The Risks Digest

The RISKS Digest

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Volume 8 Issue 28

Sunday 19 February 1989


o Continuing problems with WWMCCS command-and-control network
Jon Jacky
o US missile-warning radar endangers friendly aircraft
Jon Jacky
o Power failure problems
John Sinteur
o The Risks of Going on Vacation
Jim Carson
o Re: Faking Internet mail
Peter Scott
o Multi-gigabuck value of information theft denied
Mark Brader
o Re: multi-gigabuck information "theft"
David Chase
o Re: Authenticity in digital media
Doug Krause
o Digital doctoring of images
Richard Wiggins
o PIN? Who needs a PIN?
Bill Mahoney
o Info on RISKS (comp.risks)

Continuing problems with WWMCCS command-and-control network

Jon Jacky <>
17 Feb 1989 09:25:29 EST
The following excerpts are from GOVERNMENT COMPUTER NEWS Feb. 6, 1989 p.1:


Officials in the Office of the Secretary of Defense (OSD) planned to meet
late last week to consider transferring responsibility for procuring an
upgraded Worldwide Military Command and Control System (WWMCCS) from the
Air Force to the Defense Communications Agency. ...

Glenwood Stevener, director of DCA's Joint Data System Support Center, said
the Air Force's WWMCCS Information System (WIS) program was a victim of
a vicious circle of schedule slippage and budget cuts.  `` These things
feed on each other,'' he said.

WWMCCS began in the late 1970's as an effort to provide the president, the
Defense secretary, the Joint Chiefs of Staff and other military authorities
with information to help them make wartime decisions.

When a study later that decade showed the system was too slow and limited,
officials launched the WIS upgrade project.

The Air Force has suffered several setbacks since being selected in 1982
to manage WIS.  In July 1987, the WIS program office announced the system
would be delayed about a year due to funding cuts and system development

A year ago the General Accounting Office reported that program officials
had not adequately defined system requirements and security measures.
Subsequent funding problems delayed the project by another 12 months to
15 months.

Air Force officials who requested anonymity said OSD officials recently
set up a task force to propose alternative methods to upgrade WWMCCS in
light of WIS program difficulties. ...

DCA would take more of an ``evolutionary'' approach to the upgrade than
the Air Force did, Stevener said.  He said the Air Force has been attempting
to field a turnkey system to fulfill a broad range of WWMCCS requirements.
The DCA plan would focus on a fielding a partial system at first and
incrementally adding capabilities to it, he said.

In addition, Stevener said DCA would probably change the name of the program
to differentiate it from WIS.

- Jonathan Jacky, University of Washington

US missile-warning radar endangers friendly aircraft

Jon Jacky <>
Fri, 17 Feb 89 10:07:17 PST
These are excerpts from THE NEW YORK TIMES, Feb 12, 1989, p. 14:

COULD TRIGGER A BLAST  (no author given)

WASHINGTON, Feb. 11 (AP) - For 14 months operators of a huge radar 
installation in central Georgia that is part of the United States' defense 
warning system have had to turn off the system while military aircraft 
landed at a nearby base.

The interruptions are to avoid accidental detonations of tiny explosive 
charges found in virtually every military weapons system and in the planes 
and ships that deliver them.

The charges are used, among other things, to trigger weapons, drop bombs or
jettison fuel tanks.  They are normally fired by an electrical circuit,
bu they can also be set off by high levels of electromagnetic energy from
such sources as radio waves, static electricity, lightning or radar.

As a result, the powerful radar center has to be turned off periodically so
planes can land safely at Robins Air Force Base, two miles to the north.

That precaution is not enough, local critics contend.  They fear a major 
accident at the air base and have sued to force safety improvements.


The $90 million radar complex, on of four of its type in the United States,
would provide instant warning of a submarine-launched missile off the south-
east coast [ The story does not say so, but I believe this must be one
of the PAVE PAWS phased-array radar intallations - JJ ].

Th Air Force says the unit's time out of service caused by landing planes
totals about an hour a month.  Ther interruptions have not hindered the
early warning system, the Air Force says, because they are random and other
radars are available as backups.  Routine maintenance of the system turns the 
radar off for about 40 hours a month, an official said.

The 10-story, pyramid shaped installation consists of thousands of antennas
that can scan 240 degrees for 3,000 miles and can reportedly identify an 
object the size of a basketball 1,500 miles away.


(Robins Air Force Base) is Georgia's largest and is near the city of Warner-
Robins, which has a population of 40,000. ... Critics have filed a lawsuit
in Federal Court in Washington.  

Patricia Axelrod, coordinator of one of the groups that has joined in the 
suit ... argues that flight restrictions force pilots into`` a trapeze
act without a net'' because of the possibility of an error in the
communication required to turn off the radar. 

