echo: 10th_amd
to: all
from: Roy J. Tellason
date: 2003-08-17 20:01:48
subject: From Risks Digest 22.86

* Forwarded (from: netmail) by Roy J. Tellason using timEd 1.10.y2k.



Date: Fri, 15 Aug 2003 17:09:33 -0700
From: Patrick Lincoln 
Subject: The Road to Vulnerability (Re: Blackout, RISKS-22.85)

One lesson that can be drawn from incidents like the recent massive power
outage is that decreasing margins in all our infrastructures place critical
societal functions at greater and greater risk of significant disruptions
from rare accidental and malicious acts.  Redefining acceptable levels of
risks and protections as the world changes is hard work, but needs to be
done.

Cost pressures and tight engineering under benign assumptions lead to thin
margins.  Optimized engineering leads to most events being of small
consequence (we've engineered systems to tolerate them), but some rare
events can cause massive disruption.  It would be 'bad engineering' to
overdesign a system to tolerate very rare events, if that tolerance costs
more than the failures it would prevent (in expected value to customer
terms).  Fragility to extremely rare events can be seen as good business.
It would be surprising if there weren't rare disruptions (like massive
power outages) in highly optimized infrastructures.

But the invisible hand of economics and good engineering leave systems
designed and optimized under assumptions of relatively benign environments
at great risk if new or unexpected threats arise.

Computer systems change very rapidly, and new threats arise with disturbing
speed.  The current hardware manufacture, software development, and people
practices of our cyber infrastructure are obviously subject to the same
economic motivations as described above.  So they are already (and will
become even more) fragile to rare or unexpected accidental or malicious
events.  That's 'good business' paving the road to vulnerabilities.

Post 9/11, we can point out how previously almost unthinkable scenarios are
more thinkable now, and thus engineered defenses against potential attacks
are more strongly motivated.  Govt procurement practices, corporate and
individual liability, government mandates, and other mechanisms could have
a profound impact on the reliability and cost of cyber infrastructure, but
also on large-scale economic concerns, so it may be imprudent to act
without defining the threats.  To define and quantify cyber threats and
their impact, particularly in combination with coordinated physical and
psychological attacks and effects, requires deep (read: expensive)
contemplative research, development, large experimentation, etc.  Once new
threats and defenses are defined, all the costs associated with deployment
of those mechanisms can be at least partially quantified, and then
well-reasoned decisions can be made about appropriate levels of protection
against various risks.  The pace of technology change and societal reliance
on these systems amplify the uncertainty, urgency, and magnitude of risk
here.  It is almost unthinkable that western societies would not put very
large resources against a problem of this grave potential.

--

Date: Thu, 14 Aug 2003 22:26:09 -0700
From: Lauren Weinstein 
Subject: "Blackouts and Bush's Buddies" (Re: Blackout, RISKS-22.85)

Many of the reports on today's blackout have expressed the view that it
comes as a complete surprise.

The reality of course is that such a blackout was entirely expected by
those who follow the power industry, as I discuss in the new short audio
(mp3) Fact Squad Radio feature, "Blackouts and Bush's Buddies."

It's playable via:
     http://www.factsquad.org/radio

Lauren Weinstein, lauren{at}pfir.org  http://www.pfir.org/lauren
Moderator, PRIVACY Forum - http://www.vortex.com
Tel: +1 (818) 225-2800

  [Also, see System's Crash Was Predicted:
    http://www.washingtonpost.com/wp-dyn/articles/A61117-2003Aug15.html
  PGN]

--

Date: Fri, 15 Aug 2003 09:53:41 -0700
From: "NewsScan" 
Subject: Internet stays light during blackout

During yesterday's blackout in northeast U.S. states and several major
Canadian cities, wireless networks and Internet connections allowed people
to keep communicating.  The chief business officer of Equinix, which
operates Internet Business Exchange centers that serve more than 90% of the
world's Internet routes, explains: "We lost all utility power out
there, but we immediately went to battery power for a few seconds, at which
point all of our major generators kicked in" to allow normal
operations that were "totally seamless to customers." Internet
customers therefore suffered "no disruptions whatsoever" to their
Internet service resulting from the electrical system failures.  [AP/*San
Jose Mercury News*, 15 Aug 2003; NewsScan Daily, 15 August 2003] 
http://www.siliconvalley.com/mld/siliconvalley/6540489.htm

