the computers evidently didn't like the hot,
  humid climate."
* The computer failure lasted 2 hours; during that time, the ship was dead
  in the water.
* In addition, lights were dim, air-conditioning was off, and toilets
  wouldn't flush.

This behemoth is 11 stories tall, 112 metres long, and 35 metres wide.  It
houses 2,077 passengers and 723 crew and includes amenities such as a
jogging track, shopping, movies, bars, and even an 18-hole miniature golf
course.  The ship depends on computer-driven stabilizers to control roll in
rough seas.

[Comments by MK:

If the main screws and the ship's toilets don't work without computer
control, what else is computer controlled?  Navigation?  Communication?

Why was the time to repair two hours?  Are there no backup systems or were
the backup systems also down?

If anyone has more information about this incident, please contribute to
this thread.

As for me, I hope the ship's officers test its computers to see if they are
Year-2000 compliant ...


M. E. Kabay, PhD, CISSP (Kirkland, QC), Director of Education
National Computer Security Association (Carlisle, PA)

  [I suppose it might add to the hypothetical risks if the ship were to
  cross the equator for the first time precisely at the Y2K midnight!  PGN]

County Data Trouble

Dave R <>
Mon, 24 Mar 1997 08:37:58 -0600
>From *The Dallas Morning News*, 24 Mar 1997, datelined Lubbock, TX:

A cranky county computer has resulted in some minor traffic scofflaws being
listed in official records as drug offenders, child molesters, or burglars,
according to the *Lubbock Avalanche-Journal* (23 Mar 1997).  Apparently, the
computer has been mismatching the names and charges of some defendants,
including one man who was cited for not wearing a seat belt but listed in
the county computer as an accused child molester.  Officials at Ki Corp.,
which developed the software, insist that the computerized criminal record
has complete data integrity.

  [whatever that means!  PGN]

Bill Would Outlaw Online Gambling (Edupage, 23 March 1997)

Edupage Editors <>
Sun, 23 Mar 1997 15:35:44 -0500
Sen. Jon Kyl (R-Ariz.) has introduced the Internet Gambling Prohibition Act
of 1997, which would make illegal the transmission of any information
related to gambling, including bets, wagers or the chance to win a prize or
lottery.  "We don't ask ISPs (Internet service providers) to be law
enforcers, constantly checking sites," says Kyl.  Rather, ISPs would be
asked to cut off Internet access only following a written notice from a law
enforcement agency.  The ISP would not be liable for any damages, penalties
or forfeiture resulting from the perpetrator's gambling operation.  (BNA
Daily Report for Executives 20 Mar 1997; Edupage, 23 March 1997)

  [Don't bet on it.  PGN]

Legal action against Internet provider affects customers

Klaus Johannes Rusch <>
Sat, 22 Mar 1997 18:02:38 CET
On 20 Mar 1997, all computer equipment at an Internet provider's office,
VIP, was confiscated by the police following an order by judge Helene
Partik-Pable, who has been investigating a charge against persons unknown
regarding the distribution of material containing child pornography more
than a year ago.  It should be stressed that the provider, VIP, is not
subject to any legal action, the confiscation is for evidence only.

Both the office rooms and the private homes of the owners were searched, and
all equipment, including private computers, office equipment which was not
even connected to Internet and computers which customers had placed at the
ISP's location and backup tapes, were unplugged (rather than properly shut
down) and taken away.

Consequently, about 2500 customers have no connection to Internet any more,
nor access to their business data and private e-mail.

References (in German):
[1] Martin J. Laubach <> on <news:at.general>
[2] DER STANDARD, March 22, 1997, <>

Klaus Johannes Rusch,

  [Check out the full press release [1] which was also sent to RISKS
  by Martin Laubach.  PGN]

Austria to disconnect from Internet on March 25

Gary Beckmann <>
Mon, 24 Mar 1997 17:18:36 -0500
[I'm summarizing several reports I read in German.]

All the ISPs in Austria are going to pull the plug on the Internet on
Tuesday, 25 Mar 1997 from 16:00 to 18:00 MET.  This action is being taken to
protest the seizure of all the computer equipment of an ISP named ViP last
Thursday.  [...text duplicating previous message omitted...]  The ISP cannot
even begin to calculate the financial losses they will post due to this

There is some disagreement among the Austrian ISPs as to the results of the
planned Internet disconnection (A Land Goes Offline), ranging from those
that worry about their contracts guaranteeing net access to those who feel
that two hours is nothing — even one day would be barely enough to express
their outrage.  But all the ISPs have apparently agreed to the two-hour
protest shutdown.

