The Risks Digest

The RISKS Digest

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Volume 13 Issue 34

Friday 3 April 1992


o Re: SDI
David Parnas
o Re: NSA and cryptographic software
Steve Bellovin
Fred Cohen
o Risks in nuclear bombs to deflect asteroids
Marvin V. Zelkowitz
o The new Simon & Schuster Royalty Accounting System
Lauren Wiener
o Bad data allowed to enter driver database and used as basis for arrest
Eric Postpischil
o Re: U.S. Dept of Justice Rulings about Keystroke Capturing
Marc Horowitz
Thomas Zmudzinski
o RISKS of patents on software, ideas, etc.
Bob Estell
o Backup over the phones?
Robert Ebert
o Re: Now why didn't I think of that? (Windows 3.1)
James Barrett
o The Machine That Changed the World -- Public TV Series
Jack B. Rochester
o Info on RISKS (comp.risks)

Re: SDI (Newsweek, March 23,1992) (RISKS-13.33)

David Parnas <parnas@qusunt.eng.McMaster.CA>
Thu, 2 Apr 92 16:07:28 EST
When I read that

    "[The] Pentagon disagrees that deploying a space-
    and ground-based defense system poses significant
    technical challenges. The complexity of the software
    required to coordinate Star Wars, for instance, is no
    more daunting than programs that control nuclear
    reactors, it says."

I certainly breathed a sigh of relief.  Having had a look at both types of
programmes, I am comforted by the impression that the Pentagon employee who
stated that opinion had never seen either type of software.
                                                              Dave Parnas

NSA and cryptographic software

Thu, 02 Apr 92 15:52:42 EST
    The NSA and the Software Publishers' Association appear to have
    reached an agreement that would allow some exports of cryptographic
    software, as long as the keys are constrained to be sufficiently
    short.  The net effect is a slight but potentially useful
    improvement over what was previously exportable.

Umm -- according to the NY Times article on the subject, things are
actually a bit murkier.  The details of the algorithm are supposed
to be secret.  (How long that will work is debatable, of course.
In fact, it isn't even particularly debatable; I think we know the
answer.)  Naturally, a number of folks are quite upset about that

    Now that NSA and RSA have come a little closer, we need to
    bring in BSA (the Boy Scouts of America).  Be prepared!
    Imagine, a merit badge for cryptography?

Actually, they do have one.  Or rather, Way Back When, the Cub Scouts had a
something or other in cryptography.  Being innocent of the distinction between
a ``code'' and its key at the time (and for that matter, of the distinction
between a code and a cipher), I persuaded the Powers That Were that I had
fulfilled that requirement *25* times, by coming up with *25* different Caesar
                            --Steve Bellovin

Risks of a national policy against good crypto

Thu, 2 Apr 92 21:56 EST
Just an opinion - I think financial competitiveness is far more important than
not being able to read crypto to the US at this time.

I can purchase an RSA on a smart card from Phillips in the EC, but I cannot
sell a slower RSA for the PC to people in EC.  What this seems to say is that
they can have it, but I can't sell it to them - or in other words - they get
the money from our research!!!

And then there is the old wire tapping thing.  As far as I am concerned, it is
the FBI's business to find a way to read my mail if they care to, but it is not
my job to help them do it.  That's why I use an RSA whenever I want to send
something private.

          Which brings me to the newest development at ASP.  We have decided to
do all further crypto development oversees.  This is because if we do it here,
it's against the law to export it, but if we do it there, we can still import
it and sell it here.  Any such policy, if it is to be effective, must also
restrict import - otherwise, the financial motivations will move all crypto
oversees.  This is of course happening.  Want an example?

          At the 5th virus conference, the people from the EC cheered when they
heard that virus defenses are export controlled.  In my case, my EC competitors
get a 6 week advantage over me in everything they do, because each new version
has to go through paperwork at the US government that takes this long.  As a
result, I have moved my further virus defense development to the EC.  They get
the money in stead of the US getting it, but I get a smaller piece of a bigger
pie, which earns me more money in the long run.

