The RISKS Digest
Volume 14 Issue 45

Thursday, 1st April 1993

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator


Contents

Formation of new society/discussion group
Pete Mellor
Re: Turn of the century date problems
Steve Peterson
Daylight Savings Time hampers police
Debora Weber-Wulff
Computer does the right thing — shuttle launch scrubbed
Pete Mellor
More on Minnesota Legislature phone fraud
Steve Peterson
Re: Call for the Class of '88
Jonathan Rice
Re: Correcting computer information ...
Pete Mellor
Re: Dutch hacker in jail for another month
Ralph Moonen
Credit and Avis rent a car re-visited
Boyd Roberts
Little green sting (saucers)
Joseph T Chew
Re: The FORTRAN-hating gateway
Phil Karn
Info on RISKS (comp.risks)

Formation of new society/discussion group

Pete Mellor <pm@cs.city.ac.uk>
Thu, 1 Apr 93 11:10:10 BST
       Society for the Promotion of Ergonomically Reasonable Measurement
                                                Peter Mellor, 1st April 1993

This is to announce the formation of the above-named Society.

Aims:

1. To resist the use of meaningless scales of measurement.

2. To improve the friendliness of information systems.

3. To resist imposed uniformity.

4. To counteract official nonsense with unofficial nonsense.

5. To have a good piss-up at least once a year.

6. Err...that's it.


Discussion of Aims:

There is a regrettable tendency today to make everything more friendly to
computers, and less friendly to people. Even some recent changes which were
intended to make calculations easier for humans have had unfortunate effects.

For example, when measuring the height and weight of people, is it more
meaningful to say:

  "Pete Mellor is 1.880 metres tall, and weighs 79.378 kilogrammes stripped."

or:

  "Pete Mellor is 6' 2" tall, tips the scales at 12 and 1/2 stone, and looks
  quite striking in a pair of tight-fitting flared jeans."?

Supporters of the aims of the Society would all agree that the second of
these descriptions is easier to grasp, and conveys far more information
that is likely to be of interest than the first.

The Society therefore supports the use of scales of measurement that are
scaled to people. So, for instance, the inch (length of top joint of thumb) is
more informative than the millimetre when doing anything on a small scale.
Going up one level of scale, the foot (distance from big toe to heel) and yard
(distance from tip of nose to end of middle finger of outstretched arm) have
served architects and furniture makers well for centuries. The metre, by
comparison, is too large for small work, and too small for large. Nobody ever
uses the decimetre or decametre anyway, so most of the metric system is
immediately redundant. Similar remarks apply to grammes and kilogrammes versus
ounces and pounds.

The scales of measurement that have evolved with us are the ones that we find
most natural to use. This applies even when it comes to measuring new things,
like software. The Society therefore promotes the measurement of source code
in hands (applied vertically up the side of a pile of print-out, in the same
way that the height of a horse is measured).

The Biblically minded may use the cubit for medium-scale measurement,
otherwise the use of the rod, pole or perch is recommended.

The system of units that the Society favours will be known as the "ton,
furlong, fortnight" system.


Political Allegiance:

In the UK, the society will seek the support of the Rainbow Alliance, and the
personal patronage of Screaming Lord Sutch and Cynthia Paine.

In Italy, it is hoped that La Cicciolina will be persuaded to sponsor us.

In other countries, all suggestions welcome.


Diversity:

Any Eurocrap aimed at doing away with our essential differences is deprecated.

For example, in the UK pillar boxes and telephones should be red, in Germany
they should be yellow.

The Society believes that books written in Britain should be spelt according
to the Oxford Dictionary. Americans who do not wish to follow this standard
are encouraged to use Mencken. The Society fully supports the Academie
Francaise in its attempt to prevent its fine language from being corrupted by
either American or English. In fact, it would like to see the Germans doing
more, such as reintroducing Gothic script. The same goes for the Welsh, Irish,
Russians, etc.

The intention is to cause a fragmentation of knowledge across language
boundaries. Since there is already far too much information around for anyone
to use sensibly, this would be entirely beneficial.

Any academic who really wants to know what is going on in artificial
intelligence at the University of Beijing should have the dedication to
learn Mandarin Chinese!


Membership:

The fee is 17s. 6d. per annum, payable to: "P. Mellor Ethanol Supplies Ltd."

Annual meetings will be held in the King's Head, Upper Street, Islington,
London, where beer is still sold at 1 pound 16 shillings per pint.
(Dates to be arranged to suit members.)

Paid-up members may charge for consultations on any matter regarding
measurement, provided fees are quoted in the appropriate national currency,
e.g., a UK member should quote a consultancy rate in guineas per fortnight.
(Any attempt to quote in ECUs will result in immediate expulsion.)


Other points:

The use of metric sizes of nuts and bolts in the UK should be discontinued
in favour of Whitworth.

Aeroplane prices should be quoted in the currency of the country of origin.
For example, British aeroplanes should be sold at so many pounds sterling per
hundredweight, like everything else of a comparable size.

If this causes a problem in purchasing an A320, it is recommended that the
individual bits be bought independently from the various members of the Airbus
Industrie consortium in the appropriate national currencies and that these are
assembled by the buyer, rather like the purchase of a motorcycle in "kit"
form.

Since the Society opposes the use of acronyms, anything that you might have
thought the initial letters of the Society's name might have spelt is
irrelevant.

Peter Mellor, Centre for Software Reliability, City University, Northampton
Sq., London EC1V 0HB, Tel: +44(0)71-477-8422, JANET: p.mellor@city.ac.uk


Re: Turn of the century date problems (Ravin, RISKS-14.44)

Steve Peterson <peterson@fs.fs.com>
Mon, 29 Mar 93 18:24:35 CST
In a humorous vein, I've regularly proposed a "programmer's cruise" that would
depart on December 30, 1999.  The cruise would be 30 days long and would come
with the following guarantees:

* The ship would be controlled by mechanical or simple electric
  controls — no computers in the loop.

* The crew would be tested on their ability to navigate via dead reckoning
  and celestial navigation.

* Its route would avoid going under established routes for airliners and
  would stay out of the normal shipping lanes.

* It would be impossible for anyone on-board to be contacted from the shore.

* Anything else that could be done to avoid date-related failures.

Given the spate of date-related failures, I'm starting to give it serious
consideration.

Steve Peterson, FOURTH SHIFT Corporation, 7900 International Drive,
                Bloomington, MN 55425 USA 612 851 1523 peterson@fs.com


Daylight Savings Time hampers police

Debora Weber-Wulff <dww@math.fu-berlin.de>
Wed, 31 Mar 1993 08:55:52 GMT
The "Tagesspiegel", a Berlin daily, carried an article on Monday describing the
problems encountered switching from Middle European Time to Middle European
Summer Time on Sunday. It seems that the Bavarian Police Computer System was
caught unawares, and responded by closing down. "Inpol", which stores all
information about persons the police are looking for, as well as having
connections to the car and stolen car registries and other databases, just
stopped.

From 3 a.m. on no checks could be made at the borders or for stopped cars,
except for alcohol tests. A dragnet action, scheduled for 4 a.m. was carried
out despite the data loss, but only resulted in 16 arrests for DUI. The cause
of the error was still being feverishly searched for as the paper went to
press.  [no update in Tuesday's papers, so they must have found it ;-)]

Debora Weber-Wulff, Professorin fuer Softwaretechnik, Technische
Fachhochschule, FB Informatik, Luxemburgerstr. 10, 1000 Berlin 65 GERMANY


Computer does the right thing — shuttle launch scrubbed

Pete Mellor <pm@cs.city.ac.uk>
Thu, 1 Apr 93 10:05:37 BST
An item on BBC news a few days ago described how the latest shuttle launch was
aborted when the control computers closed down the main engines 3 seconds
before lift-off.

It was reported that the system had detected a stuck fuel valve.

If so, this appears to be a case of a computer system doing the
right thing for once, and probably saving the lives of the astronauts.

Does anyone have any more information on the incident?

Peter Mellor, Centre for Software Reliability, City University, Northampton
Sq., London EC1V 0HB, Tel: +44(0)71-477-8422, JANET: p.mellor@city.ac.uk


More on Minnesota Legislature phone fraud

Steve Peterson <peterson@fs.fs.com>
Tue, 30 Mar 93 11:24:27 CST
There was an item a couple issues ago about a phone fraud case in the
Minnesota Legislature.  Events since then may be of interest to RISKS
readers.

As reported previously, the Majority Leader of the Minnesota House of
Representatives (the second most powerful position in the House) hid an
$85,000 phone fraud problem for several months.

The fraud occurred because the Majority Leader's son revealed his father's
access code to the state phone system to a few of his friends, who then told
it to others, and so on.  The system was set up to allow users to dial in on
an 800 number, enter the code, then dial any number.

Once the fraud was publicly revealed the scandal has grown and the leadership
of the DFL (the Minnesota Democratic party) has been working overtime on
damage control.  Already there are articles in the local press (normally
supporters of the DFL) suggesting that it has become "too arrogant" in its
power.

Since the discovery of the fraud the following has occurred:

* The Majority Leader was forced to resign from his post.

* There has been an effort by the Democrats to shift the blame to MCI, who is
  the Legislature's long distance provider.  The Republicans, sensing a
  political opportunity, are battling efforts to shift the blame.

* The House suspended its rules to approve an amendment to Minnesota's Open
  Meeting act, which restricts what types of public business can be conducted
  in private.  The amendment adds the Legislature to the list of public bodies
  which are affected by the law, which is a step that many have felt desirable
  for years.

The case has recently taken a turn into the realm of privacy law.  The Ramsey
County Attorney (the county in which the state Capitol is located) yesterday
issued a grand jury subpoena for the detailed phone records of every member of
the House.  Many members are opposed to this on the grounds that
communications between them and their constituents are privileged.  State law
is unclear on the issue and it is likely that the subpoena will be challenged
in court.  Separately, the House Speaker has asked the District Court to rule
on whether she can release the records.

In addition to the investigation by the County Attorney, State Attorney General
Hubert H. Humphrey III has opened a criminal investigation into the matter.

Steve Peterson, FOURTH SHIFT Corporation, 7900 International Drive,
                Bloomington, MN 55425 USA 612 851 1523 peterson@fs.com


Re: Call for the Class of '88 (Ravin, RISKS-14.44)

Jonathan Rice <rice@tamarack.cray.com>
Wed, 31 Mar 93 14:02:13 CST
The local paper had a bit more information.  I believe that the database in
question was one maintained by the church that Mary Bandar belongs to, in
which she is listed by consent.  This does not seem to be the usual bugbear
of huge and ill-controlled government databases.

More interesting to me from a RISKS perspective is that the clerk who
generated the form letters to potential kindergarteners actually *typed*
"1988" — it was the program itself that accepted but discarded the leading
digits, without notice.  Sorry, no idea what software was in use.

Jonathan C. Rice  |   rice@zizania.cray.com  |  ...uunet!cray!rice
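The failure Jonathan describes, a program that accepts "1988" but keeps only "88" without a word, is easy to reproduce. The following is an added example, not code from the post and not the school's software: it models a two-character year field stored the lenient way, shows that a clerk typing 1988 then sweeps in a record born in 1888, and puts a parser beside it that refuses input wider than the field instead of trimming it. The roster records and the field width are constructed for the demonstration.

```python
"""Added example (not code from the post or from the school's software): how a
fixed-width two-digit year field that silently drops the century makes the
birth years 1888 and 1988 collide, next to a parser that refuses to truncate."""
from dataclasses import dataclass
from typing import Callable, List


@dataclass(frozen=True)
class Person:
    name: str
    birth_year_field: str   # the two characters the (constructed) database stores


def store_year_lenient(typed: str, width: int = 2) -> str:
    """Model of the behaviour the post describes: keep the digits typed, drop
    everything but the last `width` of them, and say nothing about it."""
    digits = "".join(ch for ch in typed if ch.isdigit())
    return digits[-width:].rjust(width, "0")


def store_year_strict(typed: str, width: int = 2) -> str:
    """Hardened variant: input that does not fit the field is an error the
    operator sees, not something to be trimmed to fit."""
    digits = typed.strip()
    if not digits.isdigit():
        raise ValueError(f"year must be digits, got {typed!r}")
    if len(digits) != width:
        raise ValueError(f"year field is {width} digits wide; {typed!r} does not fit")
    return digits


def rejected_by_strict(typed: str, width: int = 2) -> bool:
    """True if the strict parser refuses `typed`."""
    try:
        store_year_strict(typed, width)
    except ValueError:
        return True
    return False


def kindergarten_mailing(people: List[Person], typed_year: str,
                         store: Callable[[str], str] = store_year_lenient) -> List[str]:
    """Names whose stored field equals the clerk's input after it passes through `store`."""
    key = store(typed_year)
    return [p.name for p in people if p.birth_year_field == key]


# Constructed sample records, not real people: a child born 1988, a woman born
# 1888 and a child born 1987, stored the way the lenient program would store them.
ROSTER = [
    Person("Child A", store_year_lenient("1988")),
    Person("Elder B", store_year_lenient("1888")),
    Person("Child C", store_year_lenient("1987")),
]

if __name__ == "__main__":
    # Lenient: the clerk types 1988 and the 1888 record is swept in as well.
    print(kindergarten_mailing(ROSTER, "1988"))
    # Strict: the same keystrokes stop the job with a visible error.
    try:
        kindergarten_mailing(ROSTER, "1988", store=store_year_strict)
    except ValueError as err:
        print("rejected:", err)
```

The strict parser only removes the silent truncation; the collision itself goes away only when the field is widened to hold the century, which is the fix the RISKS-14.44 thread was really about.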


Re: Correcting computer information ... (Debenham, RISKS-14.44)

Pete Mellor <pm@cs.city.ac.uk>
Tue, 30 Mar 93 11:27:56 BST
Further to the mailing by Peter Debenham <PPXPMD@ppn1.nott.ac.uk> in
RISKS-14.44:

> Recently a television advert has been running showing clips of actors
> mentioning problems that can happen with computer systems  ...

It is interesting that the government is embarking on a publicity campaign
now. I do not recall a comparable campaign when the act first came into
force, though this may be due to erasable memory chips between the ears.
DP professionals certainly had it drawn to their attention by poster
campaigns and training sessions provided internally by large computer
manufacturers, but I don't *think* there were any TV ads.

> Under the Data Protection Act (1986) in this country a Data Protection
> Registrar was set up to monitor uses of computers to store personal
> information and to be an independent source of help to get faulty data
> corrected.

This poses certain risks for computer users. Suppose that I keep
the following information on-line for my own reference:

a) Names and addresses of professional contacts.

b) Notes on their research interests.

c) Names and birthdays of members of their families. (It might be good for
   business if I sent their kids birthday cards! :-)

d) Comments such as: "This guy is an idiot. Don't get into any more projects
   with him!"

As I understand it, I am not required to register as a data holder if I
merely keep type a) data. I am *probably* required to register if I keep
b), and more so if I keep type c).

In any case, it is extremely unlikely that I would be prosecuted for failing
to register unless I were foolish enough to keep type d) data and also to
supply a copy of my file to someone who passed it back to the person about
whom I had written nasty comments.

The University keeps computer files with staff and student records. Naturally
it is registered and every employee or student has the right to see the
information held and demand that it be corrected if it is in error. (In fact,
hard copies are posted to staff periodically to remind them to update their
records, e.g., change of address.)

What about e-mail, though? Suppose I send a piece of vitriolic e-mail about
a particular student to another member of staff (not that I would, of
course! :-). Am I in breach of the Act by sending the e-mail? Am I in breach
of the Act if I keep an on-line copy? Is the recipient in breach by filing
an on-line copy, and if the recipient keeps one but I don't, am I still
liable? Is the recipient in breach while it resides in the destination
mail-box before it is read? Are we both covered by the fact that the
University is registered? (In fact I *think* the Act requires registration
of particular systems.)

Regardless of whether we should register or not, does every student in the
University have the right to read every e-mail memo about them sent between
staff if these have been stored on-line? If comments are felt to be unfair,
should the student be able to demand that the record of past correspondence
be toned down even though the vitriolic original was read and acted upon
long ago, or would it suffice simply to print and file a hard copy of the
memo and delete it from the on-line file, thereby removing it from the terms
of the Act?

I am not thoroughly familiar with the wording of the Act, but I suspect the
answers to some of the above questions are far from obvious.

Does anyone know how successful the Act has been in terms of prosecutions
for unregistered holding of data or justified demands for corrections?
Have any test cases established precedents for the points I have raised?

Perhaps a publicity campaign should be aimed at holders of data who might
be unwittingly breaking the law (as was the earlier campaign at the time the
Act came into force).

Peter Mellor, Centre for Software Reliability, City University, Northampton
Sq., London EC1V 0HB, Tel: +44(0)71-477-8422, JANET: p.mellor@city.ac.uk


Re: Dutch hacker in jail for another month (from: Hans van Staveren)

<rmoonen@ihlpl.att.com>
Tue, 30 Mar 93 08:26 GMT
->According to the papers, forged credit cards were found while searching his
->home, and that also will not help his case.  He is supposedly unwilling to
->answer any questions at this point, but is charged with crimes that could
->send him to jail for a maximum of four years.

Don't forget that when he was arrested the previous time, he also was
unwilling to answer any questions. This gives a good motive for 'nailing' this
guy. The credit cards shouldn't be much of a problem for him, because
possession of them is not as big an offense as actually using them, and that's
hard to prove.

->Although I am definitely not suggesting he is a nice guy, somehow I have some
->difficulty connecting this nervous kid in our room with a sentence of four
->years. I hope that being the first to be caught under the new law, and in the
->act to boot, is not going to give him too much extra attention from law
->officers.

I'm afraid that being the first will only make for a harsh trial, to set an
example.  It's not only the first time a hacker will go to trial under the new
law, it's also the first time one was caught red-handed. A sentence of four
years will not only ruin those four years for him, but the rest of his career
will also be in severe danger. I hope the judge has done his homework on
computers though...

(Trials in the Netherlands do not work with juries, which might be to his
advantage, because in this case, the parties involved will at least know what
they are talking about...)

--Ralph Moonen


Credit and Avis rent a car re-visited

Boyd Roberts <boyd@prl.dec.com>
Tue, 30 Mar 1993 18:49:43 +0200
On returning from my US vacation yesterday, I found a strange letter asking me
to contact my old bank whose accounts I'd closed more than a year and a half
ago.  On calling the bank today, they tell me that an Avis car rental was
billed to my old VISA card I had with them, although I'd charged it to another
card when I made the rental.  The a/c number they used was the one used on the
application form.  Must be yet another benefit of having an Avis ``Wizard
Card''.

So, this begs the question: Will any random digit sequence work as long as the
leading digits point to a real bank?  [Not if they do a real-time check.  PGN]

This is just another problem caused by renting from Avis.  The last time I did
it, their data on me was misused and cost me some US$2000 through fraudulent
`telephone' transactions of which I've only recovered half, some 6 months
later.
            Boyd Roberts  boyd@prl.dec.com
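Boyd asks whether any random digit sequence would be accepted as long as the leading digits point to a real bank. The following is an added example, not code from the post and not a description of how Avis or the bank actually process numbers: it implements the Luhn mod-10 check digit test that can be run offline on a card number, shows that a random tail behind a plausible prefix passes it roughly one time in ten, and shows that the check digit is trivially computable from the other digits. The prefix and the sample numbers are constructed test values, not real accounts. The point is PGN's: an offline check catches typos, and only a real-time authorization confirms that an account exists and belongs to the customer.

```python
"""Added example (not from the RISKS post, and not how Avis or any bank works):
what an offline check of a card number can and cannot establish."""
import random
from typing import Iterator


def luhn_valid(number: str) -> bool:
    """True if the digits pass the Luhn (mod 10) check digit test."""
    digits = [int(c) for c in number if c.isdigit()]
    if len(digits) < 2:
        return False
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:           # double every second digit from the right
            d = d * 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def luhn_check_digit(payload: str) -> str:
    """The one digit that makes payload + digit pass. Anyone can compute it,
    so the check detects transcription errors, not forged numbers."""
    for d in "0123456789":
        if luhn_valid(payload + d):
            return d
    raise AssertionError("unreachable: exactly one of ten digits always works")


def random_numbers(prefix: str, length: int, n: int, seed: int) -> Iterator[str]:
    """Constructed random card-like numbers sharing `prefix` (not real accounts)."""
    rng = random.Random(seed)
    for _ in range(n):
        tail = "".join(rng.choice("0123456789") for _ in range(length - len(prefix)))
        yield prefix + tail


def luhn_pass_rate(prefix: str, length: int = 16, n: int = 5000, seed: int = 1) -> float:
    """Fraction of random numbers behind a plausible issuer prefix that pass
    Luhn: about one in ten, because the last digit is fixed by the others."""
    return sum(luhn_valid(x) for x in random_numbers(prefix, length, n, seed)) / n


if __name__ == "__main__":
    # "4111 1111 1111 1111" is a widely used test value, not an account.
    print(luhn_valid("4111111111111111"), luhn_valid("4111111111111112"))
    print(luhn_check_digit("411111111111111"))
    print(round(luhn_pass_rate("4111"), 3))
```

A merchant system that only checks the prefix and the check digit will accept a number that was never issued, or, as in Boyd's case, one that was issued but closed; neither condition is visible without asking the issuer at the time of the charge.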


Little green sting (saucers, Cooper/Maeda, RISKS-14.44)

Joseph T Chew <jtchew@Csa3.LBL.Gov>
Tue, 30 Mar 93 13:54:21 PST
A reading from RISKS-14.44...

> [I have seen this on several groups.  There is a question whether it
> is actually illegal if you are merely listening, as opposed to doing
> something about it.  PGN]

Might as well indulge my sense of the obvious by inserting, "...under UK
laws."  I don't know if they subscribe to the idea, as we do in the US, that
most things heard on the air may be listened to and even acted upon with
impunity.  (Newsies with a police/fire scanner take advantage of this, for
instance.)  According to my faulty memory of possibly obsolete US broadcast
law, *disclosing* the contents of non-broadcast transmissions is the no-no.

--Joe


Re: The FORTRAN-hating gateway

Phil Karn <karn@qualcomm.com>
Tue, 30 Mar 93 14:58:06 -0800
I had a very similar problem last year with the SLIP link to my house.  Every
time I tried to FTP the individual files making up the infamous PC game
Wolfenstein 3D, the transfer hung at the same point in one particular file. A
compressed archive of the same files went over fine.

Investigation showed that the offending data sequence was a long string of
ascii '+' characters.  This is the default "command escape" character on a
modem with the Hayes command set. To escape from data mode to command mode,
you send '+++' preceded and followed by at least a second of idle time. But I
*wasn't* triggering the command escape. The modem stayed in data mode. It just
corrupted my packets.

The modems in question were Motorola/Codex 3260 FASTs, which support DTE
speeds up to 115.2 kb/s. It seems that at such a high link speed,
whatever special processing the modems do on the '+' character (e.g.,
restarting a timer) takes more than one character time. So if you send
too many '+' characters in a row the modem's fifo eventually overflows.

The workaround was to change the command escape character to 128, which
effectively disabled the in-band escape feature, and to use DTR to control the
modem state. Not only is this completely reliable, it's faster too. And it
avoids Hayes' stupid patent on the "+++" sequence, a worthwhile goal in
itself.

Phil
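The escape mechanism Phil describes is worth seeing as a state machine, because the same in-band signalling is what lets hostile data on the link masquerade as commands. The following is an added example, not Phil's code and not the firmware of any modem: it models a Hayes-style detector (guard-time silence, exactly three escape characters, guard-time silence), checks that "+++" inside a data stream and a long run of '+' do not escape, shows the S2 = 128 workaround he used disabling the detector, and adds a toy queue model of his hypothesis that per-character processing of '+' costing more than one character time fills the FIFO. The one-second guard time follows his text; the rule that a fourth '+' demotes the run to data, the 115.2 kb/s character time, and the 1.5 character-time processing cost are assumptions made for the demonstration.

```python
"""Added example (not Phil Karn's code, nor any modem's firmware): a model of
the Hayes in-band escape (guard time, "+++", guard time), the runs of '+' that
must NOT escape, the S2 > 127 workaround, and a toy FIFO model of Karn's
hypothesis about per-character processing cost."""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

GUARD_TIME = 1.0                 # seconds of silence required on each side of "+++"
CHAR_TIME = 10.0 / 115200.0      # one 8N1 character at a 115.2 kb/s DTE rate


@dataclass
class EscapeDetector:
    escape_char: Optional[int] = ord("+")   # S2 register; 128..255 disables (as Karn used)
    guard: float = GUARD_TIME
    last_time: float = float("-inf")
    run: int = 0            # escape chars seen back to back since a guard-time silence
    armed: bool = False     # exactly three seen; waiting for the trailing silence
    escaped_at: List[float] = field(default_factory=list)

    def _enabled(self) -> bool:
        return self.escape_char is not None and self.escape_char <= 127

    def feed(self, t: float, byte: int) -> None:
        """One byte from the DTE at time t (seconds)."""
        self.check_idle(t)                  # a pending "+++" completes if this byte is late
        gap = t - self.last_time
        self.last_time = t
        if not self._enabled():
            return
        if byte != self.escape_char:        # any other byte: the run was data
            self.run, self.armed = 0, False
            return
        if gap >= self.guard:               # a candidate may only start after silence
            self.run = 1
        elif self.run > 0:
            self.run += 1
        if self.run > 3:                    # assumption: a fourth '+' makes it plain data
            self.run = 0
        self.armed = self.run == 3

    def check_idle(self, now: float) -> bool:
        """Call as time passes; True when the modem would drop to command mode."""
        if self.armed and now - self.last_time >= self.guard:
            self.escaped_at.append(self.last_time + self.guard)
            self.run, self.armed = 0, False
            return True
        return False


def run_stream(segments: List[Tuple[float, bytes]],
               escape_char: Optional[int] = ord("+")) -> List[float]:
    """segments = (seconds of silence before the segment, bytes sent back to back).
    Returns the times at which the detector would have escaped to command mode."""
    det = EscapeDetector(escape_char=escape_char)
    t = 0.0
    for silence, data in segments:
        t += silence
        for b in data:
            det.feed(t, b)
            t += CHAR_TIME
    det.check_idle(t + 2 * GUARD_TIME)      # the line goes quiet at the end
    return det.escaped_at


def fifo_backlog(data: bytes, escape_char: int = ord("+"), escape_cost: int = 15) -> int:
    """Peak bytes queued in the modem's input FIFO under a toy model of Karn's
    hypothesis: bytes arrive 10 time units apart and take 10 units to process,
    except an escape-character candidate, which takes `escape_cost` units.
    Constructed numbers, not a measurement of any real modem."""
    arrival = finish = peak = 0
    pending: List[int] = []
    for b in data:
        finish = max(finish, arrival) + (escape_cost if b == escape_char else 10)
        pending.append(finish)
        pending = [f for f in pending if f > arrival]   # still queued at this arrival
        peak = max(peak, len(pending))
        arrival += 10
    return peak


if __name__ == "__main__":
    print(run_stream([(0.0, b"some data"), (1.5, b"+++")]))          # deliberate escape
    print(run_stream([(0.0, b"data+++more")]))                       # no guard time: data
    print(run_stream([(1.5, b"+" * 40)]))                            # Karn's run of '+'
    print(run_stream([(0.0, b"some data"), (1.5, b"+++")], 128))     # S2=128: disabled
    print(fifo_backlog(b"+" * 60), fifo_backlog(b"x" * 60))          # 16-deep FIFO overflows
```

The detector never escapes on Phil's data, which matches what he saw; the damage in the toy model comes entirely from the work done to recognise each candidate, and moving the escape character out of the 7-bit range removes both the detection and that work. Out-of-band control via DTR has no such ambiguity, which is why it is the safer design whenever the DTE can drive it.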
