The Risks Digest

The RISKS Digest

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Volume 13 Issue 62

Saturday 4 July 1992


o Emergency system fails — Risks of firing employees?
Jim Griffith
o Nutrasweet Telephone Sweepstakes
Ranjit Bhatnagar
o Risk of Assuming an Int will do
Russell Aminzade
o Students cheated BT to win computerised phone contest
Philip Hazel
o Computer-literate children find porn
Andrew Shapiro
o UK ATMs - legal challenge
Antony Upward
o CPSR Challenges Virginia SSN Practice
David Sobel
o Are Humans Always Responsible for Computer Errors?
Peter Danielson
o Fokker F.100 incident
Robert Dorsett
o Another Fokker F.100 incident
Olivier Plaut
o Info on RISKS (comp.risks)

Emergency system fails — Risks of firing employees?

Jim Griffith <>
Wed, 1 Jul 92 23:10:30 PDT
Oakland station KTVU news reported that a Richmond refinery's emergency
notification system was sabotaged by a disgruntled ex-employee, and the damage
wasn't discovered until a leak caused the refinery officials to attempt to use
it.  Unfortunately, I didn't catch any names, but the gist of the story is that
this refinery has a system in place which automatically dials nearby residents
when accidents occur and informs them of emergency procedures that should be
followed.  Specifically, a recent leak caused them to activate the system in an
attempt to warn residents to remain indoors for the duration.  However, the
system failed to operate.  A subsequent investigation discovered that a former
programmer who had been fired had sabotaged the system in revenge prior to

Authorities are reportedly planning on filing charges against the former
employee once they figure out what charges are appropriate.

"Reckless endangerment" springs to mind.  Hope they nail the guy to the

   [An item by Erin Hallissy in the San Francisco Chronicle, 2 July 1992,
   p.A19 had some details.  The emergency alert network is run by the Community
   Alert Network.  An EX-employee of their New York office (who has confessed
   to the malicious hacking) modified software ("reconfigured some things that
   caused it to crash") in their computer systems in both New York and San
   Jose.  In this case, the incident occurred at the Chevron refinery.  The
   network had been used four times previously (since last October) in Contra
   Costa County, twice for incidents at Chevron, once at Pacific Refinery in
   Hercules, and once for a fire at Rhone-Poulenc in Martinez.  As a sidelight,
   the previously fired perpetrator broke into the NY office two days after the
   latest Chevron emergency, "maybe just to gloat".  The system was down for
   10 hours, during which time the only emergency was the one at Chevron.
   [Note that the system cannot call unlisted numbers or numbers listed without
   street addresses.  PGN]

Nutrasweet Telephone Sweepstakes

Ranjit Bhatnagar <>
Sun, 28 Jun 92 17:56:59 EDT
Among the advertisements in this Sunday's (28 June) Philadelphia Inquirer, and
probably most every other newspaper in the United States, was an announcement
for the NutraSweet Summer Sweepstakes.  It works as follows: call the free 800
number they provide, then punch in your phone number and the UPC code from any
product containing NutraSweet, a sugar substitute.  You are immediately told
whether you won one of a few thousand prizes ranging from a tote bag to ten
thousand dollars.  In the fine print, it says that the sweepstakes will end
after two million calls are received, or at a certain date in July, whichever
comes first.  It also says that the odds of winning depend on the number of
calls received.

First point: the odds seems odd to me.  Unlike a paper sweepstakes, where all
the entries are received before the prizes are drawn, in this sweepstakes the
winners are chosen immediately.  The random selection process must have fixed
odds built-in, probably based on a projection of exactly two million calls.
Even if they have to cut off the contest before two million calls are received,
the odds for a particular call would still be the same, and some fraction of
the prizes would not be awarded.

Second point: the drawbacks of a sweepstakes where the entries are free data
calls are obvious.  People with access to smart modems or autodialing machinery
and the ability to program them have a significant advantage over those
without.  Many telephones nowadays have programmable dialers built in, but
they're usually not as useful as the following command string for a
Hayes-compatible modem:

    ATDT 18002351000,,,,,,1,

Risk of Assuming an Int will do

"Russell Aminzade: Trinity College of VT" <AMINZADE@uvmvax.bitnet>
Mon, 22 Jun 1992 12:08 EST
In the current (6/92) BYTE, Jerry Pournelle discusses his difficulties with
using the word-count feature in Microsoft Word For Windows.