          How long will it be before we give up the little leadership we have
in information protection?  Not long!  All over the EC and in the far east and
in Australia, there are research groups forming at universities for computer
security researchers.  They get funding and tenure, and even publish articles.
In the US, there is lip service, and a few universities offer a course or two,
but you cannot find more than 2 experts at any US university!

          So I think the real risk is that in the name of maintaining national
security, we are giving up our leadership in security!

                    Have a nice day - FC

Risks in nuclear bombs to deflect asteroids

Marvin V. Zelkowitz <mvz@cs.UMD.EDU>
Thu, 2 Apr 92 17:13:01 -0500
I just listened to a local radio station talk show concerning proposals
to use nuclear weapons to change the orbit of asteroids heading towards the
earth, and while the discussion was factual, it poses a long term risk on
science in this country. The discussion was by the radio commentator and a
physicist from a local university. The general tone of the show and the
facts presented were:

1. Neither took the threat very seriously and were very flippant about the
whole process.
2. Rationale for such proposals seemed to be the large number of
(unemployed?) nuclear scientists needing a new threat to work against
since the Soviet threat is disappearing.
3. Congress held a hearing on the potential for such a collision with an
4. NASA held two workshops to discuss this problem.
5. There is a non-zero probability of such a collision actually
6. The last big collision of an asteroid with the earth was about 65
million years ago, anything that large is probably already known, we
will have several near misses first before any collision, giving from
several decades to several centuries advance warning before such a

The risk here (besides the obvious one of having the earth blow up)?
There is a lack of knowledge by the public on risks,
safety, and the costs and tradeoffs of increasing safety (and decreasing
risk), especially given the flippant tone of both radio commentators.
It was probably reasonable for Congress to hold such a hearing
since the potential damage would be catastrophic. It probably was
reasonable for NASA to hold a workshop to discuss the risks of such a
collision and potential solutions. Given the extremely small probability
of such a collision and the high costs of preventing it, the process
should have probably stopped there. However, it is important for the public
(and scientists and Congress, even) to at least study such issues.
The next time some issue like this comes up, there may be a tendency
to dismiss it before there is any scientific discussion of its reality.

-- Marv Zelkowitz, Computer Science, University of Maryland, College Park

the new Simon & Schuster Royalty Accounting System

Lauren Wiener <>
Thu, 02 Apr 92 15:29:18 -0800
I am writing a book about software bugs.  Today I was working on a chapter
featuring development disasters.  The royalty statement for a previous book
arrived.  It is several days late, in a big envelope with a glossy brochure and
a form letter that begins:

"Dear Author:

"We are very pleased to provide you with your royalty statement for the current
period.  This new statement is enhanced in form and content and is the initial
statement generated by the recently implemented Simon & Schuster Royalty
Accounting System."

The letter ends:

"Any major system implementation involves a transition and refinement period.
We anticipate that you may have issues that require attention, and we are
prepared to address your concerns in an expeditious manner.

If you have any questions, please call our Royalty Department toll free

The check is made out to Lauren Carter.  Carter?  From Wiener?
How did they do that?  It's not even close!

I called the toll-free number.  A human -- an agreeable and intelligent one --
is still in the loop at 5:30 P.M. EST.  He promises to straighten it out.
But the first thing he says to me is, "You wouldn't believe how much
they spent on this system!"

Sometimes life is too perfect.

