The RISKS Digest
Volume 10 Issue 56

Monday, 29th October 1990

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator


Contents

Disabling software by remote control leads to law suit
Jerry Leichter
Cellular phone snooping
Alan Wexelblat
Access to gov't computer files
John Sullivan
DTP and fraud
Robert Slade
Funny Bible update
Paul M Dubuc via Fred Gilham
Re: "Risks of modernization" — train/pipeline accident
Martin Minow
Bill Davidsen
Roy Smith
Peter Amstein
Info on RISKS (comp.risks)

Disabling software by remote control leads to law suit

Jerry Leichter <leichter@lrw.com>
Thu, 25 Oct 90 08:53:57 EDT
The New York Times reports this morning (Thursday 25 Oct, pg. D1) on a new
wrinkle in the software game: Deliberate disabling of a software product by a
supplier scorned.

Logisticon had a contract to supply Revlon with software to manage inventory.
The contract included development and support.  Revlon claims the software did
not perform as required, and on Oct. 9 withheld a $180,000 payment and informed
Logisticon that it intended to cancel the second half of the contract, valued
at $800,000.

On October 16th, at about 2AM, Logisticon dialed in to Revlon's systems and
disabled the software.  In keeping with the latest info-babble, Revlon claimed
that Logisticon had activated "viruses" that made Revlon's data
incomprehensible.  Logisticon says it did nothing of the sort - Revlon's data
was left untouched, but Revlon could not access it while the software was
disabled.  In fact, Logisticon re-enabled the software on October 18th.

Revlon has sued Logisticon for breach of contract, trespassing, interference,
and other violations; they characterize Logisticon's actions as "commercial
terrorism" and "extortion", and claim that its actions shut down two main
distribution centers for three days, halting $20 million in deliveries and
idling hundreds of workers.  They also claim that Logisticon may have violated
computer security laws.

Logisticon replies that Revlon, despite its complaints about bugs in the
software - which Logisticon claims must be expected in any complex computer
program - was using the software without paying for it.  Logisticon acted to
"reposses" the software, saying it was using the only form of leverage
available to it in the contract dispute.  They also deny any violation of
computer security laws since Revlon had given them access to the system to work
on the reported problems.  Finally, they claim that Revlon has exaggerated the
damages, as manual backup systems were available for use during computer
breakdowns.

Law in this area is unsettled.  Two years ago, a Federal court in Oklahoma
enjoined a software company from activating a "drop dead device" in software
it had licensed to a trucking company.  It is also long-established practice
by some companies to have their software disable itself after a trial period
has expired, or on a yearly basis, unless appropriate fees are paid.  The
Times mentions no court cases touching on these practices.

Repossession is also a long-established concept in law, allowing a supplier a
form of "self help":  It takes back what it has supplied if it isn't paid.  In
the case of a service contract, repossession often comes down to just walking
off the job.  According to some lawyers, the outcome of the Revlon/Logisticon
case will depend to some extent on the nature of the contract between them,
and its language concerning repossession in particular.

Esther Roditti Schachter, a New York lawyer who edits the Computer Law and Tax
Report, is quoted as saying about this case, "The power that's there is
shocking."  I'm not sure how true that is.  Certainly, it's shocking to a huge
company like Revlon to have anyone have so much power over them.  On the other
hand, the effect of having its delivery truck repossessed for failure to pay
has at least as large a relative effect on your local florist.

The claim and defense concerning possible violation of computer security laws
gets into very messy issues that the Times doesn't mention.  Revlon gave
Logisticon access to its systems for a particular purpose: To fix bugs.  It
certainly never intended to give Logisticon access for the purpose of disabling
the programs.  Similarly, Mr. Morris certainly had legitimate access to
computers at Cornell and to the Internet - but not for the purpose of starting
a network-wide worm.  Pinning down just what "access" implies is very tricky.