     ...when I would read in the file, Word For Windows told
     me there were 767,356 characters and 135,000 words; the
     word count was in gray, indicating that it was an
     estimate...clicking on [the 'update' button] caused the
     program to trundle for a while and then proudly
     announce a total of 60,273; which, of course was
     absurd...I've since learned, though, that all I needed
     to do was add 65,535 to the total shown...

Sounds like one of the wizards at Microsoft determined that an int rather than
a longint was plenty big for the kind of documents people would be editing.

Students cheated BT to win computerised phone contest

Philip Hazel <>
Wed, 1 Jul 92 11:06:36 BST
>From the "Cambridge Evening News", June 30 1992:

[HEADLINE] Students cheated BT to win phone contest

Two students swindled BT [British Telecom] out of 68,000 pounds [sterling] in a
"lucrative scam" to constantly win on a telephone quiz game, a court heard. The
two men hired four phone lines between them under false names and left the
receivers off the hook for hours on end at a Cambridge flat to win thousands of

On one occasion, said a BT official outside court, a receiver was left off the
hook for almost 24 hours. Eight or nine hours was the average, with peak rate
calls at 48 pence a minute.

>From his winnings, Shaun Middleton bought an XR3i high-performance car and a
computer, while his confederate, Tristan Abbott-Coates, also bought a computer.
The pair were "determined to beat the system", Cambridge Crown Court heard, and
hatched a scheme to constantly win on the "Wheel of Fortune" game advertised in
the national press. The game has a 10,000 pound jackpot.

The pair rang the contest phone number, which was monitored by a computer. When
the computer asked them questions, they made no response - and the computer was
programmed to interpret silences as "no" answers.

The correct "no" answers accumulated into winning cash combinations.

A copy of the original advert, printed in The Sun newspaper, was presented as
evidence. Judge Frederick Beezley asked if it was page three. [Page 3 of The
Sun carries pin-up photographs.] When told it was not, he quipped, "Oh well,
never mind, I'll suppose I'll look at it anyway."

Middleton, 22, of St George's Road, Preston, admitted three charges of
obtaining services by deception. He won a total of 10,709 pounds but ran up an
unpaid BT bill of 51,469 pounds. Abbott-Coates, 24, of the same address,
admitted one charge of obtaining services by deception. He won a total of 2,672
pounds - but ran up an unpaid bill of 16,601 pounds.

The offences were committed while the two men each rented a room in Marshall
Street, Cambridge, between March and September last year. They moved to Preston
together to attend the polytechnic there.

Francis Sheridan, prosecuting, said that Abbott-Coates first recognised the
loophole in the telephone quiz, but Middleton was the most active in the
swindle. He said the pair used false names to hire the lines "to avoid being
cut off and thus ending a lucrative scam". Abbott-Coates chose the alias Murphy
after an actor who played a famous screen policeman.

Eventually, BT became suspicious and traced the pair to Preston. Both men were
then arressted. Sentencing was adjourned until July 24 so that social enquiry
reports could be made. Judge Beezley said he was considering a custodial
sentence, and remanded both men in custody.

Internet:       University Computing Service,
JANET:       Computer Laboratory, Pembroke St,
Phone:    +44 223 334714    Cambridge CB2 3QG, England.

computer-literate children find porn

Andrew Shapiro <>
Fri, 26 Jun 92 12:05:26 MDT
Rocky Mountain News  Mon., June 22,1992

By James Michels, Scripps Howard News Service

  Connie Lewis recently discovered one of the unpleasant shocks of patenting:
pornographic pictures her 15-year-old son had collected.
  What surprised her more was where she found them: on the screen of the
family's home computer.
  Her son had gotten them free from a local computer bulletin board.
  The pornographic pictures could have been posted on the computer bulletin
board by anyone. Lewis' son had learned about them from a friend.
  The pictures were in an area of the board restricted to adults, but all the
15-tear-old had to do to get access was to type in false information about
his name and age. He instantly gained access to dozens of pornographic
  The technology of putting pornographic pictures on computers and
distributing them by telephone is so new it is unregulated.
  Public officials say current laws don't appear to apply to the bulletin
boards. Indiana Bell can block access to sexually explicit 900 numbers, but
not to local numbers, such as those used by the boards.
  The Federal Communication Commission, which regulates telephone lines, said
the issue does not come under its jurisdiction.
  The FBI is investigating a case in which a national computer board was
used to pass along child pornography.
  So What's a responsible system operator to do?
  He can threaten to close his board to those who misuse it, but that is
often a hollow threat.
  "You have a apparently strong warning that you can be banned and so on
if you mislead the system operator," said Michael Banks, a Cincinnati
computer writer familiar with bulletin boards
  "The threat of being banned permanently is meaningless. If someone wants
to get back on, they do it with a different name."

