Previous IssueIndexNext IssueInfoSearchingSubmit ArticleFTPDo not even think about clicking on this button

The Risks Digest

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

 

Volume 16: Issue 3

Thursday 5 May 1994

Contents

o Spelling correction
Phil Agre
o Sigh -- security through obscurity is NOT security
Alan Wexelblat
o Bellcore cracks 129-digit RSA encryption code
Steven Tepper
o Risk of Non-Computerization?
Klaus Brunnstein
o Computers Blamed For FAA Woes
Mark Thorson
o Brief note re DIA fiasco
Paul Green
o Followup on credit card policies (re: "Streetwise Guide ...")
Rob Slade
o ABC Nightline re LaMacchia
Mich Kabay
o Risks of electronic door locks for automobiles
Paul Wallich
o Info on RISKS (comp.risks)
---------------------------------------------

spelling correction

Phil Agre Tue, 3 May 1994 15:10:22 -0700 
We've had plenty of notes about spelling correctors, but I find this one
particularly interesting.  The otherwise excellent April 1994 issue of Z
Magazine contained a particularly horrible editing error in an article by Sara
Diamond about the "American Center for Law and Justice" (ACLJ).  The ACLJ was
created by conservative Christians in order to oppose the American Civil
Liberties Union (ACLU) in court cases over issues like school prayer.
Everyone has assumed that the similarity of acronyms is deliberate; ACLJ seems
part of a fairly systematic conservative strategy of positioning
public-interest groups as "liberal" by creating conservative mirror images of
them.  Well, as the Z editors explained in their May issue, their spelling
correction program included ACLU but not ACLJ, with the result that every
instance of "ACLJ" in Diamond's article got changed to "ACLU" except, somehow,
for the very first one, which occurred (much as it does above) in parentheses
after the first mention of "American Center for Law and Justice".  Apparently
there was an uproar, with some Z readers calling up the ACLU to ask why it had
suddenly reversed its positions.  The risk is subtle: in politics, things are
often designed to outwardly resemble their opposites, or to invite confusion
or sharply defined contrast (or both) with their opposites.  As a result, it
becomes impossible to define "close enough" in (for example) a spelling
corrector without a great deal of specific background knowledge.

Phil Agre, UCSD
---------------------------------------------

Sigh -- security through obscurity is NOT security

"Alan (Miburi-san) Wexelblat" Tue, 3 May 94 17:26:46 -0400 
Peter Ladkin introduces his post with the polite phrase:

>  a vandal exploiting a not-unknown security hole

or, in American English:

Some lazy person at the target site failed to plug a known hole, probably
reasoning along the lines of "Oh, no one will know about this hole so I
don't have to deal with it."

There is no excuse for vandalism, including failure by sysops to plug known
holes.  However, if I was a user at that site I'd be more pissed at the
person who failed to prevent the vandalism when such prevention was
possible.

--Alan Wexelblat, Reality Hacker, Author, and Cyberspace Bard, Media Lab -
Advanced Human Interface Group  wex@media.mit.edu 617-258-9168
---------------------------------------------

Bellcore cracks 129-digit RSA encryption code

Steven Tepper Tue, 3 May 94 18:46:36 PDT 
      [Old news to some of us.  Oddly no one reported it to RISKS until now,
      and I did not get around to entering anything on it.  PGN]

Excerpts from an article on page 14 of the May 2 issue of Network World:

   A team led led by Bell Communications Research last week announced
   it has cracked a 129-digit encryption code, which scientists had
   predicted would take "40 quadrillion years" to break.  ...

   Breaking the RSA-129 public key required that the team find the two
   prime numbers that, when multiplied by each other, resulted in the
   129-digit key number.  ...

   This mathematically arduous task was accomplished in eight months by
   600 volunteers in 24 countries who used their organizations' spare
   computing capacity.  ...
---------------------------------------------

Risk of Non-Computerization?