[The risks of having agencies that don't understand the technology trying to
control it have been gone over again and again.  This is the first time,
though, that I've heard it going to this extreme.  It will be interesting to
see what the results of the protest are. --gb]

On looking before you leap?

Dick Mills <>
Fri, 21 Mar 1997 15:26:08 -0500 (EST)
I attended a firefighter's training drill this week.  We heard from a
gas/electric company representative.  He related the following anecdote.

The gas company was called to a house in Albany, NY to respond to a
complaint about a carbon-monoxide alarm activating.  When the serviceman
questioned the woman of the house about the circumstances, she said that the
alarm had been sounding since the night before.  Astounded, he asked why she
hadn't called immediately.  She replied, "My husband charged upstairs to
surf the internet for information about what to do about carbon monoxide in
the house. I'm still waiting for an answer."

The Risk?  Letting one's mind roam cyberspace while forgetting that our
bodies remain in corporeal space.  Personally, I vow to never send the
message, "FIRE! FIRE!" via e-mail.

Dick Mills +1(518)395-5154 aka

The Year 2000 Problem — a new principle for Y2K tools (RISKS-18.53)

Thomas Reps <>
Fri, 21 Mar 1997 20:09:19 -0600 (CST)
Back in October, PGN posted the following note to the RISKS newsgroup.

<> I ran into Tom Reps this morning in San Francisco ...  Tom has been
<> chartered by DARPA to make serious recommendations on the Year-2000 problem.

I would like to bring one of the results that came out of this to the
attention of RISKS readers.

As PGN indicated, the Defense Advanced Research Projects Agency (DARPA)
asked me last summer to help them plan a project aimed at reducing the
impact of the Year 2000 (Y2K) problem on the Department of Defense.  DARPA
was particularly interested in whether there were "any techniques in the
research community that could be applied to the Y2K problem and have impact
beyond present commercial Y2K products and services".  The most exciting of
the ideas that turned up concerns a method for using path profiling as a
heuristic to locate some of the sites in a program where there are
problematic date manipulations.  It works as follows:

  In path profiling, a program is instrumented so that the number of
  times each different loop-free path executes is accumulated during an
  execution run.  With such an instrumented program, each run (or set of
  runs) of the program generates a path spectrum for the execution --- a
  distribution of the paths that were executed.  Path spectra can be
  used to identify paths in a program that are good candidates for being
  date-dependent computations by finding differences between path
  spectra from execution runs on pre-year-2000 data and post-year-2000
  data.  By choosing input datasets to hold all factors constant except
  the way dates are used in the program, any differences in the spectra
  obtained from different execution runs can be attributed to
  date-dependent computations in the program.  Differences in the
  spectra reveal paths along which the program performed a new sort of
  computation during the post-year-2000 run, as well as paths --- and
  hence computations --- that were no longer executed during the
  post-year-2000 run.

With some further analysis of the spectra, for each such path that shows up
in the spectral difference, it is possible to identify the shortest prefix
that distinguishes it from all of the paths in the other path set.

For the Y2K problem, the path-spectrum comparison technique may
provide help with two aspect of the problem:

  (i)  determining the sites at which date-manipulation code occurs, and
  (ii) post-renovation testing.

Of course, the path-spectrum comparison technique is not guaranteed to
uncover all sites of date manipulations.  No technique can do this; all one
can hope for are good heuristics.  However, because path-spectrum comparison
involves a different principle from the principles that lie behind the
heuristics used in commercial Y2K tools, it should be a good complement to
current techniques.

Furthermore, the path-spectrum comparison technique is actually applicable
to a much wider range of software-maintenance problems than just the Y2K
problem; it offers new perspectives on program testing, on the task of
creating test data, and on what tools can be created to support program

This work is described in the following paper:

  Reps, T., Ball, T., Das, M., and Larus, J., "The use of program
  profiling for software maintenance with applications to the Year 2000
  Problem".  Technical Report TR-1335, Computer Sciences Department,
  University of Wisconsin, Madison, WI, January 1997.

The paper is available over the WWW at URL

A prototype tool for gathering and comparing path spectra (for programs that
run under Solaris on Sun SPARCstations) has been built at the University of

(The Wisconsin Alumni Research Foundation is in the process of seeking
patent protection for these techniques.)


Retiring hardware after Y2K

Matt Welsh <>
23 Mar 1997 12:43:52 GMT
In 18.90, Geoffrey Cooper writes:

>We decided to retire the product in (or at least upgrade the flash ROM
>by) the year 2037.

