Search RISKS

The RISKS Digest

Volume 15 Issue 43

Saturday, 5th February 1994

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Please try the URL privacy information features enabled by clicking the flashlight icon above. They are described in the news page. Please let the website maintainer know if you find this useful or not. As a RISKS reader, you will probably not be surprised by what is revealed…

Contents

Where has your Floating Point floated to?

Dave Wortman <dw@pdp1.sys.toronto.edu>

For those of you who think floating point computation is easy, I recommend as an antidote: Jean-Francois Colonna, The Subjectivity of Computers Communications of the ACM, v.36,n.8, August 1993 where he demonstrates the five **algebraically equivalent** formulae for computing x[n] = (R+1)x[n-1] - Rx[n-1]**2 produce wildly different results even for fairly innocuous values of R and x[0].

Canadian TeleSat Anik E-2 Down (A.Wexelblat, RISKS-15.41)

Colin Perkel <colin.perkel@guildnet.org>

The trouble began with Telesat's Anik E-1 going down. This caused major problems for the Canadian Press news agency and its affiliate Broadcast News, as well as several other organizations. One casualty was telephone service to the North. After eight hours, Anik E-1 was brought back on line but within minutes, Anik E-2, the country's main broadcast satellite, also went on the fritz. This knocked out TV transmission of several specialty channels, including CBC Newsworld (24 hour news service), to all areas where there are no fibre optics. These channels were switched to other satellites and most services were restored in a couple of days. Anik E-2 cost about $350 million to send up, and is not insured. Montreal-based Telesat says it is working on a possible rescue plan that could take months. For the time being, the satellite is expensive space junk. The coincidence of the two failures sparked all kinds of speculation: that either someone at Telesat screwed up big time, or a disgruntled grunt (perhaps from sweeping layoffs recently) sabotaged the bird. There was also a suggestion Telesat engineers damaged E-2 while trying to get E-1 back in business. These scenarios have all been denied. The official line is that an unusually strong magnetic storm did the damage (although other satellites nearby were not affected).

Re: Canada loses satellite-- more info (A.Wexelblat, RISKS-15.41)

luis fernandes <elf@ee.ryerson.ca>

The Toronto Star, January 27, 1994, p.D2. OTTAWA (Special [Southam News]) — Canada's main broadcast satellite may resume operating within three months, the president of Telesat Canada says. ``It is my firm belief we will restore service", Larry Boisvert told reporters Tuesday at the company's suburban Ottawa headquarters. Technicians are trying to use the satellite's 10 thrusters, normally used only to control major variations in position, to restore the fine aim needed to offer full service. As of yesterday morning, Telesat had restored all service lost last week except for channels used by two broadcast channels and eight channels usd by Telesat's telephone company owners. The company is also unable to offer television news services live feeds for mobile crews. The current troubles mean the company will again lose money in 1994, Boisvert said. Meanwhile, Telesat technicians say there is no way to repair the damage inflicted last Thursday on the $286 million satellite's stabilization system by a space energy storm. The technicians are, however, trying to devise a novel method of keeping the Anik E-2's antennae pointed at earth, working with the device's U.S.-based subcontractor. The damaged satellite is not insured. [Further reports were also noted by John Oram <oramy92@halcyon.com> Jonathan_Welch <JHWELCH@ecs.umass.edu>, herdman@gov.on.ca (Andrew P. Herdman), and erling@wm.estec.esa.nl (Erling Kristiansen). Sorry I could not run them all... PGN]

Re: Lightning on the Ethernet (Eddy, RISKS-15.41)

