The Risks Digest

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Volume 14 Issue 58

Monday 10 May 1993


o 2 Women Accused in Sale of Adoption Information
John C Slimick
o Caller-ID mistakes
John H. Dale
o A RISK of Mailing Lists?
James Garven
discussed by Cal Jewell
o Census imposters invading Cary
George Entenman
o Analog vs Digital Speedometers
Martin Minow
o Computer Problem reveals tax details
John Gray
o Videoconferencing Bridge Likes Muscular Lungs
Shyamal Jajodia
o AIS BBS Capture log
o Re: Pyramids in space
Wayne Throop
o Re: Epilepsy and video games
Antonella Dalessandro
o Re: Humans NOT needed to save NASA
Flint Pellett
o Re: Junk mail reduction request can add to your junk mail, too
Steve Mick
o Re: China executes hacker
Jonathan Bowen
o Re: Evading 1-900 blocking
David A Willcox
o Re: Utility-derived information
Phil Agre
o Info on RISKS (comp.risks)

2 Women Accused in Sale of Adoption Information

John C Slimick <>
Mon, 3 May 1993 23:53:16 -0400 (EDT)
Abstracted from an AP item in the Buffalo News, May 2, 1993:

Two women accused of selling confidential information about adoptions have
pleaded innocent to computer trespass, grand larceny, and other charges.
State police and Department of Health officials allege that one of the women,
a departmental employee, looked up confidential adoption records in state
computers, then passed them onto the other defendant.  The other defendant,
who ran an adoption group called Birth Parents Network, then allegedly sold
the information for $800 a listing to people seeking their birth parents or

  Comment: It is notoriously difficult to break the sealed records in adoption
  cases. