The RISKS Digest
Volume 20 Issue 93

Monday, 3rd July 2000

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Please try the URL privacy information feature enabled by clicking the flashlight icon above. This will reveal two icons after each link the body of the digest. The shield takes you to a breakdown of Terms of Service for the site - however only a small number of sites are covered at the moment. The flashlight take you to an analysis of the various trackers etc. that the linked site delivers. Please let the website maintainer know if you find this useful or not. As a RISKS reader, you will probably not be surprised by what is revealed…


o Collapse of UK air-traffic control computer
Ulf Lindqvist
o Sliced fiber-optic cable disrupts phone service in Northeast
Doneel Edelson
o State Department loses phone service
o Weld-done stake in phone lines
o Find security hole, get sued
Stanley Chow
o The low-down on the Berlin Fire Department Y2K-fiasco
Debora Weber-Wulff
o NATO creates computer virus that reveals its secrets
Monty Solomon
o Hacker endangers astronauts
Avi Rubin
o Burger King gives away CD-ROM with porn addresses
o Hotel phones that ID room occupants
o Electronic signatures secure?
John P. Darrow
o *The NYT* site exposes CIA agents
Monty Solomon
o Re: UK Millennium Bridge instability
Tony Woolf
John Sullivan
o Microsoft software *can* damage your hardware!
Rob Slade
o Another Win95/DOS interaction
Jeremy Epstein
o Y2K-leapyear hangover, human error or other tomfoolery?
Ari Ollikainen
o Re: Network Solutions risks
Peter Sleggs
o Personal train warning
Marc Salverson
o Info on RISKS (comp.risks)

Collapse of UK air-traffic control computer

Ulf Lindqvist <>
Sun, 18 Jun 2000 10:34:18 -0700 (PDT)
On 17 Jun 2000, thousands of would-be passengers were stranded when the main
air-traffic control computer collapsed.  The National Air Traffic Services
computer was fixed later in the day, but the resulting congestion caused
many people to spend the night at airports around the UK, and many flights
were cancelled the next day as well.  Heathrow and Gatwick were hardest hit,
although other UK airports experienced severe delays.  This was the second
time in a week that the computer system had failed.  [PGN-ed, from BBC,
Sunday, 18 June, 2000, 11:33 GMT]

Ulf Lindqvist, SRI International, 333 Ravenswood Ave, Menlo Park CA 94025-3493
+1 650 859-2351,  <>

  [Also noted by Dave Stringer-Calvert, Ursula Martin, Yves Bellefeuille.  PGN]

    [I flew back from the East Coast on 25 Jun 2000, and experienced
    huge delays that were blamed alternatively on thunderstorms and on
    air-traffic control congestion.  Airports in Boston, NY, Philly, and
    Washington were essentially shut down.  PGN]

Sliced fiber-optic cable disrupts phone service in Northeast

"Doneel Edelson" <>
Thu, 29 Jun 2000 12:38:12 -0400
Phone service in the Northeast was disrupted Wednesday evening after a Bell
Atlantic fiber-optic cable was sliced in Lancaster PA, affecting local
customers and callers from New York to Maryland using AT&T, MCI WorldCom,
and other long-distance carriers routing through that area.  [PGN-ed from
CNN item and USA Today items, 28 Jun 2000]

State Department loses phone service

"Peter G. Neumann" <>
Mon, 21 Jun 2000 6:03:21 PDT
Heavy rains knocked out telephone service for two hours for the U.S.  State
Department on the evening of 15 Jun 2000, and the backup batteries were
unusable because of an earlier fire.  [PGN-ed]

Weld-done stake in phone lines

"Peter G. Neumann" <>
Wed, 28 Jun 2000 7:19:12 PDT
In the last week of June 2000, during construction preparing for
connecting the Bay Area Rapid Transit (BART) to the San Francisco Airport, a
droplet of welding material in a manhole just south of San Francisco caused
a fire that destroyed portions of 27 cables, wiping out telephone service to
25,000 customers; the process of replacing 800 feet of cable and correctly
reconnecting the many thousands of wires was expected to take at least two

Find security hole, get sued

Stanley Chow <>
Thu, 22 Jun 2000 09:59:04 -0400
A story in the local paper (*Ottawa Citizen*) reports that an Edmonton
man found a way to win at slot machines. The report is typically weak
with details; this is my understanding of what happened:
  - WMS Gaming Inc. is the manufacturer of video slot machines
  - there are back door easter-eggs on (some) blackjack machines that
    give you a win.
  - According to company lawyer, this has cost millions of dollars
  - Mr. Yaghi (an independent software consultant) found it somehow
  - Mr. Yaghi told the gaming commission and the company
  - company sues him for ten million dollars, and got court order to
    search his house

The parallels with the French smartcard episode are striking. I must
reluctantly come to the conclusion:
  Crime pays a lot better than honesty.

