The Risks Digest

The RISKS Digest

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Volume 13 Issue 19

Thursday 27 February 1992


o The long arm of the law fingers old fingerprint
o $300,000 budget error at The Whig Standard
Jim Carroll
o Patriot missiles misled by `accidental' decoys
Lord John
o More on the Airbus A320
Andrew Marchant-Shapiro
o Re: Italian crooks let others pay phone bill
Ralph Moonen
o Two Cornell Students Arrested for Spreading Virus
o Re: Calculator Use During Exams
Bob Frankston
Brinton Cooper
Li Gong
Jeffrey Siegal
o Re: Carpal Tunnel Syndrome etc.
Steve Bellovin
Brinton Cooper
Ralph Moonen
Jeremy Barth
Simona Nass
Brinton Cooper
Torsten Lif
Claire Jones
o Info on RISKS (comp.risks)

The long arm of the law fingers old fingerprint

"Peter G. Neumann" <>
Thu, 27 Feb 92 14:51:23 PST
A fingerprint found in an unsolved 1984 murder of an 84-year-old woman was kept
in the San Francisco police database all these years.  Recently the SF print
database was linked with the Alameda County database.  The old print matched a
new one taken in connection with a petty theft case, and so eight years later
the police were able to solve the old case (burglary, arson, homicide).  The
two girls implicated were 12 and 15 at the time.  [Source: Article by Stephen
Schwartz, Chronicle Staff Writer, San Francisco Chronicle, 22 Feb 1992, p.A16]

$300,000 budget error at The Whig Standard

"Jim Carroll" <jcarroll@jacc.uucp>
Thu, 27 Feb 1992 09:00:16 -0500
From the Feb. 21 Toronto Globe and Mail...

"A misplaced computer byte has forced a daily newspaper in Kingston to chew a
sizeable hunk out of its budget for 1992. The $300,000 glitch, discovered last
month, means the Whig Standard will be hiring only two students to work as
reporters or editors this summer instead of five, and also has forced it to
reduce its spending for freelance stories, editor Neil Reynolds says.  The
computer in the newspapers accounting department somehow managed to understate
editorial cost by $300,000 when it spewed out editorial budget planning numbers
last fall.....  The newspaper is thoght to have a total editorial budget of
about $3 million a year."

What is interesting about this particular error is the size of the error
compared to the budget : 10%. Surely some cursory review should have identified
an error of this magnitude.

Jim Carroll, J.A. Carroll Consulting, Mississauga, Canada jcarroll@jacc.uucp
Voice/Fax +1.416.274.5605                                  MCI, Bix JCarroll

Patriot missiles misled by `accidental' decoys

"UKAV03::W0400" <>
27 Feb 92 13:01:00 EST
Quotes from an article in the New Scientist 15 Feb 1992:

The US Army's Patriot missiles missed many of the Iraqi missiles that the US
thought they had shot down during the Gulf War, according to a new analysis.
Iraqi's modified Scud missile, called the Al-Husayn, was difficult to hit
because it was so unstable that it broke into pieces when it reentered the
atmosphere, creating a confusing barrage of debris.

Ted Postol, a professor at MIT, re-examined the Patriot's war record at the
request of a Congressional committee.  He found that deploying Patriot missiles
defences did not reduce damage during Iraq's missile attacks on Israel and
Saudi Arabia.

Postol then examined videotapes recored by TV journalists that seemed to show
the Patriot missiles successfully intercepting Al-Husayn missiles.  Paytheon,
the Patriot's manufacturer, has used this footage to promote its missile.
Incoming Iraqi missiles are visible on the videotapes because of their
velocity, about two metres per second, {that must be a mistype in the article,
I expect it should be two kilometers per second W.} makes them glow
incandescently as they re-enter the athmosphere.  The videotape also captures
the explosions of the Patriot interceptors.