Klaus Brunnstein Wed, 4 May 1994 11:16:34 +0200 
In a TV report (magazine FRONTAL, 2nd German TV channel ZDF, Tuesday May 3,
1994), recent motorsport accidents (3rd World Championship, formula 1 racing
cars, Imola/San Marino) were discussed and analysed by experts (e.g. former
World champion Niki Lauda/Austria). Besides general questions about
deficiencies in safety and protective measures, the question was discussed
whether the recent decision to forbid the computerized ground distance control
may have contributed to the strange behaviour of both racing cars which after
a curve went straight into a concrete wall, without visible signs of steering.
In both cases (Austrian driver Hackenberger, in training for his 2nd race, and
Brasilian driver Ayrton Senna, 3-times world champion), the cars crashed at
almost 300 kilometers per hour, with both drivers dying upon impact.

Until end-of-1993, formula 1 racing cars were equipped with a computerized
control system aimed at maintaining a fixed but very small distance between
the car's bottom and the track's surface, to allow for maximum contact and
therefore maximum transfer of power on the wheels. Following arguments that a
defect in the computer system may lead to serious crashes, the international
authority for this sport forbidded this computer system from 1994. This
decision may now have caused the problem on the very high speed track of
Imola, where the cars reach maximum velocities over 300 km/h. According to the
discussion quoted, the hydraulic steering support may be affected when the
car's bottom contacts, at high speed, an uneven part of the track; in such a
situation, the driver would no longer be able to steer the car and may even
loose the ability to brake. Evidently, the decision to forbid the computer
system was neither accompanied by an adequate risk analysis not were any
additional measures taken to diminish the risks e.g. by reducing the car's
speed or by enlarging the minimum distance between car's bottom and track
ground. Only now, discussions take place to reduce the speed in certain parts
of the track.

Klaus Brunnstein (May 4, 1994)
---------------------------------------------

Computers Blamed For FAA Woes

Wed, 4 May 94 01:06:17 PDT 
This morning (3 May 1994), Transportation Secretary Federico Pena appeared on
at least one morning TV show in addition the _MacNeil-Lehrer_ show to inform
the public about the shocking state of the nation's air-traffic control
technology.  On both appearances that I saw, Pena said that the FAA needed to
be a private corporation so it could acquire technology more quickly, outside
of federal regulations.

He used as an example the humble vacuum tube.  He said that the FAA is the
world's largest buyer of vacuum tubes.  That I can believe.  But then by way
of comparison, he held up a vacuum tube and a computer chip.  The tube was a
big one, about the size of a #30, which is much bigger than the tubes used on
any tube computer like ENIAC, whose tubes were about the size of a 5U4.  He
compared it against a computer chip (something packaged like an Intel 486),
and claimed the latter could replace 3.5 million vacuum tubes!

Apparently, Secretary Pena either: a) believes the FAA is running enormous,
obsolete vacuum tube computers containing millions of tubes, or b) doesn't
mind telling bald-faced lies to the American public to get support for his
objectives.  I'm not sure which is worse.

Mark Thorson (mmm@cup.portal.com)
---------------------------------------------

Brief note re DIA fiasco

Paul Green Wed, 4 May 1994 21:14:59 GMT 
As someone who has been involved in fixing a number of terrible situations
involving computers, and as someone who has not been involved in the DIA
fiasco, other than as a fascinated observer, I'm sure that when the book is
written on this, we'll find that there is ample blame for all of the parties
involved in the project.  Small groups of people make small messes.  To get a
really large mess, you need a large group of people working for many
organizations.  Anyone, or any reporter, claiming to know the source of the
problems as this stage, is either quite naive or has an axe to grind.

I think Bear Giles misses the point (in RISKS 16.01) about simple software
errors leading to massive, unintended consequences.  The issue is not (just)
syntax checkers. Sure, we've got 'em...So what?  The issue is that in a
mechanical or analog system a small error in the input or operation
generally leads to a small **and traceable** error in the output.  But in a
digital system, especially a software-based digital system that can experience
memory or data corruption, a small error in the input or operation can have
huge **and virtually untraceable** errors in the output.  I seem to recall
that it was indeed a small error that brought down the AT&T long-distance
switching system. I have to agree with the writer on this one.

Finally, judging by the number of bar-coded labels that I have to rip off my
luggage, many airports must use bar-code readers. I have to believe that this
piece of airport technology is reasonably mature.  Finally, common sense says
it has got to be more reliable to bar-code the luggage than the carts.