Senator Sam Nunn, the Georgia Democrat who is chairman of the Senate Armed
Services Committee, has also criticized the restrictions because of their
reliance ``on the potentially fallible human links'' required to turn the 
system off.


The Air Force has already spent $600,000 for a study by the Raytheon
Corporation, which built the radar system.  The study recommended moving it,
at a cost of $37.7 million, or modifying it, at a cost of $27 million, so it
would turn off automatically if a plane breached the restricted zone.

Lieut. Gen. Donald J. Kutyna, who heads the Air Force Space Command that has
jurisdiction over the unit, said moving it is not reasonable but modification
remains under consideration.  A decision is to be made in June.

[I find several things interesting about this story, apart from the overall
irony of the situation.  First, it is another illustration of the tendency
noted by Paul Bracken and others for modern military C3I systems to become 
ever-more tightly-coupled and interdependent in ways unforseen by their
designers.  Second, Nunn and others' assumption that some kind of automated 
system would necessarily be more reliable than the present arrangement.

- Jon Jacky, University of Washington ]

Power failure problems

Sun, 19 Feb 89 13:38 N
I ran into something curious when I visited my previous employer yesterday.
They moved to a brand new building recently, and took the opportunity to
increase access-security. They installed magnetic card readers on all doors
(including the computer-room doors), keeping physical access to the office
space and the computer room under control in a better way.

They thought.

A few days after the move, the power went down. The UPS cut in, and kept the
computer systems on juice. The operators have got 15 minutes to manually turn
off the computer systems (after software shutdown procedures of course) before
the batteries are out as well.  Unfortunately, the card readers were out,
making it very difficult indeed to enter the computer room...

No need to say that they modified the system a bit...

It's small things like this that are difficult to anticipate, but
are sooooo important...
                                        -John Sinteur

Whatever I say is not to be taken as a statement of the Dutch Army
(my current employer) or my previous employer who shall remain nameless here.

The Risks of Going on Vacation

Jim Carson <>
Sun, 19 Feb 89 12:06:31 CST
I was going to be out of town and wanted to use "vacation."  For 
those who aren't familiar with it, vacation is a program from
4.[23]BSD that sends a form letter back to anyone who sends you 
mail.  This is useful because you can let people know when you 
will return and give them other ways to contact you in an emergency.

Vacation has provisions so you don't send mail to MAILER-DAEMON, Postmaster, or
a *-Request@*, since these senders are usually automated and you could risk
getting into a mail-loop if you sent form-letters back.

Now consider what would happen if you subscribed to an automated discussion
group that sends mail without any of these lines in the header.  This was the
case with Sun-Spots, the Sun discussion group moderated by Bill LeFebvre at
Rice.  The header:

> From Sun Feb 19 09:42:43 1989
> Reply-To:
> Sender: Sun Spots Discussion <>

The discussion group was set up so when Bill is done compiling an issue, he
sends it to a mail alias containing a list of everyone who subscribes to
Sun-Spots.  When I got a copy of the issue, vacation sent a reply.  However,
since the reply goes to everyone who subscribes to the group, including myself,
a reply to the reply was sent, and so on.

About forty messages were sent before I logged in this morning to check for any
last minute mail.  One of the other subcribers sent me mail because he thought
we had a mail virus.  [...]

Re: Faking Internet mail [Re: RISKS-8.27]

Peter Scott <PJS@grouch.JPL.NASA.GOV>
Fri, 17 Feb 89 10:07:19 PDT
It is incredibly easy to fake mail.  Read RFC 821, which although it is 50
pages long, details on page 4 everything you need to know. The server on the
first remote machine (that which comes after "@") expects to see commands of
the form:
    HELO    (optional)
    MAIL From: <reverse-path>
    RCPT To: <forward-path>

Multi-gigabuck value of information theft denied

Mark Brader <>
Fri, 17 Feb 89 12:07:19 EST
A few days ago I summarized for RISKS an article that had appeared in
the Toronto Star on February 8 about a case of "theft" of information. [...]

Two days later, however, significantly different facts were reported.
(This submission to Risks was delayed because I intended to email to
Mike Tilson to ask if he wanted to write something himself.)

Information here is from the (Toronto) Globe & Mail.  The article is
headlined "Computer information theft detected by security system,
company says".  And it begins as follows:

#  The theft of information from a company's computer program [sic]
#  was detected by the firm's own computer security system.
#  Mike Tillson [sic], president of HCR Corp., which specializes in
#  developing computer software, said yesterday an unusual pattern
#  of computer access was noticed on the company's system last week.

The article continues by saying that police reports valuing the "program" at $4
billion (Canadian) were called grossly exaggerated by Tilson:  "It's more in
the tens of thousands of dollars range".  He also said that the illegal access
had been only a week before; there was no 2-month investigation.  And asked
about resale of the information , he said:  "It's not clear how one would
profit from it.  There are any number of purposes one could imagine to idle
curiosity.  There is a possibility of no criminal intent."