Jon Peatfield <J.S.Peatfield@amtp.cam.ac.uk>

This isn't the story as it usually is told. ;-) True the two maths departments (applied maths and theoretical physics (DAMTP) and pure maths and mathematical statistics (DPMMS)) are next door to each other, and that DAMTP was involved in this, but DPMMS wasn't (to the best of my knowledge.) Nice rumour though, blame the pure maths dept. When I joined DAMTP in September '91 it was the week following the largest thunderstorm in several years. Sure enough many machines had got fried by the storm. Mainly it was serial lines which had died, though a few other bits and pieces had also been zapped. We did however see a large number of giant packet storms on one of our first floor segments afterwards. A number of people were involved in the tracking down of the fault, as it didn't seem to be any of the machines on the network. After a while the link going outside and over into manufacturing Engineering (Eng-Div E), was found and it turned out that the fault was a PC at the far end of this wire which had lost all sense and was filling the net with garbage. The network was terminated before the window in DAMTP and we were happy. Later checks showed that this had been installed temporarily (several years before) as building work was expected to disrupt the area where fibre links were laid but had never actually happened. We had the now much shorter segment on the first floor TDR'd and found it was over a 100M over max length. How long it was when it ran half way round Eng-Div E is unknown. Much later when searching for a fault on the ground floor we found another cable going out of a window, and cut it back/terminated it. Noone complained so we don't know where it had gone in the past. Before anyone points out just how bad our network is, let me say "WE KNOW" The ethernet in this building was installed by someone who didn't know what they were doing. They worked for the UCS and we can't get funds to replace it. We had no records of where cables go, nor their lengths. As time passes we are replacing/rewiring sections piecemeal. As I stare at the 2 30M coils of coax on the wall behind my desk which stop my feet getting tangled in the ethernet I wonder how many other networks like this one there are. All links between DAMTP and DPMMS are done with fibre, and always have been. DAMTP and DPMMS are MAC level connected so there is/was no need for other links. Indeed at the time of the incident DAMTP and DPMMS shared at least 2 machines (though no longer.) It isn't clear that unix-support had anything to do with this, other than they got told the story like everyone else who visits us. The risks are obvious, never believe anything that unix-support tells you! Jon Peatfield, Computer Officer, the DAMTP, University of Cambridge Telephone: (+44 223) 3-37852 Mail: J.S.Peatfield@amtp.cam.ac.uk

Re: Spontaneous recovery from "NOMAIL" setting

"Al Stangenberger" <forags@nature.berkeley.edu>

Something like this happened recently on ECOLOG-L (sci.bio.ecology on Internet). I forget the specifics, but basically a mailed-in submission somehow triggered a flood of duplicate messages being sent out. In order to stop the replication the list owner set everybody's status to NOMAIL but there was no record of which users were already in NOMAIL status thus there was no way to reverse the process once the error was fixed except by setting everybody back to MAIL status. I don't know if this was the listserver in question, but am cc-ing to the list owner who might be able to explain it more fully. Al Stangenberger, Dept. of Env. Sci., Policy, & Mgt., 145 Mulford Hall - Univ. of Calif., Berkeley, CA 94720 (510) 642-4424 forags@nature.berkeley.edu

Spontaneous recovery from "NOMAIL" setting?

Ron Ragsdale <R_RAGSDALE@oise.on.ca>

Setting "NOMAIL" to leave a LISTSERV keeps open the option of an easy return, but it may also lead to an unexpectedly full emailbox. Early in January, I began receiving regular messages from a LIST that I had set to NOMAIL in 1991; the LIST owner told me I was set to NOMAIL, but messages only/stopped when I sent an UNSUBSCRIBE message. Earlier this week (JAN. 16), I received my first update from RISKS in several years, under the same conditions, with my membership set to NOMAIL. Today, I received 80 messages from a LIST I had left (through NOMAIL) about four years ago and quickly sent an UNSUBSCRIBE message (which was acknowledged). A student of mine has been doing research on a number of lists and a substantial fraction of the respondents tell about similar phenomena? Is the NOMAIL setting really a time bomb that may flood your mail directory unexpectedly? (I was fortunate in TELNETing from Berkeley today just as the avalanche had begun.) If you have an explanation of this process, I would appreciate hearing it. Ron Ragsdale, Professor Emeritus, Ontario Institute for Studies in Education 252 Bloor Street West, Toronto, Ontario, Canada M5S 1V6 (416) 923-6641 X2252

Spontaneous recovery from "NOMAIL" setting?