I hate to point this out, but this is exactly the mentality that caused the
Y2K problem in the first place. How do you know that all of these devices
will be out of use by 2037?

It seems that people can either fix the problem, or ignore it, or pretend to
fix it and give themselves a good pat on the back for doing so.

M. Welsh, Cambridge Computer Laboratory

Virtual Real-Estate

Tony Lima <>
Sun, 23 Mar 1997 20:34:00 -0700
In the San Francisco area, Coldwell-Banker is running an ad for their
real-estate services.  This ad shows a woman worrying about how she will be
able to keep the house clean while it is for sale, what with their three
kids, two dogs, and so on.  Her solution?  Coldwell-Banker puts their house
on the Web, keeping it (virtually) spotless.  The risks are obvious.  Next
step: virtual patching of that cracked foundation... (Tony Lima)

  [I'd be just as suspicious of Real Virtual-Estate.  PGN]

"The Illusion of Truth" in action: apology to Simson Garfinkel

Mon, 24 Mar 1997 12:14 -0500 (EST)
Last week I posted a message in the Usenet newsgroup  The message was then forwarded to the
RISKS digest by someone else who was browsing through the newsgroups.

It looked as if I had written the article, but I did NOT.  The author of
that column, "Hard Pressed," was Simson Garfinkel.  His Webpage address is .

"Hard Pressed" reminded me of the recent episode "Illusion of Truth"
the press reports what it wishes rather than what you actually say...and I
wanted to pass it on to Babylon 5 fans.  Rather than quote the entire
article I should have listed Simson's web page address.  OR asked his
permission to quote.  I did neither.

I apologize to Simson Garfinkel and the readers of the Risks Digest for
infringing on his copyright and for the misunderstanding this caused.

  [Your moderator is astounded, mortified, and apologetic that the obvious
  self-references pointing to Simson as the creator of that piece (coauthor
  of books with Spaf, friend of Beth Weise, etc. — I had seen Simson and
  Beth at CFP just the week before) did not set off alarm bells and cause me
  to reject the message as a clear copyright violation.  However, I somehow
  missed them when selecting that item.  The volume of RISKS e-mail is
  enormous, RISKS is a pro bono effort, and this piece was really good based
  on a fast review for content that incredibly did not pick up on the
  omitted true identity of the author!  Besides, Simson has been
  occasionally sending me heads-up notices on his particularly-relevant
  Wednesday packet columns at, for possible
  mention in RISKS, but he did not so so on this seemingly relevant column.
  So, my apologies as well as Troy's.  We also received some groveling
  from Gary Grossoehme, who, unknowing, submitted the item to RISKS.

  In any event, this does remind us once again of the risks of enforcing
  copyrights and the importance of netiquette in attributions.  That even
  gives me a chance to remind you to check the RISKS reuse policy in if you rebroadcast RISKS items!  PGN]

Net random-number server

Stefek Zaba <>
Mon, 24 Mar 1997 22:13:08 +0000
Among the risks not yet mentioned is the one of using an observable quantity
directly as (for example) keying material.  Since the link to the hotbits
site is not encrypted, anyone with a machine sharing the transmission medium
can see what the random bits are. The cautious crypto-oriented user of this
service will mix the bits from the net.randomness server with some
locally-generated non-predictable bits; however, the incautious might not,
and in any case if a local source of non-predictable (and non-observable)
bits is available, using an external non-predictable but observable source
adds only the illusion of security. (There are unusual applications where
non-predictability is all that's needed, and observability is irrelevant;
but it's not the common case.)

If this service were to be used for crypto applications, the bits would need
to be not just PGP-signed, as Dan Drake suggested, but encrypted. PGP use
would require the requester to send a public key with the request; SSL would
allow the secure channel to be set up with less manual intervention.


"Emergency" Web Access!

"Robert J. Woodhead (AnimEigo)" <>
Fri, 21 Mar 1997 16:40:03 -0500
Like many people, I use a PPP modem-dialup to an ISP to access the net from
my portable computer.  Usually this is a local call, but occasionally when
travelling I have to make a quick long-distance call to get my email.

Recently I was at the video studio subtitling samurai films when the urge to
check email became too much.  The studio had a new phone system, so I found
out what the outside line prefix was, adjusted my PPP settings, and happily

The next day, back home, I plugged in my Mac and dialed up - but forgot to
revert my settings.  I dialed, immediately noticed the problem, and aborted
the attempt.

30 seconds later, the phone rang - it was 911 asking why I'd called!