Can anyone familiar with slot machines tell me how could this get
through the QA process? Don't they do code-inspections?

Stanley Chow, Cloakware Corp, 260 Hearst way #311 Kanata, Ontario K2L 3H1
Canada  VP Engineering  (613) 271-9446 x 223

The low-down on the Berlin Fire Department Y2K-fiasco

Debora Weber-Wulff <>
Sun, 18 Jun 2000 19:22:21 +0200
The German computer biweekly magazine c't analysed the Y2K-fiasco that
caused the Berlin Fire Department to miss fires and lose fire trucks
this past New Year's Eve.  See RISKS-20.75 and RISKS-20.82.

The major culprit was the security preparations themselves, it seems.

In order to avoid the Y2K problem, the programmers had decided to give 1999
13 months instead of the usual 12. Then, just before the New Year's, they
installed a time server in order to prevent there being a problem when the
system time of the computers was compared with the normal time which is
broadcast in Germany on a special frequency. They missed one little thing:
leading zeros. The operating system delivered dates as 1:12:99 while the
time server used 01:12:99.  But since the time server was not installed
until after the 10th of December, it wasn't until midnight that the clock
struck 13, or rather 1:13:99 instead of 01:13:99.

This caused another program to cough about a date discrepancy. So the people
overseeing the systems tried to reboot the system [this at just past
midnight on the first of January! -dww]. But it wouldn't reboot, because two
of the computers were not configured properly.  If they had ignored the
error message, everything would have been okay!

Now, while the system was trying to reboot, the folks in the fire trucks got
antsy. They didn't get acknowledgements for their reports of where they
were. So they just pushed all the buttons, to see if the machine was
dead. This flooded the system additionally with repeated status messages.

Finally, the network boards come into play. They had been named as the
culprits in the first round of finger-pointing. They had just been
installed, and were misconfigured. They couldn't handle the traffic and
began producing random errors. This confused the part of the system that
keeps track of where the equipment currently is located, and then *it* died.

So they reverted to paper and pencil and fax. The fax machine which made up
the major connection for the backup system needed 30 seconds per fax, but
the reports were coming in faster than that, causing the fax cutter to
jam. This meant that the reports were in the fax memory, but there was no
way to get them out on paper, and a second fax machine was not available.

So thanks to c't for showing us that you can't be paranoid enough, you
really need to keep all your equipment rebootable, and it might be a good
idea to have a working back-up system. Luckily, the *other* guys got most of
their Y2K-stuff right, so we didn't have Armageddon happening and didn't
need to know were all the fire trucks were parked.....

Prof. Dr. Debora Weber-Wulff, TFH Berlin, FB Informatik, Luxemburger Str. 10
13353 Berlin, Germany

NATO creates computer virus that reveals its secrets

Monty Solomon <>
Sat, 24 Jun 2000 12:31:38 -0400
Bungling NATO scientists have created a computer virus "by mistake", causing
military secrets to find their way onto the internet.  The virus, called
Anti-Smyser 1, was created by scientists at NATO'S Kfor peacekeeping force
headquarters in Pristina, Kosovo.  They were seeking protection from virus
attacks similar to those launched at NATO by the Serbs during the Kosovo
conflict.  But the experiment went wrong, and scientists accidentally
unleashed the virus on themselves.  The virus, which plucks documents from
the hard drives of computers and sends invisible attachments to e-mails,
recently resurfaced at the Czech ministry of defence.

Hacker endangers astronauts

Avi Rubin <>
Mon, 3 Jul 2000 01:26:04 GMT
According to the BBC, 3 Jul 2000, a computer hacker endangered shuttle
astronauts in 1997 by overloading NASA's communication system after tapping
into the NASA system monitoring the astronauts' on-board medical signs while
docking with Mir.  Apparently, NASA has experienced more than 500,000 cyber
attacks in the past year.  [PGN-ed]

Burger King gives away CD-ROM with porn addresses

"Peter G. Neumann" <>
Mon, 26 Jun 2000 5:18:53 PDT
Declan McCullagh's news distribution included an item from Paul McMasters
written by Jonathen Lambeth that Burger King distributed free with
children's meals a CD-ROM including the Net Nanny filtering program that
with a few extra mouse clicks gets you a list of more than 2000 Internet
porn sites.  [PGN-ed]

Hotel phones that ID room occupants

That Funky Chick <>
Sun, 18 Jun 2000 21:18:49 GMT
This weekend some relatives and I were staying at a fairly nice hotel.  At
one point two of us were in the lounge, and I called the room to let my
mother know where we were in case she wanted to join us.  When I dialed
our room number, my mother's name (the name the room was reserved under)
showed up on the phone's LCD.

