The Risks Digest

The RISKS Digest

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Volume 19 Issue 41

Friday 17 October 1997


o New York air traffic slowed by Construction effluvia
o Union Pacific rolling (?) stock
Daniel P. B. Smith
o Indian satellite failure
Scott Lucero
o Paris police computer spares Corsican motorists
Gianfranco Boggio-Togna
o Another way to exploit local classes in Java
Andre L. Dos Santos
o Risks of installing Internet Explorer 4.0
Bryan O'Sullivan
o Cold weather impairs fiber performance
o Stink-Bombed Computers
Stuart L. Anderson
o US West and 911: Silence Is OK
Scot E. Wilcoxon
o The risks of license servers
Dan Wallach
o Risk of not updating web pages
John Oliver
o Re: Possible breakthrough in NP-completeness
Mark Stalzer
Michael A. Schatz via Gary McGraw
o Microsoft euphemisms
Matt Welsh
o Re: AOL may introduce ads on private e-mail
Matt Welsh
o Re: FBI wants to ban the Bible: steganography
Brian Clapper
o Re: FBI wants to ban the Bible: Linear A/B
Stephen Crane
Mike Williams
o The Electronic Privacy Papers: A new book by Schneier/Banisar
Bruce Schneier
o Info on RISKS (comp.risks)

New York air traffic slowed by Construction effluvia

"Peter G. Neumann" <>
Thu, 16 Oct 97 10:40:17 PDT
Air contamination (dust? chemicals?) from an overnight renovation project at
the Westbury New York area air-traffic control center caused controllers to
have to leave their stations for almost 10 hours on 15 Oct 1997.  Only a few
controllers were able to keep some air traffic going, with a spacing of 30
miles instead of five.  Newark was hit the hardest of NY's airports, with
150 flights canceled and arrival delays up to five hours.  [*San Francisco
Chronicle* News Services, 16 Oct 1997, and other sources]

Union Pacific rolling (?) stock

"Daniel P. B. Smith" <>
Tue, 14 Oct 1997 14:16:16 -0400 (EDT)
Following Union Pacific's assimilation of Southern Pacific, to form the
nation's largest railroad, UP has been unable to accurately track its
freight cars, resulting in gridlocks and lost trains -- most visibly in the
southern corridor from LA to Texas, the Gulf Coast region, and the central
corridor from Oakland to Chicago.  There are major bottlenecks in LA, North
Platte, Chicago, and Houston.  Integrating the computer systems was
reportedly ``more difficult than anticipated.''

There are many horror stories, including a load of liquid gas that had
"virtually evaporated into thin air by the time it arrived;" it took 51 days
to ship a load of plastic resin from Dallas to Forth Worth; a shipment from
Memphis to California by way of Little Rock, _then Memphis, then Little
Rock, then Memphis, then Little Rock,_ then El Paso...

A Mr. Lundgren of Englin Cotton Oil Mill reported watching one of his own
freight cars on UP tracks barreling past his office.  ``A few days later, he
saw it pass again in the opposite direction.''

  [Culled by PGN from Daniel's submitted item by Anna Wilde Mathes and
  Daniel Machalaba, *Wall Street Journal*, Monday, 13 Oct 1997, p. B1, and
  another detailed item by Carl Nolte and Kenneth Howe, *San Francisco
  Chronicle*, 11 Oct 1997, D1]

Indian satellite failure

"lucero" <>
Mon, 06 Oct 97 12:18:02 EST
According to the 6 Oct 1997 *Daily Brief*, officials in India say the
country's most advanced communications satellite was abandoned yesterday due
to a power failure aboard the craft.  The loss of the satellite reportedly
affected communications to remote parts of the nation and the operation of
satellite-dependent functioning of India's stock exchange.  This appears to
be an example of the familiar RISK of having a single point of failure, or,
more colloquially, putting all your eggs in one basket.

Scott Lucero

Paris police computer spares Corsican motorists

Sun, 5 Oct 97 22:27:40 ITA
"For more than six years, Corsican motorists fined in Paris have not paid
their PV's [_Proces Verbal_]: the central police computer rejected the code
identifying the _departement_ because, with a digit and a letter ('2A' or
'2B'), it is different from the codes used on the mainland.

