The RISKS Digest
Volume 19 Issue 81

Tuesday, 16th June 1998

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Please try the URL privacy information feature enabled by clicking the flashlight icon above. This will reveal two icons after each link the body of the digest. The shield takes you to a breakdown of Terms of Service for the site - however only a small number of sites are covered at the moment. The flashlight take you to an analysis of the various trackers etc. that the linked site delivers. Please let the website maintainer know if you find this useful or not. As a RISKS reader, you will probably not be surprised by what is revealed…


U.S. Department of Energy computer security risks
Noise-Cancelling or Signal-Cancelling?
Mark Brader
MS Outlook Express sends mail bombs
Steffen Ullrich
Exchange/Outlook plug-in for PGP bypasses crypto
N.W. Choe
Crypto export controls "neither fair nor efficient, but available"
Stefek Zaba
SLAC Hack Attack
Conrad W. Clark
Three alleged Quebec hackers accused of posting bomb recipes
Mich Kabay
Re: Javascript security
Silas S. Brown
Shuttle imaging Y2K problem?
Ellen O'Leary via Lloyd Wood
Improvements that aren't, immediacy that hurts
Jerry Leichter
Gas supply failure in Victoria, Australia
Mike Martin
Re: German high-speed train disaster
Andrew J Thornton
David Lesher
Philip H. Smith III
Social Engineering 101: AOL billing
David Cassel
A surprise from Holiday Inn on use of SSNs
Willis Frick
Re: 15th century time machine and y2k
Danny Burstein
Re: Navy stops teaching celestial navigation
Rena Borney
Re: Burglars foiled by cordless phone interception
Curt Sampson
GPS on silo missiles - I was wrong
Geoff Kuenning
Info on RISKS (comp.risks)

U.S. Department of Energy computer security risks

Fri, 12 Jun 98 10:33:28 -0500
An internal review of 64,000 unclassified computer systems throughout all
major Department of Energy facilities has found serious security lapses,
including the presence of classified and sensitive nuclear weapons
information on 1,400 systems open to anyone on the Internet.  This has
stimulated a "contamination clean-up".  Los Alamos alone has had 15 security
breaches since Nov 1997.  Apparently ftp reads — and *writes* — and
readable password files are major problems.  [Source: Brock N. Meeks, MSNBC,
29 May 1998, Stark Abstracting.  RISKS Readers, Are You Surprised?  PGN]

Noise-Cancelling or Signal-Cancelling?

Mark Brader <>
Wed, 10 Jun 98 20:53:58 EDT
Some issues of the Canadian government publication Aviation Safety Vortex
can be found at <>.
Reproduced in one of them is a notice from Bell Helicopter Textron:

|  "The use of noise-cancelling headsets by helicopter crews has become
|  commonplace."  Recently, an operator informed Bell Helicopter that he
|  was unable to hear the audio cautions and warnings while wearing one
|  of these headsets.  If a flight crew member chooses to wear any kind of
|  headset, especially a noise-cancelling headset, then that person
|  should determine that all audio cautions and warnings can be heard
|  with the headset on, prior to takeoff.

The editor observes that the principle has more general applications.

MS Outlook Express sends mail bombs

Steffen Ullrich <>
Fri, 12 Jun 1998 17:07:29 +0200
This happened today in the company I work for.  For some reason they all
(except me) use the Outlook Express which comes with MSIE4. They had some
problems in the past with it (it simply discards mails with a correct but
obviously unexpected delimiter for MIME-parts) but today one mailer started
to send huge (10Mbyte) mail bombs. The reason: If Outlook tries to send mail
it first puts the mail into a temporary box and after the mail is send it
gets moved into the outbox. If it can't write to the outbox (in this case
the outbox was one a server which had not enough space for this big mail)
the mail stays in the temporary box and after a while it tries to send it
again and again (interval varies). The bad thing is - it doesn't tell you
about the problem. Only if you attempt to move the mails by hand into the
outbox it tells you that there is no more space.  Fortunately, all outgoing
mail gets first spooled on a Linux-server which at intervals send the mail
over a ISDN line. So after the person called me asking why the mail doesn't
get send I could quickly login (from 600 kilometers away) and delete the 4
duplicates before they went out.  This is not the first time this
happened. A few days ago the Linux-server was swamped over night with about
50 30Mbyte big mails. Most of them went out, poor person who got them.
Hopefully this will be the last time - today I installed a filter which
tracks duplicates (they are not exactly duplicates - the Message-Id is
different on each instance) and sends them back to the user ;)

