The RISKS Digest
Volume 14 Issue 39

Tuesday, 9th March 1993

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator


Contents

Bruce Nuclear Plant - Potential Safety Problem
David Levan
Steve Jackson Games/Secret Service wrapup
Eric Haines
`Interrupt' by Toni Dwiggins
PGN
Short Course on Software Safety?
Nancy Leveson
Ohio student database under legal attack
Tim McBrayer
Royal Bank client cards
Mich Kabay [2]
Political -> Personal risks (WTC/NYC)
Stephen Tihor
Re: World Trade Center blast
Frank Caggiano
Jay Elinsky
Chaz Heritage
Info on RISKS (comp.risks)

Bruce Nuclear Plant - Potential Safety Problem

David Levan <ac401@freenet.carleton.ca>
Mon, 8 Mar 93 13:54:20 EST
Article From Ottawa Citizen, March 8, 1993 by Canadian Press.

  Ontario Hydro Cites Safety Reasons For Reducing Power Production At Bruce
  Nuclear Plant

  Power production has been reduced at Ontario Hydro's largest electrical
  generator so that engineers can solve a potential safety problem, a utility
  spokesman said Sunday. Hydro began 'derating' the units at the Bruce nuclear
  plant to 60 per cent Friday after learning the safety margin in the event of
  a reactor accident was slimmer than expected, said Tony Tidbury, manager of
  reactor safety. 'This is not a problem in the reactor right now,' said
  Tidbury.  'It would only change in the event of an extremely unlikely
  accident,' which would be a huge leak of heavy water - the coolant for the
  reactor's radioactive fuel, Tidbury said. The Lake Huron nuclear plant
  produces about 20 per cent of Ontario's electricity but Hydro spokesman
  Geoff McCaffery said the cut shouldn't be a problem.

David Levan, DLSF Systems Inc., 189 Knudson Drive, Kanata, Ontario Canada
  K2K 2C3 ac401@freenet.carleton.ca  (613) 592-8188, fax (613) 592-2617


Steve Jackson Games/Secret Service wrapup

Eric Haines <erich@eye.com>
Tue, 9 Mar 93 10:25:35 -0500
   [Eric Haines, erich@eye.com, sent me a Houston Chronicle article
   by Joe Abernathy, a sometime contributor to RISKS, which Eric found
   in the electronic mail magazine "Desperado" ("no, it's not a magazine
   about hacking").  "There can be justice in the world, after all..."  EH.
   I cannot include the long copyrighted article here, but have excerpted
   from the beginning, as follows.  It's a good article.  Alas, no date.
   But Joe may still be available at Joe.Abernathy@houston.chron.com if you
   want to dig up the whole thing.  Also, see RISKS-9.95,96;10.01,ff. for the
   earlier history.  PGN]

Steve Jackson Games/Secret Service wrapup
By JOE ABERNATHY Copyright 1993, Houston Chronicle [no date given]

 AUSTIN — An electronic civil rights case against the Secret Service closed
 Thursday with a clear statement by federal District Judge Sam Sparks that the
 Service failed to conduct a proper investigation in a notorious computer
 crime crackdown, and went too far in retaining custody of seized equipment.
 The judge's formal findings in the complex case, which will likely set new
 legal precedents, won't be returned until later.  [...]

 The judge's rebuke apparently convinced the Department of Justice to close
 its defense after calling only ... one of the several government witnesses
 on hand.  "The Secret Service didn't do a good job in this case.  We know no
 investigation took place.  Nobody ever gave any concern as to whether (legal)
 statutes were involved.  We know there was damage," Sparks said in weighing
 damages.

 The lawsuit, brought by Steve Jackson Games of Austin, said that the seizure
 of three computers violated the Privacy Protection Act, which provides First
 Amendment protections against seizing a publisher's works in progress.  The
 lawsuit further said that since one of the computers was being used to run a
 bulletin board system containing private electronic mail, the seizure
 violated the Electronic Communications Privacy Act in regards to the 388
 callers of the Illuminati BBS.

The testimony described by Joe was rather strange.  Agents testified that
there was no criminal connection, they were not even trained in the Privacy
Protection Act, and it took them only an hour to discover the true nature of
the situation.  The Electronic Frontier Foundation spent over $200,000
bringing this case to trial.  The legal ramifications are considerable.
Perhaps someone from EFF will contribute an analysis to RISKS, although many
EFFers (and I) are at Computers, Freedom, and Privacy 93 this week.  Don't
hold your breath, but perhaps we need to wait for the judge?  PGN


`Interrupt' by Toni Dwiggins

"Peter G. Neumann" <neumann@csl.sri.com>
Tue, 9 Mar 93 16:14:33 PST
    Toni Dwiggins, Interrupt, Tor Books, Tom Doherty Associates, 317pp.,
    1993, ISBN 0-312-85345-9, only in hardcover at present, US$19.95.

A terrorist whose computer handle is `Interrupt' plots to take down the public
switched telephone network.  For telephone system techies and lovers of good
techno-mysteries, this is a well-written and compelling book that you will
find intriguing.  There are lots of good plot twists.  A marvelous first
novel by Toni Dwiggins, it is well written and well researched.


Short Course on Software Safety?

Nancy Leveson <nancy@murphy.ICS.UCI.EDU>
Tue, 09 Mar 93 09:49:58 -0800
I am trying to assess the potential interest in my teaching a short course
(a week or less) on software safety at the University of California, Irvine
this summer.  Topics could include basic system safety principles, management
of safety-critical software projects, human error and the design of the
human-machine interface, system and software hazard analysis, software
engineering practices for safety-critical systems (software requirements
analysis, design for safety, and verification of safety), and risk assessment.

Would such a course interest you?  Which of the above topics would be of
the most importance to you?

Nancy Leveson  nancy@ics.uci.edu

    [Please reply directly to Nancy, not to RISKS.  We do not normally
    run prospecti for courses.  However, this potential offering is so
    closely related to the charter of the Risks Forum that it seems
    essential to include it.  Besides, Nancy has been a subscriber from
    volume 1 number 1 on and carries our entire akashic record in her head.
    PGN]


Ohio student database under legal attack

Tim McBrayer <tmcbraye@thor.ece.uc.EDU>
08 Mar 1993 10:47:02 -0500 (EST)
An article, entitled "School files: Dangerous data?" appeared as the headline
article in the 8 March 1993 _Cincinnati_Enquirer_.  It discusses Ohio's
Education Management Information System (EMIS), used to store demographic,
attendance, program, summer school, achievement and proficiency testing, and
post-graduation records of all public school attendees in Ohio.  The complete
set of data to be recorded was listed.  This includes family income
information, reason for leaving school (transferred schools, drug abuse,
pregnancy, etc.), and extracurricular activities (including those not(!)
related with school, such as 4-H or Scouting).  Information is indexed either
off of a Social Security number (a RISK in itself), or off of a school
district-supplied ID number.  Students switching school districts and not
using their SSN will have a new number assigned to them.  Students with
multiple ID numbers, I assume, are cross-indexed--but the article was unclear
on this point.

The EMIS system was proposed in 1989 and set to begin operation in July, 1991.
The legality of the system was challenged that month by a Cincinnati-area
school district (Princeton), and EMIS was declared illegal on Jan. 9, 1992.
The Ohio legislature then passed a law (House Bill 437) on April 30, 1992,
nullifying the previous ruling.  A new suit by Princeton and others was filed
Oct. 2, 1992, accusing the state of violating federal privacy laws.
This suit is up for decision in Hamilton County Common Pleas court this month.

Several of the well-known RISKS of large databases were brought up in the
article, which are quoted below.

   "Reliability is just one of the concerns about EMIS that led Princeton
City School District to sue the state.  'Our concern is that kids do make
mistakes, and here's a record that never disappears.' said Richard Denoyer,
Princeton superintendent.  'If a kid drinks a beer, that could be in there
forever.
   'You used to give your Social Security number on your check at the
grocery store,' Denoyer said.  'People don't do that anymore.  They know
that (with the number) you can get into where you shop, what you buy, even
how much money you have in the bank.'"
(...)
   "Some say any number that can identify a student is too much.
   'There's this whole industry of data brokers and private eyes who make a
living obtaining (personal) information,' said Evan Hendricks, editor and
publisher of _Privacy_Times_, a newsletter on privacy issues.  If they want it
badly enough, they're not above bribing an employee or impersonating a school
official to get it, he said.  'That information isn't available if there's no
name attached.'
   'When you've got that much information linked together, that increases the
risk,' the ACLU's Goldman said.  'This would just be a huge challenge (to
hackers): ''Let's look at Johnny's grades.'' '

A couple of other interesting RISKS-related comments in the article were:

"...over 50% of the requests (into the FBI's criminal database--TJM) are
non-law enforcement, typically from employers and licensing boards."

"This information (driver's license records) is now a public record and
state governments are bringing in a hefty revenue selling mailing lists."

The article also mentions a similar system in Texas, and says the Texas
system has not been challenged on privacy grounds.

Tim McBrayer, Computer Architecture Design Laboratory,
University of Cincinnati  tmcbraye@thor.ece.uc.edu  (513) 556-0904


Royal Bank client cards

"Mich Kabay / JINBU Corp." <75300.3232@compuserve.com>
08 Mar 93 07:12:17 EST
A report in the Monday, 8 March 93 Globe and Mail newspaper Report on Business
by John Partridge raises questions about privacy and security: "Numbers the
Royal doesn't keep secret."

According to the report, the Royal Bank of Canada sometimes allows its
market-research firms to have not only the names, addresses, telephone
numbers, sex, and age of selected customers but also their client-card
numbers.

Critics argue that releasing these card numbers could lead to fraud; e.g.,
criminals with knowledge of the numbers etc. could fraudulently obtain new
"replacement" cards and enter new personal identification numbers (PINs) at
the customer's home bank.

Defenders argue that the likelihood of success of such ploys is negligible.

Royal Bank spokesperson Denise Curran is quoted as saying that the Bank
supplies card numbers because they include coded information such as
"geographic indicators" that help the market researchers cross-tabulate
results.

However, four other major Canadian banks refuse to provide client-card
numbers to market research firms.

The Consumers' Association of Canada objects to all banks' providing
outsiders with customer information of any kind without the client's
permission.  The Royal Bank argues that because its market research is for
its own internal use, it does not need to ask for such permission.

Michel E. Kabay, Ph.D., Director of Education,
National Computer Security Association


Royal Bank Client Cards

"Mich Kabay / JINBU Corp." <75300.3232@compuserve.com>
09 Mar 93 08:14:39 EST
John Partridge reports in the Globe and Mail newspaper's Report on
Business for Tue 9 Mar 93, that the Royal Bank of Canada has cancelled its
practice of releasing client card numbers to its market research firms.

Tony Webb, senior vice-president of personal financial services, said, "No
doubt must be allowed to remain in the minds of our customers."

Jacqueline Singh, VP of marketing, said, "...there are other ways ... to get
the geographic data ... for them [the researchers] but also keep client
numbers confidential."  She added, "Our feeling is that if there is one more
piece of information we can keep confidential, then we absolutely should and
must."


Political->Personal risks (WTC/NYC)

Stephen Tihor <TIHOR@ACFcluster.NYU.EDU>
08 Mar 1993 14:35:58 -0400 (EDT)
Readers from outside the NY area should be aware that the World Trade Center
was built and is operated by the Port Authority of New York and New Jersey.
This bi-state agency has some surprising powers to ignore local and even many
state laws and regulations.  The building grossly violates local NYC building
and fire codes.

This is not without some advantages.  The city building codes mandate specific
practices which have high labor costs during construction and prevent the use
of many modern construction techniques, even good ones.  It is unclear if the
WTC could have been built under traditional codes at all.  Of course the
safety systems used, while not to code, might have had adequate "diversity" in
location and conduit routing to survive.  The basic structural design seems to
have stood up quite well.  But there are a number of cases where the ability
to ignore local code resulted in bad choices.

For example, self-contained battery-operated trickle-charged lighting systems
in halls and emergency stairs are present in almost every other large building.

The NYC Fire Department has repeatedly stated that they would not be able to
properly respond to a fire above the tenth floor given the building's design.
(Inadequate high pressure feed system, lack of separately routed conduits for
external power supplies to the fire fighting substations throughout the
building, etc.)


Re: World Trade Center blast

<frank@rnl.com>
Tue, 9 Mar 93 11:07:11 EST
In regards to the bombing at the World Trade Center, the news reports and
comments made at the various news briefings seem to indicate that the
emergency lighting was run off the backup generators only, there were no
batteries in the emergency lights in the stairwells. Among the reasons given
was the high cost of maintenance of the batteries.

Something which has been troubling me since the bombing and that I haven't
seen discussed anywhere was the vulnerability of the broadcasting system.  The
World Trade Center has most of the antennae for the New York area. On the day
of the bombing I was home with my kids who were watching TV at the time. All
the stations except a local PBS station, ch.21, which broadcasts from here on
Long Island and ch 2, CBS, which kept a backup antenna on the Empire State
Building were knocked off the air and most weren't back on until much later that
night.  I couldn't help but think about all the years of watching those
emergency broadcast messages and wondering how they figured to keep
broadcasting through an emergency with no backup broadcast facilities.

As a side note it was interesting to see what ch 2, the CBS station, did with
their one-time New York monopoly.  They kept to their regular schedule; The
Wizard of Oz aired unopposed.  Actually, given the events of the day, it wasn't
such a poor choice.  I wonder if they got to increase their advertising
rates for the night?

Frank Caggiano, R.N. Limited, Stony Brook N.Y.
fcaggian@rnl.com      ..!uupsi!itpd4!frank


Re: Evacuation plan, generators fail in World Trade Center blast

"Jay Elinsky" <elinsky@watson.ibm.com>
Mon, 8 Mar 93 11:25:50 EST
In RISKS-14.38, Scott Preece suggests that the impact of the World Trade
Center bombing would not have been significantly reduced if the Port Authority
had acted on a study that showed the garage to be vulnerable to a car bomb.
He also suggests that neither I nor the moderator know enough to question the
Port Authority's decisions.

Well, I read the newspaper.  The blast and its aftereffects have been covered
very extensively in the local press.  I've drawn the following conclusion: If
the basement levels had contained only parking, plus the structural components
needed to keep the buildings sitting on top, then the situation would be very
different.  Evacuation would have taken place in lighted, clear stairwells
rather than pitch-dark, smoke-filled stairwells, and hundreds of smoke
inhalation injuries would have been avoided.  Most of the people who were
killed, Port Authority employees who were in offices or a lunchroom on the
garage level, would have been elsewhere and would still be alive.  The job
of getting the buildings ready for reoccupancy would be simplified, because
the air-conditioning plant wouldn't be buried under rubble.

I DON'T know how much it would have cost to retrofit the buildings to move
everything out of the basement.

Jay Elinsky, IBM T.J. Watson Research Center, Yorktown Heights, NY


Emergency lighting: intelligent? Why? (Kolstad, RISKS-14.38)

<chaz_heritage.wgc1@rx.xerox.com>
Tue, 9 Mar 1993 08:29:15 PST
In RISKS-14.38 Joel Kolstad writes:

>...emergency lighting... controlled by a central computer ... each separate
light... pack had a little bit of intelligence of its own... the emergency
light microbrains had a panic routine...trying to re-establish contact with the
main controller if the main controller had blown up...if the main controller
had blown up, it just might be a good idea to turn on the emergency lights<

Non-maintained emergency lighting normally consists per unit of a lamp, a
battery stack, a changeover relay and, in most cases, a trickle-charger for the
batteries. Supply current keeps the relay in the 'charge batteries; lamp off'
position. If it (or the relay's coil or connections) fails, the relay's spring
carries the contacts to the 'lamp on' position. Restoration of supply current
returns the unit to the 'charge batteries; lamp off' state. The device's
control system is therefore, within the usual limits, fail-safe.

I cannot imagine any good reason to replace this old, tested, cheap and
reliable system, in which each unit is independent of the others, with
something interconnected and allegedly 'intelligent', particularly since the
latter seems in the WTC's case (if the above allegation is true) to have neatly
evaded the fail-safe principle.

>...it's some really poor programming!<

Safety equipment should not, IMHO, ever require 'programming'. Its operation
should be based on simple principles of physics (preferably basic mechanics),
and upon as few of them at once as is possible, and its condition and readiness
should be easily subjected to inspection at any time. Otherwise it eventually
ceases to be safety equipment at all, and becomes another hazard.

Most of the basic safety devices (e.g. Otis' elevator safety mechanism, Fermi's
gravity control-rods or Westinghouse's vacuum brake) were invented long ago and
cannot now be 'improved' by the addition of 'features' since any added
complication can only reduce reliability, their most desirable characteristic.
Adding the wild variable of 'programming' seems most unlikely ever to benefit
anyone except the programmer and salesfolk involved. I wonder how many
airpeople would buy a computer-controlled parachute...

Mystified,  Chaz
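    [The following is an added illustration, not part of Chaz's message or of
    Joel Kolstad's report.  It models the fail-safe relay unit Chaz describes
    alongside a controller-commanded unit of the kind alleged for the WTC, and
    a third, hypothetical variant that keeps the networked design but restores
    the fail-safe default.  The scenarios, the "watchdog" variant and all
    names are assumptions made for the example; they are not taken from the
    digest or from any actual WTC equipment.]

```python
"""Fault-injection model of three emergency-light control designs.

Added example; the scenarios and the 'watchdog' variant are assumptions,
not descriptions of any real installation.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Scenario:
    name: str
    mains: bool            # building supply present at the light unit
    controller_ok: bool    # central controller alive (ignored by the relay unit)
    link_ok: bool          # unit can reach the controller (ignored by the relay unit)
    local_ok: bool         # unit's own control element (relay coil / microcontroller) intact
    lamp_should_be_on: bool


# Constructed scenarios.  The fail-safe requirement is: the lamp must be on
# whenever supply is lost, and also whenever the unit's own control path has
# failed and it can no longer tell what the supply is doing.
SCENARIOS = [
    Scenario("normal operation",               True,  True,  True,  True,  False),
    Scenario("mains lost, controller up",      False, True,  True,  True,  True),
    Scenario("mains lost, controller dead",    False, False, True,  True,  True),
    Scenario("mains lost, network cut",        False, True,  False, True,  True),
    Scenario("mains up, local control failed", True,  True,  True,  False, True),
]


def relay_unit(s: Scenario) -> bool:
    """Non-maintained unit as Chaz describes it: supply current through the
    relay coil holds the contacts in 'charge batteries; lamp off'.  Loss of
    coil current, whether from lost mains or a failed coil, lets the spring
    carry the contacts to 'lamp on'."""
    coil_energized = s.mains and s.local_ok
    return not coil_energized


def commanded_unit(s: Scenario) -> bool:
    """Networked unit whose lamp lights only when its own software is running
    and an 'on' command arrives from the central controller (the controller
    issues that command when it sees mains loss).  Quiet, or destroyed,
    controller means a dark stairwell."""
    command_received = s.controller_ok and s.link_ok and not s.mains
    return s.local_ok and command_received


def watchdog_unit(s: Scenario) -> bool:
    """Hypothetical hardened networked unit: the hardware holds the lamp off
    only while the microcontroller keeps asserting a hold-off line, and the
    microcontroller asserts it only while mains is present and controller
    heartbeats keep arriving.  Any break in that chain drops hold-off and the
    lamp lights, which is the relay's de-energize-to-trip rule re-applied."""
    hold_off = s.local_ok and s.mains and s.controller_ok and s.link_ok
    return not hold_off


def failures(design) -> list:
    """Names of scenarios in which a design leaves the lamp in the wrong state."""
    return [s.name for s in SCENARIOS if design(s) != s.lamp_should_be_on]


if __name__ == "__main__":
    for design in (relay_unit, commanded_unit, watchdog_unit):
        bad = failures(design)
        print(f"{design.__name__:15s} fails in: {bad if bad else 'no scenario'}")
```

The point the model makes is the one Chaz does: the relay unit and the
watchdog variant both turn every loss of control into "lamp on", so the
scenarios that go wrong for the commanded unit (controller dead, network cut,
unit hung) are exactly those where nothing is left to issue the command.  The
cost of the watchdog variant is spurious lighting whenever the controller or
link fails with mains still up; in a safety device that is the right side to
err on.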