Paul Green, Sr. Technical Consultant, Stratus Computer, Inc., Marlboro, MA
01752    Paul_Green@vos.stratus.com, PaulGreen@aol.com    (508) 460-2557
---------------------------------------------

<"Rob Slade, Ed. DECrypt & ComNet, VARUG rep, 604-984-4067">
Thu, 05 May 1994 15:21:10 -0600 (MDT) 
Subject: Followup on credit card policies (re: "Streetwise Guide ...")

PGN asked me to summarise the responses to my comments in the review of "The
Streetwise Guide to PCs" by Jerome/Taylor.  I had suspected that it might be a
bit controversial, but I was surprised that the only substantive comments I
received were in regard to the difference between Canadian and American law
regarding credit card purchases.  The most apposite information was from Bear
Giles 
---------------------------------------------

ABC Nightline re LaMacchia


"Mich Kabay [NCSA]" <75300.3232@CompuServe.COM>

04 May 94 06:20:39 EDT

On 02 May 1994, ABC News _Nightline_ aired a program entitled, "Law and Order
on the Information Superhighway_, which focused on the case of David
LaMacchia, an MIT student accused of wire fraud for allegedly having run a BBS
which permitted traffic in stolen software.

The host was Chris Wallace, substituting for Ted Koppel.

I ordered a transcript of the program from Journal Graphics, Inc. / 1535 Grant
Street / Denver, CO 80203 / phone 303-831-9000 / fax 303-831-8901.

The transcript is copyright (c) 1994 American Broadcasting Companies, Inc. and
therefore I can provide only an abstract.

   [I received the entire abstract from Mich, who also provided me with an
   annotated version, which is included here.  My apologies if I omitted
   anything necessary for understanding.  However, because Mich included
   chunks of the abstract before each of his annotations, I could not run
   both the full abstract and the annotated version.  PGN]

U.S. Attorney Donald Stern accuses David LaMacchia of having tolerated the
exchange of stolen software worth more than $1 million.  Prof. Laurence Tribe
of Harvard University Law School questions the implications of such an
accusation; he argues that LaMacchia's BBS should be accorded the legal status
of a common carrier, thus exculpating the owner of crimes committed through
his communications channel.

Analysis of the Nightline program about David LaMacchia and the software
exchange BBS:

[set flame = on]

<
---------------------------------------------

Risks of electronic door locks for automobiles


Paul Wallich 
Wed, 4 May 1994 21:56:20 -0400 (EDT)

The underlying risk of electronic car door locks is that the state of the
lock depends on what a microprocessor believes rather than whether
someone has turned a key or pushed a latch button. In addition to the
obvious failure modes (do you need a working battery to unlock the car?)
the manufacturer can also program in more complex lock behavior. Drivers
and passengers may find out the full range of lock states only when
bitten by a previously unknown "feature".

For example, last week I drove a two-door Chevy Cavalier that unlocks both
doors when the ignition is turned off. Makes it harder to lock keys in the
car, but could also pose a risk of theft if you don't notice.  Compared to the
Buick Century I was driving for a few days prior to that (and you'll
understand why shortly), the Cavalier's behavior is positively benign.

During a sudden spring blizzard at 2,500 meters in Northwest New Mexico, I
discovered the Buick's quirk. I went onto the shoulder to avoid a pickup and
trailer that had decided to stop in the middle of the road during a brief
zero-visibility whiteout, and found myself stuck in a newly-minted snowbank.
So I turned on the hazard flashers and went to see how hard it would be to dig
out. Since I had left the engine running, the doors locked automatically
behind me (I later verified that this is a "well-known" behavior to the rental
agents in Albuquerque). The risks of standing outside a locked car in driving
snow on a lightly-traveled mountain road (wearing clothing more suitable for
low-altitude desert) should be obvious. Without the timely passage of two
other tourists (bound from a monastery near Abiquiu to a commune at Taos) this
posting might not have been possible.

I was somewhat taken aback to note that it took the tow-truck operator less
than a minute to unlock the car, equipped only with a small pry bar and a bent
steel rod. So the electronic locking mechanism does not seem to add security.

During the mechanical era, auto manufacturers figured out various way to make
it difficult or impossible to lock your keys in a car; it's not a good sign
that they seem to be relearning those lessons from scratch.




---------------------------------------------

Previous IssueIndexNext IssueInfoSearchingSubmit ArticleFTPDo not even think about clicking on this button


Report problems with the web pages to the maintainer