Exchange/Outlook plug-in for PGP bypasses crypto

"n.w. choe" <>
Sat, 13 Jun 1998 10:09:00 -0400
This one here is fairly straightforward:

The Exchange/Outlook plug-in for PGP for Personal Privacy commercial) and
PGPfreeware 5.5 from Pretty Good Privacy, Inc. (now part of Network
Associates, Inc.) does not work with Outlook 98. In particular, sending a
message in RTF, HTML or WordMail format can result in an unencrypted HTML or
Word version being sent, along with the encrypted text version.  "oops" ;) -

Crypto export controls "neither fair nor efficient, but available"

Stefek Zaba <>
Thu, 11 Jun 1998 01:26:13 +0100
Undersecretary Reinsch on crypto export controls at EPIC-98:
  "Neither fair nor efficient, but available".

In contrast to the shocking admission by Associate Deputy Attorney General
Litt that he hadn't bothered reading the CRISIS report produced by the
National Research Council, Undersecretary Reinsch gave a very candid
characterisation of US export controls on crypto at the same session of the
EPIC conference.

In answer to a question from the floor, the Undersecretary explained at some
length that export controls are under the direct control of the Executive,
specifically the President, with little room for oversight by the judiciary
or legislature: in contrast, both controls on the domestic use of encryption
technology and import controls would require legislation.  In closing,
Undersecretary Reinsch summarised with words very similar to these: "In the
abstract, I couldn't honestly argue that export controls are either fair or
particularly efficient as a means of control; they are however available."

The abridged soundbite version - "Export controls: neither fair nor
efficient, but available" - seems like worthy tagline material for updated
editions of the Diffie-Landau book, ACP handouts, and similar. The
significance of this admission of the intellectual bankruptcy - that is to
say, the soundly pragmatic nature - of US export policy was overshadowed by
Bob "CRISIS? What CRISIS?" Litt's gaffe...

Stefek Zaba, HPLabs Bristol

SLAC Hack Attack

"Conrad W. Clark" <>
Thu, 11 Jun 1998 17:02:21 +0300
According to the San Jose Mercury, the attack was launched using LAN
sniffers.  The exposure to unencrypted passwords was mentioned, with France
with its extreme restrictions on encryption mentioned as a bad example.  The
consequences could include disabling the capability of researchers in France
to log on to SLAC over the net.

Three alleged Quebec hackers accused of posting bomb recipes

"Mich Kabay [ICSA]" <>
Tue, 9 Jun 1998 06:38:34 -0400
Three Quebec City-area men in their 20s were arraigned in Quebec court on 8
Jun 1998 for stealing Internet passwords and offering on-line recipes for
how to make explosives.  [Source: _The Gazette_ (Montreal), 9 Jun 1998, A6]

Re: Javascript security (Gong, RISKS-19.79)

"Silas S. Brown" <>
Fri, 5 Jun 1998 08:44:15 +0000
> another risk, namely missing something important that requires Java
> and/or JavaScript but where it isn't clear that they're required

This is one of the things that drives blind and partially sighted people
crazy.  The web is supposed to be a "free information for all" (who have the
technology) thing, but it isn't.  Even the best tools can't descramble a
JavaScript program, text only formatted in an image, or an image link or map
without ALT tags.

Silas S Brown, St John's College Cambridge UK
[offline after 18 June until October.]

Shuttle imaging Y2K problem?

Lloyd Wood <>
Fri, 12 Jun 1998 21:19:59 +0100 (BST)
  ---------- Forwarded message ----------
   [Multiple (at least 5) forwardings deleted.  PGN]

[[ The "SIR-C processor" is big wad of custom hardware.  SIR-C was the
   3rd Shuttle Imaging Radar mission — the premiere unclassified
   spaceborne imaging radar dataset.  Looks like it's about to go
   write-only ...  /Frew ]]

>From: Ellen O'Leary []

There is a Year 2000 problem with the SIR-C processor and it is unlikely
that there will be funds available to fix it.  The purpose of this e-mail
is to let you know this so, that you can request SIR-C data processing
before this problem shuts the processor down.

You can request SIR-C data processing over the World Wide Web at:

Please try to space your requests out over the next year or so in order
not to overload the processing team at EROS.  Please pass this along to
others who might like to know.