"Peter M. Weiss" <PMW1@PSUVM.PSU.EDU>

List Management is more art than science ... I know, I'm a list-owner of multiple lists at multiple host locations. As good as the Revised LISTSERV software is, the list owners, users, and sysadmins can and do make mistakes (like the time I accidentally added another college president to a list that I maintained when I mistyped the userid). One of the features of R-LISTSERV is for the owner to make changes to recipients' options, using various wild-card techniques ... without asking for confirmation, or for what the options were before they were set. Also, a user can be subscribed under multiple userids, yet only receive a single distribution. Why? so that (s)he can post to a private distribution list from multiple sending addresses. Peter M. Weiss, 31 Shields Bldg. — Penn State Univ — University Park, PA 16802-1202 +1 814 863 1843 pmw1@psuvm.psu.edu co-owner LDBASE-L, TQM-L, ...

Re: Verify your backups

rob horn <horn%temerity@leia.polaroid.com>

We have a practice that once per week we select one file at random and request that it be restored from backup from the previous week. It is amazing what you learn by doing this. The range of things that fail, problems that arise from odd causes, automatic systems that mysteriously stop working, is incredible. Even when all concerned know that this is the regular practice, things go wrong. So everyone who is willing to put in the time and effort to make backups should also perform at least this rudimentary QC check. Don't ever stop. Rob Horn horn@temerity.polaroid.com

Bad backups (historical note)

Dick Hamlet <hamlet@cs.pdx.edu>

The note from managers of wuarchive.wustl.edu about loss of archive files because backups were not usable reminds me of an experience with early DEC timesharing systems (c. 1968, 4-series PDP-10 operating system). (Incidently, why do I so often get the feeling that problems solved in the 1960s will reappear forever, and that each succeeding group of systems programmers has less time/talent/interest for attacking them?) I was system programming director at Computer Center Corp. (C^3), a Seattle service bureau. We used 1/2" mag tape for backup of disk files. Only after we lost the entire disk did we discover that our sole mag tape unit (the cheapest we could buy, of course!) could not read all that it wrote, and that the dump/restore software ignored all tape errors! (This was the same system in which the FORTRAN library disk i-o routine did retry for read failure, but did it on the NEXT disk block instead of the one that had failed. It was remarkably successful-- the were NO permanent failures ever logged!) Our fix for the backup program was to write checksums on tape. That way, we could check the tapes off line, and not slow the dump by doing a real file compare after the tape was written. How many dump systems today read back what has been written for backup (much less check it or do a file compare!) unless there is a restore request?

crypto policy report available online

"Lance J. Hoffman" <hoffman@seas.gwu.edu>

The following report is available by anonymous ftp from ftp.gwu.edu under directory /pub/hoffman. The document is stored under the name "cryptpol". It is a NIST-sponsored study. The table of contents and abstract follows here. CRYPTOGRAPHY: POLICY AND TECHNOLOGY TRENDS Lance J. Hoffman, Faraz A. Ali, Steven L. Heckler, Ann Huybrechts December 1, 1993 CONTENTS EXECUTIVE SUMMARY 1. INTRODUCTION 2. TECHNOLOGY 3. MARKET ANALYSIS 4. EXPORT CONTROLS 5. PUBLIC POLICY ISSUES 5.1 EXECUTIVE BRANCH 5.2 CONGRESS 5.3 TRENDS 6. POTENTIAL SCENARIOS EXECUTIVE SUMMARY During the past five years, encryption technology has become easily available to both individuals and businesses, affording them a level of security formerly available practically to only military, national security, and law enforcement agencies. As a result, a debate within the United States about the proper balance between national security and personal freedom has been initiated. Law enforcement and national security agencies would like to maintain tight control over civilian encryption technologies, while industry and individual and privacy rights advocates fight to expand their ability to distribute and use cryptographic products as they please. This report analyzes trends in encryption technology, markets, export controls, and legislation. It identifies five trends which will have a strong influence on cryptography policy in the United States: * The continued expansion of the Internet and the progressive miniaturization of cryptographic hardware combined with the increasing availability and use of strong cryptographic software means that the strongest encryption technologies will continue to become more easily obtainable everywhere in the years ahead. * Additional growth in networked and wireless communication will fuel a strong demand for encryption hardware and software both domestically and abroad, causing the U. S. high-technology industry to be increasingly interested in selling encryption products overseas and in modifying current export restrictions. * Due to the responsibilities and bureaucratic dispositions of key Executive Branch agencies, products using strong encryption algorithms such as DES will continue to face at least some export restrictions, despite the widespread availability of strong encryption products overseas. * The American public is likely to become increasingly concerned about its privacy and about cryptographic policy as a result of the increased amount of personal information available online and the growing number of wireless and networked communications. The development and increasingly widespread use of the National Information Infrastructure will heighten these concerns. * Encryption policy is becoming an important public policy issue that will engage the attention of all branches of government. Congress will become increasingly visible in this debate due to its power of agency oversight and its role in passing laws accommodating the United States' rapid rate of technological change. Agencies will remain very important since they have the implementing and, often, the planning responsibilities. Since individuals and industry have more direct influence over Congress than over most other branches of government, Congress may place somewhat more emphasis on personal freedom than many other government actors. Four potential scenarios are likely: mandatory escrowed encryption, voluntary escrowed encryption, complete decontrol of encryption, or domestic decontrol with strict export regulations. Professor Lance J. Hoffman, Dept of EECS, The George Washington University (202) 994-4955 Washington, D.C. 20052 hoffman@seas.gwu.edu Fax (202) 994-0227