    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Even though this is a sensationalistic article designed to invoke a shock
response in 'decent americans' (a risk in and of itself) there are several good
points.  If it is deemed a crime to distribute, electronically, pornographic
images to minors then what sort of validation is enough? Who is actually
responsible?  Can the owner of the bulletin board be charged? Should the
original poster be charged? In this day and age of store-and-forward worldwide
networks how are legal boundaries handled? Is the system operator responsible
for all the data stored on his machine?
                                 -Andrew T. Shapiro,

UK ATMs - legal challenge

KPMG - Antony Upward,IVC <>
02 Jul 92 17:05 GMT
Banks face challenge over teller machines

Reproduced without permission from the Financial Times Weekend June 27/June 28
1992 edition.

Banks and building societies face their most serious legal challenge from
customers over cash dispensing automated teller machines (ATMs), writes Barbara

This is in spite of words of comfort from the Building Society Ombudsmen this
week.  They welcomed the new (pounds) 50 limit introduced by the Code of
Banking Practice, on losses from unauthorised use of machines unless the bank
can prove fraud or gross negligence.

Some 400 customers assembled into an action group by J. Keith Park, solicitors,
of St Helens, Merseyside, are to seek a High Court ruling, within the next two
to three weeks, that banks and building societies operating teller machines are
in breach of contract beacuse the machines are suseptible to error and fraud.

Each of the 400 will make detailed claims for losses through alleged
unauthorised withdrawals ranging from (pounds) 90 to (pounds) 13,000 and
totalling close to (pounds) 500,000.  All the claims have been rejected by
banks and building societies.

For example, Barclays stated this week that out of its 15 million machine
transactions each month, fewer than one in every 250,000 is disputed - which
would imply 60 disputes a month.  Dennis Whalley , of J.Keith Park, says he has
deduced, from ATM dispute cases that disputes have been running close to 9,000
a month.

Barclays says there is no correlation between the volume of teller machine
disputes and the reference numbers which relate to computer files. (Strange I
haven't seen a computer program yet that didn't start counting at one with
increments of one!)

For years banks and building societies have insisted that the ATM systems are
completely secure and that money can only be withdrawn with the use of a card
and personal identification number (PIN) [sic].

The obudsmen have almost inveriably backed the insitutions in rejecting claims
from customers who detected "phantom" unauthorised withdrawals, saying that
they must have unwittingly lost their cards, disclosed their PIN or been a
victim of a dishonest family member.

However, the 1989 Jack report on banking acknowledged that the PIN system was
open to fraud and last year an engineer employed by the Clydesdale Bank
confessed to removing (pounds) 17,000 from customers' accounts by arranging
phantom withdrawals using a hand-held computer.

CPSR Challenges Virginia SSN Practice

Tue, 30 Jun 1992 19:45:42 -0400
PRESS RELEASE, June 30, 1992
CPSR Challenges Virginia SSN Practice

WASHINGTON, DC — A national public interest organization has filed a "friend
of the court" brief in the federal court of appeals, calling into question the
Commonwealth of Virginia's practice of requiring citizens to provide their
Social Security numbers in order to vote.  Computer Professionals for Social
Responsibility (CPSR) alleges that Virginia is violating constitutional rights
and creating an unnecessary privacy risk.

    The case arose when a Virginia resident refused to provide his Social
Security number (SSN) to a county registrar and was denied the right to
register to vote.  Virginia is one of a handful of states that require voters
to provide an SSN as a condition of registration.  While most states that
require the number impose some restrictions on its public dissemination,
Virginia allows unrestricted public inspection of voter registration data --
including the SSN.  Marc A. Greidinger, the plaintiff in the federal lawsuit,
believes that the state's registration requirements violate his privacy and
impose an unconstitutional burden on his exercise of the right to vote.

    The CPSR brief, filed in the Fourth Circuit Court of Appeals in
Richmond, supports the claims made by Mr. Greidinger.  CPSR notes the
long-standing concern of the computing community to design safe information
systems, and the particular effort of Congress to control the misuse of the
SSN.  The organization cites federal statistics showing that the widespread use
of SSNs has led to a proliferation of fraud by criminals using the numbers to
gain driver's licenses, credit and federal benefits.  The CPSR brief further
describes current efforts in other countries to control the misuse of national
identifiers, like the Social Security number.