Postol played these videotapes in slow motion to an audience of the AAAS.  As
the Patriot detonations flashed on the screen, Postol stopped the tape to show
how far these explosions were from the glowing Al-Husayn warheads.  In most
cases, the Iraqi Al-Husayn warhead appeared to fly straight on unharmed.  In
one case, there was a fireball as the Iraqi warhead exploded on impact with the

The army claims that the Patriots successfully intercepted 45 of the 47
missiles they tried to shoot down.  But Postol says the tapes show that in some
of these cases, the Patriots missed their targets by at least a kilometer.
Postal measures this distance by comparing the relative motions of the Patriot
fireball, which stays in one place, and the Al-Husayn warhead.

The Patriot had a particularly hard time hitting the Al-Husayn because of
problems with the Iraqi missile.  Iraqi engineers had extended the range of the
Soviet Scud-B missile by lengthening its fuel tanks and making its warhead much
lighter.  The changes made the missile unstable, and caused the Al-Husayn to
flop belly-first as it re-entered the athmosphere, often breaking up in the
process.  the Patriot missile had to distinguish between the Al-Husayn's
warhead and other debris such as the empty fuel tank and tail fins which rained
from from the sky.  In effect, the Iraqi missile released unintended but
effective "decoys" to distract the Patriot, said Postol.  Ther Patriot had its
own problems as well.  One software bug could have directed the Patriot to
attempt to intercept an incoming missile at a point below ground.  In one case
this bug may have caused a Patriot to turn back and dive into the ground.

Postol argues that the effectiveness of the Al-Husayn's unintended decoys shows
how extremely simple factors can frustrate attempts to shoot down ballistics
missiles.  This could teach scepticism when it comes to evaluating the claims
made for missile defence technologies, such as plans for the US Star Wars

Raytheon disputes Postol's conclusions, but has not yet made public a detailed
analysis that would rebut his claims.  Defenders of the Patriot believe the
damage on the ground could have come from falling debris rather than from
detonations of the Iraqi missile's warhead.

  [It is funny how what starts as a great success, turns out less than so, when
  investigated. It also demonstrates that very simple systems can (and do)
  prevent the high technology systems working, as well as showing that
  designers of such systems get a mindset as assumes the opponents have the
  same mindset.  This is not always so...    Lord John - The Programming Peer]

More on the Airbus A320

25 Feb 92 13:55:00 EDT
On National Public Radio's Morning Edition program this AM, one report
concerned the series of crashes that have plagued the Airbus 320.  According to
this report, MOST 320 aircraft have an alarm that informs the pilot that s/he
is flying too low, but France does not require this alarm and so aircraft sold
to and/or operated by French companies do not have this alarm installed.

I don't even qualify as a dabbler in this area, but if I recall correctly, at
least 2 out of 3 crashes, and possibly all 3, involved French aircraft.  Since
they have also been somewhat similar (an apparently _unnoticed_ loss of
altitude), could this help to explain what happened?

If so, this points to a particularly interesting human interface problem --
perhaps the A320 tends to drop faster than other aircraft, but, since there is
no alarm, [some] pilots do not realize what is happening until they're too low
to do anything about it.

Any comments from qualified persons?

Andrew Marchant-Shapiro, Depts of Sociology and Political Science, Union
College, Schenectady NY 12308     518-370-6225     marchana@union.bitnet

Re: Italian crooks let others pay phone bill (Weber, RISKS-13.16)

Tue, 25 Feb 92 11:14 MET
There was a big case in the Netherlands over 5 years ago where they did the
same. The scheme involved renting a mobile phone from the Dutch PTT, copying
the EPROM, transfering the EPROM to a mobile phone which had been stolen, and
then returning the rented phone. This way, as the phone gets re-rented again
to various persons, the bill gets spread out, and it will be less obvious.