   [Look for Lauren's Trip Report on the panels and invited talks at
   SIGSOFT '91, which is just going to press in the ACM SIGSOFT Software
   Engineering Notes vol 17 no 2, April 1992.  I probably already noted that
   the proceedings of that conference are out as SEN vol 16 no 5, December
   1992.  PGN]

Bad data allowed to enter driver database and used as basis for arrest

Eric Postpischil <>
Thu, 2 Apr 92 05:28:44 PST
Below is the full version of a letter I have sent to various agencies and
representatives in New Hampshire.  In summary, some person was stopped for
traffic violations, and gave a false name and address and no other personal
identification. The violations were unpaid and unchallenged and so were
recorded in the given name without that person's knowledge.  License suspension
proceedings were initiated, but notice was sent to the false address since the
Department of Safety had updated their computer records with the erroneous
information.  Eventually, the innocent person was stopped and arrested for
driving without a license.
                -- edp (Eric Postpischil)

   -   -   -   -   -   -   -   -   -   -   -   -   -   -   -   -   -   -

                          6 Hamlett Drive, Apt. 17
                          Nashua, NH  03062
                          2 April 1992

An open letter to the Department of Safety, police officers, judiciary, and
legislative representatives of New Hampshire

Dear People:

A few months ago, an acquaintance of mine was stopped by a police officer for a
traffic violation.  According to a check of their driving record, their license
had been suspended, so the officer arrested them.  It turns out this person had
been the victim of a fraud, and the Department of Safety, the police, and the
courts made mistakes which compounded the consequences.  The charges have been
dropped and the Department of Safety records partially corrected, but court
records remain in error, and there are lessons to be learned from this
incident.  (I will not name the victim here, but appropriate parties, such as
officials who wish to correct records, can get this information by contacting
the author.)

Fraud occurred on three prior occasions, which the Department, the police, and
the courts failed to catch.  Some person was stopped for traffic violations.
This person apparently did not present any identification to the police officer
who stopped them, but they gave a misspelling of the victim's name as their own
and gave the address of a relative of the victim as their own address.
(According to New Hampshire statutes, a person stopped for a traffic violation
need not have their license with them but is supposed to present their driver's
license at the peace officer's office within 24 hours.)

On three occasions, this person must have failed to present identification
within the allotted time, yet there was apparently no follow-up investigation
by any of the officers involved.  The records of the violations were sent to
the Department of Safety, which accepted them as correct in spite of the fact
that there was no physical evidence at all that the person owning the affected
records was in fact the person at fault.  The Department matched the misspelled
name with that of our victim and updated their database with the new, incorrect
address.  The violations were placed in the victim's records.  Further,
proceedings were begun to suspend the victim's license.

Notices about the violations and the suspension proceedings were sent to the
incorrect address, where it was ignored.  It seems to me to have been unwise to
ignore official letters rather than forward or return them.  I guess that
because they were arriving at the incorrect address, they might have been
presumed to be spurious and unimportant.  Regardless, the fact that they were
ignored is not in any way the fault of the victim.

There are several lessons to be learned.  It is improper to place damaging data
in a person's record when there is no supporting evidence -- no record of
violations should have been placed in the victim's record nor should any court
have made a finding of guilt until there were actual physical evidence.  There
was no driver's license, no signature, no fingerprint, no match of vehicle
records, no photograph, and no witness who knew the person.  Even the police
officers who made the stops could testify only that the person said they were
the victim, not that they actually were.  As a society, we must recognize that
if we rely on databases to provide important information, then we are assuming
a great risk if incorrect data enters the database.  There must be rigid
controls to allow only accurate information into the database.  Without these
controls, the database cannot be considered accurate, and it is wrong to rely
on it.  An insecure database is not a proper basis for making arrests or
otherwise penalizing human beings.

Another lesson is that the Department and police officers should be wary of
fraud.  When a person fails to present proper identification within the
allotted 24 hours, this must be followed up by investigation.  It must not be
followed up by mechanically completing the paperwork to record a violation.
Justice requires evidence and due process, and mechanical processing of
violations provides neither to our citizens.  Further, when a person fails to
present identification during a traffic stop, the officer should secure some
other evidence of their identity, perhaps by taking a photograph for later

Finally, there is a lesson to be learned about database records and privacy.
Although the Department of Safety keeps these records, we should not consider
the Department to be the owner of the records.  Each record is owned by the
person whose record it is, and the owner has a right to know what is in the
record and when changes are made.  The owner has a right to control their
record to ensure that it is accurate.  In this incident, the Department
accepted a change to the records without checking with the owner to verify the
change.  This is like a bank allowing anybody to walk in and sign a new
signature card for your account and then letting the person withdraw funds from
your account.  That is a serious flaw.  Whenever any change is made to a
person's record, the Department should send a complete notice to that person.
When the change includes an address change, the notice should be sent to the
former address.