--

Date: Fri, 15 Aug 2003 15:59:26 -0600
From: "Declan A Rieb" 
Subject: Re: Power-grid overload (RISKS-22.85)

Quoting [with permission] a colleague in a hallway conversation:

Review of yesterday's lesson:

Q. What is the ONE critical Infrastructure? [upon which all the others depend]
A. Electricity

Q. What is its most salient feature?
A. Nobody knows how it works. [Or perhaps more correctly, how it DOESN'T work.]

Declan A Rieb, 505 845-8515
Sandia National Laboratories MS1202, Albuquerque NM 87185-1202

--

Date: Sun, 17 Aug 2003 00:04:24 -0400
From: Edward Reid 
Subject: Re: Power-grid overload (RISKS-22.85)

> All this supposedly happened in nine seconds, and yet the cause is still
> unclear!

The very fact that it happened so fast is one reason that expert
speculation on the cause has been slow to come. (Political speculation, of
course, occurred almost as fast as the outage.) Most large outages,
including the ones in the northeast US in 1965 and 1977, propagated over a
period of many minutes. They involved overloads which did not immediately
trip protection. The symptoms were such that the (human) system operators
were expected to see them and react, and the failure of the operators to
shed load quickly was a major factor in the extent of the outages.

By contrast, this outage spread so fast that only automatic controls had
any chance of stopping it once it began. (Whether recognizably dangerous
conditions existed before the first failure remains to be seen. Analysis of
contingencies is a major part of online control systems, but choosing the
proper actions to minimize risk is an extremely complex problem.) In those
outages decades ago, the system was gradually pulled over the brink. In
this outage, it was tossed over the edge like a finger flicking a match
stick.
The Niagara area saw a flow change of 3GW, the output of three nukes, in
under a second.

We're already hearing "we will put changes in place so that this will
not happen again". But a system operator who has spent eight hours a
day for the past 25 years keeping a system up -- successfully -- needs more
than a few seconds to shift mindset and do the almost unthinkable -- shed
load -- to protect the system, even when the signs are clear.  Problems of
this nature are so rare that we do not, cannot, trust either the humans or
the computers. Perhaps the best action would be to provide effective
simulators so that the operators can spend a few hours a week reminding
themselves of what a real emergency feels like.  But most likely we will
see proposals which leave the humans out of the loop.

Of course, certain technical measures would help. So far, the newspaper
analyses of the outages correctly point out limited transmission capacity
as a problem. Deeper problems are the anti-regulatory environment, that
safety doesn't sell, and the failure to invest in conservation.

Building "excess" transmission capacity has no market incentive.
Excess capacity is essential to safety, but safety doesn't sell. The market
calls it excess capacity; people call it a safety net. When a critical line
fails, parallel lines must have "excess" capacity to take over
the flow, and this safety net must remain intact when lines are out of
service for maintenance. Safety nets are not cheap.

Conservation is far more cost-effective than new construction at ensuring
continuous availability of electricity. But this is not a market-savvy
investment, so until we accept that we need non-market investments in
conservation, we will continue to waste our most effective resource.

--

Date: Fri, 15 Aug 2003 11:10:50 -0400
From: Jonathan Kamens 
Subject: Re: Power-grid overload (RISKS-22.85)

>  A grid overload just after 4pm EDT knocked out power in NY City, Boston,
>  Cleveland, Detroit, Toronto, and Ottawa, among many other cities,

For the record, Boston did not lose power.  According to the *Boston
Herald*, the only cities in Massachusetts that lost power were Pittsfield
and Springfield.  I don't know first-hand whether that information is
accurate, but I do know that the greater Boston area, or at least the
portions of it in which I and my coworkers traveled yesterday, never lost
power.

--

Date: Fri, 15 Aug 2003 17:42:51 -0500
From: William Ehrich 
Subject: msblast and the power failure?

