The RISKS Digest

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Volume 19 Issue 67

Tuesday 14 April 1998

Contents

o Cypherpunks break GSM digital cell phone encryption
Declan McCullagh
o More on GSM crack ...
Declan McCullagh
o AT&T frame-relay network down
Doug Montalbano
Leslie Howard
o Starbucks flames out
Mark Richards
o Critical mass or critical mess?
John Fleck
o NASA Finds Problems In EOSDIS Flight Operations Software Development
Ron Baalke
o L.A. County pension fund $1.2 billion shy
Steve Bellovin
o Ruminations on MS security
A. Padgett Peterson
o AOL Long Distance electronic billing
Steve Klein
o 'Inverse Y2K'?
Streaky_Bacon
o Daylight Savings Time disaster
Henry Spencer
o UK considers universal CV database
Wendy Grossman
o Lexis-Nexis archives don't match print versions
Jorn Barger
o Tamagotchi revisited: Driver saves virtual pet, kills cyclist
Fred Ballard
o House Cat Kills Power to Dhaka Commercial District
Zachary Tumin
o Inaccurate study quoting
Fred Cohen
o Map maker sued in Dubrovnik T-43A crash
Matt Welsh
o Info on RISKS (comp.risks)

Cypherpunks break GSM digital cell phone encryption

Declan McCullagh <declan@well.com>
Mon, 13 Apr 1998 06:03:07 -0700 (PDT)
TIME Magazine, April 20, 1998
http://www.pathfinder.com/time/magazine/1998/dom/980420/notebook.techwatch.levit24.html

   CODEBREAKERS

   CRACKED.  Thought your new digital cell phone was safe from high-tech
   thieves? Guess again. Silicon Valley cypherpunks have broken the
   proprietary encryption technology used in 80 million GSM (Global
   System for Mobile communications) phones nationwide, including
   Motorola MicroTAC, Ericsson GSM 900 and Siemens D1900 models. Now
   crooks scanning the airwaves can remotely tap into a call and
   duplicate the owner's digital ID. "We can clone the phones," brags
   Marc Briceno, who organized the cracking. His advice: manufacturers
   should stick to publicly vetted codes that a bunch of geeks can't
   crack in their spare time. --By Declan McCullagh/Washington

From POLITECH -- the moderated mailing list of politics and technology.
To subscribe: send a message to majordomo@vorlon.mit.edu with this text:
  subscribe politech
More information is at http://www.well.com/~declan/politech/

  [Also noted by others.  *The New York Times* article (14 Apr 1998)
  included this sentence, along with discussion of its implications:
    ``What was even more intriguing than the security threat, however, was
    that cracking the code yielded a tantalizing hint that a digital key
    used by GSM may have been intentionally weakened during the design
    process to permit government agencies to eavesdrop on cellular
    telephone conversations.''
  This case should once again renew suspicions about arguments that
  trapdoored key-recovery systems will be perfectly safe for everyone to
  use and will allow only the government to have legitimate access.  PGN]


More on GSM crack ...

Declan McCullagh <declan@well.com>
Tue, 14 Apr 1998 10:01:30 -0700 (PDT)
http://cgi.pathfinder.com/netly/continue/0,1027,1898,00.html

The Netly News, April 14, 1998

Our report yesterday that GSM cell phones can be cloned has some
affected companies crying foul. Terry Phillips, public affairs
director for Omnipoint Communications, calls the crack "interesting
but not significant. It's not news." Phillips claimed that digital ID
sniffing cannot be done over the air -- which, of course, contradicts
what eminent cryptographers and security experts say. Phillips did
correctly point out, however, that we said there are 80 million GSM
phones "nationwide," when we meant worldwide.

Phillips also sniped at the motivations of the merry band of cypherpunks who
cracked the proprietary encryption code. He suggested that they're acting on
behalf of and being paid by the competition; they've been working on this
for years; they're aiming for a million-dollar prize; they never actually
broke the algorithm.

Their response: Not so, on each count. "We weren't funded by anyone," says
Marc Briceno. "The entire project was done in my spare time with a budget of
less than $100." It took only two months, Briceno says, and besides, the
million-dollar prize was just 100,000 Deutschmarks and has long since been
withdrawn anyway. Qualcomm engineer Phil Karn, whose company supports a
rival standard, says he didn't participate in the crack and was asked only
to comment on it in the press release: "Those guys did it all on their own
and deserve all the credit." As for the formerly secret algorithm, check it
out yourself at scard.org.

  [Declan's Politech mailing also appended Ross Anderson's item,
  GSM hack -- operator flunks the challenge, from RISKS-19.48,
  5 Dec 1997 <Ross.Anderson@cl.cam.ac.uk>.   PGN]


AT&T frame-relay network down

<Doug_Montalbano@cc.chiron.com>
Tue, 14 Apr 1998 10:09:11 -0700
Service was interrupted Monday afternoon on AT&T's frame relay network, a
specialized system used throughout the country by businesses that conduct
large numbers of transactions for business customers and was not fully
restored yet on Tuesday.  The outage was caused by a problem in the
interaction between two switches within the network.  [_USA Today_ (13 Apr
1998) reports that 6,000 companies use frame relay networks; AT&T has about
40 percent of the market.]

See <http://www.techserver.com/newsroom/ntn/info/041498/info9_8325_.html>.


AT&T frame relay network down

<Leslie.Howard@harbinger.com>
Tue, 14 Apr 1998 14:45:06 +0200
AT&T Corp. said Monday its frame relay network was experiencing ``service
interruptions,'' apparently nationwide, affecting an undisclosed number of
business customers.  AT&T spokeswoman Ruthlyn Newell told Reuters by phone
late Monday afternoon that the problem in the frame-relay network, a
high-speed data network, began about 1500 EDT/1900 GMT and was ongoing as of
just before 1800 EDT/2200 GMT.  [Source: Reuters, 13 Apr 1998.]

  [Anecdotal reports I have heard indicate a 75% to 80% nationwide outage.]

Les Howard, Software Engineer, Harbinger Corporation  lhoward@harbinger.com

  [The problem was reported by AT&T to have been diagnosed and repaired
  within 24 hours.  Sounds a little like the propagation effects of the
  mammoth long-distance collapse on Martin Luther King Day, 15 Jan 1990,
  going back to RISKS-9.61.  PGN]


Starbucks flames out

"Mark Richards" <mRichard@world.std.com>
Tue, 14 Apr 1998 11:42:49 -0400
I don't know all the details yet, but our "local" Starbucks here on
Washington Street in Boston was dark this morning - as dark as their "COD"
brew.  An employee informed me that their central computer crashed, the
result being all stores "unable to open the cash register".  (Across the
entire country??)  Obviously, they are without redundancy and business common
sense.  Giving away free coffee in this situation is far better than
shutting off the lights and looking foolish.

The risk: Crashing of other mission-critical systems throughout the city
due to sleepy, caffeine-starved personnel.

<<zzzz<>

Mark Richards <mRichard@world.std.com>

  [Well, to many people the missing cup of coffee is more
  important than the frame-relay network outage elsewhere.  PGN]


Critical mass or critical mess?

John Fleck <jfleck@abqjournal.com>
Fri, 03 Apr 1998 13:18:57 -0700
From the Department of Energy's Operating Experience Weekly Summary 98-12
http://tis.eh.doe.gov/web/oeaf/oe_weekly/oe_weekly_98/oe98-12.html

Regarding a Feb. 26, 1998, incident at Los Alamos National Laboratory in
which a software problem caused two uranium assemblies in a criticality
facility to accelerate toward one another:

"On February 26, the operator was closing the two stacks in slow speed when
the stepping motor unexpectedly switched to full speed. The joystick control
quit responding to the operator, and the scram button on the joystick did
not respond. The operator pressed the panel-mounted scram switch, and the
two stacks separated back to their starting positions as designed.  The
activation of the scram placed the assembly in a safe configuration. The
configuration of the assembly was such that it would have remained
subcritical even at full closure of the two stacks. Facility personnel
conducted an assessment to ensure that the assembly was not damaged.

Engineers troubleshot the control circuitry and discovered problems with the
software and flaws in the communication between the joystick controls and
the central processing unit. They determined that when the joystick
interface did not respond, a subroutine returned an ASCII (American Standard
Code for Information Interchange) character "?" to the main program for the
potentiometer settings that controlled the stepping motor speed. The main
program was never developed to deal with a question mark and translated this
value to the number equivalent of an ASCII "?" (the number 63). The number
63 corresponded to a large negative position (beyond closure of the stacks)
that caused the stepping motor to drive in at full speed when it was
selected for movement."

John Fleck, science writer, Albuquerque Journal
PO Drawer J, Albuquerque NM, 87103  (505) 823-3916  jfleck@abqjournal.com
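
The failure in the DOE summary above is an in-band error marker ('?') being read as data (63). The C code below is an added example, not code from the report or the facility; the reply format (ASCII decimal digits), the valid range 0..20, the choice to scram on any read failure, and all names are assumptions made for illustration.

```c
#include <errno.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical model: the joystick interface is assumed to answer with
   ASCII decimal digits, and valid settings are assumed to be 0..POT_MAX. */
#define POT_MAX 20

enum action { ACT_MOVE, ACT_SCRAM };
struct command { enum action action; int setting; };

/* Pattern described in the report: when the interface gives no answer,
   the reader returns '?' through the same channel that carries data. */
static int read_pot_legacy(const char *reply)
{
    if (reply == NULL || *reply == '\0')
        return '?';                 /* in-band marker, numerically 63 */
    return atoi(reply);
}

/* The caller was never written to recognise '?', so 63 becomes a setting. */
struct command plan_legacy(const char *reply)
{
    struct command c = { ACT_MOVE, read_pot_legacy(reply) };
    return c;
}

enum pot_status { POT_OK, POT_NO_REPLY, POT_MALFORMED, POT_OUT_OF_RANGE };

/* Hardened reader: the status is returned separately from the value,
   and *out is written only when the status is POT_OK. */
enum pot_status read_pot(const char *reply, int *out)
{
    char *end;
    long v;

    if (reply == NULL || *reply == '\0')
        return POT_NO_REPLY;
    errno = 0;
    v = strtol(reply, &end, 10);
    if (end == reply || *end != '\0' || errno == ERANGE)
        return POT_MALFORMED;       /* not a clean decimal number */
    if (v < 0 || v > POT_MAX)
        return POT_OUT_OF_RANGE;    /* syntactically fine, physically not */
    *out = (int)v;
    return POT_OK;
}

/* Assumed fail-safe policy: anything other than a validated reading
   results in a scram, never in a movement command. */
struct command plan_hardened(const char *reply)
{
    struct command c = { ACT_SCRAM, 0 };
    int setting;

    if (read_pot(reply, &setting) == POT_OK) {
        c.action = ACT_MOVE;
        c.setting = setting;
    }
    return c;
}

int main(void)
{
    /* Constructed replies: NULL stands for "interface did not respond". */
    const char *samples[] = { "12", NULL, "?", "63", "12x" };
    size_t i;

    for (i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        struct command a = plan_legacy(samples[i]);
        struct command b = plan_hardened(samples[i]);
        printf("%-6s legacy: move to %d   hardened: %s %d\n",
               samples[i] ? samples[i] : "(none)", a.setting,
               b.action == ACT_MOVE ? "move to" : "scram", b.setting);
    }
    return 0;
}
```
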


NASA Finds Problems In EOSDIS Flight Operations Software Development

Ron Baalke <baalke@kelvin.jpl.nasa.gov>
10 Apr 1998 21:45 UT
David E. Steitz, Headquarters, Washington, DC (202/358-1730)
Allen Kenitzer, Goddard Space Flight Center, Greenbelt, MD (301/286-2806)
RELEASE:  98-60, April 10, 1998

NASA FINDS PROBLEMS IN EOSDIS FLIGHT OPERATIONS SOFTWARE DEVELOPMENT

NASA has found software performance problems with ground system software
required to control, monitor and schedule science activities on the Earth
Observing System (EOS) series of spacecraft.

Officials believe these problems will delay the software, which will impact
the launch date for the Earth Observing Spacecraft AM-1.  The launch,
originally planned for late June 1998, from Vandenberg Air Force Base, CA,
will be delayed at least until the end of the year.

The Ground Control Software, called the "Flight Operations Segment" (FOS)
software, is part of the Earth Observing System Data and Information System
(EOSDIS), the ground system responsible for spacecraft control, data
acquisition, and science information processing and distribution for NASA's
Earth Science enterprise, including the EOS flight missions.

The problem is with the EOSDIS control center system FOS software that
supports the command and control of spacecraft and instruments, the
monitoring of spacecraft and instrument health and safety, the planning and
scheduling of instrument operations, and the analysis of spacecraft trends
and anomalies.

What was supposed to have been the final version of the software was
delivered to NASA by Lockheed Martin on March 31, to support integrated
simulations with the EOS AM-1 spacecraft.  Testing of this software delivery
revealed significant performance problems.  Program managers expect it to
take several weeks to clearly understand whether correcting the current
software or taking other measures is the best approach.

"We're concurrently looking at commercial off-the-shelf technology that was
not available when this software system initially was designed," said Arthur
"Rick" Obenschain, project manager for EOSDIS at NASA's Goddard Space Flight
Center, Greenbelt, MD.  "If for some reason the current software problems
cannot be fixed, we have a backup plan."

Prior to the March 31 delivery, there were three previous incremental
deliveries of the software in August 1997, December 1997 and February 1998.
Previous versions of the software successfully demonstrated real-time
commanding functions with the AM-1 spacecraft.  In the new version, however,
a number of problems identified in the previous software deliveries were not
corrected as expected, and significant problems were found in the new
capabilities.  Problems include unacceptable response time in developing
spacecraft schedules, poor performance in analyzing spacecraft status and
trends from telemetry data, and improper implementation of decision rules in
the control language used by the flight team to automate operations.

Government/contractor teams have been formed to evaluate options for
correcting these problems to minimize impact on the AM-1 launch.  A recovery
plan is being developed and will be reviewed during the last week of April.

The FOS is being developed by Lockheed Martin under subcontract to Raytheon
Information Systems Company under the EOSDIS Core System contract.  The
Flight Operations Segment of the EOSDIS software has cost $27.5 million as
of February 1998.

The EOSDIS and EOS AM-1 are part of NASA's Earth Science enterprise, a
long-term research program designed to study Earth's land, oceans,
atmosphere, ice and life as a total integrated system.  Goddard manages the
development of EOSDIS and EOS AM-1 for NASA's Office of Earth Science,
Washington, DC.


L.A. County pension fund $1.2 billion shy

Steve Bellovin <smb@research.att.com>
Wed, 08 Apr 1998 22:47:27 -0400
A pair of computer errors made in 1977 have resulted in the Los Angeles
County pension fund having $1.2 billion less than it should.  There is no
immediate danger -- the fund's stock market investments have done very well
in recent years -- but the county will have to spend $25 million extra per
year to make up for the shortfall.  And if the stock market had not
performed so well, the mistakes could have proved "catastrophic".  [Source:
an AP wire story quoting the *L.A. Times* of 8 Apr 1997.]


Ruminations on MS security

"A. Padgett Peterson Information Security" <PADGETT@hobbes.orl.lmco.com>
Fri, 10 Apr 1998 14:48:53 -0400 (EDT)
Before I launch this commentary, I need to make a couple of things clear:
1) Speaking for myself only as a private individual
2) Think the wizards at Redmond have produced some marvelous products but that
   like the certain letter agencies, their agenda is not necessarily the same
   as mine.  At least letter agencies seem to have fewer lawyers.

Do have some experience with the second since 1990 when sent a letter to the
software giant that a simple routine placed into IO.SYS would eliminate all
known MBR and boot sector viruses. The response was that it was not in their
business interest.

(Routine was simple - check the byte at 0000:004F for a value equal to or
greater than C0 - if below, "Redmond, we have a problem". I generally use
something a bit more sophisticated but was all that was needed. Note: this
works only before the operating system - any operating system - loads.)

Since then we have been granted such features as the ability to create word
macro viruses and a server operating system that was rated NCSC C2 so long
as it was not connected to a network. However the new crop of offerings are
even more innovative.

Suffice it to say that for years we have been able to tell users that "you
cannot get a virus just by opening E-Mail". Well, that bug is being fixed.

It seems that with the default installation of the just-released mail-reader
product coupled with the 98 version of the operating system (at least the
current beta which contains a necessary .DLL), all of the factors needed to
accomplish the above are present.

In fact, in recent days I have been able to drop an executable file both on
c:\ and into the startup directory just by opening the mail reader
("preview", which includes script execution for some reason, is a default
feature).

True, a warning screen is presented if the applet is unsigned (have heard
that signatures are already floating around the internet), but the same
screen is presented if Word is opened as well, so I suspect it may become as
quickly ignored as other such mechanisms have been in the past (like all
security annoyances, there is an easy way to turn it off).

I have little expectation that the manufacturer will see the error of their
ways and remove the single necessary construct.  It is probably required for
PUSH. It is entertaining though to find in the on-line language reference
the statement that the scripting language has no File I/O.  I'm sure that in
some obscure legal language, that must be syntactically correct or it would
not be there; however, I found it remarkably simple to drop an executable
file on the hard disk that executed on the next boot.  Times are about to
become "interesting".  Caveat Y'all.

Padgett


AOL Long Distance electronic billing

Steve Klein <yourmac@mich.com>
Thu, 9 Apr 98 00:10:09 -0400
A long-distance telephone service called "The Phone Company" has recently
begun marketing its service through America Online, doing business under the
name AOL Long Distance.  For those with long memories, this is the same
company that, a few years back, agreed to pay AOL $100 million for exclusive
marketing rights to the AOL customer database.

One way they keep their costs down is that they don't mail out bills.  To
get a detailed listing of one's calls, the subscriber is supposed to sign on
to America Online, and click a button labeled "Show me my bill."  The
problem?  It doesn't work for Mac users who connect to AOL via an ISP.  The
button links to a secure web page which fails to load in the AOL browser.  I
also tried Netscape Navigator 4.04.1, and Internet Explorer 4.0a.  No luck.

(It took them a week from when I first reported the problem for them to
determine just what the problem is.)

Their solution?  I'm supposed to call them once a month, and request that
they e-mail my bill to me.  (Ironically, they tout electronic bill retrieval
as a "convenience."  Hmmm.)  So today I called and asked them to mail me my
bill.  Guess what?  It's an HTML file, and my mail client doesn't do HTML.

(And no, they didn't ask me for ANY identifying information before
discussing my account, except my phone number.)

They refused to say when, if ever, the problem will be fixed.

  [...] "The RISKS are obvious..."

Steve Klein, Your Mac Expert, Macintosh Consulting  YourMac@aol.com
248 YOUR-MAC or 248 968-7622  fax:    248 968-2769


'Inverse Y2K' ?

"Streaky_Bacon" <streaky_bacon@msn.com>
Fri, 10 Apr 1998 09:20:04 +0100
Wine broker Bordeaux Index has spent a fortune making sure its computers can
handle the Millennium bug.  Yesterday it had no trouble shifting a magnum of
Chateau Margaux 1900 for GBP9,000 - but trying to log the sale proved more
difficult.  No matter how hard they tried, the computer kept changing the
description to Ch. Margaux 2000.  "We are stumped," says a spokesman.  "We
can't get it to register the proper name."  [Source: UK *Daily Telegraph*
(City Diary) 9 Apr 1998]

The RISKS are obvious!

[Perhaps I must suppress such aphorisms!  But a Hamming code on the year
might help.  Then we could ask how much would a Margaux Hamming Weigh?  PGN]


Daylight Savings Time disaster

Henry Spencer <henry@spsystems.net>
Mon, 6 Apr 1998 15:31:19 -0400 (EDT)
A friend works for a large institutional employer, which has one of the
usual fancy phone systems including voice mail.  Apparently they had a
problem making the daylight-saving-time switch yesterday; today everyone
got e-mail saying:

  "We regret to inform you that while attempting to adjust the time on our
  [name deleted] telephone and voice mail systems, the [company deleted]
  technician inadvertently transposed the month and date resulting in the
  voice system deleting messages that had been previously heard.  We are
  currently in the process of [determining] if the data can be restored..."

The most obvious fix is to automate the DST transition, as many systems now
do.  One can perhaps argue about that, given the complexity of the rules and
the way they change from place to place and even from year to year.  But if
it's not automated, one would at least hope for a less error-prone interface
to handle the highly predictable requirement of moving the time forward or
back one hour, especially given the apparently severe consequences of
getting it wrong.

(For that matter, one would hope for a less error-prone interface for
setting the date when that's needed, given the long-known ambiguity of
dates like 11/04... to say nothing of 11/04/01, which is not far away.)

Henry Spencer henry@spsystems.net (henry@zoo.toronto.edu)


UK considers universal CV database

Wendy Grossman <wendyg@cix.compulink.co.uk>
Thu, 2 Apr 98 21:41 BST-1
According to this morning's *Independent* newspaper, Tony Higgins, the chief
executive of the University and Colleges Admissions Service (this is a
centralized clearinghouse for college/university applications that acts as a
matchmaker between kids and schools in a mad six-week summer scramble), is
to suggest a scheme for a database of every citizen in the UK that will hold
all their educational and other achievements.  The article goes on to
outline the uses to which such a database could be put: proof of
qualifications for entry to university or employment, checking on the state
of student loans.  "Eventually," education editor Judith Judd writes
enthusiastically, "they might also contain pupils' results from the age of
five."  The idea is that the existence of the profile will encourage people
to continue learning throughout their lives.  Ha Ha.  Ministers are supposed
to be considering giving everyone a NUMBER to attach to their profiles.

There are so many risks involved in this that it's impossible to list them
all.  I just hope it works out that the most significant risk is to Higgins:
that he gets so thoroughly ripped to shribbons for this that it deters all
government ministers in future.


Lexis-Nexis archives don't match print versions

Jorn Barger <jorn@mcs.com>
Thu, 9 Apr 1998 09:59:56 -0500
The Columbia Journalism Review has an online piece at:
<URL:http://www.cjr.org/html/98-03-04-archive.html>
called "How Accurate Are Your Archives?" by Bruce William Oakley in which he
describes comparing the Lexis-Nexis versions of published articles with the
actual hardcopy:

  I compared articles in the commercial electronic archives, such as
  Lexis-Nexis or DataTimes, of four newspapers to the paper versions from
  their national and local fronts on arbitrarily chosen dates. Not one
  archived version flawlessly matched newsprint. The errors ranged from
  incorrect punctuation to incorrect headlines and bylines.

The most striking example almost led to a lawsuit, when a public figure was
accused of having served time, in the Lexis-Nexis version-- a research error
that had been corrected in the final proofs before publication, but never
got transmitted back to the archived version.

URL:http://www.mcs.net/~jorn/html/weblogs/weblog.html


Tamagotchi revisited: Driver saves virtual pet, kills cyclist

Fred Ballard <ballardf@pprd.abbott.com>
Thu, 09 Apr 1998 09:54:14 -0500
The following was forwarded to me, source unspecified.  Fred Ballard

MARSEILLE, France -- A French driver killed a cyclist and injured another
after she took her eye off the road trying to save her Tamagotchi virtual
pet, police said Wednesday.  The 27-year-old woman became distracted when
the electronic pet, which was attached to her car key ring, started to send
out distress signals.  She asked a companion in her car to attend to the
Tamagotchi but in the confusion she failed to notice a group of cyclists on
the road ahead and slammed into the back of them.  One died instantly and
another was taken to hospital.  Police said the woman was arrested after
Sunday's accident near the southern city of Marseille.  [See RISKS-19.36-37.
PGN]


House Cat Kills Power to Dhaka Commercial District

"Zachary Tumin" <ztumin@princeton.com>
Sun, 12 Apr 1998 11:09:58 -0400
An Associated Press report from Dhaka, Bangladesh today reported that large
parts of the Bangladeshi capital lost power and fell dark Saturday, April 11
when a cat, who had walked into the control room of a power station, stepped
on some wires and caused a short circuit.  The cat died immediately, but
power was out for two hours Saturday from Dhaka's principal shopping
district.  Power was restored only after the cat's remains were removed and
the equipment cleaned.

  [If you'll pardon my French, this was
  "Un chat" in the dark.  PGN]


Re: Inaccurate study quoting (Perillo, RISKS-19.65)

Fred Cohen <fc@all.net>
Thu, 2 Apr 1998 17:40:38 -0800 (PST)
I think that Robert Perillo's two points are extremely important. In
essence, the reports assert that law enforcement won't benefit much by
improved ability to read all electronic messages and that the only real
benefit is in cost savings.

On the other side of the coin, the financial impact of the release of
information leading to the breaking of sophisticated cryptographic keys can
be extremely high. For example, cryptography is used to cover the vast
majority of interbank transfers (trillions daily), in stock trading (similar
magnitude), and in credit card transactions (a big number as well).  The
risks in these financial arenas are so severe that legal export of high
quality cryptographic hardware for electronic banking applications has been
done for many years.

As we move increasingly toward electronic commerce the risks of breakable
cryptography are far higher than the benefit in cost reductions to law
enforcement. Indeed, if codes could be broken for law enforcement purposes,
the defense could assert that law enforcement planted the information using
its ability to break the codes. Even if this were not technically true for
some particular cryptosystem, the increased litigation costs associated with
prosecuting cryptography-related cases could be far higher than the savings
that breaking cryptography would seem to generate. But I have digressed a
bit.

My main point is that these conclusions seem to lead very directly to the
need for a cost/benefit analysis of breakable crypto vs. unbreakable crypto.
It's all well and good to hear claims on both sides of the crypto issue, but
since the issue identified in the government's study seems to be one of
money - and not one of whether we can catch and successfully prosecute
criminals or whether individual privacy is more or less important than law
enforcement - it would seem a valuable exercise to figure out whether and
where it is more cost effective to have breakable crypto than unbreakable
crypto. Unless it can be clearly demonstrated to be more cost effective to
have breakable crypto, the debate should be over as far as law enforcement
is concerned.

FC

Fred Cohen & Associates: http://all.net - fc@all.net - tel/fax:510-454-0171


Map maker sued in Dubrovnik T-43A crash

Matt Welsh <mdw@now.CS.Berkeley.EDU>
3 Apr 1998 20:24:25 GMT
From CNN Online at http://www.cnn.com/US/9804/03/brown.crash.suit.ap/ :

Jeppesen Sanderson, a Colorado map company, is being sued by the families of
some of those killed in the April 1996 crash of a military B737-200 (T-43A)
in Dubrovnik, Croatia. Among those killed was U.S. Commerce Secretary Ron
Brown.

The suit claims that "the Jeppesen chart listed a minimum descent altitude
for the approach which was too low and put ... the aircraft on a collision
course with the mountain". The chart allegedly also failed to warn pilots
that two NDBs were required for the approach and which NDB stations should
be used.

M. Welsh, UC Berkeley, mdw@cs.berkeley.edu