The anomaly, which resulted in the absence of prosecutions for nonpayment of
fines for all cars registered in Corsica, goes back to 1990.  It has now
been removed and 'since May 1997 all PV's are correctly processed by the
program', said the _prefet de police_, Philippe Massoni. ... M. Massoni
explained that the error was introduced at the time of the changeover from
manual processing to a computer system.  It was decided to implement 'some
checks' to verify agreement between the data in the PV (car model and type),
the information recorded in a database of all cars circulating in France and
the address of the driver as recorded in the database.

'The error was related to the last check'.  There was confusion between the
city code (starting with '2A' or '2B') and the city postal code (starting
with '20').  For all other French _departements_, the first two characters
of the city code and of the postal code are the same, and numeric.  Now, the
program installed in 1990 checked that the first two characters of the city
code were numeric.  If the check failed, the record was rejected and the PV
was not processed."

Source: "Pas de PV a Paris pendant six ans pour les Corses"
     NICE-MATIN, October 5th, 1997

According to a report on French radio ('France Info', October 3rd), the
reason for the rejection was actually the mismatch between city and postal
codes (which, as bugs go, sounds more likely).

Gianfranco Boggio-Togna, Ventimiglia (Italy)

Another way to exploit local classes in Java

"Andre L. Dos Santos" <>
Wed, 8 Oct 1997 16:30:37 -0700 (PDT)
The attack described here is of interest because it uses the CLASSPATH
feature, which has been known to allow security breaches.  However, it uses
it in a different way. The result is that the security enhancements that
have been introduced by Netscape to fix the previously known vulnerability
using this feature are ineffective in stopping this attack.

The danger of setting the CLASSPATH environment variable to a path where
malicious classes are located is well known. Because of this Netscape began
restricting what a class loaded from the local disk can do starting with
Navigator 2.x.  In Navigator 3.x Netscape took it one step further with its
setScopePermission model, and Communicator 4.x has signed applets, where a
capability based model is enforced. Microsoft has not enhanced the model
suggested by Javasoft.

The security model implemented by Netscape and Microsoft considers any local
class as a "system" class. Therefore, when a class is needed the browser
searches the local disk before requesting a class from the net.  Thus, if
the user has classes in his/her local disk that have the same name as
classes that are used by a site, these classes will be used instead of the
ones from the network. Because of this it is possible to implement an attack
on a user interacting with a target site, where classes on the local disk
implement the functionality desired by the attacker. Our attack is able to
proceed because the classes that are used in our attack do not need to
request or require special privileges. The attack uses only the privileges
granted to classes loaded using the classloader.

In order to understand the risks of this flaw we have implemented a demo of
the attack on the Reliable Software Group site. This demo has as a target
the site of a bank that uses Java for login. The results of this demo is
that although the bank site uses SSL, a user is able to verify that he/she
is interacting with the desired site, when being attacked. So there is no
indication of an attack, and the user can verify the bank's
certificate. However, in the demo, instead of the browser sending the login
information to the bank server, it sends it to our server, in plain text.

As is the case with most of the previously reported CLASSPATH attacks, for
our attack it is necessary for the user to load classes on the CLASSPATH.
One can not stress enough that there is a lot of trust involved with
downloading files onto your computer and pre-loading classes onto your
classpath. Therefore, if the user is following the procedure of installing
only files that he/she can be 100% sure will not do any harm, then this
CLASSPATH attack will not work. We believe, however, that it is likely that
one could trick a user into loading .zip files.  One such file could have
the classes necessary for the attack in addition to a set of useful and
harmless classes.

