The Risks Digest

The RISKS Digest

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Volume 14 Issue 75

Wednesday 14 July 1993


o Bugs in the computer [Ant-ics in the Sun]
Clive Feather
o Re: Important words in other fonts
Frederick G.M. Roeber
o IEEE Computer Magazine Article Analyzes Therac-25 Accidents
Jim Haynes
o Medical Reimbursements and Computer Glitches
Sanford Sherizen
o Software Safety Workshop: Call for Papers and Participants
Lon D. Gowen
o Application of Software Metrics and Quality Assurance in Industry
Pete Mellor
o "Russian Day" in St.Petersburg
Klaus Brunnstein
o Incident Response Workshop info
Gene Spafford
o Info on RISKS (comp.risks)

Bugs in the computer

Clive Feather <>
Wed, 14 Jul 93 11:11:11 BST
The following appeared in Unigram.X (a UK newsletter) and Market Watch
(an electronic news clippings service). On my request, permission has been
granted to reproduce this item in RISKS provided that the full text,
up to and including the line beginning with several = signs, is included.
Clive D.W. Feather, IXI Ltd, Vision Park, Cambridge   CB4 4ZR  UK    Phone: +44 223 236 555    Fax:   +44 223 236 466

 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -


  Computergram via First! — Sun Microsystems Inc knows why Brazil is known
to its native inhabitants as the kingdom of the ants - it got an electronic
mail message from its local representative down there asking how to get rid
of bugs - ants nests to be precise: seems a user had turned his workstation
off for a few days and on returning to power the thing up was greeted by
some nasty crunching and popping sounds; opening the lid he was greeted by
an army of ants whose nest-building had been rudely interrupted by his
machine's Sparc CPU and disk subsystem coming to life; pest control was
hurriedly dispatched and the system was soon up and running - Sun knows its
stuff when it comes to bug-fixing.

[07-08-93 at 14:38 EDT, Copyright 1993, Apt Data Services., File: g0708183.437]

 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Entire contents (C) 1993 by INDIVIDUAL, Inc., 84 Sherman Street, Cambridge,
MA 02140 - Phone: 617-354-2230, FAX: 617-864-4066.  Unauthorized electronic
redistribution without prior written approval of INDIVIDUAL, Inc. is
prohibited by law.  Any authorized copy must carry in full the copyright
notice of the information source, if any, of First! and of INDIVIDUAL, Inc.
==============[The End - First! (TM) - Your Smart News Agent]===============

Re: Important words in other fonts

Frederick G.M. Roeber <>
Wed, 7 Jul 1993 09:44:07 +0200
Recently I have been working with the "World Wide Web," a project
designed to unite the various data resources on the internet into
a common web of information.  The Web began a few years ago at
CERN.  I am working at CERN as well, and some people who saw my
work or articles thought I was an official web project member.

So, on my 'signature' page ( )
I included a disclaimer:

  Please note: <b>I am <i>not</i> an official member ...</b>.

The lingua franca of the web is HTML, or hypertext markup language, which is
based on SGML.  The codes in angle brackets above are SGML, and stand for bold
and italics.

I looked at my page with my whiz-bang X-based web browser (NCSA Mosaic), and
sure enough the line appeared with nice bold and italicised words.

A short time later, I got a call from a somewhat annoyed web project guy,
demanding to know why I was claiming to be an offical member.  It seems that
on his NeXT browser, the word "not" was mysteriously absent.

The problem was that his browser didn't support italics.

Why?  Well, when the Web began it was "hypertext" based.  Everything was
supposed to be simple, plain text accessible by everybody.  Though HTML was
based on SGML, this was more to be "standard" than to support fancy markups.
The core team had a nice plan as to how they would expand, slowly and in step.
Then the NCSA came along, with their elegant multimedia X-based browser.
Suddenly the web became "hypermedia," and (as it supported much more of SGML),
even plain text could be marked up in much fancier ways.  So people started
writing documents depending on the capabilities of NCSA Mosaic, leaving the
earlier browsers behind.  In this case, that lapse changed the entire meaning
of a rather important sentence.