Ellen O'Leary, Jet Propulsion Laboratory, 4800 Oak Grove Drive
Pasadena, CA 91109   1-818-354-7250

Improvements that aren't, immediacy that hurts

Jerry Leichter <>
Sun, 14 Jun 98 10:02:41 EDT
In RISKS-19.75, Richard Cook mentions some of the problems introduced by the
reliance of hospitals on "more efficient" technologies (pagers) that can
fail (when the Galaxy IV satellite dies).

I recently saw an interesting example of the negative effects of this "more
efficient" technology *when it is working perfectly!* I was at a restaurant
on evening with a relative who's a surgeon.  His pager went off, and he
returned the call using a cellphone.  After a brief conversation, he hung
up, pulled a scarp of paper out of his pocket and made some notes.

He then remarked on what had happened.  The call was from the lab at his
hospital, reporting some lab results which, as it turned out, were a very
strong contra-indication for an operation scheduled for the following

Now, in the old days, lab results were only reported on paper, though
inefficient, slow mechanisms.  Since all doctors now had pagers, the labs
now called immediately with the results.  On the one hand, this makes
important information available immediately.  On the other, it pretty much
guarantees that much information will reported at inappropriate times and
places.  After this phone call, an essential bit of information resided in
my relative's head, and on a scrap of paper in his pocket.  Oh, it certainly
was duplicated in the lab and patient records at the hospital — but those
records might not be routinely examined before beginning an operation.
Presumably there was at one time a method for delivering such information at
the hospital, perhaps when a doctor arrived; but any such system would
inevitably atrophy fairly rapidly as people came to rely on paging

There are many lessons to be learned (again) here.  Mostly, the problem is
one of human interface: An efficient, (mainly) reliable system is being used
in a way that does not match the needs and cognitive abilities of the human
beings who must rely on it.  But one can also point out that reliability and
safety are system properties, not component properties, and it's not clear
what effect the introduction of new technology has had on the overall

It's tempting to attribute the problem to inappropriate technology and
propose a technological fix.  Perhaps the lab should use persistent E-mail
messaging instead of volatile pager notifications.  Perhaps the doctors
should be using some "more advanced" technology (e.g., a Palm Pilot) instead
of scraps of paper.  Perhaps ... but one can speculate endlessly.  The fact
is, pagers are there; some information *does* need to be delivered and acted
on immediately, for which pager technology is the appropriate choice; it's
not clear that good alternative technologies for this particular problem
really exist right now; and even if they did, adding yet more complex
technologies might make things worse rather than better.

(There is also, of course, the social/personal issue: Surgeons have always
known that it's a part of the job that they may be called at almost any time
in emergencies.  It used to be difficult to do that, and calls really were
(mainly) restricted to emergencies.  Now, pagers are used for many things
that *don't* qualify as emergencies.  My relative isn't particularly
bothered by this, but then he's known for his concern for his patients and
willingness to put up with inconveniences on their behalf — he would
otherwise never have chosen his subspecialty, which by its nature brings him
patients who are typically extremely ill and often in unstable condition.
Most would probably not be as tolerant — when everything is an emergency,
soon nothing is an emergency.)


Gas supply failure in Victoria, Australia

"Martin, Mike" <>
Fri, 12 Jun 1998 12:41:52 +1000
On 11 June 1998 residents of the state of Victoria, Australia, were advised
to skip taking a shower and to eat a cold breakfast. Bread bakeries
throughout the state, the Ford and Toyota vehicle and other manufacturing
plants were closed. The cause was the disabling of 25 per cent of the
state's natural gas supply by a metre long block of ice that had formed in a
main supply pipe, apparently one of four. Some areas also temporarily lost
electric power, due to consequent overload.

At least 3000 workers were stood down and an estimated $30 million
production was lost.

The state's gas comes from undersea wells in Bass Strait and is treated for
distribution at a plant near Melbourne, on the south coast. The previous
night, temperatures dropped to an unseasonable 4 degrees Celsius (39 degrees
F), and water that is a byproduct of gas extraction froze in the pipe.
Attempts are being made to thaw the blockage with an electric blanket around
the pipe. According to a television news report last night, if these fail
and the apparatus is opened up, it may be up to a month before supply is
restored, due to the time required to flush out air before feeding gas
through again.

As of 11 am today gas supply is back to normal although the pipe is still
blocked. Clearly, some contingency provision must have existed.

However the incident is a reminder that disasters can occur from causes that
nobody thinks of. Sydney, Melbourne, Brisbane and Canberra, where the bulk
of Australia's large computer centres are located, are at relatively low
risk from civil insurrection, terrorism, tsunami, volcanic eruptions,
earthquakes, catastrophic floods, forest fires, hurricanes and tornados. It
is sometimes difficult to take IT disaster recovery seriously here, as the
disasters that typically make foreign news headlines are of types that we
are not very likely to suffer.