We have notified Netscape and Microsoft about our attack.  Microsoft
answered that this is the way that Java is supposed to work.  Netscape said
that this problem can be partially solved using the function matchPrincipal
from their enhanced model. They also added that they are working on
improvements for this model and will consider a total solution to the

Andre Santos, Reliable Software Group, UCSB

  [See a paper by Flavio De Paoli, Andre Santos, and Dick Kemmerer,
  ``Vulnerability of `Secure' Web Browsers, presented last week at
  the National Computer Information Systems Security Conference in
  Baltimore, pp. 476-487, which was presented by Dick.  PGN]

Risks of installing Internet Explorer 4.0

"Bryan O'Sullivan" <>
Fri, 10 Oct 1997 21:41:18 -0700 (PDT)
  [See a subsequent message from Bryan in RISKS-19.42
  before you read this.  Note added in archive copy.  PGN]

I just downloaded and installed Microsoft Internet Exploder 4.0 onto my PC
running Windows 95 at home.  Among the optional features that come with this
release are a few tidbits that were included with Plus!, the mostly-useless
set of bells and whistles that was packaged separately from Windows 95.

Two of these features are opaque window manipulation (when you move or
resize a window, the entire window moves in real time, rather than a
rubberband representation being tweaked) and anti-aliasing of large fonts.
The anti-aliasing feature is quite useful; it makes fonts in large point
sizes noticeably less pixelated.  However, in this feature lies a small, and
somewhat malicious, piece of code.

This snippet of code apparently checks to see whether it is being asked to
render a font by the Netscape Navigator browser (or, indeed, any component
of the Communicator 4.x suite).  If it is, it gives back a plain old
jagged-edged font; otherwise, in every instance I have been able to check,
it gives back an anti-aliased font.

This appears to be a clear instance of discriminatory coding on the part of
Microsoft, and is intended, one presumes, to make Navigator look somewhat
cruddy in comparison with MSIE (not to mention all of the other software on
a system).  It begs a troubling question: what other features were included
in MSIE 4.0 that were intended to, in some sense, impede the software of
Microsoft's competitors?

Cold weather impairs fiber performance

8 Oct 1997 19:09:39 -0000
According to Interactive Week, Bellcore has recently been reminding the
world that things tend to shrink when they get cold.  Including fiber optic
cables, which tend to pull themselves more tightly around corners when they
contract.  This can interrupt signals in the fiber because the fiber isn't
engineered to do hairpin turns.

Add the move to DWDM (Dense Wave Division Multiplexing), which uses multiple
wavelengths of light on the same fiber to carry more data, and fiber that
worked before can suddenly start to go dead when the temperature drops.  The
longer wavelengths of light (up to 1650nm instead of the older 1310nm), the
more intolerant those wavelengths are to tight bending of the fiber.

This problem was first noted in 1993 when Nynex was having problems, but
people still seem not to be aware of the problem.

Of course, Bellcore wants to sell you test equipment to see if your fiber
might have these sorts of problems.

I just think it's a particularly entertaining mode of failure...


Stink-Bombed Computers

"Stuart L. Anderson" <>
Fri, 10 Oct 1997 21:30:42 -0700 (PDT)
According to the *South China Morning Post* Internet Edition of 10 Oct 1997,
the Hong Kong Government Flying Service will replace its two fixed-wing
search and rescue aircraft after the move from Kai Tak to the new airport.
Maintenance and spare parts on the two Super Kingair planes cost millions of
HK dollars (1US$ = 7.74 HK$).  The aircraft computer systems were repeatedly
corroded by hydrogen sulphide gas (rotten egg smell) from sewage and
industrial waste in a nearby waterway.

Stu Anderson (

US West and 911: Silence Is OK

Mon, 13 Oct 1997 10:16:12 -0500 (CDT)
US West has pointed out that 911 phone lines are working too well.  The 911
emergency reporting system in the largest cities in Minnesota was converted
to a digital phone system.  There is less noise on the phone lines, and
apparently there was concern that people will hear complete silence before
the ringing starts, without the common hiss of static, and will think
there's a problem with the phone or their dialing.

  Minneapolis/ St. Paul Metropolitan 9-1-1 Board Urges: When You Call 9-1-1,
  Stay on the Line

  Upgraded 9-1-1 Network Provides Quiet, Digital Connections and Improved

  MINNEAPOLIS/ST. PAUL, Minn., Oct. 8 -- It's an emergency. You need help
  fast. You pick up the telephone and call 9-1-1 ... just like you have been
  instructed many times. But there is no immediate sound on the line. No
  immediate ringing and the line is absolutely noiseless. You begin to think
  the call has not gone through.