I'm sure there are very good reasons why this would be a desirable thing.
Certainly it would have been immediately clear to me if I had accidentally
misdialed and called someone else's room.  However, I can also think of
some instances when this feature might not be welcome.  For example,
someone interested in fraud could conceivably call a room number at random,
then use that occupant's name and room number to sign his guest check at
the hotel restaurant.  No picture ID is required during this process; the
real occupant wouldn't be aware of fraudulent charges until his final bill
was presented at checkout.

For another example, a child who is ordinarily old enough to be left alone
in a safe hotel room might not be discriminating enough to be suspicious if
a stranger at the door knows a parent's name.  Parents can warn their
pre-teen not to open the door for "room service," but would probably not
think to warn the child not to believe someone claiming to be sent by "Your
mommy, Jane Smith."

I don't doubt that RISKS readers will be able to come up with other


Electronic signatures secure?

Fri, 30 Jun 2000 15:34:13 -0400 (EDT)
  Message:  Note Clinton's rather poor password.

President Clinton on Friday used an electronic card and his dog's name as a
password to "e-sign" into law a bill that makes electronic signatures as
valid as their ink counterparts.  [...]  "Now, let's see if this works,"
the self-proclaimed technologically challenged Clinton said with a chuckle
as he inserted the smart card into the computer and punched in his dog's
name, Buddy, as the password.

  [See for a position paper on this legislation.  PGN]

Electronic signatures secure?

Fri, 30 Jun 2000 16:02:22 EDT
The RISK here should be obvious. No, not the bill itself (that's a subtle
RISK), but using your dog's name as a password, and announcing the fact via
an international news service.

*The NYT* site exposes CIA agents

Monty Solomon <>
Sat, 24 Jun 2000 12:00:33 -0400
A freedom of information activist plans to publish online a classified CIA
document that was pulled from *The New York Times'* site after newspaper
officials learned it exposed the identities of Iranians involved in the 1953
U.S. and British-backed coup that overthrew Iran's elected officials.  *The
Times* used the graphic to accompany an article detailing the coup. In a
technical glitch, those who visited the Times website on June 16 were able
to read the names of the agents when they downloaded the graphic.  *The
Times* put a layer of black boxes over the names in the 200-page Portable
Document Format file, allowing viewers who "froze" the page while it was
being downloaded to read the names underneath.  [Wired News Report, 23 Jun

Re: UK Millennium Bridge instability (RISKS-20.92)

"Tony Woolf" <>
Tue, 20 Jun 2000 18:02:24 +0100
London's much publicised pedestrian Millennium Bridge over the Thames closed
the day after it opened because it swayed alarmingly when large crowds
crossed it.  The public had been assured that the design, which is novel,
had been extensively tested by Ove Arup using computer simulations and scale

New Scientist magazine (17 June 2000) quotes John Dickens, a civil engineer
at Loughborough University UK: "Even the most sophisticated simulation
programs have assumptions built into them and until you build the whole
thing you've still got a degree of uncertainty".

The risk: pushing a simulation program to deal with a novel design.  I
wonder whether those using the program had a clear idea of exactly what
assumptions were built into the program.  Very likely no-one knows what most
of the assumptions are because many of them probably arise out of theories
that work in the usual cases.

More generally, any novel design is likely to show up false assumptions in
the usual design processes, whether or not those assumptions reside in a
computer program.  Therefore extra cost and time should be allowed
specifically for the novelty factor, quite apart from that allowed for the
known technical difficulties.

Tony Woolf

Re: UK Millennium Bridge instability (RISKS-20.92)

John Sullivan <>
Sat, 17 Jun 2000 16:38:17 +0100
On Friday 16 June 2000 you wrote:
> Anything there on computer modeling?

The Ove Arup homepage has a section on the engineering of the bridge at:

Not too much detail, but plenty of pretty pictures. Quotes:

> Extensive analysis and wind tunnel testing have been carried out to
> ensure the bridge is stable in a one in 10,000 year gale.

> Analysis has been made of the motions resulting from pedestrians moving
> across the bridge to keep them within acceptable levels.  These were
> tested on a shake table by the design team at Southampton University.

> The pier response above ground to load was determined from computer
> modeling.

> We found that the maximum possible impact force from a ship bow from the
> boats traveling on the Thames on the pier is in the order of 35MN -
> equivalent to 26 000 people pushing at once. The bridge piers will move
> just 160mm sideways under this force, and continue to support the bridge.

150,000 people crossed on the first day. I'll take a wild stab and
estimate that that means about 500-2000 people on the bridge at a
time, on average. (Given the size of the bridge as 320x4m, this is
reasonable. You could probably comfortably fit 2500 walking people on
at a time.) Under that load it was moving 8" (200mm). models the
cable stresses up to a load of 5000 people. (5000 is the maximum
standing load.)