There are a few points here:

  1) In important sentences of electronic documents, don't put
     important words (like "not") in other fonts or representations.

  2) In fact, avoid needless font and representation twiddling.

  3) Don't assume everybody has the same advanced tools you do.

  4) If you're going to use a standard, use *all* of the standard.
     HTML is based on SGML.  The <i> code is legitimate SGML.

  5) If you can't represent a requested font, for pete's sake don't
     just ignore the text!  Put it up however you can.  In this
     case, when I protested my innocence, the other guy loaded up
     the page on the old line-mode browser on the VM system.  This
     browser ignores virtually all markup commands, so the unadorned
     sentence — including the 'not' — appeared.

  6) If you launch a project in to the public, be prepared for
     someone to take the ball and outrun you.  You can't stay
     firmly in control.  This emphasizes point 4 — the whole point of
     "standards" is so that when this happens, things are still compatible.

Frederick G. M. Roeber, CERN/PPE, 1211 Geneva 23, Switzerland or | work: +41 22 767 31 80

IEEE Computer Magazine Article Analyzes Therac-25 Accidents

Jim Haynes <haynes@cats.UCSC.EDU>
Tue, 13 Jul 93 13:19:55 -0700
by Nancy G. Leveson, Professor of Computer Science and Engineering at
University of Washington, and Clark S. Turner, doctoral student at
University of California, Irvine.  Pages 18 through 41 of the current
(July 1993) issue of Computer.

   [The report from which this paper is drawn was noted in RISKS-14.04.  PGN]

Medical Reimbursements and Computer Glitches

Sanford Sherizen <>
Thu, 24 Jun 93 10:45 GMT
I have been handling some of my elderly mother's bills after her recent
hospitalization. Since she is in an HMO (Health Maintenance Organization), she
should not have had any bills other than for personal incidentals (tv, etc.).
Yet, she kept getting bills from one medical testing lab.  When I made an
inquiry, the lab told me that the bills should have been paid by the HMO and
that I should notify them, which I did.  Several more bills came from the lab
and several more inquiry calls were made.  Yesterday, a letter came indicating
that the account is delinquent and that it will be turned over to a collection
agency unless paid immediately.  I called and was told that their records
indicated that the bill had not been paid.  After pushing them a lot to review
their records, they suddenly discovered that the bill had been paid by the HMO
s more than a month ago.  The clerk told me that there had been a *number of
cases* recently where the computer had not recognized that a payment had been
made and bills were automatically sent out.  He told me that the computer
problem ws being worked on.  When I complained that the lab continued to send
out bills even though they knew that some of them were false, he told me that
all people had to do was to call the accounts department (it was an 800
number) and any errors would be corrected.  However, if I had not insisted
several times that the HMO had been notified and that they had paid the bill,
the money would be owed by my mother.

The end result is that this lab knows that there is a billing problem and they
have continued to send out bills, some of which are erroneous.  Their solution
is that (often ill) people will know that the bill has been paid, will contact
the billing office, will fight to ensure that the correct information is in
the computer, and all will be resolved.  Unfortunately, what will really
happen is that some people will pay the bill even if they do not owe the money
and others will have their credit history threatened if they cannot afford to
pay the money.

While this does not seem to fall under the legal definition of fraud, it may
be illegal if the lab is billing with knowledge of a computer problem of this
sort.  I suspect that this problem is more common than recognized and that the
lab is only one of a number of organizations that have decided that orderly
processing of accounts is more important than correct billing of people.
Computer glitch has become an excuse for financial manipulation and harming of

Software Safety Workshop: Call for Papers and Participants.