Possible connection? Wild guess? I'm not competent to evaluate this:
  http://www.heise.de/newsticker/data/ju-15.08.03-001/  [in German]

  [The cited article is written by Juergen Schmidt, senior editor of heise,
  which publishes c't, which we have quoted in RISKS before.
  (See http://www.heise.de/ct/impress.shtml ; tel +49 511 53 52 300.)
  Basically, this article notes that National Grid is a "reference client"
  of Northern Dynamics, and that OPC uses COM/DCOM, and that this is
  precisely the technology that the Blaster worm trashes.  It does not
  *claim* that OPC was used for any of the SCADA applications that might
  have triggered the propagation, but merely raises the question of whether
  this might have been the case.  The possibility is not too far fetched,
  especially if the common flaw existed in multiple distributed computerized
  control systems.  ADDED NOTE, *The International Herald Tribune* has a
  story this weekend on MS shutting down www.windowsupdate.com saying that
  "Security experts say they have found no evidence that the blackout
  ... was related" to Blaster.  But then so much else is unclear, so who
  knows?  Thanks to Peter Ladkin for providing background on this.  PGN]

--

Date: Fri, 15 Aug 2003 16:00:00 -0400
From: "monty solomon" 
Subject: Flaw seen in patch by Microsoft

A program Microsoft instructed customers to use to fix a hole in its
Windows software, which is vulnerable to attack by the Blaster/Lovsan worm
that infected computers this week, may itself be flawed.  A glitch in the
Microsoft Windows Update patch-management system used to download Windows
software fixes has tricked some customers into thinking their systems were
patched to prevent Lovsan, when they really were not, said Russ Cooper,
moderator of a mailing list with 30,000 subscribers that tracks Microsoft's
software weaknesses.  ...  [Source: CBS MarketWatch, 15 Aug 2003] 
   http://www.chron.com/cs/CDA/ssistory.mpl/business/2049216



Date: Fri, 15 Aug 2003 16:52:16 -0400
From: "Anderson, Matt" 
Subject: Legit website or nefarious scam?

I received an e-mail asking me to join something called the American
Consumer Panel (http://www.americanconsumerpanel.com), and as a "perk" for
joining, I would be sent an Amazon gift certificate.  On the website, they
claim to be a service of Forester Research (even links to Forester's site
and shows a copyright (for whatever that is worth)) yet doing a search on
Forester finds no mention of them.  Anyways, something besides all of that
made me suspicious (maybe how the URL got redirected to
https://netpanel.gmi-mr.com/portals/gpms_cp/5000585/) so I checked out the
terms and conditions of membership and buried down in the middle of the
terms was this gem,

"5. Third-Party Accounts
By participating in the Service, you authorize ACP to access your spending
and savings in your personal accounts, including but not limited to your
credit card and bank accounts, using ACP's secure, computerized system, [and
authorize your third-party account providers to provide us with such
information.] Where applicable, you also authorize ACP to record your
Web-surfing behavior. You agree that ACP assumes no responsibility and shall
incur no liability with respect to the acts, omissions, or determinations of
any such third-party account providers."

Maybe it's over-reacting on my part, but ignoring the web-surfing
monitoring, it seems a stretch for a research company to need to access my
personal credit cards and bank accounts.  Even if this is legitimate (I sent
an e-mail to Forester and have not received a response), access is a very
vague term.  If I have access to something, what kind of permissions do I
have?  Can I remove money or transfer it to another account?  Additionally,
some banks charge you for 3rd party access so you could get whacked with all
kinds of bank fees.  Regardless, buried this deep into the terms and
conditions makes this whole site very suspicious.  Risks seem obvious
enough...

M{at} Anderson  Sr. Enterprise Architect  manderson{at}gaic.com



Date: Sat, 16 Aug 2003 12:36:31 -0800
From: Rob Slade 
Subject: Re: Identity Crisis and *The Washington Post* (RISKS-22.84)

> *The Washington Post Magazine* Cover Story:
> Identity Crisis, by Robert O'Harrow Jr.
> http://www.washingtonpost.com/wp-dyn/articles/A25358-2003Aug6.html

It is rather ironic, in view of the topic, that you cannot get to the story
without allowing both cookies and JavaScript in your browser.  The site
itself sets about a dozen cookies on your machine, and there are outside
sites that set cookies as well: something called surfaid (which I allowed),
the ubiquitous Doubleclick (which I got away with blocking), and something
called atdmt.com (which I allowed, out of fear that I wouldn't see the
story otherwise).

rslade{at}vcn.bc.ca      slade{at}victoria.tc.ca      rslade{at}sun.soci.niu.edu
http://victoria.tc.ca/techrev    or    http://sun.soci.niu.edu/~rslade



--- 
* Origin: TANSTAAFL BBS 717-838-8539 (1:270/615)
SEEN-BY: 633/267 270
@PATH: 270/615 150/220 379/1 106/1 2000 633/267

SOURCE: echomail via fidonet.ozzmosis.com