BTW, what inferior kind of ATM's do they have in Italy that let you tamper
with the EPROMS inside? Maybe we have some over here in Holland too? :-)

Two Cornell Students Arrested for Spreading Virus

"Peter G. Neumann" <>
Tue, 25 Feb 92 13:12:23 PST
2 Cornell Students Arrested for Spreading Computer Virus
LEE A. DANIELS, N.Y. Times News Service

   Two Cornell University undergraduates were arrested Monday night and charged
with developing and spreading a computer virus that disrupted computers as far
away as California and Japan, Cornell officials said.  M. Stewart Lynn, vice
president for information technologies at the university in Ithaca, N.Y.,
identified the students as David Blumenthal and Mark Pilgrim.  Lynn said that
both Blumenthal, who is in the engineering program, and Pilgrim, in the college
of arts and sciences, were 19-year-old sophomores.  They were arrested Monday
night by Cornell and Ithaca police officers.  Lynn said the students were
arraigned in Ithaca City Court on charges of second-degree computer tampering,
a misdemeanor, and taken to the county jail.  Lynn said authorities believed
that the two were responsible for a computer virus planted in three Macintosh
games on Feb. 14.  [...]
   He identified the games as Obnoxious Tetris, Tetricycle and Ten Tile Puzzle.
The virus may have first appeared in a Stanford University public computer
archive and spread from there through computer users who loaded the games into
their own computers.
   Lynn said officials at Cornell and elsewhere became aware of the virus last
week and quickly developed what he described as ``disinfectant'' software to
eradicate it.  He said officials traced the virus to Cornell last week, but he
would not specify how that was done or what led officials to the two students.
Lynn said he did not yet know how much damage the virus had caused.  ``At
Cornell we absolutely deplore this kind of behavior,'' he said.

   [reference to RTM deleted.]

AP item notes both are being held in the Tompkins County Jail on $10,000 bail.

Re: Proposal for policy on calculator use during exams (Bezenek 13.16)

Tue 25 Feb 1992 20:14 -0500
The long term issues are challenging.  In a very few years, the subtablet-size
portable computer will have replaced the calculator as the issue for exams.
These systems will have a few megabytes (32, 64, 1GB?) of space (between the
paging devices and the primary memory) and a full GUI interface.  They will be
preferable to notepaper (especially the pen or its successors complementing the
keyboard).  Even more so than the current personal computers, these systems
will be an integral part of how people solve problems.  Since they are also the
reference devices, it is unclear what the distinction will be between and open
book exam and a closed book (def: a device for presenting information) exam.

Of course, one can ban them from closed book exams, but that would reduce
closed book exams to an abstract exercise unrelated to actual practice.

The problems become worse when we have the WAN infrastructure so that the
systems have builtin packet radio connections that are an integral part of
their operation.  While we can still have Faraday Cage exams, they too would be
useful for testing the ability to survive without intellectual assists, but
would not test the more important ability to take full advantage of the
technologic infrastructure.

While I sometimes go off the technical deepend in predicting what is going to
happen, I'm already working with the early forms of these technologies so the
issue is one of timing rather than possibility.

Considering that computers have still had little impact on the educational
system, once these systems drop below crucial price points they will rapidly
overwhelm the schools. I'm presuming the appropriate UI's will be available and
that the impediments are mainly economic.

Re: Proposal for policy on calculator use during exams (Bezenek 13.16)

Brinton Cooper <abc@BRL.MIL>
Tue, 25 Feb 92 9:12:19 EST
Todd M. Bezenek KO0N <plains!> communicates his proposed
policy regarding the use of calculators on closed note university exams.  In
brief, he would take possession of a device which he (the proctor) believes to
have been used to violate the intent of closed-note examinations.  He would
have a faculty member judge whether the calculating machine and its memory
content provided an illegal aid to the test-taking student.

I guess he never heard of "due process."  If you try that in universities
supported by public funds, you run the risk of being sued by the student.  His
procedure sets up a couple of faculty as a "kangaroo court" (what does that
mean, anyhow?) to judge whether a student cheated.

High-tech times may call for low-tech solutions.  I simply do not permit the
use of calculating devices on Computer Science examinations and quizzes.  The
reasoning is simple:

  Programmers should be proficient, personally, in computation.

  a. Having to work out a few numerical examples by hand can help budding
     programmers hone their ability to see more than one way to do a

  b. Using this ability can provide "sanity checks" on their software.

  c. Programmers should be able to get the answer even when their batteries
     have run down.