    Marc Rotenberg, the Director of the CPSR Washington Office said that
"This is a privacy issue of constitutional dimension.  The SSN requirement is
not unlike the poll taxes that were struck down as unconstitutional in the
1960s.  Instead of demanding the payment of money, Virginia is requiring
citizens to relinquish their privacy rights before being allowed in the voting

    CPSR argues in its brief that the privacy risk created by Virginia's
collection and disclosure of Social Security numbers is unnecessary.  The

largest states in the nation, such as California, New York and Texas, do not
require SSNs for voter registration.  CPSR points out that California, with 14
million registered voters, does not need to use the SSN to administer its
registration system, while Virginia, with less than 3 million voters, insists
on its need to demand the number.

    David Sobel, CPSR Legal Counsel, said "Federal courts have generally
recognized that there is a substantial privacy interest involved when Social
Security numbers are disclosed.  We are optimistic that the court of appeals
will require the state to develop a safer method of maintaining voting

    CPSR has led a national campaign to control the misuse of the Social
Security Number.  Earlier this year the organization testified at a hearing in
Congress on the use of the SSN as a National Identifier.  CPSR urged lawmakers
to respect the restriction on the SSN and to restrict its use in the private
sector.  The group also participated in a federal court challenge to the
Internal Revenue Service's practice of displaying taxpayers' SSNs on mailing
labels.  CPSR is also undertaking a campaign to advise individuals not to
disclose their Social Security numbers unless provided with the legal reason
for the request.

    CPSR is a national membership organization, with 2,500 members, based
in Palo Alto, CA.  For membership information contact CPSR, P.O. Box 717, Palo
Alto, CA 94303, (415) 322-3778, cpsr@csli.

For more information contact:

Marc Rotenberg, Director or David Sobel, Legal Counsel
CPSR Washington Office, (202) 544-9240 or

Paul Wolfson, attorney for Marc A. Greidinger
Public Citizen Litigation Group   (202) 833-3000

Are Humans Always Responsible for Computer Errors? (Davis,RISKS-13.54)

Peter Danielson <>
Wed, 24 Jun 92 11:30:08 PDT
While I concur with Davis' criticism of the anthromorphic attribution of the
mistake to the Endeavour's computer, I cannot accept the assumptions about
responsibility that seem to stand behind this criticism.

He seems to assume that whenever something goes wrong, some human did wrong.
This is clearly too strong.  Most technological causation works through groups
(teams, firms).  But even the weaker assumption that all wrong is attributable
to humans — let me call it Complete Human Responsibility, or CHR — is

My point is that CHR is not obviously true.  It is trivial to note that some
bad events *just happen*.  I do not see why this is not the case with artifacts
as well.  People are not naturally responsible for everything that happens,
just because people made the object(s) involved.  I suggest that we see CHR as
a value or standard, not a report of a fact about the world.  But then CHR
needs to be argued for.

The risk?  Taking a (controversial) matter of principle to be a simple fact.

Peter Danielson, Centre for Applied Ethics, University of British Columbia

Fokker F.100 incident

Robert Dorsett <>
Tue, 23 Jun 92 23:15:12 CDT
An interesting little story from AIRLINE PILOT, May 1992 issue ("No
Brakes, No Reversers!", by Joseph J. Poset, USAir).

It deals with a Fokker F.100 which landed at Chicago O'Hare, on November 21,
1991, with thrust reversers and brakes inoperative.  The F.100 is a
higher-capacity, fundamentally redesigned version of the Dutch company's
popular F.28.  It is a twin-engine, T-tailed "commuter" jet, in the 100-120
seat capacity.  It was certified in November 1987.  It has a "glass cockpit,"
but is *not* an FBW airplane, at least as far as flight control is concerned.

Essentially: the flight landed on Chicago's Runway 22L.  Upon landing, the crew
discovered their brakes and thrust reversers weren't working.  They took the
high-speed turnoff (a taxiway oriented about 30 degrees off the runway), shut
down one engine, zipped down the parallel taxiway, turned left at the end of it
(90-degree U-turn), went back up Runway 4R (reciprocal runway of the one they
landed on), took the *opposite* high-speed taxiway, and headed onto Runway 27,
which an American Airlines jet had just taken off from. Twice, the captain
thought he would have had to turn off the pavement into the rough, to avoid a

After they finally came to a stop on Runway 27, the crew noticed that their
flight computers thought they were still in the air.  The stickshaker (stall
warning) was also activated, and the "speed limit" flag on their flight display
(indicating excursion outside the approved flight envelope) was on.