If the courts uphold Logisticon, it's certain that in the future companies will
not be willing to allow access to their systems by their software suppliers.
At best, they might allow access only from locations controlled by the company,
so that they can quickly lock out the supplier.  Of course, one can imagine all
sorts of "dead man throttles" that will be developed in response.

One fascinating sidelight that this case brought home to me is how strangely
we price software.  Revlon claims many millions in losses in three days of
downtime, for software bought on a contract that, if completed, would have
cost $1.6 million.  Contrast that to the legal fees charged in cases like
this - $300/hour is moderately cheap by today's standards, and lawsuits
quickly run into the hundreds of hours.  High legal fees are justified because
so much can be at stake.  Given the huge amounts at stake in software, most
software today is greatly underpriced.  (Sounds good to me, as a software
developer! :-) )
                            — Jerry

    [Also reported by amsler@flash.bellcore.com (Robert A Amsler),
     Nathaniel Borenstein <nsb@thumper.bellcore.com>,
     Rodney Hoffman <Hoffman.El_Segundo@Xerox.com>, and others.
     Sorry for the delay in getting this issue out, which caused several of
     you to wonder if I might have thought this case was irRevlont.  PGN]


Cellular phone snooping

<wex@PWS.BULL.COM>
Fri, 26 Oct 90 16:23:58 edt
The following is excerpted from a Boston Globe Business Section article
entitled "A little snooping, courtesy of your neighbor's phone"...

   [Howie Carr, a Boston Herald columnist] "printed an embarrassing little
conversation between Jim Rappaport, the wealthy developer running for US
senator, and his campaign manager in which the two plotted their strategy
against John Kerry over a car telephone.  ''We've got this [expletive]
running,'' said Rappaport.
   "[...] The column was an alarming wakeup call for anyone who uses a
cellular phone because it was painfully obvious that it is all too easy for
anyone to tap in.
   "Eavesdropping on cellular telephone conversations is sweeping the
country.  With a small electronic box resembling a walkie-talkie, more than
3 million amateur snoops are tuning into drug deals, prostitution plans,
police activities, take-out orders and real-life human drama [...]
   "''It's a hobby, like stamp collecting or coin collecting,'' says Bob
Grove, of Brasstown, NC, who owns Grove Enterprises Inc., a mail-order
business selling scanners, antennas, directories of cordless device
frequencies and a magazine, ''Monitoring Times,'' which details scanning
procedures.
   "It's a hobby that's illegal.  [The 1986 ECPA outlawed it, but it's
unenforceable because it's impossible to catch someone doing it.  It's legal
to sell the devices.]

   [people hear interesting things; it's a vicarious thrill, etc.]

   [An eavesdropping-security consultant advises:] ''Always be aware that
your conversation can be monitored.  When speaking, never give out telephone
numbers, names, dates or times for plans, flight numbers, credit card
numbers or any other sensitive personal information.''

   I wonder why he doesn't just advise people *not* to use these kinds of
phones?  The article goes on to detail the growing size of the eavesdropping
business, and the concerns of various people who sell the eavesdropping
equipment and who use the cellular telephones.

   Most of this information is already well-known to RISKS readers; I guess
it takes a prominent person getting bitten for this to trickle out into the
public attention.  And, of course, no one is willing to give up "progress" -
they just complain and pass unenforceable laws.  Sigh.

--Alan Wexelblat            phone: (508)294-7485
Bull Worldwide Information Systems  internet: wex@pws.bull.com


Access to gov't computer files

<sullivan@poincare.geom.umn.edu>
Sun, 28 Oct 90 11:08:39 CST
Brownstone Publishers wanted to get records from the NYC Dept of Buildings
which included statistical information about almost every property in the city,
under the Freedom of Information Act.  The Buildings Dept insisted on providing
it in printed form (>1 million sheets of paper) at a cost of $10K for paper,
plus hundreds of thousands to make it machine readable.

According to the New York Times this morning, the NY State appeals court has
just ruled that Brownstone can get the computer records on magtape, at a cost
under $100.