I fear that at least some of the human-induced software faults discussed so
often in this forum can be traced to the lack of computational skill on the
part of the programmer involved.

_Brinton Cooper

Re: Proposal for policy on calculator use during exams (Bezenek 13.16)

Li Gong <>
Wed, 26 Feb 92 14:47:31 EST
In RISKS-13.16 Todd M. Bezenek proposed a policy for dealing with "the use of
calculators on university exams."  His posting "demonstrates the risk of
introducing computing power into the classroom where it may be misused."

Unfortunately, such a policy, short of banning a student from using his/her
*own* calculator, could not beat technology.  For example, it is easy to
imagine a calculator that can be activated only by a (say 10 digit) PIN.
Today's photocopiers can operate in this fashion.  The new trick is to require
periodical input (say every 3 minute) of the PIN.  If PIN is not typed in in
time, the calculator locks itself, and starts scrambling some parts of the
memory (using the PIN as key).  then erase the key from memory afterwards.  To
find any evidence of wrong doings, the memory section in question has to be
examined within 3 minutes.

The basic point is that if a student has his/her own Trusted Computing Base, no
one can beat him/her.  If this is not true, nobody would work in the field of
computer security today.  So ban the calculators, or supply "official" ones
during exams.

Li Gong, ORA Corp, 675 Mass Ave, Cambridge, MA, USA.

Re: Proposal for policy on calculator use during exams (Bezenek 13.16)

Tue, 25 Feb 92 11:16:44 EST
You might want to consider portable computing devices with wireless
communications capabilities (packet, cellular, etc.)!

Jeffrey Siegal

Re: Proposal for policy on calculator use during exams (Bezenek 13.16)

From A to B <>
Wed, 26 Feb 92 17:25:43 GMT
At the risk of starting a lengthy and somewhat off-topic debate, I'd like to
remark that I don't think there's actually any technological risk involved

The "problem" is that calculators with memories enable students to store data
and retrieve it during the exam.  The only reason this is a "problem" at all is
that almost all exams are based around parrot-style repetition of memorized

The solution to the "problem" is to allow all students to take in whatever
reference materials they like.  Then the examination will necessarily have to
be a real test of problem-solving ability rather than a test of the candidate's
ability to regurgitate memorized data.

Of course, the problem then is that ability in examinations might in some
way tally with the candidate's ability to work in real-world situations.

>             The calculating device shall remain in the possession of the
> proctor until the contents of its memory--both vendor supplied and user
> programmed--can be examined.

What exactly are you going to do about the "vendor-supplied" part of the
memory?  Many calculators now have common physical constants stored in their
ROMs; is that unfair to those who aren't allowed to take in a databook?

If so, doesn't that mean that allowing people to take in a calculator which
performs logarithms or statistical functions is unfair to those not allowed to
take in log tables or statistical analysis reference books?

Re: Carpal Syndrome reports rise sharply (Cooper)

Mon, 24 Feb 92 20:32:00 EST
Brint Cooper states that all sufferers from carpal tunnel syndrome that he
knows are cashiers, and that none of the computer folks he knows suffer from
it.  He goes on to wonder if stress may play a role.  I can't answer that
question, but I can state, from both first-hand and second-hand knowledge, that
computer users do indeed suffer from carpal tunnel syndrome.

In my own case, the carpal tunnel syndrome is fairly mild -- but I have bad
problems with tendonitis.  Nor was the orthopedist in any doubt about what
caused my symptoms -- his first question to me was ``do you use a computer
keyboard much?''  He went on to state that most of his patients with tendonitis
of the wrist or elbow, or carpal tunnel syndrome, were heavy computer users.