1994 IEEE Symp on Research in Security and Privacy: PROGRAM

Catherine A. Meadows <meadows@itd.nrl.navy.mil>

1994 IEEE SYMPOSIUM ON RESEARCH IN SECURITY AND PRIVACY May 16-18, 1994, Claremont Resort, Oakland, California Sponsored by the IEEE Technical Committee on Security and Privacy In cooperation with the International Association of Cryptologic Research Symposium Committee Cristi Garvey, General Chair Carl E. Landwehr, Vice Chair John Rushby, Program Co-Chair Catherine Meadows, Program Co-Chair PRELIMINARY PROGRAM MONDAY, MAY 16 9:15--9:30 Welcoming Remarks: Cristi Garvey and John Rushby 9:30--10:30 FORMAL MODELING OF CRYPTO PROTOCOLS A Model for Secure Protocols and Their Compositions Nevin Heintze and J.D. Tygar (CMU) On Unifying Some Cryptographic Protocol Logics Paul Syverson (NRL) and Paul C. van Oorschot (BNR) 11:00--12:30 INFORMATION FLOW Eliminating Formal Flows in Automated Information Flow Analysis Steven T. Eckmann (Unisys) Mode Security: An Infrastructure for Covert Channel Suppression Randy Browne (Independent Consultant) Simple Timing Channels Ira S. Moskowitz (NRL) and Allen R. Miller (GWU) 2:00--3:30 PANEL: Firewalls 4:00--5:00 COMPOSITION OF SECURE SYSTEMS Asynchronous Composition and Required Security Conditions N. Boulahia-Cuppens and F. Cuppens (ONERA-CERT) A General Theory of Composition for Trace Sets Closed under Selective Interleaving Functions, John McLean (NRL) 8:00: EVENING SESSIONS TUESDAY, MAY 17 9:30--10:30 DATABASE I Ensuring Data Security in Interrelated Tabular Data Ram Kumar (U. North Carolina) Collecting Garbage in Multilevel Secure Object Stores Elisa Bertino (U. Milano), Luigi Mancini (U Genova), Sushil Jajodia (GMU) 11:00--12:30 CRYPTO ENGINEERING Prudent Engineering Practice for Cryptographic Protocols Martin Abadi (DEC-SRC) and Roger Needham (Cambridge) Generating Formal Cryptographic Protocol Specifications Ulf Carlsen (ENST de Bretagne) A Low Cost, High Speed Encryption System and Method Gregory Mayhew (Hughes Aircraft) 2:00--3:30 PANEL: What Security Needs To Learn From Other Fields 4:00--5:00 DATABASE II Channel-Free Integrity Constraints in Multilevel Relational Databases Xiaolei Qian (SRI-CSL) Elimination of Inference Channels by Optimal Upgrading Mark E. Stickel (SRI-AIC) 5:00: TC MEETING 8:00: EVENING SESSIONS WEDNESDAY, MAY 18 9:30--10:30 DISTRIBUTED SYSTEMS A Secure Group Membership Protocol, Michael K. Reiter (AT&T Bell Labs) The Complexity and Composability of Secure Interoperation Li Gong and Xiaolei Qian (SRI-CSL) 11:00--12:30 ACCESS CONTROL Self-Nonself Discrimination in a Computer Stephanie Forrest, Allan Perelson, Lawrence Allen, Rajesh Cherukuri (U New Mexico, Albuquerque) Authentication and Revocation in SPM, Vijay Varadharajan (HP-Bristol) On the Minimality of Testing for Rights in Transformation Models Ravi S. Sandhu and Srinivas Ganta (GMU) 12:30: SYMPOSIUM ADJOURNS 1994 IEEE Symposium on Research in Security and Privacy REGISTRATION FORM Dates strictly enforced by postmark. Name:_______________________________________________ Affiliation:_______________________________________________ Postal Address:_______________________________________________ _______________________________________________ _______________________________________________ Phone:________________________________________________ Fax:________________________________________________ E-mail:________________________________________________ Please enter the appropriate registration fee below: Advance Member (to 4/4/94)...