  Don't hang up, say the Metropolitan 9-1-1 Board, U S WEST and public
  safety officials. New digital technology and an upgraded 9-1-1 network are
  providing a noise-free 9-1-1 network. So, even though you don't hear the
  typical call processing sounds, the call is being routed through the
  network to a 9-1-1 answering point. So, if you call 9-1-1, stay on the
  line. Do not hang up.  Although the seconds can seem like an eternity
  when help is needed, hanging up and redialing could cost valuable time.

  U S WEST and the Metropolitan 9-1-1 Board have implemented a new digital
  switching system and a redundant network for the 9-1-1 system serving the
  seven-county metro area. The digital system provides state-of-the-art call
  processing. The redundant network provides a backup call routing path that
  tremendously enhances the reliability of the 9-1-1 system.

  "This new digital technology and redundant network provide a highly
  reliable 9-1-1 system that is one of the best in the country," said
  Nancy Pollock, executive director for the Metropolitan 9-1-1 Board. "Our
  upgraded 9-1-1 system also provides significantly improved call transfer
  capabilities and clear, quiet connections."

  Wally Abrahamson, chair of the Metropolitan 9-1-1 Board and former
  Stillwater police chief said, "Some 911 Centers report an increase in the
  number of callers who are hanging up before the 911 call taker has the
  opportunity to answer the call. You should stay on the line, even if you
  hear silence instead of an immediate ring. Hanging up to redial could
  waste valuable time."

  The Metropolitan 9-1-1 Board serves 26 public safety answering points
  (PSAPs) in the seven-county metropolitan area.

The risks of license servers

Dan Wallach <dwallach@CS.Princeton.EDU>
Wed, 15 Oct 1997 16:50:40 -0400
I recently got this message attempting to find out what's on TV at

    login: FATAL ERROR:

    Server message:

    Message number: 18458, Severity 14, State 1, Line 0
    Server 'Microsoft SQL Server'
    Message String: Login failed- The maximum simultaneous user
    count of 25 licenses for this server has been exceeded.
    Additional licenses should be obtained and registered via the
    Licensing application in the NT Control Panel.

The risks are sending your customers to other servers using software that
actually works, although you may get some strange calls from customers
wondering why they need to buy new licenses...


Risk of not updating web pages

John Oliver <>
Tue, 14 Oct 1997 09:02:00 GMT
I have been trying to get information about courses at one of the major
Australian universities. The web site lists X as the contact person for the
Faculty of Arts. All mail to X bounces with a message that the mail spool is

After weeks of trying, I finally found someone who would read my complaint
about it and check. It turns out that X is on maternity leave and no one
changed the web page.

I wonder how many enquires are backed up in the mail queue and how many have

John (

Re: Possible breakthrough in NP-completeness (Hayward, RISKS-19.40)

Mark Stalzer <>
Wed, 1 Oct 1997 13:09:09 -0700
  I have quickly (15 min) reviewed the description of Jonathan Hayward's npc
algorithm in npc.tar.Z.uu. Using sets to represent collections of satisfying
states is clever. Unfortunately, it has been done before and it does not get
around a combinatorial explosion because the set representation (a tree) can
blow up. (Its size can in no way be bounded by the size of the formula parse
tree.) I have attached a list of references below. The reference bdd:survey
is probably the best general reference, and bdd:ordering deals with
combinatorial explosion of the data structures and the sensitivity to
variable ordering.  My dissertation also contains a chapter on these
techniques.   Mark

  AUTHOR = "R.E. Bryant",
  TITLE = "Graph-based algorithms for boolean function manipulation",
  JOURNAL = "IEEE Transactions on Computers",
  YEAR = 1986,
  VOLUME = "C-35",
  NUMBER = 8}

  AUTHOR = "R.E. Bryant",
  TITLE = "Ordered binary-decision diagrams",
  JOURNAL = "ACM Computing Surveys",
  YEAR = 1992,
  VOLUME = 24,
  NUMBER = 3}

  AUTHOR = "K.S. Brace and R.L Rudell and R.E. Bryant",
  TITLE = "Efficient implementation of a {BDD} package",
  BOOKTITLE = "27th ACM/IEEE Design Automation Conference",
  YEAR = 1990}