That aside, I also know of several others who have suffered from both problems,
including at least one who needed surgery.  Psychological stress may contribute
-- but don't discount the purely-mechanical.
                                                   --Steve Bellovin

Re: Carpal Syndrome reports rise sharply

Brinton Cooper <abc@BRL.MIL>
Tue, 25 Feb 92 0:24:28 EST
No, I don't discount the physical causes of carpal syndrome, tendonitis, and
other occupational risks of keyboards.  But I must tell you of my daughter who
had such a case of tendonitis at age 14 that her hand literally locked up at
the (piano) keyboard during a music lesson.  I don't believe I'm violating her
privacy to relate that this was a very stressful time for her for many reasons.
Today, 15 years later, she's got a handle on the stress.  Also, she can and
does play piano for 5-6 hours at a time.  It's necessary; it's how she makes
her living.

Physicians and others who are looking for the connection between computer
keyboards and orthopaedic disease must consider the stress factors.  I'd HATE
to spend 8-9 hours per day keyboarding credit card information for VISA, but
I've often spent that much time and more at keyboards building software, doing
computations, and writing scientific reports.  If we're going to build a
low-risk workplace, we must address *all* the risks, not merely those that are

Carpal Syndrome (Cooper)

Tue, 25 Feb 92 11:14 MET
I know several sufferers of CTS, and all of them are musicians. My mother was
operated on both wrists, and she never had any problems with it any more.
Likewise with the other musicians I know. (Most notedly string players) Here at
wotk also I know of at least one case, in which the sufferer was a programmer.
So also keyboard action can give it you for sure. I am pretty sure that stress
and other psychological factors are involved, but bad muscular techniques are
the no. 1 cause.
                                  --Ralph Moonen

Carpal Syndrome: Is it just psychosomatic? (Cooper)

Jeremy Barth <pubmail!>
Tue, 25 Feb 92 10:34:25 EST
I detect a dangerous elitism in this kind of observation.  The author makes a
sociological generalization based upon a tiny, non-random observational sample
with no controls.  We all tend to do this, but let's recognize that it's sloppy

Just two points (the first about the social categories affected, the second
about cultural anthropology):

1. The syndrome occurs in all kinds of work environments.  In my own personal
sphere, which again is non-representative, two of my friends suffer from the
syndrome.  They're Associated Press reporters in a fancy, white-collar New York
office who work on outmoded, non-ergonomic keyboards that are holdovers from
AP's early computerization efforts.  There's a potentially precedent-setting
class action suit wending its way through the courts involving numerous AP
reporters who report the syndrome.  There are people in their early 30's who
can't do simple things without pain, like raising a full cup of coffee to their

2. If you've studied anthropology, you know how hard it is to "see your own
kind."  All social theorizing has built into it lots of preconceptions we're
only minimally aware of.  Brinton says he's not aware of reports among his
colleagues of CT syndrome; having worked for 2 years in a fast-paced immunology
research lab, I would suggest that many hard-driven people choose to ignore
substantial pain in pursuit of their goals.  (Ever heard about the football
player who had his pinkie cut off, rather than submit to a lengthy course of
surgery, so he wouldn't have to miss 4 weeks of the season?)
                                                              Jeremy Barth

Risks of making judgments about job satisfaction (Helegesen)

Simona Nass <>
Tue, 25 Feb 1992 19:34:31 GMT
Do harp players have low job satisfaction? Are they doing it only for the
money? It's probably inaccurate to say that all cashiers/secretaries/etc. are
unhappy in their jobs. While these exceptions may not entirely refute your
anecdotal evidence, I think a better causal explanation can be found. Even if
most people getting CTS are not satisfied with their jobs, you need something
that explains why those who are satisfied also develop it. Something involving
the type of repetitive movement is probably a more proximate cause of the

I wonder if the low incidence of CTS among your computer lab friends is
explained by the way they type? Do most programmers touch-type using all ten
fingers? Also, how fast do they really type, anyway? I type between 50 and 90,
depending on the keyboard. Someone can manage to type fairly quickly (tho' not
90 wpm) using a few fingers, but the TYPE of repetitive movement is different.
Also, most computer programmers can't type as quickly when they actually have
to compose what they are typing. Some of their time is also spent searching,
scanning the text, compiling, munching M&Ms <tm> ...  :) -S.  -- Disclaimer: I
am not an attorney, though I do have an opinion on everything.
     (    or    {apple,cmcl2}!panix!simona     )