My video studio had chosen "91" as their outside dialing prefix.  And, of
course, I then needed to have my modem dial 1 for long distance access, thus
putting in place a little time bomb for when I returned home!

Whoever came up with the idea of 91 as a dialing prefix ought to be stuffed
and mounted!

Robert J. Woodhead ** ** "Anime Your Way!" tm
WWW.ANIMEIGO.COM - "REGULAR" and "LITE" flavors - CHAT room too!

  [Another variant on an old RISKS theme.  PGN]

Re: Telephone Scam (Nugent RISKS-18.92; Fernandez, RISKS-18.91)

James Byers <>
Mon, 24 Mar 1997 15:00:36 -0500
Bill Nugent correctly points out that many telcos leave dialtones on
disconnected lines for safety reasons.  However, our local phone company was
prone to crossing their lines in their jumble of antique phone equipment.

Several years ago, I mistakenly attached a phone to a disconnected line.  As
realized my mistake later that day, the phone rang!  I did not pick the
phone up, thinking that the call belonged to someone else.  It rang about
four times and then stopped.  Curiosity got the better of me and I dialed
the operator from the phone a few minutes later.  I told the operator that I
was at a pay phone that was not labeled and I wanted to know the number.
"You're at a coinbox?" she replied incredulously.  With my affirmative
reply, she gave me the number.

I dialed the phone from another line and, sure enough, my phone rang four
times and an answering machine picked up.  Apparently, our disconnected
phone was crossed with a local construction company!  The phone company
representative who got to hear this story tried to convince me that that I
was imagining things.  The representative also refused to believe that an
operator would give me the number of a domestic phone.  Not surprisingly,
their was a repair truck out on the street the next morning.  Funny
coincidence, the line got disconnected at about the same time.

The risks?  Certainly there are billing issues here that could cause someone
quite a headache.  Had I been a more malicious individual, I could have lost
the construction company a fair bit of business.  The operator also
disregarded whatever indications she had that I was not on a pay phone.
What would she have done if I had convincingly argued that I was a repairman
and needed some sort of special phone access?  Another case of a human
operator disregarding both training and diagnostic indicators.

James Byers

Area code split and verification

"Alan K. Jackson 245-7355" <>
Mon, 24 Mar 1997 07:40:59 -0600
Houston split its area code a few months ago, and we are beginning to
experience many problems. The latest - my wife received a new credit
card. She called the number to enable the card, and it failed because the
number in their database didn't match the number she called from - wrong
area code!

The risk - the credit card issuer will certainly lose some business, anyone
not willing to spend the time to get a human to enable the card.

In general, this is a problem with the burgeoning systems that take
advantage of the ease with which one can now trap the number of an incoming
call.  One's database of numbers can very quickly become badly out of date.

Re: Risks of online commerce

Mon, 24 Mar 1997 18:40 -0500
The problem of remembering purchases you made a month ago is one I
specifically dealt with in my Masters Thesis (URL on request — I'm on a
plane so can't check it) in 1974. The basic approach is to keep a personal
log of all transactions and automatically check the bill against these to
note exceptions. The assumption is that there would be too many
microtransactions to be able to check them all, especially when there is a

Implementing this would require a payment system with a standard client-side
component. Something that is difficult in today's decentralized marketplace.

1997 IEEE Symposium on Security and Privacy program

Mike Reiter <>
Mon, 24 Mar 1997 14:34:44 GMT
May 5-7, 1997
The Claremont Resort, Oakland, California

Sponsored by the IEEE Technical Committee on Security and Privacy
In cooperation with the International Association of Cryptologic Research

Symposium Committee:
Stephen Kent, General Chair
Michael Reiter, Vice Chair
George Dinolt, Program Co-Chair
Paul Karger, Program Co-Chair

                        PRELIMINARY PROGRAM
                         Subject to Change

Sunday May 4, 1997  4:00-7:00 Registration and Reception

Monday May 5, 1997
8:30 Introductory Remarks
9:00-10:30 Panel/Debate
        Resolved: The concept of Trusted Computing Base as a basis for
                  constructing systems to meet security requirements
                  is fundamentally flawed and should no longer be used
                  to justify system security architectures.