I would also like to add that I am appalled that any court, magistrate, or
other judiciary official would make a finding of fault against a person not
only without evidence but also without properly serving notice to that person
at their true address.  Such administration of traffic laws is a travesty that
subverts basic principles of justice in this country.

There is one good note.  After the arrest, a letter was sent to the Department
of Safety requesting correction of the mistakes.  The Department responded
extremely quickly -- by phone the day after the letter was placed in the mail.
This is typical of the wonderful service the Department usually provides; they
are to be commended for doing an excellent job on the whole.  I only hope the
Department can provide the same quality of service in preventing mistakes like
this from happening in the first place.

On the other hand, the Attorney General's office has not acted so responsibly.
The victim has managed to identify the guilty person and locate a witness to
the fraud, yet the Attorney General's office has refused to become involved.


I call upon the Department of Safety to rectify its record-keeping procedures
so that records cannot be altered without the knowledge of their owner and that
incorrect information is detected.

I call upon police officers to be wary of fraud, to follow up with
investigation when identification is not presented, and to regard their
statements on official documents and to courts as testimony.  On this latter
point, observe that a police officer who has not examined identification cannot
truthfully testify that they witnessed a certain person committing a traffic
offense.  The most they can testify to is that they witnessed somebody claiming
to be a certain person committing an offense, and this distinction should be
made clear in all official documents and court testimony.

I call upon judiciary officials not to make any finding of fault unless there
is physical evidence and to ensure that the rights of our citizens to due
process and to confront their accusers are fully protected.  In particular, no
judiciary official should accept the presentation of a summons to an
unidentified person as proper service of a summons.

I call upon the elected representatives of our citizens to ensure that the
above tasks are accomplished.  This state and this country are sorely lacking
in data protection laws.  Every day, citizens become further bogged down in a
morass of databases containing information about them they cannot examine,
control, or correct.  People are steadily losing the ability to control their
own lives.

You, our representatives, must fix this.  You must protect people from
wrongdoing by faceless bureaucratic machinations, and you must ride herd on the
enforcement and judiciary branches of our government to ensure that our rights
to due process and fair trials are protected.

                    Eric Postpischil

Re: U.S. Dept of Justice Rulings about Keystroke Capturing

Marc Horowitz <marc@MIT.EDU>
Thu, 02 Apr 92 12:24:18 EST
<>     Unfortunately, correct.  The situation is roughly analogous to having
<> to post signs saying that there are TV cameras monitoring your condo.

I must be misunderstanding you.  The building I'm in (the student center at
MIT) has a bank branch and a grocery store.  Both have cameras, and neither
have signs announcing them, I just checked.  Neither conceal their cameras.  Is
a condo special?

<>     Very true.  For example, an "alleged penetrator" (prosecuting attorneys
<> prefer to avoid the H(acker) word as "too warm and fuzzy") was monitored
<> while committing (what I'd consider to be) electronic breaking and entry.
<> He got off because he hadn't been warned that he was being monitored.

So, if someone breaks into my house, and I managed to follow him around, and
watch him steal stuff, is that information not admissible in court because I
never tapped him on the shoulder and said "don't mind me, I'm just watching
you"?  Should I have a sign on my apartment announcing that "By entering these
premises, you consent to the possibility that the owner might actually watch
you and file charges if you are breaking and entering."?