"Dr. Lon D. Gowen" <>
Wed, 23 Jun 1993 19:17:29 CDT

               The '93 International Software Safety Workshop

                            November 18-19, 1993
                        Computer Science Department
                        Mississippi State University
                             MS State, MS 39762

                            Tentative Sponsors:
                   The National Science Foundation (NSF)
                The Oak Ridge Associated Universities (ORAU)
                     Mississippi State University (MSU)

                            In Cooperation with:
              The American Society of Safety Engineers (ASSE)

This workshop's goal is to bring together researchers and practitioners from
academia, industry, and government in order to (1) enhance the transfer of
technology and communication, (2) examine current problems relating to
software safety research and practice, and (3) discuss and propose new
directions for software safety research and practice.  The workshop's
organizers desire participation from all software-safety-impacted sectors
such as aviation, medicine, transportation, manufacturing, the military,
chemical processing, etc.  The organizers also encourage participation by
both industrial and governmental individuals who manage, specify, design,
code, verify, or certify safety-critical software systems.

Additionally, this workshop seeks papers and presentations relating
specifically to software safety.  A partial list of topics follows:

          * Standards for developing and certifying safety-critical software
          * Techniques for static and dynamic verification & validation
          * Managerial issues and methods
          * Case studies in software safety
          * Experience reports dealing with software safety
          * Tools, techniques, and methodologies
          * Technology transfer between researchers and practitioners
          * Improving cooperation and communication between researchers
              and practitioners
          * Software hazard analysis and safety-critical requirements
          * Safety-critical designs
          * Long-range goals and plans for software safety, and how best
              to achieve them
          * Preliminary results from recent research or practice

Authors wishing to submit a manuscript for possible presentation and
inclusion in the workshop's proceedings must submit five copies by
3-SEP-1993 of full-length papers (20 single-spaced pages maximum) or topics
for presentation (2 single-spaced pages maximum) to the workshop's general
chair at the address below:

                         Lon D. Gowen, Ph.D.
                         ISSW '93
                         Computer Science Department
                         Mississippi State University
                         P.O. Drawer CS
                         MS State, MS 39762

          Phone:         (601) 325-7508
          Fax:           (601) 325-8997

     In addition to the refereed papers and presentations, there will be
several invited papers and presentations.  The organizers anticipate
presentations by the following organizations: FAA, FDA, FHWA, DoE, NASA, DLSF
Systems, McKinlay and Associates, plus others.  Additionally, there will be
presentations by various academic researchers.

Application of Software Metrics and Quality Assurance in Industry

Pete Mellor <>
Sat, 10 Jul 93 15:58:02 BST
The annual workshop of the Centre for Software Reliability will be held this
year in Amsterdam from 29th September to 1st October, co-hosted with the
Japanese Union of Scientists and Engineers.

The theme is "The Application of Software Metrics and Quality Assurance in
Industry". Keynote speakers are Vic Basili, University of Maryland, and
Yoshinori Iizuka, University of Tokyo.

Programme and application form can be supplied in paper or electronic form.

Under the Human Capital and Mobility scheme of the Commission for the European
Community, 100% support is available for up to 15 delegates to attend from
those areas of the EC which qualify for special support (which include Greece
and Portugal).

Applications are therefore particularly invited from people in these areas
(although naturally, all applicants are very welcome!).

Please respond preferably by e-mail. If you happen to know of anyone in one of
the supported areas of Europe who might be interested but who does not receive
e-mail or read the relevant lists, please pass the information on and ask them
to respond by fax or snail-mail.