After some investigation, it was discovered that both Air/Ground switches
(located on the landing gear) were each "stuck," thus relaying improper data to
the computers and devices which controlled the stickshaker, various
annunciators, reversers, and ground braking.  It was only after maintenance
applied glycol that the computers indicated the proper modes.

Now, there's nothing new about the use of Air/Ground switches--they're used,
for instance, to prevent the inadvertent application of reverse thrust in
flight, for most airliners.  They're also used to deactivate stall-warning
systems on the ground.  But this is a pretty widespread set of high-level
services that were affected by the switches being out of whack.  I don't
believe, for instance, that the A/G switch is used to establish whether wheel
braking is available, on most airliners. It also has interesting ramifications
to FBW aircraft, which might use an independent "ground control" mode to
determine how everything from nosewheel steering to rudder control to wheel
brakes work.  In this case, if the airplane did not have nosewheel steering
(for instance, if the design was highly compartmentalized into "ground"
services and "air" services), it may have gone off the high-speed taxiway, into
the rough, and ended up on yet another runway.  This could have been a major

There is a "flight-test" article on the F.100 in the January 30, 1998, issue of
FLIGHT INTERNATIONAL, by Harry Hopkins ("Fokker 100: protect by wire.").  It's
interesting reading.

Robert Dorsett, Internet:

Re: Fokker F.100

Robert Dorsett <>
Wed, 24 Jun 92 15:50:21 CDT
More info on the Fokker incident.  Note that it wasn't based on an ASRS report;
I had confused it with another article.  R.

>I hate to say it, but I find that incident pretty unbelieveable.
>Firstly, I can't imagine that, if the Fokker had enough momentum to
>need to come back on runway 4, that it wouldn't have groundlooped
>around the 180 (90?) degree turn.

The article said they had a 25G38 kt headwind on roll-out.   Around
40-50 kt at the first high-speed exit.  But then again, if they hadn't
stopped by the loop back up RWY 4, that headwind would have become a
TAILWIND...  The article indicates they started *accelerating* up RWY 4.
They entered the other high-speed exit at 20-30 knots.

>Also, F100's like F28's, don't
>*have* thrust reversers, so the continual reference to them worries me.

It was penned by the captain, based upon his ASRS report.  He was much
more inexperienced than his F/O, but surely not that much! :-)

>Are you sure of the veracity of the publication?

Absolutely not.  It's garbage.  But the occasional article catches my interest.

>It wasn't dated April 1 or something?

No.  I went to the FLIGHT article cited, looking for more information.
Generally, it played up Fokker's in-flight protections; it's quite interesting.
Little on systems.

On the last page: "Final roll-out to a standstill was made without reverse
thrust, and with late minimum braking for test purposes.  Rudder and pedal
steering completed a halt within 2ft of the centerline.  Reverse was
restricted temporarily to idle anyway, because full reverse efflux can
impinge on the tailplane, and a modification will set a gap between
the two target doors to spill some flow centrally.  The F.28 is not fitted
with reversers.

"Reverse opeation is shown by a green 'R' at the top of the primary engine
instrument display, but I did not find it compelling.  A brighter panel,
nearer to peripheral vision, would be easier to take in."

Perhaps reversers were INOP on early models, or are optional equipment.  I
don't imagine there's a compelling need for them on the lighter configurations,
but this is probably a regulatory issue.

Another Fokker F.100 incident

Olivier PLAUT <>
29 Jun 92 12:29:04 +0200
A Swissair pilot reported to me another incident he had with a F100 just a few
days ago: they had no flaps for landing.

The computer controls if flaps on both wings are extending together, and if
not, it blocks to avoid an asymetrical configuration.

The flaps were moving correctly, but the computer had a false indication and
did not permit to extend them.

The aircraft landed without problem at 160 KTS instead of 130.  The passengers
didn't even remark an abnormality.

Olivier Plaut, Institute of Forensic Medicine, Toxicology Unit, University of
Geneva, Av. de Champel 9,  CH-1211 Geneve 4, Switzerland   +41 (22) 702.56.12

Please report problems with the web pages to the maintainer