In-Re: Re: U.S. Dept of Justice Rulings about Keystroke Capturing

"zmudzinski, thomas" <ZMUDZINSKIT@UVAX6.DISA.MIL>
2 Apr 92 15:22:00 EST
      D E F E N S E   I N F O R M A T I O N   S Y S T E M S   A G E N C Y

                                        Dept:     DNSO/DISM
                                        Tel No:   703 285 5459  (DSN) 356

Subject: In-Re: Re: U.S. Dept of Justice Rulings about Keystroke Captu

Apparently my dry wit was a tad too desiccated, sorry.  Condos _do_ have some
special laws (a condo fee isn't rent nor is it a mortgage payment), but
surveillance isn't one of them.

I was giving a deliberately absurd, but all too real, example.  There _ARE_
legal requirements relative to surveillance; what depends on where you are and
what/who you're "surveillancing" (if "there ain't no word that can't be
verbed", then such verbs can certainly be gerunded, right?).

Here, you may have a vacation-behind-bars-ish requirement to post
such a sign; there, there may be no LEGAL requirement, but you post
a warning to get a better return on your effort and scare off the
badguys; (and everywhere, the Communication Cops want to get into
your knickers?).

> So, if someone breaks into my house, and I managed to follow him ...

If you do as you said, it's your word against his, and assuming he left no
physical evidence, I doubt that you'd even get the case to court.  Of course,
if you made the alleged burglar so nervous that he tripped on the throw-rug,
_YOU_ could be prosecuted under the anti-"deathtrap" laws.  (You did know that
you can't leave a deadfall inside your doorway, didn't you?)  By the way, I
wrote "prosecuted", not "convicted", but the way that juries are "instructed"
these days, I wouldn't rule it out.

> Should I have a sign on my apartment ...  >

Given the current crazy state of our laws, it wouldn't hurt.  Let me point out
that I didn't write this mess!

RISKS of patents on software, ideas, etc.

2 Apr 92 16:02:00 PST
I guess I'm getting cranky in my old age (54).  But I grow weary of the
energetic youngsters (regardless of age) who want to patent every new
toy - even if it ain't new!  Like "...the first ever machine independent
benchmarks..." hyped in one computer magazine; turned out they were
NOT comparable between PC's and Mac's, nor DOS and UNIX-like hosts;
i.e., one could not compare results, to help in a purchase decision.
NOW *that's* REAL independence!  (Not to mention that I was doing
machine independent benchmarks in 1967-68.)

Apple's claims about "look and feel" of the icon/mouse interface should
be faced down, in federal court, by a consortium of IBM, AT&T, H-P, etc.
who graciously concede the icon/mouse interface to Apple - IF (and only
if) Apple will abandon the keyboard and command line interface, on the
ground that the plaintifs (IBM et al) got there first.

Imagine using any computer, without a keyboard, and without command lines,
even short ones - like single characters.  Pretty tough.

Now, I'm not picking on Apple.  (I use a Mac II.)  It's just that their "look
and feel" suit has gotten more press than most others.  Squelching it once and
for all might make other frivolous suits more rare.

Backup over the phones?

Thu, 2 Apr 1992 11:07:48 PST
Excerpted from TidBITS#114/01-Apr-92, source: BackData,

   [Discussion of problems with existing backup systems deleted.  People
   either don't do them or don't do them well.]

   So the BackData guys realized that the best possible option is for
   all the data on your hard disk to be backed up automatically at
   night to another physical place. Short of hiring elves, the only
   way to do this is via modem, but with some of the current high-
   speed modems and sophisticated pieces of software out there, they
   figured that it would be possible with a bunch of Macs and a lot
   of storage devices.

   ....In terms of software, you just need AppleTalk Remote Access and
   Retrospect 1.3, which can back up any volume mounted on its desktop.