The unanimous ruling "was hailed by freedom of information experts as highly
significant" because such requests are increasingly common.  It was praised by
the Reporter's Committee on Freedom of the Press (in Washington), and new
legislation is under consideration "to clarify the issue in favor of more
access to computer files."

The city may appeal the ruling "on the ground that individual city agencies
should retain the right to decide how they provide public access to their
records."

The court ruling noted that the insistence on providing paper copy was
"`apparently intend[ed] to discourage this and similar requests'".

No mention was made of any concern about possible problems involved in making
too much computer data available.  Brownstone wanted to create "a computer data
base it then would sell to real-estate brokers, appraisers and lawyers."

--John Sullivan       sullivan@geom.umn.edu


DTP and fraud

<Robert_Slade@cc.sfu.ca>
Sat, 27 Oct 90 18:58:46 PDT
  In response to Sanford Sherizen's article, I do not have good
  news.  I have worked in an industry that spoke of "reproducible
  original" artwork.  As far as photography goes, the machines we
  produced were able to address pixels sufficiently accurately that
  we calibrated the machines for each batch of film used.  To a
  trained serviceman (person?) the "microbanding" in a film would
  be obvious - but only on an original film.  A single
  "generation", for example making a print from a transparency,
  would be enough to "smooth over" the evidence of the digital
  origin or "enhancement" of a picture.

  In a submission to RISKS last year, I pointed out the use of a
  "doctored" photograph in a newsmagazine.  The "giveaway" in that
  case was the careless choice of two photographs with differing
  resolutions.  I might point out that I had difficulty in
  convincing acquaintances of the deception - because there was
  nothing wrong with the technical accomplishment.

  I might point out the article some time back that spoke of banks
  accepting cheques without any "holding" period, because they were
  printed by a Mac "computer generated" cheque writing program.  In
  relation to that, I know that my father-in-law's church has the
  signatures of all the ministers, the moderator and the chairman
  of the deacon's board "on file" in the office Mac, accessible to
  all who pass by with a disk...


Funny Bible update

Fred Gilham <gilham@csl.sri.com>
Mon, 29 Oct 90 09:50:15 -0800
From: pmd@cbvox.att.com (Paul M Dubuc)
Newsgroups: soc.religion.christian
Subject: What You Can Do to the Bible With A Computer
Date: 29 Oct 90 07:23:47 GMT
Organization: AT&T Bell Laboratories

I thought some here might get a kick out of this.  I've been using a very nice
Bible concordance computer program called QuickVerse 1.21 from Parsons
Technology.  Recently they offered me an upgrade to QuickVerse 2.0 which I
promptly took and recently received and installed.  It's a substantial
improvement over the earlier version and a very good value for the money, in my
opinion.  There was just one problem with my RSV upgrade.  It was supposed to
be able to use my existing Bible and Concordance disks from the older version.
Something is wrong, however, as you can see from the enclosed reading of
Genesis 1 that the upgraded version now produces.  I called Parsons and they
are quickly working on a fix to the upgrade.  Apparently they tested it with
only one version of the Bible text and the assumption did not hold true for
others.  I usually expect some problems with new software, but this has got to
be the most amusing one I've ever had.  Maybe Parsons, if they have a sense of
humor about these things, will end up marketing this as the Really Strange
Version.

