The Risks Digest

The RISKS Digest

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Volume 13 Issue 58

Monday 15 June 1992

Contents

o SoundWars: SW Sabotage, Creative Technology vs. Media Vision
PGN
o FBI raid on bulletin board
Gary Chapman
o NY TIMES MAGAZINE story on defects in personal computer software
Jon Jacky
o Computer system refuses large deposit
Richard Frantz Jr.
o Delivery Failure in a Paging System
William Griswold
o Update on vote-by-telephone disaster in Nova Scotia
Daniel MacKay
o Risks of not foreseeing supplement and maintenance funds
Geraldo Xexeo
o Re: Follow-up to dead driver
Michael Favor
o Re: Where on earth are you?
Scott Traurig
o Re: Car computer downloading
Bruce Oneel
o Re: Perot computers cracked
Steve Bellovin
Joe Morris
o Product risks (Re: Parnas, Girl killed in automatic window)
Bergtor Skulason
o Online Symposium: Visions for a Sustainable World Pugwash Conference
Jeffrey Porten
o Info on RISKS (comp.risks)

SoundWars: SW Sabotage, Creative Technology vs. Media Vision

"Peter G. Neumann" <neumann@csl.sri.com>
Fri, 12 Jun 92 10:07:17 PDT
Creative Technology makes Sound Blaster, a sound board used by IBM compatibles
to create game noises and other sound effects.  Media Vision, Inc. develops
computer peripherals and also makes a competing Thunder Board, designed to be
compatible with software commonly used with Sound Blaster.  However, a new
release of a developer's software apparently works fine with Sound Blaster, but
not with Thunder Board.  Media Vision claims Creative Technology inserted a
crash code that disables Media Vision's product, and has sued them for
restraint of trade, unfair competition, and monopolization.  (Media Vision was
sued LAST MONTH by Creative Technology for violation of copyrights.)  [Source:
Article by Pamela Burdman, San Francisco Chronicle, 12 June 1992, p.B1]

      [Sounds like the Suit-of-the-Month Club.  Everyone seems to be joining.
      By the way, your media vision of RISKS is going to be creatively and
      technologically sporadic for a while as we observe Summer Slowdown Time.
      New subscribers should not be surprised if the traffic is light.  PGN]


FBI raid on bulletin board

Gary Chapman <chapman@silver.lcs.mit.edu>
Thu, 11 Jun 92 10:30:37 -0400
Summarized from *The Boston Globe*, June 11, 1992, page 39:

The FBI raided the home of a computer bulletin board operator in Millbury,
Massachusetts, yesterday, confiscating "several" computers, six modems, and a
piece of equipment called "PC Board," which the FBI said was used to run the
bulletin board system.  The Software Publishers' Association brought the
bulletin board to the FBI's attention, claiming that the system, called "Davy
Jones' Locker," contained pirated copies of copyrighted software that users
were encouraged to download.  SPA claimed that there were over 200 different
programs on the system, and users who uploaded copies of copyrighted software
got free log-on time as a bonus.  The alleged operator of the bulletin board,
Richard Kenadek, was not arrested.  The FBI would not comment on the case.

An SPA spokesperson said that the system had nearly 400 subscribers paying $49
for three months or $99 for a year to gain access to downloadable copies of
Lotus 1-2-3, Microsoft Word, and other programs.  SPA estimated that the system
distributed $675,000 worth of software since March of this year.

Sanford Sherizen, a computer security specialist in Natick, was quoted as
saying, "We're making legal history here," because this case is apparently the
first time federal authorities have gone after a bulletin board system for
violations of copyright law.

The SPA representative said that the organization runs a telephone hotline for
reports on bulletin boards offering downloadable copyrighted software, and they
get "at least ten calls a day."  SPA takes action against about two bulletin
boards a week, usually with the threat of a lawsuit.

Gary Chapman, Coordinator, The 21st Century Project, Computer Professionals for
Social Responsibility,  Cambridge, Massachusetts chapman@lcs.mit.edu


NY TIMES MAGAZINE story on defects in personal computer software

Jon Jacky <JON@gaffer.radonc.washington.edu>
Mon, 15 Jun 1992 9:11:47 -0700 (PDT)
This week's Sunday New York Times Magazine has a story by James Gleick,
"Chasing bugs in the electronic village," (June 14, 1992, p. 38 ff).  It
describes users' experiences with the Microsoft Word for Windows product, as
reported in a Compuserve forum and at user's group meetings.  Gleick reports
that, through several successive product versions, the vendor did not fix
defects that were reported by many users and claimed the product included
features that were incompletely and incorrectly implemented.  Gleick also says
these problems were not much reported in reviews in the trade magazines, even
though they were widely known in the user community.