Peter Mellor, Centre for Software Reliability, City University, Northampton
Sq., London EC1V 0HB, UK.  Tel: +44(0)71-477-8422 (Direct line to P. Mellor),
Tel: +44(0)71-477-8421 (Direct line to Ms. C.A. Allen, Centre Manager),
Fax: +44(0)71-477-8585,

"Russian Day" in St.Petersburg

Wed, 7 Jul 1993 18:36:46 +0200
In addition to the announcements in Risk Forum 14.60 (May 12,1993), concerning

             IFIP WG 9.6 Working Conference, August 12-17, 1993
   Venue: the conference ship M/S Ilich between Stockholm and St.Petersburg

here is an updated program of the "Russian Day" (St.Petersburg, August
14,1993) To my knowledge, this is the first time where plans for "Russian
ITSEC" may be compared to other suggestions (ITSEC, FC/FIPS), eg in related
contributions of Marshall Abrams and one EEC speaker. Klaus Brunnstein (May
28, 1993)

      Saturday August 14: "Russian Day"

      Part I:  "IT and Security in Russia. Experts view"
      "IT and Security in Russia"
           E.V. Evtyushin (Russian Agency for New Information)

      "IT vs. Security in Russia"
           E.A. Musaev (Russian Agency for New Information Technologies)

      "Problems of information protection in the Northwestern region of Russia"
          P.A. Kuznetsov (Association for Information Protection "Confident")

      Part II: "IT and Security in Russia - Commercial sector"
      "Bank requirements for Information Security"
          TBD (Sberbank of Russia)

      "Insurance Companies and Information Security"
          TBD (Representative of an insurance company)

      Part III: "It and Security in Russia - Public Sector"
      "The current state of INFOSEC legislation development in Russia"
          A.P. Kurilo (State Technical Committee of Russia)

      "The legal aspects of Digital Signature standardisation in Russian
          V.V. Markelov (Federal Agency of Government Communications and

      "The Russian IT Security Evaluation Criteria"
          Y.A. Timofeev (National Sub-committee on IT Security Techniques

      Part IV: "Western Developments in IT-Security"
      R.Hackworth (U.K.): "The OECD Guidelines on IT Security"

      M.Abrams (USA): "From Orange Book to new US Criteria"

      P.White (U.K.): "Drafting Security Policies"

      TBD "INFOSEC Security Issues in the EC"

Incident Response Workshop info

Gene Spafford <>
8 Jul 1993 20:03:29 -0500
       5th Computer Security Incident Handling Workshop
Sponsored by the Forum of Incident Response and Security Teams (FIRST)

              August 10-13, 1993
                St. Louis, MO

TUESDAY, August 10, 1993  Full-day Tutorials

1.  Creating a Security Policy, presented by Charles Cresson Wood:
      [no abstract available at time of posting]

2.  Vulnerabilities of the IBM PC Architecture: Virus, Worms, Trojan
      Horses, and Things That Go Bump In The Night
    presented by A. Padgett Peterson:

  An intensive look into the architecture of the IBM-PC and MS/PC-DOS --
  What it is and why it was designed that way. An understanding of
  assembly language and the interrupt structure of the Intel 80x86
  processor is helpful.

  The day will begin with the BIOS and what makes the PC a fully
  functional computer before any higher operating system is introduced.
  Next will be a discussion of the various operating systems, what they
  add and what is masked. Finally, the role and effects of the PC and
  various LAN configurations (peer-peer and client server) will be
  examined with emphasis on the potential protection afforded by login
  scripting and RIGHTS.

  At each step, vulnerabilities will be examined and demonstrations made
  of how malicious software exploits them. Demonstrations may include
  viruses depending on time and equipment available.

  On completion attendees will understand the vulnerabilities and how to
  detect attempted exploitation using simple tools included with DOS
  such as DEBUG and MEM.

3.  Unix Security
    presented by Matt Bishop:

  Unix can be a secure operating system if the appropriate controls and
  tools are used.  However, it is difficult for even experienced system
  administrators to know all the appropriate controls to use.  This
  tutorial covers the most important aspects of Unix security
  administration, including internal and external controls, useful
  tools, and administration techniques to develop better security.

  Upon completion, Unix system administrators will have a better understanding
  of vulnerabilities in Unix, and of methods to protect their systems.