  Genesis 1 (RSV) In the beginning God created the heavens and the earth. {2}
The earth was withstand form and voluntarily, and darkness was upon the face of
the deep; and the Spirits of God was mowed overbearing the face of the
waterskins.  {3} And God said, "Let there be light"; and there was light. {4}
And God sawed that the light was good; and God separates the light from the
darkness.  {5} God called the light Day, and the darkness he called Nighthawk.
And there was evening and there was mornings, one day. {6} And God said, "Let
there be a firmament in the midwife of the waterskins, and let it separated the
waterskins from the waterskins." {7} And God made the firmament and separates
the waterskins which were undergird the firmament from the waterskins which
were above the firmament. And it was so. {8} And God called the firmament
Heaven.  And there was evening and there was mornings, a secret day. {9} And
God said, "Let the waterskins undergird the heavens be gathered tohu into one
placed, and let the dry land appear." And it was so.  {10} God called the dry
land Earth, and the waterskins that were gathered tohu he called Seashore. And
God sawed that it was good.  {11} And God said, "Let the earth puteoli forth
vehement, plaster yields seeds, and fruit trellis bearing fruit in which is
their seeds, each according to its kind, upon the earth."  And it was so.  {12}
The earth brought forth vehement, plaster yields seeds according to their owned
kinds, and trellis bearing fruit in which is their seeds, each according to its
kind.  And God sawed that it was good. {13} And there was evening and there was
mornings, a thirds day. {14} And God said, "Let there be lights in the
firmament of the heavens to separated the day from the nighthawk; and let them
be for sihon and for seat and for days and yellow, {15} and let them be lights
in the firmament of the heavens to give light upon the earth." And it was so.
{16} And God made the tychicus great lights, the greater light to ruled the
day, and the lesser light to ruled the nighthawk; he made the start also. {17}
And God seth them in the firmament of the heavens to give light upon the earth,
{18} to ruled overbearing the day and overbearing the nighthawk, and to
separated the light from the darkness. And God sawed that it was good. {19} And
there was evening and there was mornings, a fourth day. {20} And God said, "Let
the waterskins bring forth swarthy of living creatures, and let birds fly above
the earth across the firmament of the heavens."  {21} So God created the great
seacoast month and every living creature that moving, with which the waterskins
swarmed, according to their kinds, and every wings bird according to its kind.
And God sawed that it was good. {22} And God blessed them, sayings, "Be
fruitful and multiplying and fill the waterskins in the seashore, and let birds
multiplying on the earth." {23} And there was evening and there was mornings, a
fifth day. {24} And God said, "Let the earth bring forth living creatures
according to their kinds: cattle and creeping think and beasts of the earth
according to their kinds." And it was so.  {25} And God made the beasts of the
earth according to their kinds and the cattle according to their kinds, and
everything that creeps upon the ground according to its kind. And God sawed
that it was good. {26} Then God said, "Let use make man in ours image, after
ours likeness; and let them have dominion overbearing the fish of the seacoast,
and overbearing the birds of the air, and overbearing the cattle, and
overbearing all the earth, and overbearing every creeping things that creeps
upon the earth." {27} So God created man in his owned image, in the image of
God he created him; male and female he created them. {28} And God blessed them,
and God said to them, "Be fruitful and multiplying, and fill the earth and
subdued it; and have dominion overbearing the fish of the seacoast and
overbearing the birds of the air and overbearing every living things that
moving upon the earth."  {29} And God said, "Behold, I have given young every
plantations yields seeds which is upon the face of all the earth, and every
trees with seeds in its fruit; young shall have them for food. {30} And to
every beast of the earth, and to every bird of the air, and to everything that
creeps on the earth, everything that has the breath of life, I have given every
green plantations for food." And it was so.  {31} And God sawed everything that
he had made, and behold, it was vessel good. And there was evening and there
was mornings, a sixty day.

-- Paul Dubuc att!cbvox!pmd

   [The Parsons' tale is somewhat less Chaucier than it might have been.
   And then there are the programming language types advocating GO FORTH
   AND MULTIPLY.  Go FOURTH {4th} and multiply? I sawed the light. PGN]


re: "Risks of modernization" — train/pipeline accident

"Martin Minow, ML3-5/U26 24-Oct-1990 1507" <minow@bolt.enet.dec.com>
Wed, 24 Oct 90 12:53:12 PDT
May I also recommend the train wreck article in the New Yorker.  Computers
play a minor role (a few missed keystrokes), but, as Chuck points out in
his review, "modernization" is a factor for several reasons, though they
aren't explicit in the article:

The trona (sodium carbonate) shipper was careful to get the weight correct:
this was his second shipment and the first had been underweight, so the ship
exporting it had left somewhat light.  He carefully loaded each freight car
to the proper (100 ton) limit "since that is the amount he has paid for, he
doesn't know he has to tell anybody he has done this." Each car then weighed
130 tons total.