- Jon Jacky, Radiation Oncology RC-08, University of Washington, Seattle 98195


Computer system refuses large deposit

"Richard Frantz Jr." <72570.2264@compuserve.com>
14 Jun 92 06:57:14 EDT
   A branch bank officer told me that they had to refuse to accept
deposit of a check for $200,000 because the software, used by several
banks in the area, couldn't handle more than $99,999.99 in the deposit
field.  She insisted it was a computer error even though I tried to
explain it was a specification error.

        Richard Frantz Jr.


Delivery Failure in a Paging System

William Griswold <wgg@cs.UCSD.EDU>
Mon, 15 Jun 92 16:32:19 PDT
I have a friend who is a clinical psychologist specializing in crisis
counseling.  Last weekend one of her patients was in an auto accident and
called the counseling center hotline to ask for my friend.  The patient's
record indicated that her behavior could be self-destructive under stress.
Following clinic procedure, the clinic (1) paged my friend.  After a 10 minute
wait for a call back they (2) paged her again.  After another 10 minutes they
(3) called her home, reaching her immediately.  Her pager had been on and the
batteries were fine, but it had not received the page.  Anyway, my friend
immediately called the patient to discover that she had taken a large dose of
pills perhaps 30 minutes earlier.  An ambulance was called and the woman was
(barely) saved.

My friend's reaction to this failure was to update the patient's record
specifying special handling procedures in the case of a crisis call.  She
rather blithely accepted the paging system failure and said that it happens all
the time: phantom pages, missed pages, etc.  Some of these are due to keying
errors by the caller, others are due to environmental conditions blocking the
radio signal.  This incident is likely neither; two pages were made and my
friend has never missed a page at home before.

Here are my questions:

    1) What are the failure modes of pager systems?  For example:
       Can the system detect that a page is not getting through?
       What range of causes are there for a failed page?
       Can the person initiating the page be notified of failure?

    2) What responsibilities does a paging service have to inform
       its users of failures as soon as it can detect them?  What
       responsibility does it have to inform its users of recent
       failure rates?

BTW, The location of this incident was not in a metropolitan area.  This means,
apparently, that this paging service has a monopoly.

Bill Griswold, University of California, San Diego
Dept. of Computer Science and Engr.     wgg@cs.ucsd.edu


Update on vote-by-telephone disaster in Nova Scotia (RISKS-13.56)

Daniel MacKay <daniel@nstn.ns.ca>
Mon, 15 Jun 92 10:27:45 ADT
This is a follow-up on the huge local vote-by-phone fiasco.  In RISKS-13.56 I
wrote about the vote-by-phone system contracted from the telco by the Liberal
Party for their leadership convention, following Murphy's Law.

On June 8th, the telco held meetings with the Liberal Party, and with the
media.  As always, there's a little second guessing to do about what the
press releases mean.  Here's what they *say*:

 - The system was composted of two software packages which had never
   been tested together at high call volume.  ``All I can say, is it never
   occurred to anybody in my staff, and it never occurred to me.'' said
   Colin Lantham, the vice-president of business services for Maritime Tel
   and Tel.

 - The first part of the system [presumably the touchtone answering
   /selection system] was capable of handling 78,000 calls an hour.

 - The second part of the system, "set up to receive the caller's 8-digit
   PIN" proved much slower.  [I'd guess that this was the interface to
   the databases that kept track of votes and who had voted. -dm]

The *first* part of the system had a dead-session detection function, to keep
people from tying up phone lines.  However, when the second part of the system
started to slow down [transactions queued up?  -dm] the first module hung up
before the second part issued an acknowledgement.

Also, the telco says when voting was restarted, ``some rogue information stayed
in the system, causing some voters to be rejected.'' [They didn't reset the
who-had-voted list, perhaps?  -dm].  On the day of the fiasco, the telco
initially blamed the problem on a missing line of code in the software, but
they say now that that was a mistake.  The problem of people being able to vote
twice hasn't been mentioned.