        Arguing in favor: Lead: Bob Blakley (IBM)
                          Second: Darrell Kienzle (U. of Virginia)
        Opposed:          Lead: William R. Shockley
                          Second: LT (USN) James P. Downey
                                  (Naval Postgraduate School)
        Moderator:        John D. McLean (Naval Research Laboratory)

11:00-12:00 Authorization and Authentication
    Toward Acceptable Metrics of Authentication
        Michael K. Reiter and Stuart G. Stubblebine (AT&T Labs--Research)
    An Authorization Scheme for Distributed Object Systems
        V. Nicomette and Y. Deswarte (LAAS-CNRS & INRIA, France)
    A Logical Language for Expressing Authorizations
        Sushil Jajodia (George Mason University), Pierangela Samarati
        (Universita' di Milano) and V. S. Subrahmanian (University of Maryland)

1:30-3:00 Applications
    Anonymous Connections and Onion Routing
        Paul F. Syverson, David M. Goldschlag and Michael G. Reed
        (Naval Research Laboratory)
    The Design and Implementation of a Multilevel Secure Log Manager
        Vikram R. Pesati, Thomas F. Keefe and Shankar Pal (Penn State
    A Secure and Reliable Bootstrap Architecture
        A. Arbaugh, David J. Farber and Jonathan M. Smith
        (University of Pennsylvania)
    An MBone Proxy for an Application Gateway Firewall
        Kelly Djahandari and Dan Sterne (Trusted Information Systems)

3:30-5:00 Security Theory
    Secure Software Architectures
        Mark Moriconi, Xiaolei Qian, R. A. Riemenschneider (SRI) and
        Li Gong (JavaSoft)
    A General Theory of Security Properties and Secure Composition
        A. Zakinthinos and E.S. Lee (Cambridge University, U.K.)
    Analyzing Consistency of Security Policies
        Laurence Cholvy and Frederic Cuppens (ONERA CERT, France)

6:00-7:30 Reception

Tuesday May 6, 1997

    Panel: Ensuring Assurance in Mobile Computing
    Moderator: Marv Schaefer (Arca)
    Panel Members: Sylvan Pinsky (NSA)
                   Drew Dean (Princeton University)
                   Jim Roskind (Netscape)
                   Li Gong (JavaSoft)
                   TBD (Microsoft)

11:00-12:00 Architectures
    Packet Filtering:  Local Enforcement for Global Policies
        Joshua D. Guttman (MITRE)
    Providing Flexibility in Information Flow Control for
    Object-Oriented Systems
        Elena Ferrari, Pierangela Samarati and Elisa Bertino
        (Universita' di Milano) and Sushil Jajodia (George Mason University)
     Automated Analysis of Cryptographic Protocols
        J. Mitchell, M. Mitchell, and U. Stern (Stanford University)

1:30-3:00 Intrusion Detection and Beyond
    How to Systematically Classify Computer Security Intrusions
        Ulf Lindqvist and Erland Jonsson (Chalmers University of
        Technology, Sweden)
    Surviving Information Warfare Attacks on Databases
        Paul Ammann and Sushil Jajodia (George Mason University),
        Catherine D. McCollum and Barbara T. Blaustein (MITRE)
    Execution Monitoring of Security-Critical Programs in a
    Distributed System: A Specification-based Approach
        Calvin Ko (Trusted Information Systems), Manfred Ruschitzka
        and Karl Levitt (University of California Davis)
    Catalytic Inference Analysis: Detecting Inference Threats due to
    Knowledge Discovery
        John Hale and Sujeet Shenoi (University of Tulsa)

3:30-5:00 5-Minute talks on breaking research results
5:00-6:00 Meeting, IEEE Technical Committee on Security and Privacy

Wednesday May 7, 1997

    Panel: Security in Innovative New Operating Systems
    Moderator: Cynthia E. Irvine (Naval Postgraduate School)
    Panel Members: Robert Grimm, Spin Project (University of Washington)
                   Frans Kaashoek, Exokernel Project
                                   (Massachusetts Institute of Technology)
                   Jay Lepreau, Flux Project (University of Utah)
                   George Necula, Fox Project (Carnegie Mellon University)
                   Larry Peterson, Scout Project (University of Arizona)

11:00-12:00 System Vulnerabilities
    Analysis of a Denial of Service Attack on TCP
        Christoph L. Schuba, Ivan V. Krsuland, Markus G. Kuhn,
        Eugene H. Spafford, Aurobindo Sundaram and Diego Zambon
        (Purdue University)
    Deniable Password Snatching: On the Possibility of Evasive
    Electronic Espionage
        A. Young and M. Yung (Columbia University)
    Number Theoretic Attacks On Secure Password Schemes
        Sarvar Patel (Bellcore)

12:00-12:15 Final Remarks

  [Truncated for RISKS.  Registration form, hotel information, etc., at .  PGN]

Please report problems with the web pages to the maintainer