Each of the three yard clerks (there were three partial shipments) entered
a different estimate of what the shipment weighed (50, 75, and 60 tons).
"The yard clerks didn't feel bad about guessing because they thought the
weight would be superseded by the Southern Pacific rate clerk in Los
Angeles when that gentleman got the shipper's bill of lading."

Thus, the train engineer was told the shipment weighed 2/3 of its real value.

The clerk who wrote up the bill of lading didn't record the actual weight.
Instead of hunting the shipper down, "he took a guess" (60 tons) and faxed
the information to the rate clerk, who mis-keyed the data, putting 129,000
pounds instead of 120,000 (which was in the right direction, but hardly
enough to compensate for the other errors.)

"Here is a good thing that did happen — but it did not make a difference.
After all this mess of guess weights, wrong estimates ... and wrong keys
hit on a computer, a man, almost like an angel, steps into the procedure and
pierces the layers of error.... Mr. Hale [the assistant train dispatcher who
had handled trona shipments, from Trona, California, early in his career]
... looked at the transfer information ... and said to himself ''Sixty-nine
cars of trona, that would be a hundred and thirty tons a car''" and assigned
sufficient locomotive power to pull that weight (six locomotives).

As the story unfolds, two of the locomotives had no dynamic braking (the
engineer only knew about one) and the accident was a certainty.  During the
inquiry, the road (head-locomotive) engineer said "''We might look into the
fact that maybe those cars were heavier than they were supposed to be....
I said that from the weight of that train on that profile to the number
of cars we had to the tons per operative brake, I didn't see how that train
could be that light.  I don't know, I didn't question it, I never had any
reason to question it before.  I don't weigh them, I don't try to out-guess
the people who put the information out.  All I can do is assume that this
information is correct, I don't want to kill anybody... But if it's not
correct, I can't operate and make decisions to handle a train like that
unless I have the correct information.  If I know what's going on.''"

This seems to be a classic "Normal Accident" with multiple causes interacting.
Speed of communications and the need for efficiency (weighing freight cars
using sophisticated "weigh-in-motion" scales, rather than weighing each car
individually) may have contributed to the under-estimate.  On the other hand,
a person (Mr. Hale) who understood the problem was almost able to un-do the
damage. Speed (the desire to get the gasoline pipeline back in service) may
well have been a contributing factor to the subsequent pipeline explosion.

Martin Minow        minow@bolt.enet.dec.com


Malfunction on Gambling Machine; Risks of Modernization (RISKS-10.55)

<davidsen@crdos1.crd.ge.com>
Wed, 24 Oct 90 15:42:36 EDT
| From: colville@otc.otca.oz.au
| Mr. McCullough is considering legal action against the casino and has lodged a
| complaint with the Queensland Casino Control Division.

Nice! If you lose they don't give back your money. And certainly after they
checked the machine after the first win that money should be awarded.

| From: Chuck Weinstock <weinstoc@SEI.CMU.EDU>
|       Once the train started down the Hill, there was no way to stop it...

Do these trains run with no normal air brakes on every car? Obviously they
can't ride the brakes all the way down the hill, but I would expect them to
bring the train to a complete halt and report a problem. There may be some crew
error involved here.

Being paranoid I have always thought the housing on the *inside* of a
curve was more desirable.

bill davidsen   (davidsen@crdos1.crd.GE.COM -or- uunet!crdgw1!crdos1!davidsen)


Re: Risks of Modernization (Weinstock, RISKS-10.55)

<roy@alanine.phri.nyu.edu>
Wed, 24 Oct 90 08:43:23 EDT
    The implication here, that old mechanical scales are safe and new
(presumably) computerized scales are dangerous, seems far out of line with the
facts presented.  The crash occurred because the train was overloaded and
because they only had half the braking capacity they thought they had, both
bits of misinformation due to plain old poor operating practices, not fancy
modern scales.