The telco says the Liberal Party won't be charged for the services rendered on
Saturday.  [Like the power utility burning down your house with a million volts
by accident, and saying ``Don't worry, you won't be billed for the
electricity.'' -dm]

150 telco employees were recruited to test the system, [compared to 8000 voters
in the real system!  -dm] on Thursday the 11th, and it apparently worked.  The
telco reduced the number of incoming lines to cut down on system load.

The Liberal Party has decided to have another go at the vote-by-telephone
system in a few days, but there won't be another convention.  The telco will be
posting a 350,000$Cdn performance bond on the system, and there will be a
paper-ballot backup system on hand.

Sme candidates have asked the telco for partial reimbursements of their campain
costs on the basis that disclosure of the numbers (leaked via the kid with the
scanner listening to the cellular conversations) have destroyed their chances
of winning.  The telco claims that the numbers leaked (numbers of calls
recorded to each of the candidate's phone number) bear no relationship to the
number of votes that had been collected or would have been collected.

Daniel MacKay, NOC Manager, NSTN Operations Centre, Dalhousie University,
Halifax, Nova Scotia, Canada 902-494-NSTN               daniel@nstn.ns.ca


Risks of not foreseeing supplement and maintenance funds

Geraldo Xexeo <xexeo@dxlaa.cern.ch>
Thu, 11 Jun 1992 13:58:21 GMT
I was very impressed by Mr. Shannon's message of a $150 printer hanging up a
$0.5M VAXcluster (RISKS-13.57).  Meanwhile, it reminded me a common "hang-up"
problem we have in my institution (Federal University of Rio de Janeiro -
Brazil).

It's reasonably easy for us to get money to buy hardware; actually, we have an
ever-growing Sun and IBM-PC network.  But, it is difficult to get money to buy
supplements. This means that we are usually working under bad conditions,
because of:

  1. lack of paper or toner for our printers
  2. lack of tapes to do backup
  3. lack of maintenance contracts, due to lack of funds, etc...

It can be a third-world problem, but it is really a risk to invest in an
expensive system if you cannot afford its maintenance.  It can happen that the
cheapest choice turns to be just wasted money.

Geraldo Xexeo, CERN - PPE Division, 1211 Geneve 23, Switzerland
xexeo@dxlaa.cern.ch   gxexeo@cernvm.bitnet  FAX: (41) (22) 785 - 0207


Re: Follow-up to dead driver (Berman, RISKS-13.57)

Michael Favor <favor@ecst.csuchico.edu>
Wed, 10 Jun 92 19:40:08 pdt
How can Howard Yerusalim, State Secretary of Transportation, miss the point so
completely while claiming to offer us the "rest of the story"?  He accepts the
fact that an anonymous driver was killed in a car accident while in possesion
of Mr. Smith's stolen driver's license, yet completely ignores Mr. Smith's
claim that the anonymous driver was also responsible for the traffic violations
which caused the license to be suspensed.

I am not comforted by Mr. Yerusalim claims that State Law prohibits him from
from disclosing details of an individual's driving record, when he then accuses
Mr. Smith of vague and sweeping "disregard for state traffic safety laws" in a
public newspaper.  If Mr. Smith is cleared by the police investigation, will he
sue the state for lost wages, related damages, and slander?  It might help
motivate Pennsylvania to correct the situation.

Perhaps some RISKS readers know what procedures are used by other state
transportation departments to prevent similar situations, or could this happen
to you?
                          Michael Favor, favor@csuchico.edu


Re: Where on earth are you? (Richard Murnane, RISKS-13.57)

Scott Traurig <traurig@ncavax.decnet.lockheed.com>
Thu, 11 Jun 92 08:54:24 EDT
> I'm very suprised that the Coast Guard could have been caught out by this: It
> suggests that the "decimal minutes" representation is non-intuitive, or at
> least counter to the way most "non-mariner" people (e.g. the radio amateurs
> providing voice relays) have been educated to read geographical coordinates.
> (Or, perhaps, there are two different readout systems currently in use?)

    Having raced "the big boats" for 9 years or so now, primarily as navigator,
I may be able to supply a little background information here.  With the advent
of reliable and relatively inexpensive Loran navigational equipment, decimal
minutes has become a very popular "readout system" for displaying position.