This gas supply failure is a handy reminder (and the recent protracted
failure of electrical supply to Auckland CBD is another) that causes that
nobody has thought of and nobody has planned against, while individually
rare, are many. Who would have thought that a temperature drop to 4 degrees
could possibly have such an effect?

Mike Martin,, Sydney, Australia

Re: German high-speed train disaster

Andrew J Thornton <>
14 Jun 1998 00:42:50 GMT
I have been told that the British High Speed Trains have simple detectors on
board which indicate to the driver if a bearing or wheel fails. If the
indication is ignored, the braking system comes on automatically. If this is
so, the sorry story indicates an obvious risk - that something that looks
high-tech and sophisticated viz the ICE train, may not in fact be so.

Re: German high-speed train disaster

David Lesher <>
Wed, 10 Jun 1998 23:21:33 -0400 (EDT)
I'm surprised no one has noted that Linux Journal's
<> May issue carried a story
about Linux being used for a data acquisition system on the ICE trains.

The problem being studied? Prematurely out-of-round wheels...

  [URL corrected in archives, thanks to Rogier Wolff.  PGN]

Re: German high-speed train disaster (Virtel, RISKS-19.80)

Philip H. Smith III <>
Thu, 11 Jun 98 07:58:46 EDT
I suspect this is an old point to RISKS-ers, but: without disagreeing with
the basic point, it's worth noting that such systems must, alas, be manual
enough that the driver is the one who makes the ultimate decision.  Anyone
who has been on an airplane with a white-knuckled flyer knows that if there
was an "emergency stop" button, it would get pressed for every bump, groan,
or whine, and twice when fuel is vented from the overflow.  While
(presumably) most train passengers aren't as white-knuckled as some flyers,
and I wouldn't be surprised if Germans were more self-controlled about such
things than we Yanks, I'd hate to have them spend a fortune installing
Emergency Stop buttons, only to find that 25 false emergencies the first
week alone make them impractical...  For a vaguely related column from
_Upside_ magazine, see

Social Engineering 101: AOL billing

David Cassel <>
Wed, 10 Jun 1998 17:26:47 -0700
On May 26 I called AOL's billing department to test this, giving only name
and home address, and they changed my password ON THE VERY FIRST ATTEMPT.

C|Net's Jim Hu also reported the same results from his own test, though
it took him a few more calls...,4,22538,00.html

The day I called, most calls were ALREADY being forwarded to AOL's "small
group of better-trained reps".  I guess at least one phone rep hadn't
learned to forward calls to the specially-trained password representatives
in the first place.  (I believe AOL's next step is to disable the ability to
change a password for all but the specially-trained reps.)

In AOL's defense, Steve Case reported in January that the reps handled over
a million calls per week.  But there's been other stories about AOL accounts
being compromised recently...

It's ironic, because in the wake of the [other] Timothy McVeigh incident in
January, AOL's CEO Steve Case admitted they'd divulged a subscriber's
real-life name, accepted responsibility — and added "AOL's commitment to
protecting the privacy of our members is stronger than ever."

David Cassel    AOL Watch

A surprise from Holiday Inn on use of SSNs

willis frick <>
Mon, 15 Jun 1998 09:38:30 -0700 (PDT)
I just found out that Holiday Inn uses your Social Security Number as your
"frequent stayer" account number.  I called to enroll in the program, found
out that I already was enrolled (11/95)) and that my account number was my
SSN!  No, they can't change your number now, but plan to do so later in the
year for all "old" accounts that use the SSN.

Can they have been that electronically clueless as recently as November
1995?  Looks like it.

Willis Frick

Re: 15th century time machine and y2k (RISKS-19.79)

danny burstein <>
Sun, 7 Jun 1998 19:11:32 -0400 (EDT)
Are they trolling?

(a) if it was a 15th-century invention, it would have been built in the
1400s, not in 1600

(b) how did it handle September 1752?

(c) a report from an unnamed "Japanese press" outlet describing a similarly
unnamed museum in Liverpool, England?