  AUTHOR = "K. Karplus",
  TITLE = "Representing Boolean Functions with {If-Then-Else DAGs}",
  INSTITUTION = "University of California, Santa Cruz",
  YEAR = 1988,
  NUMBER = "UCSC-CRL-88-28"}

  AUTHOR = "H-T Liaw and C-S Lin",
  TITLE = "On the {OBDD}-Representation of General Boolean Functions",
  JOURNAL = "IEEE Transactions on Computers",
  YEAR = 1992,
  VOLUME = "C-41",
  NUMBER = 6}

P =? NP

Gary McGraw <>
Wed, 1 Oct 1997 17:14:31 -0400 (EDT)
One of our star research associates took a look at the Web pages the "NP
solution" blurb pointed to.  Here's what he has to say.  gem

Without a rigorous look at the algorithm, it appears to do some sort of
short-circuiting evaluation.

If you look at a short-circuited truth table with N expressions it can have
between N+1 and F(N+1) rows in it, where F(N) is our good friend Fibonacci.
(F(0) = 1, F(1) = 1, F(N+2) = F(N) + F(N+1) for N>=0) which has a NON
polynomial closed form.

Expressions that look like:  ((((....(A || B) && C) || D) && E)....)
have the maximum number of rows in the truth table.  After converting these
to the form of just AND's and NOT's I ran it through the given program.
Interestingly, the two functions: intersection and complement were each
called very close to F(N+4) when I used an expression with N variables.
This held true for 4<N<30.  When I ran N > 30, the program core dumped.

While, I don't know for a fact that this relation continues to hold for
large N, the relation is very close for the N tried, which leads me to
believe that this is NOT a polynomial solution to the problem.

Michael A. Schatz, RST Corporation, 21515 Ridgetop Circle, Sterling, VA 20166  (703) 404-9293

Microsoft euphemisms (Re: Mellor, RISKS 19.40)

Matt Welsh <mdw@midnight.CS.Berkeley.EDU>
1 Oct 1997 23:12:48 GMT
My favorite Microsoft euphemism at last week's Professional Developer
Conference in San Diego:

  "Down-level browser": Any browser which isn't
  Internet Explorer 4.0, including Netscape.

This is apparently part of Microsoft's strategy to pull the rug out from
underneath Java and JavaScript by introducing Dynamic HTML, VBScript, and
ActiveX as the "new cutting edge" of web scripting. Apparently Microsoft's
idea is that since their browser supports this technology and nobody else's
does, all other browsers are now immediately tagged "down-level browsers".

I guess since my own homebrew Foobar Explorer Web browser has the
lastest-and-greatest version of my own FrobnitzScript language and nobody
else has it, *both* Netscape and IE are "down-level browsers" as far as I'm

M. Welsh, UC Berkeley,

Re: AOL may introduce ads on private e-mail (Rothwell, 19.40)

Matt Welsh <mdw@midnight.CS.Berkeley.EDU>
1 Oct 1997 23:16:26 GMT
>The German unit of AOL is planning to boost advertising revenues by
>including ads on private electronic mail, and AOL itself is considering it.

... thus rendering _all_ electronic mail passed through AOL "commercial
e-mail", making it illegal (without appropriate header tags) under various
proposed anti-spam bills! I love it!

M. Welsh, UC Berkeley,

Re: FBI wants to ban the Bible: steganography (Theunissen, RISKS-19.40)

Brian Clapper <>
Thu, 2 Oct 1997 10:49:11 -0400 (EDT)
I believe Mr. Theunissen is describing `steganography'--hiding secret
messages inside other messages.

According to the "International Cryptography" web page
<URL:>, there are a number of existing tools
to accomplish steganographic ends.  I quote directly from


- Stealth is a simple filter for PGP which strips of all identifying header
  information to leave only the encrypted data in a format suitable for
  steganographic use. It is available in

- Stego converts a binary file into nonsense text.