    Most, if not all, units allow the user to select either degrees-minutes-
seconds or degrees-minutes-decimal minutes for display.  Most users opt for the
decimal minutes display.  It is usually easier to plot to the nearest tenth of
a minute, it is usually sufficient accuracy (approx. 200 yards - depends on
latitude), and Loran isn't much more accurate than that for absolute position
anyway.  I do because all of my racing marks have been measured and listed in
this manner by the local racing association, probably because of the above
reasons.  GPS units provide increased accuracy, of course, but 200 yards is
usually plenty close most of the time.  It is not unusual for a powerboat with
a Loran or GPS coupled autopilot to collide with the buoy selected as a
waypoint by an inattentive skipper.

    I am also surprised that the Coast Guard couldn't figure it out.  At the
very least, the previous day's position would make it obvious, and the leading
zero would make me suspicious.
                                 Scott (traurig@ncavax.decnet.lockheed.com)


Re: Car computer downloading (Sidebotham, RISKS-13.57)

Bruce Oneel <oneel@arupa.gsfc.nasa.gov>
Thu, 11 Jun 92 11:09:07 EDT
>As a sidenote, when you check in for Saturn service, your car's history is also
>uploaded to Saturn HQ. Every engine stall, my salesman told me, is recorded, as
>is the entire service history for each vehicle.

Hmm, how 'bout every engine overspeed (or overrev)?  Or, since I suspect the
engine knows what gear the transmission is in, how 'bout %time over 65mph?  I
can see it now.  "I'm sorry, Mr Foo, but we show that you drive this car
outside of it's limits.  We can't do any warranty sevice because of this"

When engine computers were newer, I read in Car and Driver that Cadillac's new
engine computer would record overspeeds.  The person they were talking to
implied that this might be used later if you reported engine problems.

Bruce O'Neel, NASA/GSFC/STX/Code 664           oneel@heasfs.gsfc.nasa.gov


Re: Perot computers cracked

Steve Bellovin <smb@ulysses.att.com>
Wed, 10 Jun 92 20:31:32 EDT
There were actually several reassuring things about the Perot incident,
especially as per the full AP story.  First, of course, they did have backups.
Not only that, the backups were stored off-site.  Second, the spokesperson said
that they didn't store sensitive information on that machine, because too many
people had access to it.  Finally, he implied that the level of computer
security wasn't that high, precisely because anyone, from anyone else's
campaign, could have walked in off the street and achieved a position of trust.
In other words, don't worry about your technical security measures if your
other protections, including personnel screening, don't match up.  Security is
as strong as the weakest link, not the strongest.
                                                    --Steve Bellovin


Re: Perot Computers Hacked (Hunter, RISKS 13.57)

Joe Morris <jcmorris@mwunix.mitre.org>
Thu, 11 Jun 92 11:19:21 -0400
One of the local radio stations broadcasting the report of this incident noted
that the Perot office had been staffed over the weekend with untrained *and
unsupervised* volunteers.  The broadcast drew no conclusions from this
statement, but it strongly suggests that the problem may have the result of an
innocent mistake in a poorly organized activity.

While it may in fact be somebody's deliberate attempt at sabotage, I'm more
inclined at this point to agree with the old adage that one should not ascribe
to malice anything which can be explained by simple stupidity.  (On the other
hand, this *is* a political environment, in which most rules are stood on their
heads...)
                 Joe Morris
                                  [There was also a related comment from Bill
                                  Bauserman, william.d.bauserman@gte.sprint.com]


Product risks (Re: Parnas, Girl killed in automatic car window)

Bergtor Skulason <bergtor@ifi.uio.no>
Mon, 15 Jun 1992 15:13:25 +0200
In RISK Volume 13 Issue 55, David Parnas writes:
> Isn't it just like our technocratic society to react to such an accident,
> caused by a completely unnecessary luxury becoming too complex, by making it
> even more complex? Wouldn't the simpler solution be to ban automatic windows

Integrating new technology into society is never painless. There is constant
conflict between pressure for new technology (or new features) and need for
stability. New technology causes changes no one can foresee, even less control.
There is no easy solution. Public debate involving specialists, interest groups
and lay people, and economic pressure on those "responsible" seems to be the
least bad way of "controlling" technology.

Banning products usually harms the consumer more than protects him.  Banning
specific products or features can be feasible in clear cut cases, but cases
usually are not clear cut. If they are, we usually have a case for product
liability not a ban. Value of products can never be stated objectively. Its
always relevant to a person or a group. What is useless to some does have value
for others. (Very few things, if any, can be shown to have objective value
independent of a person or a group).