$260 | |--IEEE Member # (REQUIRED)_____________ Late Member (4/5/94-4/22/94).$310 | Advance Non-Member............$320 Late Non-Member...............$390 Advance Student...............$ 50 Late Student..................$ 50 Total amount due:_____________________ Do you wish to present at a poster session or lead an evening discussion? [ ]Yes [ ]No Do you have any special requirements?_______________________________________ Please indicate your method of payment by checking the appropriate box: ___ |___| Check in U.S. funds drawn on a U.S. bank (PLEASE ENCLOSE WITH THIS FORM) Credit card authorization: (Charges will appear on your statement as made by IEEE COMPUTER SOCIETY) Visa MasterCard American Express Diners Club ___ ___ ___ ___ |___| |___| |___| |___| Credit Card Number: ____________________________________________________________________________ Card Holder Name:______________________________Expiration Date:_____________ Signature:__________________________________________________________________ Mail registration to: Or fax this form (CREDIT CARD REGISTRATIONS ONLY) to: Code 5540A Naval Research Laboratory (202)404-7942 Washington, DC 20375-5337 (202)404-8888 <>>SORRY, NO REGISTRATIONS BY EMAIL<<< Evening Sessions

Hotel Reservations - The Claremont Resort ========================================= The Claremont Resort in Oakland, California is 20 minutes from San Francisco and just over an hour from Napa Valley. It is situated in the Oakland-Berkeley hills overlooking the San Francisco Bay on 22 acres of beautifully landscaped lawns and gardens. Facilities include the Claremont Pool and Tennis Club and The Spa at the Claremont. Oakland Airport is 14 miles from the hotel, or attendees may choose to fly into San Francisco and rent a car. Bay Area Shuttle (415/873-7771) provides service from the San Francisco Airport or the Oakland Airport to the Claremont Resort. The charge is $10 per person one way. Parking is available at the hotel at a cost of $8 per day for guests and $1.50 per hour up to a maximum of $9 for non-guests. Hotel reservations must be made under the group name IEEE Symposium on Research in Security and Privacy. The group rate is $96 single, $108 double occupancy, plus 11% tax. The cut-off date for reservations is Saturday, April 16, 1994. Reservations made after this date will be accepted on a space available basis. Reservations must be accompanied by an advance deposit or credit card guarantee. You may cancel your individual reservations up to 72 hours prior to arrival, after which your deposit becomes non-refundable. Please be advised the check-in time is after 3:00 pm; check-out is 12 noon. For reservations and information, contact: The Claremont Resort, Ashby and Domingo Avenues, Oakland, CA 94623-0363. Phone: 510/843-3000; Fax: 510/843-6239.

Search RISKS

Please report problems with the web pages to the maintainer

Top