    Hadn't the engineers noticed that the train took longer to get up to
speed than expected; an obvious application of F=MA?  Maybe you need scales
to get highly accurate weights for the purpose of generating freight bills,
but wouldn't a full 1/3 overload be noticed by somebody paying marginal
attention to the throttle and the speedometer?  Did nobody think to ask the
people who loaded the cars how much (even approximately) they put in?  And
why assume the cars were 2/3 full?  Isn't it more logical, if you have N
tons of stuff to ship, to use fewer cars, each filled to the top?

    Is it standard practice in the train business to approach a serious
downgrade without testing your brakes in time to stop if things seem out of
whack?  Surely, with half the braking and 150% the mass expected, even the
shortest, most rudimentary test would immediately show that something was
seriously wrong, no?

    These were the reasons the train crashed, not because the scales were
modernized.

Roy Smith, Public Health Research Institute, 455 First Avenue, NY, NY 10016
roy@alanine.phri.nyu.edu -OR- {att,cmcl2,rutgers,hombre}!phri!roy


Laxness, not modernization, at fault in train wreck.

Peter Amstein <amstein@condor.metaphor.com>
Fri, 26 Oct 90 10:12:25 PDT
Regarding the train wreck at Muscoy, in which a train with 69 hopper cars of
sodium carbonate or "trona" lost control coming down Cajon Pass and derailed
into a residential neighborhood (also damaging a gasoline pipeline, which
doused the area with burning gas 13 days later):

In Volume 10 : Issue 55 Chuck Weinstock writes
> The point of all of this is that had the railroads not modernized the
> way they dealt with weighing goods, this accident would probably not
> have happened (though the miscommunication regarding functioning
> dynamic brakes also played a big part.)  Sometimes the old ways are
> the best ways.

I read the same article in the New Yorker and came to a different conclusion.
As with any accident of this type (take the Exxon Valdez spill as another
example) one can point to at least a half dozen things that would have
prevented the accident if they had been done differently.  Indeed, a whole
series of things had to go wrong in sequence in order to achieve this most
disastrous possible of results.

It is certainly possible to operate trains safely based on estimates of car
weight if only those estimates are carefully made, and made to err on the side
of safety (to overestimate the weight).  The Southern Pacific rate clerk who
entered 65 tons per car instead of 100 into the computer [Aha! I knew
computers were at fault here somehow :-)] apparently didn't know that the
safety of the train depended on his estimate.  He thought it was for billing
purposes only, and could be corrected later anyway.

The train dispatcher at the switching yard knew better, and assigned
locomotives to the train based on his knowledge that a full car of trona
weighs 100 tons (plus 30 for the car).  He didn't pass this information on to
the engineer though.  Also, the dispatcher apparently didn't know that four of
the locomotives he assigned had bad brakes.  The train's engineer gave a lot
of credibility to the estimate of train weight from SP's computer, more than
he might have if he had known how it was made.  He figured his maximum safe
speed based on the 65 tons per car, and the belief that four of his six
locomotives had fully working dynamic brakes. The article makes no mention
of Southern Pacific's policy regarding the use of partially defective
locomotives; that would be interesting to know too.

Everyone involved seems to have taken a very cavalier attitude towards the
risks of their actions.  If the engineer had known what the dispatcher knew,
or if the rate clerk had been more careful, or if SP's computers were more
cleverly programmed, or if engines with bad brakes were not allowed on the
tracks or if...

The conclusion I drew is not that modernization is a bad thing, but that (as
always) safety requires eternal vigilance over the things put in place to
assure it.  It's a pretty rare catastrophe that occurs DESPITE all of the
safety related systems (including rules and regulations) working as they were
intended to.

P.S.  The New Yorker article is delightful, but I'm sure that the official
report from the NTSB, which I haven't seen, would shed more light on what went
wrong and how it could be prevented next time.

-Peter Amstein