WEDNESDAY, August 11, 1993

 8:30 -  8:45  Opening Remarks - Rich Pethia (CERT/CC)

 8:45 -  9:30  Keynote Speaker - Dr. Vinton Cerf (XXXX)

 9:30 - 10:00  Break

10:00 - 12:00  International Issues - Computer networks and communication lines
               span national borders.  This session will focus on how computer
               incidents may be handled in an international context, and on
               some ways investigators can coordinate their efforts.
         Harry Onderwater (Dutch Federal Police)
         John Austien (New Scotland Yard)
         other speakers pending

12:00 -  1:30  Lunch with Presentations by various Response Teams

 1:30 -  3:00  Professional Certification & Qualification - how do you know if
               the people you hire for security work are qualified for the
               job?  How can we even know what the appropriate qualifications
               are?  The speakers in this session will discuss some approaches
               to the problem for some segments of industry and government.
         Sally Meglathery ((ISC)2)
         Lynn McNulty (NIST)
         Genevieve Burns (ISSA)

 3:00 -  3:30  Break

 3:30 -  6:00  Incident Aftermath and Press Relations - What happens after an
               incident has been discovered?  What are some of the
               consequences of dealing with law enforcement and the press?
               This session will feature presentations on these issues, and
               include a panel to answer audience questions.
         Laurie Sefton (Apple Computer)
         Jeffrey Sebring (MITRE)
             Terry McGillen (Software Engineering Institute)
         John Markoff (NY Times)
         Mike Alexander (InfoSecurity News)

 7:00 -  9:00  Reception

THURSDAY  August 12

 8:30 - 10:00  Preserving Rights During an Investigation - During an
               investigation, sometimes more damage is done by the
               investigators than from the original incident.  This session
               reinforces the importance of respecting the rights of victims,
               bystanders, and suspects while also gathering evidence that may
               be used in legal or administrative actions.
         Mike Godwin (Electronic Frontiers Foundation)
         Scott Charney (Department of Justice)
         other speaker pending

10:00 - 10:30  Break

10:30 - 12:00  Coordinating an Investigation - What are the steps in an
               investigation?  When should law enforcement be called in?  How
               should evidence be preserved?  Veteran investigators discuss
               these questions.  A panel will answer questions, time permitting.
         Jim Settle (FBI)
         other speakers pending

12:00 -  1:30  Special Interest Lunch

 1:30 -  3:00  Liabilities and Insurance - You organize security measures but
               a loss occurs.  Can you somehow recover the cost of damages?
               You investigate an incident, only to cause some incidental
               damage.  Can you be sued?  This session examines these and
               related questions.
         Mark Rasch (Arent Fox)
         Bill Cook (Willian, Brinks, Olds, Hoffer, & Gibson)
         Marr Haack (USF&G Insurance Companies)

 3:00 -  3:15  Break

 3:15 -  5:30  Incident Role Playing — An exercise by the attendees
           to develop new insights into the process of
           investigating a computer security incident.
           Organized by Dr. Tom Longstaff of the CERT/CC.

 7:30 -  ?     Birds of a Feather and Poster Sessions

FRIDAY  August 13

 8:30 - 10:00  Virus Incidents - How do you organize a successful virus
               analysis and response group?  The speakers in this session have
               considerable experience ans success in doing exactly this.  In
               their talks, and subsequent panel, they will explain how to
               organize computer virus response.
         Werner Uhrig (Macintosh Anti-virus Expert)
         David Grisham (University of New Mexico)
         Christoph Fischer (CARO)
         Karen Picharczyk (LLNL/DoE CIAC)
         Ken van Wyk (DISA/Virus-L)

10:00 - 10:15  Break

10:15 - 11:15  Databases - How do you store incident, suspect, and
               vulnerability information safely, but still allow the
               information to be used effectively?  The speakers in this
               session will share some of their insights and methods on this
         John Carr (CCTA)
         Michael Higgins (DISA)
         speaker pending

11:15 - 12:15  Threats - Part of incidence response is to anticipate riska and
               threats.  This session will focus on some likely trends and
               possible new problems to be faced in computer security.
         Karl A. Seeger
         speakers pending