The information not being HCR customer data, and Tilson declining to identify
it, the article goes on to mention UNIX, to mumble about AT&T intellectual
property, and to note that AT&T is not in the investigation "at this stage".

Mark Brader             "Every new technology carries with it
SoftQuad Inc., Toronto           an opportunity to invent a new crime"
utzoo!sq!msb,                — Laurence A. Urgenson

Re: multi-gigabuck information "theft"

David Chase <>
Thu, 16 Feb 89 12:11:44 -0800
In RISKS 8.26, Jeff Makey says:

> The "computer files" are nothing more than the source
> code for AT&T's UNIX operating system ... few thousand dollars --
> a far cry from $4 billion.  I suspect that AT&T's lawyers are at
> the root of this sensationalism.

I think in this case the lawyers are doing their job, and it might not be
sensationalism.  I believe (word of mouth from UNIX-related legal mess that
some friends were in long ago) that the UNIX operating system is protected by
trade secret law, and (according to my copy of _Legal Care for Your Software_)
a corollary of this is that you must diligently maintain the "secret"
(licensed, confidential) status of that software, or all your legal protection
is gone.  If the lawyers don't behave like rabid piranhas, then perhaps they
aren't being diligent, and if they aren't diligent and lose trade secret
protection, then the loss to AT&T could well total billions.

And, of course, since we're talking about product protection, "UNIX" is a
trademark of AT&T.

David Chase

Re: Authenticity in digital media [RISKS-8.26]

Doug Krause <dkrause@ORION.CF.UCI.EDU>
17 Feb 89 11:39:37 GMT
"ALBTSB::SCHILLING1" <> writes:
>Seeing hasn't been believing for a long time.  Remember Fred Astaire dancing on
>the ceiling in the movie "Singing in the Rain"?

Gene Kelly was in "Singing in the Rain".  Fred Astaire's ceiling dance
was in "Royal Wedding".

Douglas Krause, University of California, Irvine   

                        [Also noted by (Chris Brown).]

Digital doctoring of images (re Steve Philipson, RISKS-8.25)

Thu, 16 Feb 89 09:33:00 EST
Steve Philipson points out the risks of new technologies to digitally alter
video images and audio recordings.  An article in The Whole Earth Review about
three years ago discussed the digital doctoring of photographic (still) images;
that technology is quite mature already.  The article pointed out that the
major news publishers such as Time own digital processing devices that put the
best airbrush artist to shame.  It is quite easy to merge unrelated images,
superimposing a person in a scene he never visited, and to cover all the seams.
It is also easy to remove unwanted objects and blend in the background to cover.

The claim in this article was that photographic images were no longer
worthwhile as evidence of anything.  I suspect that is a bit strong; the
testimony of a photographer that her record is honest would probably hold
water.  (After all, the notes of a police officer can be altered, but are
admissable when read as part of testimony.)  Also, few currently have direct
access to this technology.

But the risks are real.

PIN? Who needs a PIN? (Alan Wexelblat, RISKS-8.26)

Sat, 18 Feb 89 01:10:44 -0500
Like most ATMs, the Diebolds (there are several models) are programmable from
the host computer. This can include modes where the pin is read and encrypted
(DES) before sending, or where the PIN is read and sent in the clear, or where
the pin is not even read. It would seem a little strange to run the ATM in the
last mode, but I have seen a system in the UK where the PIN is transmitted over
a bisync line with no encryption whatsoever. In any case, the menus, the "fast
$xx" amount, the order of operations when processing a user transaction, etc.
are all remotely programmable. It could be that the ATM you were at had been
incorrectly programmed, but generally there is one file in the host that
contains the ATM information, and this is just sent down over the wire to all
of them.  Your name was probably encoded on track 1 or 3 of the card.

                    [That does open up some significant vulnerabilities.  PGN]

On a related note, I noticed quite a risk using credit cards.  We are currently
implementing a credit card (CC) authorization system for retail stores, and the
handy way to test it seemed to be to run my own card through the magnetic
reader. Now, a CC has a "track two" where the account information is encoded.
After the account information, there is a special character that serves as a
field sep, and then "issuing bank discretionary data" follows. In this field
the first four are usually the expiration date on the card.  In the case of
Commercial Federal here in Omaha, my checking account is there, AND it is the
issuing bank for my CC.  Imagine my suprise when testing the card reader with
my CC. The CC account is there, so is the expiration date, followed immediately
by MY CHECKING ACCOUNT NUMBER at Commercial Federal! So apparently my bank
account number is going over the wire every time I buy something with my Visa...

Bill Mahoney

Please report problems with the web pages to the maintainer