The Risks Digest

The RISKS Digest

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Volume 21 Issue 63

Saturday 1 September 2001

Contents

The Heavens at War: NMD assessed
Pete Mellor
SDI chief says system may not be reliable
PGN
Federal tax returns missing in Pennsylvania
PGN
Hotmail hackable with one line of code
NewsScan
Even dead people use Microsoft software
Jeremy Epstein
More interesting MS certificates
Stuart Prescott
Directory service based on car license plate
Ulf Lindqvist
Re: Air Force office mails confidential information ...
Jay D. Dyson
Info on RISKS (comp.risks)

The Heavens at War: NMD assessed

<Pete Mellor <pm@csr.city.ac.uk>>
Wed, 29 Aug 2001 11:44:20 +0100 (BST)

The Heavens at War: BBC Radio 4, 28th August 2001
Reporter and presenter: Jackie Hardgrave.

Preface

The following summary is based upon notes made while listening to the first
broadcast of the programme, together with reference to the web-site (which
does not include a full transcript).  It is as fair a summary of the content
of the programme as I could manage.  However, shorthand is not one of my
many talents, and I cannot claim total accuracy.  I stand to be corrected if
I have misquoted or wrongly attributed a quotation.  I have indicated
uncertain spellings of people's names by (sp?).

I have placed my own comments in brackets: [PM: my comments] and added some
more at the end.

Please see the web site:
http://www.bbc.co.uk/radio4/atoz/heavens_at_war.shtml,
or listen to the repeat broadcast on Sunday 2nd September at 5pm (British
Summer Time).


Introduction

The programme concerned the National Missile Defense system (NMD).  [PM: It
used that name throughout, although the "National" has now been dropped and
it is known as "Missile Defense System" (MDS), I believe.]  This is also
known as "Son of Star Wars" after the nickname for the President Reagan's
earlier Strategic Defense Initiative (SDI).

Main question: Will the technology work or is it doomed to expensive
failure?

The threat to the US is now perceived to be from "rogue states" and no
longer an all-out nuclear strike from Russia.  North Korea, Iran and Iraq
were specifically mentioned.  Also, although China and Russia have
sophisticated systems, an accidental launch is a possible threat.

In 1972 only 9 nation states had the capability to launch an
intercontinental ballistic missile.  This number has vastly increased.
Around 1000 ICBMs were produced last year.  Their range is continually
increasing (e.g., N. Korea has tested a missile with an intercontinental
(IC) third stage).  There is also the possibility that the possession of
intercontinental missiles may be used in diplomatic blackmail to deter the
USA from some course of action.

Michael O'Hanlon, a Senior Fellow in Foreign Policy Studies at The Brookings
Institution (a private institution that studies public policy), gave the
example of Iraq launching a new but limited attack on the Kuwaiti oilfields
in 10 to 20 years time.  If Iraq was by then capable of launching missiles
at the USA, and a new "Desert Storm" was on the way, Saddam Hussein (or
Uday, who might have taken over by then) would see no reason not to "play
for keeps" and threaten to launch an ICBM attack, or actually attack a small
city as a demonstration of what they could do.

President Reagan began the original "Star Wars" -- which failed due to
financial [PM: and technical?] reasons.  Why is "Son of Star Wars" under
way now?  1998 was a pivotal year.  India and Pakistan both tested nuclear
warheads.  The Rumsfeld (sp?) commission reported that a nation could
easily develop the capability to produce nuclear warheads and then
surprise the West by suddenly testing them.  China was suspected of having
obtained the nuclear secrets of the USA by espionage.


The Technical Dimension

There are three phases in which to destroy an ICBM launched against one's
territory:-

1.  On first launch, before the missile has left the atmosphere.  This
provides a very short window of opportunity, but the missile is relatively
easily detectable by the plume of exhaust gases from the boosters or first
stage launch vehicle.

2.  In mid-course, after the missile has left the atmosphere and is
following a ballistic trajectory through space.  This offers the easiest
opportunity, since it is the longest phase.  During this phase the missile
might break up, and release its warheads and "decoys" (see below) to
follow their separate paths.

3.  After reentry into the atmosphere when the missile is minutes away
from its target.  By this stage, the missile will almost certainly have
broken up (if it is going to do so), releasing its lethal payload along
with its decoys.

Three interception tests have been conducted so far.  [PM: I believe these
were mid-course.]  Two failed, and the third (a few weeks ago) succeeded
[PM: but this "success" has been questioned!].

NMD requires long-range interceptor missiles to destroy hostile ICBMs.  The
interceptor releases a "kill vehicle" which homes in on, and collides with,
the incoming ICBM.  No explosives are involved.  The concept has been
described as a "smart rock" or a "bullet to hit a bullet".  [PM: the term
"smart rock" cropped up in the earlier SDI also.]  A total of 250
interceptor missiles with kill vehicles are to be deployed in Alaska and
Florida (?).

Incoming ICBMs will be detected by ground-based radar and by satellite-based
infrared sensors.  Nine new radar systems will sort warheads from decoys.
Satellite-based infrared sensors will assist interception in outer space.
The problem here is that heavy objects (e.g., nuclear warheads) have the
same trajectory as light objects.  The incoming ICBM could therefore deploy
lightweight decoys in large numbers without sacrificing range.  For
example, decoys could be mylar balloons with aluminium coating.  Dozens of
these could be released.

In some cases, it may be necessary to launch several interceptors.

Philip E. Coyle, an advisor to the Center for Defense Information (an
independent Military Research Organisation) and until recently the director
of Operational Test and Evaluation at the Pentagon, with responsibility for
overseeing NMD testing, gave the "hole in one" analogy.  Hitting an incoming
ICBM is like trying to score a hole in one (you only get one shot!) on a golf
course where the hole is moving at 15000 mph.  With decoys, this is like
having a lot of holes with flags to aim at and having to choose the right
one at the same time!  The problem would be very different in a real
situation (unlike the tests conducted so far).  Not all eventualities can be
planned for.

Lisbeth Gronlund, Senior Staff Scientist of the Union of Concerned
Scientists, pointed out that any nation that was capable of missile
production would find the production of balloon decoys a trivial problem.

The tests so far have used decoys, and in the successful test the kill
vehicle did pick the correct target, but this was not a realistic test,
since the "warhead" was different in appearance and temperature to the
decoys [PM: presumably to a degree greater than that which the designers of
a real attacking ICBM could achieve?].

At least one of Coyle and Gronlund suggested that NMD will never be tested
in realistic conditions before being deployed, since it would almost
certainly fail!

O'Hanlon's views partly agreed with this.  NMD cannot be tested in a totally
real situation.  However he believes that it is possible to get close to it,
for example by not telling the "defenders" when the "hostile" missile that
is their target is to be launched and what decoys it will deploy.  He stated
that, although it would be a delusion to assume that 100% success could be
guaranteed, a 95% confidence in an NMD system would be better than no defence
at all.  [PM: See below!]

The Ballistic Missile Defense Organization adopts a more bullish position: a
solution to all of these problems will be found.  One telling quotation
(unattributed) was: "The United States will do what the United States has to
do!"  Anyway, the adversary will take time to prepare and test
counter-measures, and this activity will betray itself to the intelligence
agencies.

However, there is a more serious problem if the ICBM carries a lethal
chemical or biological payload.  Unlike a nuclear warhead, which is an
integrated complex device, the lethal material is just "stuff".  The payload
could divide up into twenty or more bomblets which would be released and
would fan out over the target area.  These would all be identical in
appearance, all real, and all lethal.

Faced with this possibility, the defenders' best tactic is to strike
immediately after launch, while there is only one target.  This requires an
interceptor missile close to the point of launch.  In practice, this means
on board a ship.  President Bush has approved the budget to develop this
capability.  However, neither the ships nor the missiles they will carry
have yet been developed, and they will not be ready for service for many
years.

Tom Colleenor (sp?) pointed out that a strike in the first stage after
launch would allow only a minute or two to decide whether to launch the
interceptor, which means that the decision must be taken by a field
commander.  [PM: This has interesting political and strategic military
implications!]

For a more "Star Wars" approach the team visited Kirtland Air Force Base in
New Mexico to observe developments in a real "ray gun": the use of a laser
beam strike against an ICBM.  Undergoing development is the Airborne Laser
(ABL) on B747 aircraft.  This consists of four lasers, three to track the
missile and one to kill it with a one million watt bolt of energy.  The
attack would proceed as follows: the launch of the hostile ICBM is detected
by infrared sensor detection (IRSD) [PM: on the aircraft or on satellite?].
The aircraft uses its tracking lasers to get the range and bearing and locks
on to the exhaust plume.  It then aims its large laser in the nose of the
aircraft at the plume and tracks up to the nose of the missile and unleashes
its energy.  The effect is not to destroy the missile in a sudden explosion,
but to heat the fuel tanks to the extent that they develop cracks and so to
cause a structural failure.

It will take many years for this to become ready for combat.  In the
meantime, spin-offs in smaller tactical or space-borne lasers might provide
some returns.  [PM: Space-borne lasers were a feature of the original SDI.
These were to be mounted on orbiting robotic "battle stations".  One
proposal (which was the subject of actual nuclear tests) was that the gamma
radiation from a nuclear explosion could be harnessed into a single
collimated beam which would fry everything in its path.  A battle station
carrying such a weapon would obviously be a "one-shot" device!]

Joe Cirincioni (sp?) pointed out that, also in the meantime, the bad guys
could develop a few simple counter-measures such as polishing the
nose-cone to reduce absorption of radiation, spinning the missile (not as
easy as it sounds) to avoid overheating of any one part of the surface, or
insulating it with a coating (such as cork!) to avoid things getting too
hot.

President Bush is apparently willing to spend, spend, spend his way around
these minor technical problems.


The Political Dimension

OK.  So what is there for us to worry about here?  Answer: Lots!  [PM: "Us"
seemed to mean Europeans.  However, most of the worried voices on the
programme were American, which could be good news.]

NMD will breach the 1972 Anti-Ballistic Missile (ABM) treaty by the end of this
year if the Bush administration pursues its present course.  The pro-ABM
argument is that the treaty achieved a stable stalemate between the two
nuclear superpowers during the cold war by preventing either from developing
an effective protection system from behind which to launch a pre-emptive
nuclear strike, and that it still operates to forestall an offensive arms
race.

The opposing view was put by Senator Kyl, who argued that the ABM treaty
was useful only in the cold war when there were only two nuclear superpowers
and that it is no longer relevant.  He went on to argue that the treaty was
not a cause of stability, and that the offensive arms race continued with
the treaty in place.  In fact, it locked the superpowers into a strategy
based on mutually assured destruction (appropriate acronym: MAD): If you
wipe us out, we'll wipe you out, and then we'll all be dead!  This no longer
makes sense, since there is no longer a monolithic enemy on the other side
of an Iron Curtain.  The rules have changed, and we in the US will act in
our interests, not Russia's nor anyone else's.  Russia cannot veto NMD, and
indeed, the only sanction it could threaten is a renewal of an offensive
arms race which it can no longer afford.

President Putin is less than chuffed about this!  There is some hope that
a detente might be reached around a trade-off of NMD and nuclear weapons
reduction, but the USA is currently gung-ho for its impenetrable shield.

O'Hanlon was worried that NMD might jeopardise attempts to work with Russia
to control, stabilise, and (eventually) decommission (or at least reduce)
its nuclear arsenal.  It still holds thousands of nuclear warheads mounted
on ICBMs.  These constitute a hair-trigger weapon which could be aimed at
the West in an instant.  [PM: Russia announced several years ago that its
nuclear missiles were no longer aimed at the West.  Unfortunately, to re-aim
them would take about as long as it takes to download the software.  How
long did your last reboot take?  Another small point is that many of the
weapons are in the territory of (and under the control of?) newly
independent and politically unstable states which are ex-USSR.]

O'Hanlon said that the fact that the ABM treaty is 30 years old does not
make it a "relic".  His mortgage is 30 years old, but is still not a relic,
and the Constitution of the United States is even older, but is still
regarded as a useful document.

He cited an interesting example.  In 1998 a "sounding" rocket launched from
Norway was mistaken for a US attack vehicle by the Russian defences.  They
were minutes from a retaliatory launch when the mistake was discovered.

Ivan Zifrancuk (sp?), a Russian defence expert, was interviewed to give the
Russian point of view.

America's allies are also worried.  Radar bases and communications in the UK
are needed for tracking.  The Menwith Hill installation has been the target
of a Greenpeace protest.  [PM: The compliance of the present British
government is remarkable, given the likelihood that the presence of tracking
stations will make Yorkshire a primary target for America's enemies.  France
and Germany have been more outspoken.]

Phyllis Starkey MP was interviewed and stated that in her opinion NMD was a
destabilising influence, and that the British Government should look to
British interests.

O'Hanlon cited the problem of China (particularly sensitive since the loss
of one of its fighter aircraft in collision with a US spy plane earlier this
year).  The Bush administration has taken pains to reassure the Chinese (as
it has the Russians) that NMD is not an offensive capability aimed at them.

Unfortunately, there is a long-standing dispute over Taiwan, and in the
medium term NMD could be capable of neutralising the effect of Chinese
missiles.  At the last count, China had only 20 missiles capable of reaching
American soil.  Senator Kyl stated that the USA would never tolerate a
military take-over of Taiwan by China, and would come to its defence.  The
existence of NMD would therefore be perceived as a threat by China, and may
provoke an arms race with China.


Conclusion

The old competition between predator and prey, between defence and
offence, between the baron in the castle and the besiegers with their siege
catapult was quoted.  The difference here is that the "castle" in this
new cycle of competition cannot be built without the expenditure of
billions of dollars, whereas the "catapult" (the means of penetrating or
circumventing NMD) is relatively cheap.  So where is the money to come
from?  Step forward the loyal, long-suffering (and notoriously
tight-fisted) US taxpayers!  President Bush has promised to lighten their
burden.  Is NMD consistent with this?

As the programme concluded:  "The world awaits your decision!"


  = = = = = = = = Peter Mellor:  Personal Comments = = = = = = = =
     The Missing Dimension:  Safety, Reliability, and Software

When President Reagan launched the Strategic Defense Initiative (SDI, aka
"Star Wars"), it was intended to provide an absolutely impregnable defence
for the USA against ICBM attack.

It was widely regarded as utterly fantastical in conception, absurdly
expensive to design and construct, impossible to test, and ineffective for
its intended purpose.

An impregnable defence must have a negligible probability of letting one
attacking missile through.  O'Hanlon states that a "95%" confidence is
better than no defence at all.  Where thermonuclear devices are concerned, a
1% failure rate under mass attack means that you might as well not have
bothered.  (I saw a bumper-sticker in California which read: "A single
nuclear device can really spoil your day".  I agree!)  To destroy the USA,
only four devices are required, one at each corner, in the stratosphere,
outside US territory.  The electromagnetic pulse would cause an electrical
potential spike which would zap every non-hardened semiconductor device in
the country.  Eight out of every ten dollars would disappear in an instant.
(Think about it!)  Hitler gave up on the air assault on Britain since he
realised he could not cope with a 10% attrition rate on the raiding forces.
Now we need a 99.9999% (or higher) attrition rate.

The NMD is a cut-down version of SDI.  At least we no longer have to contend
with the spectre of a world patrolled by ever-alert robot battle stations in
orbit armed with thermonuclear devices to deliver collimated gigawatt doses
of energy to anything which ascends above 50,000 feet and rail-guns firing
several thousands of rounds per second of hypersonic projectiles at any
suspect object in orbit.

The NMD proposals are less fantastic, but perhaps the more dangerous for
being slightly more plausible.

What SDI and NMD have in common is that they are both crucially dependent
on software for command and control.

The head of software development for SDI was David L. Parnas.  Once he
became aware that the current software development methods could not yield
the impossibly high reliability required for SDI, he did the decent thing
and resigned.  He did so very publicly and published his reasons for
becoming totally disillusioned with the farcical SDI enterprise in a
brilliant essay in which he stacked up each one of the then popular methods
and showed why it was doomed to fail.  [As I recall, David was merely on a
review panel, not head of development.  PGN]

His resignation and essay probably did as much to scupper SDI as its
ludicrous and exponentially increasing cost.

Now, either we have solved all of the problems with developing
high-integrity real-time embedded software in the few years since SDI was
abandoned (and I don't believe it for a nanosecond), or we are into another
technically infeasible and ultimately farcical project.

I have seen no discussion of NMD in the safety-critical systems list
recently, and no criticism anywhere from the reliability and safety
viewpoint.  (It was not even mentioned in the BBC Radio 4 programme "The
Heavens at War" that I have summarised above.)

The silence is deafening!

Peter Mellor, Centre for Software Reliability, City University,
Northampton Square, London EC1V 0HB
Tel.: +44 (0)20 7040 8422  ) NOTE: Code recently changed from
Fax.: +44 (0)20 7040 8585  )       7477 to 7040
e-mail: Pete Mellor <p.mellor@csr.city.ac.uk>
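The arithmetic behind the 95% versus 99.9999% comparison in the post above, as an added worked example that is not part of Mellor's post or the programme: it treats every interceptor shot as independent with the same single-shot kill probability p (an optimistic assumption, since shared radar, sensors and software correlate failures), fires a salvo of k shots at each of n incoming warheads, reuses the programme's figure of 20 missiles for n, and takes a one-in-a-million leak target as an illustrative choice.

```python
"""
Leak probability for a hit-to-kill defence.

Added worked example, not from the RISKS post.  Model (an assumption, and an
optimistic one): every interceptor shot is independent with the same
single-shot kill probability p, each incoming warhead draws a salvo of k
shots, and the n warheads are engaged independently.  Shared radar, sensor
and software failures would correlate the shots and make real leak rates
worse than these figures.
"""


def warhead_leak_probability(p: float, k: int) -> float:
    """Probability that one warhead survives a salvo of k independent shots."""
    if not 0.0 <= p <= 1.0:
        raise ValueError("single-shot kill probability must lie in [0, 1]")
    if k < 1:
        raise ValueError("salvo size must be at least 1")
    return (1.0 - p) ** k


def attack_leak_probability(p: float, k: int, n: int) -> float:
    """Probability that at least one of n independently engaged warheads
    gets through: the complement of every warhead being killed."""
    if n < 1:
        raise ValueError("attack must contain at least one warhead")
    q = warhead_leak_probability(p, k)
    return 1.0 - (1.0 - q) ** n


def required_shot_probability(target_leak: float, k: int, n: int) -> float:
    """Smallest p such that attack_leak_probability(p, k, n) <= target_leak.

    Inverts the formula above:
        1 - (1 - (1-p)^k)^n <= t   <=>   (1-p)^k <= 1 - (1-t)^(1/n)
    """
    if not 0.0 < target_leak < 1.0 or k < 1 or n < 1:
        raise ValueError("need 0 < target_leak < 1, k >= 1, n >= 1")
    per_warhead = 1.0 - (1.0 - target_leak) ** (1.0 / n)
    return 1.0 - per_warhead ** (1.0 / k)


def worked_table(n: int = 20, target_leak: float = 1e-6) -> dict:
    """Numbers for the scenarios discussed on the page: a "95%" system and a
    one-in-a-million leak target (illustrative), against n warheads
    (20 is the programme's count of Chinese missiles able to reach the USA)."""
    return {
        "leak_95pct_single_shot": attack_leak_probability(0.95, 1, n),
        "leak_95pct_four_shot_salvo": attack_leak_probability(0.95, 4, n),
        "p_needed_single_shot": required_shot_probability(target_leak, 1, n),
        "p_needed_four_shot_salvo": required_shot_probability(target_leak, 4, n),
    }


if __name__ == "__main__":
    # A single-shot 95% system leaks at least one of 20 warheads about 64% of
    # the time; a one-in-a-million leak needs p ~ 0.99999995 single-shot, or
    # about 0.985 per shot with a four-shot salvo.
    for name, value in worked_table().items():
        print(f"{name:30s} {value:.8f}")
```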


SDI chief says system may not be reliable

<"Peter G. Neumann" <neumann@csl.sri.com>>
Wed, 15 Aug 2001 18:31:22 PDT

The head of the Pentagon's missile defense programs said he is not fully
confident in the "basic functionality" of the anti-missile system that
successfully intercepted a mock warhead in space last month.  That is why
the next test of the system, scheduled for October, will be a replay of the
July 14 test, with no additional complexities such as putting more decoys
aboard the target missile, Air Force Lt. Gen. Ronald Kadish, director of the
Ballistic Missile Defense Organization, told a group of reporters.  "It is
still not totally comfortable for me to say that we can make the hit-to-kill
technology work consistently, even in that simple scenario," Kadish said,
adding later, "We still need some more reliability in there."  [Source: AP
item, Missile Defense Chief 'Not Totally Comfortable' With Reliability of
Anti-Missile System, 15 Aug 2001; and then, there are reports of the
GPS-aided homing beacon that aided the tests -- even the two that failed!  PGN]


Federal tax returns missing in Pennsylvania

<"Peter G. Neumann" <neumann@csl.sri.com>>
Wed, 29 Aug 2001 20:00:05 -0700 (PDT)

As many as 40,000 federal tax returns [earlier thought to be only 1800] and
tax payment checks totaling more than $800 million from New England and
upstate New York have been lost or destroyed at a processing center operated
by the Mellon Bank in Pittsburgh for the Internal Revenue Service.  One
source was quoted as saying, "The system was flawed.  It gave them incentive
to stick the payments in a drawer.  It was almost cost-effective for Mellon
to do that. There was no reward for timely processing."  (A somewhat similar
case at the IRS Philadelphia center in the mid-1980s was also noted.)
[Source: Albert B. Crenshaw, *The Washington Post*, 30 Aug 2001; Page E01]


Hotmail hackable with one line of code

<"NewsScan" <newsscan@newsscan.com>>
Fri, 31 Aug 2001 10:35:17 -0700

Security consultant Jeremiah Grossman was able to break through Microsoft's
Hotmail and Passport protection schemes with just one line of code.
Microsoft has patched the code, but Grossman says he could do it again in 8
hours of work.  His hacking experiment used a "cross-site scripting"
technique that attaches invasive code onto programs used to make Web pages
more interactive.  Grossman calls them "a breeding ground for new types of
Web security vulnerabilities," and Shawn Hernan of the Computer Emergency
Response Team at Carnegie Mellon University says that "it's easy to dream up
very, very bad scenarios."
  [*USA Today*, 31 Aug 2001; NewsScan Daily, 31 August 2001
  http://www.usatoday.com/life/cyber/tech/2001-08-31-hotmail-security.htm]


Even dead people use Microsoft software

<"Jeremy Epstein" <jepstein@webmethods.com>>
Fri, 24 Aug 2001 10:19:27 -0400

Computerworld reports that a Microsoft letter-writing campaign opposing the
anti-trust actions used the names of dead people.  The Utah Attorney
General, who received the letters, was not amused.  Other Attorneys General
received duplicate letters with similar problems.  MSFT says they didn't do
it, but pointed to "Citizens Against Government Waste", which is leading
the effort.
  (http://www.computerworld.com/storyba/0,4125,NAV47_STO63256,00.html)

The risk is that any sufficiently automated letter writing system is going
to eventually screw up and get caught.  Dead people don't handwrite letters.


More interesting MS certificates

<Stuart Prescott <s.prescott@ysa.org.au>>
Fri, 24 Aug 2001 10:32:53 +1000

I noticed today that the Microsoft WindowsUpdate site was offering a Service
Pack 2 for Internet Explorer, and since a number of our machines here use
IE5.5 I decided to have a look at what "functionality" it offered.  As with
all downloads from WindowsUpdate, they are cryptographically signed;
however, this time some of the components were signed by "IE Beta Division",
with a certificate authority of "IE Beta Division"... i.e. (PGN: pardon the
pun) the certificates are not trustworthy.

The RISKS? Naturally, there are issues here in verifying that these updates
are actually from Microsoft. Then there are the RISKS of users saying "No"
to installing the badly signed bits and possibly ending up with a (more)
broken IE installation. Or there is the RISK of users becoming used to
dismissing error messages....

I didn't realise that MS and IE could become even scarier with time...


Directory service based on car license plate

<Ulf Lindqvist <ulf@sdl.sri.com>>
Mon, 27 Aug 2001 09:38:03 -0700 (PDT)

From Swedish newspaper *Aftonbladet* Aug 27, 2001,
http://www.aftonbladet.se/vss/nyheter/story/0,2789,84644,00.html

In Sweden, a new type of directory service will soon be introduced by the
company Ahhaaa [yes, that actually seems to be their name, see
http://www.ahhaaa.com/ ]. You will be able to call this service 24-7, give
the license plate number of a car, and they will immediately tell you the
name, address and phone number of the person registered as owner of that
car. If the owner is a business, they will also tell you the number of
employees and annual revenue.

The article states a number of "benefits", such as calling the driver who
just cut you off to complain, locating parking violators or notifying an owner
whose car has been broken into. Last but not least, the article suggests
that if you find another driver attractive, this service would make it
easier to make contact.

It does not take a criminal mastermind to see ample opportunities for abuse
- road rage, stalking, fraud etc. One could argue that this information has
always been available to the public in Sweden, albeit from different sources
(see http://justitie.regeringen.se/pressinfo/pdf/publicaccess.pdf for an
explanation of the Swedish Principle of Public Access to
Information). However, with modern technology, deregulation of
telecommunication services, and the ubiquitousness of mobile phones, the
information is instantly available and therefore the opportunities to act on
impulse are much greater.

Ulf Lindqvist, System Design Lab, SRI International, 333 Ravenswood Ave,
Menlo Park CA 94025-3493, USA +1 650 859-2351 http://www.sdl.sri.com/


Re: Air Force office mails confidential information ...

<"Jay D. Dyson" <jdyson@treachery.net>>
Sat, 25 Aug 2001 19:30:05 -0700 (PDT)

Jim Griffith (RISKS-21.62) noted an Air Force Academy officer accidentally
sent confidential information about some 40 cadets to all 4400 cadets at the
school.

This incident sounds suspiciously like a Sircam worm infection of the
officer's system.  First off, I doubt that e-mail is typically utilized to
send out such reports since such confidential information should never be
sent in the clear.  Secondly, how else can the Air Force explain the means
by which the mail was so readily disseminated?

I don't believe we're being told the whole story here.  And I believe an
officer is being let off the hook when he should be nailed for actions that
are tantamount to criminal negligence.