- Stegodos is a set of DOS programs that encodes binaries into captured
  images. It is available in

- MandelSteg and GIFExtract hide data in Mandelbrot GIFs. There is a home
  page, and it is available in

- Hide and Seek is a stego program for dos. It is available in

- jpeg-jsteg hides data inside a JPEG file. It is available in as a diff to the standard jpeg-v4

- Steganography Tools 4 encrypts the data with IDEA, MPJ2 (up to 512bits
  key), DES, 3DES and NSEA in CBC, ECB, CFB, OFB and PCBC modes and hides
  it inside graphics (BMP files), digital audio (WAV files) or unused
  sectors of HD floppies.

Brian Clapper,

Re: FBI wants to ban the Bible: Linear A/B (Fenimore, RISKS-19.40)

Stephen Crane <>
Fri, 3 Oct 1997 14:30:39 +0100 (BST)
Linear A is undeciphered (due to a lack of text, I would imagine).
Linear B was deciphered by Michael Ventris in 1952.  I don't think
Linear-C exists; while there were 3 Minoan languages, the first of
these was hieroglyphic, not linear.

Of (potentially) greater relevance is this URL turned up by AltaVista,

Unfortunately at the time of writing, seems to be
asleep.  Ho hum.


  [Ventris also noted by Pete Mellor <>.  PGN]

Re: FBI wants to ban the Bible: Linear A/B (Fenimore, RISKS-19.40)

Mike <>
Sun, 05 Oct 1997 16:27:20 -0400
"Forgotten Scripts," Cyrus Gordon (revised and enlarged 1982, Dorset Press
Edition 1987) is a wonderful tutorial by a primary scholar on the
application of cryptanalysis and decipherment to Egyptian, Old Persian,
Sumerian, Akkadian, Cuneiform and Hittite, Ugaritic, (non-Greek, Semitic)
Minoan in Linear A script, (Greek) Mycenean written in Linear B script, and

There are some uncertainties in all of these, awaiting more text to turn
up, but all have been deciphered.

The Electronic Privacy Papers: A new book by Schneier/Banisar

Bruce Schneier <>
Wed, 1 Oct 1997 20:18:04 -0500
Bruce Schneier and David Banisar
The Electronic Privacy Papers:
  Documents on the Battle for Privacy in the Age of Surveillance
John Wiley & Sons, 1997
ISBN: 0-471-12297-1; 747 pages
Retail: $60 hardcover

Info is at

Trying to keep up with the advancements in cryptography and digital
telephony, the government has advocated controversial new tools that will
allow them to monitor electronic communications. On the other side of the
spectrum, privacy advocates are vehemently opposed to any government
monitoring whatsoever.

The Electronic Privacy Papers is a collection of previously unreleased
documents dealing with privacy in the Information Age.  Combining public
government pronouncement, public reactions, and previously classified
documents released under FOIA, this book paints a clear picture of
government policies towards encryption and privacy and how they will impact
individuals and companies involved with the Internet.

Issues covered include:

* The economic and political rationale for demanding digital wiretapping and
* The legal foundations, and limitations to, government surveillance.
* Government strategies for soliciting cooperation from telephone companies
  and equipment manufacturers.
* Which policies industries and individuals can expect the government to
  pursue in the future.

The Electronic Privacy Papers retails for $60 in hardcover.  I am offering
it at the usual 15% discount.  Bruce Schneier, Counterpane Systems,
101 E Minnehaha Parkway, Minneapolis, MN 55419

                     Table of Contents

Introduction: Roadblocks on the Information Superhighway

Overview of Wiretapping

Government Pronouncements: The Digital Telephony Proposal
Behind the Iron Curtain: Operation Root Canal
Digital Telephony: The Public Response

Cryptography - The Cure for the Common Bug

The Field of Battle: An Overview
Early Skirmishes
The Clipper Chip Proposal
Unclassified: The Story Behind Clipper
Clipping the Clipper: Public Response to Desktop Surveillance

Atom Bombs, Fighter Planes, Machines Guns and Cryptography: Export
Untying the Gordian Knot: Efforts to Relax Export Controls

Banning Cryptography
Software Key Escrow

Bibliography of Books on Wiretapping, Cryptography and Privacy

Please report problems with the web pages to the maintainer