Complex regulations on safety usually lead to more complex products, that are
more expensive and more error prone. And worse it releases producers from
responsibility, because they can refer to the regulations.

There is a conflict between goverment intervention and freedom. To much or too
little harms the public, not the producers. Through public debate and by
placing (economic) responsibility were its possible, pressure can be built to
increase product quality and safety. Under pressure products become simpler and
safer, and their price reflects the producers risk of producing, because he can
not put that risk anywhere else.

Private replies to: B. Skulason,   Univ. of Iceland,   beggi@rhi.hi.is


Online Symposium: Visions for a Sustainable World Pugwash Conference

Jeffrey Porten <porten@eniac.seas.upenn.edu>
14 Jun 92 04:58:45 GMT
                   CALL FOR PARTICIPATION VIA ELECTRONIC MAIL

               STUDENT PUGWASH USA SEVENTH BIENNIAL CONFERENCE ON
                 SCIENCE, TECHNOLOGY, AND SOCIAL RESPONSIBILITY

                        VISIONS FOR A SUSTAINABLE WORLD
                      Emory University, Atlanta, Georgia
                               June 14-20, 1992

The Student Pugwash USA Biennial Conference assembles ninety students from
around the world for a week-long conference to address the impact of science
and technology on society.  The students will join accomplished men and women
from science, government, industry, and academe for an intensive week of
discussion  and interaction focusing on the following issues:

- Environmental Challenges for Developing Countries
- Energy Options: Their Social and Environmental Impact
- Health Care in Developing Countries
- Changing Dynamics of Peace and Global Security
- Educating for the Socially Responsible Use of Technology
- Ethics and the Use of Genetic Information

We are inviting all members of the e-mail community to take part in an
online symposium discussing the topics at the conference.  Each day, a
summary of the plenary and working group discussions will be mailed out
as soon as possible following their completion.  Participants in the online
symposium are invited to send back their replies, commenting on what you
receive.  Copies will be redistributed back through electronic mail, and
printed and used at the conference.  Of course, you're welcome to sign up
for the mailings even if you won't have the time to participate.

If you are interested in participating, send e-mail to
porten@eniac.seas.upenn.edu.  You will be sent more information about
Student Pugwash USA, and will receive all conference summaries.  Feel
free to subscribe anytime during the conference, or even after it's
over, as all messages will be archived and can be sent out at any time.
Please include in your message your full name; we would also appreciate
if you include your current occupation (or student affiliation), and your
city, state, and country, but this is optional.

You can also call the Student Pugwash electronic bulletin board at
215/898-2019, for more information about Student Pugwash, and to participate
in ongoing discussion about the impact of science and technology on society.
Feel free to write me, as well, if you have any specific questions.

Student Pugwash USA is a non-partisan, non-profit organization with chapters
at 35 colleges and high schools across the country.  Sister Student/Young
Pugwash organizations exist in 20 countries on four continents.  For more
information, reply to this message at porten@eniac.seas.upenn.edu.

More information about the conference follows.

For each of the listed topics, student and senior participants form small
working groups in which they will meet every morning throughout the conference
week to discuss areas of mutual interest and expertise.  These intensive
discussions offer an invaluable opportunity for students to explore the
ethical and value questions posed by advances in science and technology with
forward-thinking professionals.

Senior Participants will be present from the U.S. Congress, National
Institutes of Health, National Academy of Sciences, Carter Center, Centers
for Disease Control, Brookings Institution, Emory University, and many
other prominent institutions.  Several special events will also be held,
including a day at the Carter Presidential Center in Atlanta and an
interactive, multi-media World Game Workshop.

The separate working group meetings are complemented by afternoon and evening
plenary sessions for the full conference.  Plenaries will address issues which
cut across disciplinary boundaries such as ethical conduct in scientific
research, race and gender in science, technology and global responsibility,
and religion and science.

Student Pugwash USA is committed to representing a broad spectrum of
political,international, and disciplinary perspectives.  Previous conferences
have attracted participants from over thirty nations.  We are striving for even
greater international, intergenerational, and interdisciplinary representation
at the 1992 conference.

Jeff Porten, Annenberg School for Communication, UPenn
Graduate Group in American Civilization, UPenn

Please report problems with the web pages to the maintainer

Top