  [On (a), Off-by-one errors are very common in naming centuries.  And this
  is only an off-by-one rather than off-by-two.  Ignoring us computer folks
  who like to count from 0, 1600 was the last year of the 16th century.
  On (b), Obviously it didn't.  but that was only a slip of a bunch of
  days and  one doubts that this thing was accurate enough to worry
  about that — not to mention leap-second corrections.
  On (c), Apparently's logo confused our contributor?
  And then there is (d), This whole item was rather whimsical anyway.  PGN]

Re: Navy stops teaching celestial navigation (RISKS-19.79)

Sat, 6 Jun 1998 19:57:15 EDT
The real problem to this ex-GI is that what happens when war breaks out and
we find the GPS signal either jammed or, worse, meaconed[*] (theoretically,
proper meaconing could result in your cruise missile heading for one of your
own sites...).  Given the reliance the US armed forces are placing on GPS,
it is an obvious Achilles heel to attack.

  [* meaconed = misbeaconed, not misspeakin'?  PGN]

Yes, there are backups, principally:

1) Radio beacons (LORAN, SHORAN, etc): Subject to jamming and beaconing

2) Inertial Navigation: Subject to drift over time. Most commonly updated by
... STAR SHOTS (i.e.: celestial navigation)

A related problem to this old grunt is that we are equipping every platoon
in the US Army with GPS. Admittedly, there is an old army saying that the
most dangerous thing on the battlefield is a second lieutenant with a map
and compass, but what happens when the GPS takes a round, the battery
resupply gets screwed up, the platoon dud forgets and leaves it behind...
150 years ago Carl Von Clausewitz came up with what he termed "friction" in
warfare - all sorts of little things go wrong frustrating the commander's
intent. Indeed, from his view, you don't win a battle, you avoid losing it
by making the fewest screwups. This is such a military given, that the US
Army lists "Simplicity" (who do you think came up with KISS - Keep It
Simple, Stupid?) as one of the Nine Principals of War. Complex plans,
complex devices fall apart...why do you think that a guy with a rifle with a
bayonet on the end is what still decides wars?

Now imagine you've got a unit which has become dependent on the GPS and have
allowed their land navigation skills to atrophy. How would you like to be
bringing in air strikes, calling artillery fire missions or even trying to
bring up evening chow to this crowd? If I was a unit commander, I'd lock up
the GPS's in the supply room and do all my field training without them. If
the balloon goes up and they work, fine, If not, we are ready.

Re: Burglars foiled by cordless phone interception (Delaney, R-19.80)

Curt Sampson <>
Wed, 10 Jun 1998 17:50:52 -0700 (PDT)
> The risks? When you are using that cordless phone, someone else may be
> listening, even if it's illegal.

This is true of *all* wireless conversations, unless you're using encryption
of course. The US government went a bit further with cellular phone
frequencies in the 800 MHz band and passed a law that requires them to be
blocked on scanners; it wasn't long before enterprising scanner owners were
opening them up, removing a diode, and re-enabling those frequencies. The US
government then passed another law which stated that scanners cannot be
easily modified to re-enable these frequencies, but this law of course is
not effective in the rest of the world. The net effect has been that it's
hard to get a scanner in Canada with these frequencies enabled because the
US imports have them disabled, and the other imports are sold via mail order
to US customers before Canadians have a chance to get their hands on them.

And the result to cellular phone users? They have a larger illusion of
privacy without actually having it.

(Various US state governments have also tried to protect people's `right' to
privacy while broadcasting what they say to everyone within a radius of
miles; in some states, I understand, it's actually illegal to use a scanner
while mobile, which prevents one even from walking out one's front door with
it. As an observer from across the border, I'm mystified by US laws: it's
too much a violation of one's freedoms to pass a law against carrying guns
around, but carrying a scanner is so much more dangerous that there must be
a law against it?)

Curt Sampson, Internet Portal Services, Inc., Vancouver, BC  (604) 257-9400
Info at

GPS on silo missiles - I was wrong

Geoff Kuenning <geoff@Ashby.CS.UCLA.EDU>
Mon, 8 Jun 1998 11:40:40 -0700
Several RISKS readers have questioned my claim that the military is prepared
to launch spare GPS satellites from silos in the event of war.  It turns out
that they are right, and I am wrong.

As it happens, I have a distant cousin who recently retired from a very high
rank in the U.S. missile forces, so I asked him.  Here's his answer:

> To my knowledge Geoff, you got this one wrong.  All of our missiles have
> warheads on them.  We used to have some that had a communications package
> on (not a satellite but a up and down space probe) but they have all been
> retired.  Sorry.

Guess I'll keep practicing with that sextant...

Geoff Kuenning

Please report problems with the web pages to the maintainer