Overall they seem do have done a range of computer and physical
modeling including a second independent computer modeling team, but
vastly underestimated the number of people it would have to reliably
support. Assuming the models were correct (and as they say, the
stresses involved make this a ground-breaking project) you're still
not going to get good outputs if your inputs are an order of magnitude


Microsoft software *can* damage your hardware!

Rob Slade <>
Fri, 30 Jun 2000 08:47:22 -0800
Remember the good old days?  High speed disk drives, heavy aluminum platters
that sometimes fractured, at speed, sending pieces of metal out through the
sides of the drive?

Yesterday one of my students brought in a picture he had scanned of a bunch of
fragments of CD-ROM.  He had been installing Microsoft LinksGolf 2000.  While
disk 2 (of 3) was in the drive, there was a sudden noise, the drive bay popped
open, and out flew various pieces of plastic.  These were moving fast enough
that one cut him on the back.  A number of smaller pieces are obviously still
in the machine: he got the bay closed, but now it won't open any more.

This drive is (or, at least, used to be) a 52x drive, so clearly we are
getting up there in speed.

The risks, in terms of hardware damage, software loss, and personal injury,
are plain, but some interesting questions remain.

Are we reaching the limits of safe operation with plastic disks?  Or is it
only defects in manufacture that cause this type of problem?

Does the use of Microsoft LinksGolf void the warranty on the drive?

Who do you sue for personal pain and suffering, the drive manufacturer, or
Microsoft?    or

Another Win95/DOS interaction

Epstein Family <>
Sat, 17 Jun 2000 22:11:09 -0400
Several years ago there was a series of postings in RISKS about the
unexpected interactions between Win95 and the underlying DOS operating system.

I just discovered another one.  I run Win95 at home (works just fine on my
133MHz Pentium).  I wanted a list of all the files in a directory, so I
could print it.  Of course there's no easy way to do this directly from the
Windows Explorer, so I started a DOS window, typed "dir /on >foo.txt" (where
"/on" means "sort in alphabetic order"), and printed the resulting file.
Unfortunately, "/on" *really* means "sort in alphabetic order by the 8.3
short name of the file".  There doesn't seem to be a way to tell the "dir"
command I want it to sort the real name of the file, not the abbreviation.

Luckily I have a handy UNIX system with a decent set of tools so I can turn
the list into what I really want...

The RISK is assuming that software does what it's documentation says it does.


Y2K-leapyear hangover, human error or other tomfoolery?

Ari Ollikainen <>
Fri, 30 Jun 2000 19:23:20 -0700
Today my CDMA GTE wireless cellphone is displaying the date
as 6/31/00...which, as everyone knows, doesn't exist!

Anyone from GTE wireless willing to provide an explanation?

Ari Ollikainen, OLTECO, P.O. BOX 3688, Stanford, CA 94309-3688
Networking Architecture and Technology 1-415.517.3519

Re: Network Solutions risks (Rhodes, RISKS-20.92)

Peter Sleggs <>
Sun, 18 Jun 2000 08:53:54 -0500
It is not difficult to NOT receive the invoices, I have 2 domains I pay
for - Domain 1 _usually_ goes smoothly, but last year domain 2 did NOT
result in ANY paper invoices - required to get payment generated via the
accounting process, I had to bring this to Network Solutions attention
and was told - just pay it via credit card

- Without an invoice this comes out of MY pocket
- No invoice results in hassles with auditors
- The invoice they generate does not include the Canadian GST [ goods &
  services tax ]  which they are required to collect if they provide
  services to canada [ at least the bean counter says so ]
- With not collecting the taxes the risk is taking on the Canadian tax
  man :) [ which in my opinion would be a nice thing to happen to NS ]

This year's screwup - I decided to pay the domain 1 for multiple years and
take advantage of the discount offered ... two weeks after I did this I got
a "Deactivation notice", the web interface did NOT pwy the invoice and said
it did, BUT once again they do not close teh loop and provide a tracking
number like the phone payment interface does, so the attempt to deal with starts again.

Domain 2 is also missing the paper invoice this year :(

So the non-payment of the fees may simply be another case of NS not properly
sending out bills, with all the obvious risks there.

Personal train warning

Marc Salverson <>
Fri, 23 Jun 2000 08:33:03 -0500
On 22 Jun 2000, Paul Harvey reported that most people who have died at
railroad crossings "didn't hear the train coming".  He must have some inside

The point to the story was that someone is marketing a device to be
installed in a car that will alert the occupants that a train is coming.  Do
you think they claim that's the only time it could possibly alert?  No risk

That might be more tempting to hack than a tornado siren.

Marc <>

Please report problems with the web pages to the maintainer