Carpal Risks

Brinton Cooper <abc@BRL.MIL>
Tue, 25 Feb 92 16:25:58 EST
    I didn't expect the reaction that my piece on the relative risks of the
physical act of repetitive keyboarding and of the psychological pressure under
which many keyboard users must work.  Clearly, the risks attributable purely to
repetitive keyboarding, improper terminal and chair adjustments, lack of
breaks, poor lighting, etc overwhelmingly dominate the issue.

    While I remain committed to being alert to the effects of stress, I
yield to the many thoughtful people who wrote to me and spoke, often sadly, of
colleagues and associates who live with chronic pain directly attributable to
such work.  A few have even been ruled permanently disabled.  This is worse
than unfortunate, and I fear I misguided myself on the issue.

Re: Carpal Syndrome reports rise sharply (Cooper)

Wed, 26 Feb 92 08:52:16 +0100
Let me then point out another major group of CTS sufferers who are (at least)
as highly motivated as any hacker: Cyclists. Especially the ones who also do a
lot of keyboard work, but even some who do no keyboard/computer work have been


Having worked in a similar environment without any ill effects, I was more than
dismayed when I started showing the classical symptoms of repetitive motion
syndromes after I transferred to computer support. A period of very informal
empirical studies (I experimented :-), indicated that the culprit was the type
of work, not the system hardware. In essence: Using my SUN workstation as a
word processor to enter large amounts of text (on subjects I find interesting
and stimulating) is very prone to give me various pains and numbness symptoms
in neck, shoulders, arms and hands. Using the same workstation to edit and
debug programs is much less fatiguing. I can easily do programming work for a
full workday without problems. Just a couple of hours of word processing is
enough to give me back all the problems.

I started looking at how I work in these two situations and came to the
conclusion that the difference is quite large. Entering text I type for long
unbroken periods, moving my arms very little. Editing source code (even when
entering it the first time), I move about much more. I use the mouse and/or
cursor keys to go back and correct an indentation; I copy a chunk of code I'm
too lazy to write again; I look at the debugger, resting my chin in my hand
while I try to figure what's wrong; I click the "Step" button and stare in
disbelief as the program takes the wrong branch in a "switch"; I scratch my
head and take a sip of tea. In other words, programming work is much less
(physically) monotonous.

|>   What part does psychological or emotional stress play in the
|>   development of repetitive-motion disorders?

It wouldn't surprise me if the presence of stress hormones in the body
aggreviates the problems but my belief is that the nature of the work is much
more important. And it is possible that I like programming better than
documenting (who doesn't? :-) to the extent where this causes part of the
difference for me. But I don't think this accounts for all of it. If it did,
why would writing articles for UseNet cause similar pains?

 Torsten Lif, Ericsson Telecom AB, EO/ETX/TX/ZD, S-126 25 STOCKHOLM, SWEDEN
 Phone: +46 8 719 4881

(More on) Carpal Syndrome (Cooper)

Wed, 26 Feb 92 15:00:16 GMT
I disagree with the theory. I spend a lot of time *sitting* at a keyboard and
so do many others here. But we don't spend a lot of time bashing keys with our
fingers because we frequently stop to think. I'm sure other computing labs are
the same.  People like us don't come anywhere near the kind of keystrokes an
hour achieved by people doing repetitive keyboarding jobs like copy-typists,
data entry clerks etc. If a job requires some tedious keyboarding, we typically
have the freedom, knowledge and hardware required to automate it. Mostly people
here complain about eyestrain and backache, not carpal tunnel syndrome.

I would also caution Mr Cooper that his theory is liable to misinterpretation
by those who would like to dismiss such injuries as malingering by people who
want to get out of boring jobs.  -- Claire Jones

Please report problems with the web pages to the maintainer