   I haven't tried this yet, but the theory is that at some point in
   the middle of the night one of their backup Macs calls your Mac
   (which had better be on). A simple macro ensures that all your
   volumes are mounted read-only on their systems, and then
   Retrospect goes to work, backing up only the files that have
   changed according to specific selectors that you set up
   previously. This allows you to avoid backing up your System file
   all the time, even though it will almost always be marked as
   modified whether or not you've added any fonts or sounds. Once the
   backup is done, another macro copies the catalog file to your hard
   disk (so you can see what was backed up), dismounts your volumes,
   and disconnects the modems to finish the process.

   Retrieval is a slightly stickier issue. Essentially, the process
   works in reverse, with one important exception. You call them and
   make sure your DAT tape is in the drive of a Mac at a certain
   phone number. After your Mac calls the storage Mac, you then run
   Retrospect over the remote connection....

   I expressed some doubt about the reliability of cobbling together
   these off-the-shelf programs, and the BackData folks admitted that
   they're in the process of writing several dedicated programs that
   will automate the process much more cleanly, one for DOS and one
   for the Mac. Their programs didn't sound as though they'd be as
   flexible as Retrospect, but would work much more cleanly over the
   phone lines, especially with restoring data. Interesting concept
   this, and one which could eventually go national with an 800
   number. It's basically a form of insurance, but one which could
   save a lot of important data in the event of disaster.

   [Summary of costs deleted.  Initial startup fee (includes hardware)
   and hourly connect fee during backups.]

The risks are numerous.  Among them:  granting "late night" dial-in access to
home and office PC file systems, physical and electronic security at the remote
site, authorization for backup restores, and backup data being held by a
commercial company that lives on profits and is vulnerable to bankruptcy or
hostile takeover.
            --Bob  (

Re: Now why didn't I think of that? (Windows 3.1)

James Barrett <>
Thu, 2 Apr 1992 06:42:54 GMT
Also, Windows 3.1 has been touted as "eliminates UAEs!!!"  Of course,
it does this by renaming them to be something else...

James C. Barrett (
Georgia Tech College of Computing

Public TV Series

"Jack B. Rochester" <>
Fri, 3 Apr 92 15:43 GMT
I saw Bob Frankston at the coming-out party for PBS's new series, "The Machine
that Changed the World" that begins next Monday, and we both thought you should
consider posting it to the Risks Forum.  Perhaps it is risky not to see how our
industry is being popularized for the mass media.  In any event, credit for the
following -- this was passed on to me by my brother, who works at DEC.  P.S.
Another risk: the title of the series is the same as that of a recent book
about the _auto_.


The Machine That Changed The World

On Monday evening, April 6, 1992 at 9:00 PM EST, and on successive Mondays
until May 4, PBS will present "The Machine that Changed the World," 5 programs
on the history of the electronic computer and its impact on society.

Produced by WGBH Boston (makers of NOVA) and the BBC, and with major funding
provided by ACM and Unisys, the series highlights the fifty year revolution in
computing and information technology -- a revolution that is still going on.

Beginning with World War II research and the ENIAC, which was co-invented by
J. Presper Eckert and the late John Mauchly (a founder of ACM). "The Machine
that Changed the World" follows the unpredictable course of information
technology from the room sized data processing centers of the 1960's to desktop
personal computers of the 1980's to virtual reality of the 1990's, describing
events that have altered society in profound and totally unexpected ways.

Check your local PBS listings for broadcast times on the
following Monday evenings:

o April 6 - "Giant Brains", covers the wartime events that led to the 1946
debut of ENIAC, the world's first general purpose electronic computer.

o April 13 - "Inventing the Future", examines how the computer rose from
obscurity to become the engine that powers business throughout the world.

o April 20 - "The Paperback Computer", explores how computers became small,
affordable and easy to use.

o April 27 - "The Thinking Machine", focuses on the most ambitious goal of all
- creating a computer that will vie with humans in intelligence.

o May 4 - "The World at Your Fingertips" looks at the social revolution wrought
by computers - and the price we pay.

Please report problems with the web pages to the maintainer