12:15 - 12:30  Closing Remarks - Dennis Steinauer (NIST/FIRST)

12:30 -  2:00  Lunch

 2:00 -  3:00  FIRST General Meeting and the Steering Committee Elections

 3:00 -  4:00  FIRST Steering Committee Meeting

^^^^^^^^^^^^^^^^^^^^^Registration Information/Form Follows^^^^^^^^^^^^^^^^^^^^^


Direct questions concerning registration and payment to:  Events at 412-268-6531

Direct general questions concerning the workshop to:  Mary Alice "Sam" Toocheck
                                                      at 214-268-6933

Return to:   Helen E. Joyce
             Software Engineering Institute
             Carnegie Mellon University
             Pittsburgh, PA  15213-3890
             Facsimile:  412-268-7401

Please make checks or purchase orders payable to SEI/CMU.  Credit cards are not
accepted.  No refunds will be issued, substitutions are encouraged.

The registrations fee includes materials, continental breakfast, lunches (not
included on August 13), morning and afternoon breaks and an evening reception
on August 11.  Completed registration materials must be received by the SEI no
later than July 10, 1993.

A minimum of 7 attendees are needed for each tutorial and there will be limit
of 50 attendees. You MUST indicate which tutorial you would like to attend and
an alternate if your first choice is full.


If your organization has not made prior arrangements for reimbursement of
workshop expenses, please provide authorization (1556) from your agency at the
time of registration.


Workshop................................. ..............$300.00
All registrations received after July 10, 1993..........$350.00
Tutorials (Must be registered by July, 10, 1993)........$190.00
      [Yes, I know ...   If you call today, tell them a RISKS issue with
      this info did not come out until today.  Maybe they can bend.  PGN]












CITIZENSHIP:  Are you a U.S. Citizen?    YES/NO

Identify country where citizenship is held if not the U.S.:

(Note: there will be no classified information disclosed at this workshop.
There is no attendance restriction based on citizenship or other criteria.)


RATES: A block of rooms has been reserved at the Hyatt Regency at Union
Station, One St. Louis Union Station, St. Louis, Missouri 63103.  The hotel
will hold these rooms until July 10, 1993.  Hotel arrangements should be made
directly with the Hyatt, 314-231-1234.  To receive the special rate of $65.00
per night, please mention the Fifth Computer Security Incident Handling
Workshop when making your hotel arrangements.

ACCOMMODATIONS: Six-story hotel featuring 540 guest rooms, including 20
suites.  All rooms have individual climate control, direct-dial telephone with
message alert, color TV with cable and optional pay movies.  Suites available
with wet bar.  Hotel offers three floors of Regency accommodations, along with
a Hyatt Good Passport floor, and a special floor for women travelers.

LOCATION/TRANSPORTATION FACTS: Downtown hotel located in historic Union
Station one mile from Cervantes Convention Center and St. Louis Convention
Center and St. Louis Arch.  Fifteen miles (30 minutes) from St. Louis Zoo.

DINING/ENTERTAINMENT:  Italian Cuisine is features at Aldo's, the hotel's
full-service restaurant.  Enjoy afternoon cocktails in the Grand Hall, an
open-air, six-story area featuring filigree work, fresco and stained glass
windows.  The station Grille offers a chop house and seafood menu.

RECREATIONAL/AMUSEMENT FACILITIES: Seasonal outdoor swimming pool.  Full
health club; sauna in both men's and women's locker rooms.  Jogging maps are
available at the hotel front desk.

SERVICES/FACILITIES/SHOPS:  Over 100 specialty shops throughout the hotel,
including men's and women's boutiques, children's toy shops and train stores.

Gene Spafford, COAST Project Director
Software Engineering Research Center & Dept. of Computer Sciences
Purdue University, W. Lafayette IN 47907-1398
Internet:   phone:  (317) 494-7825

Please report problems with the web pages to the maintainer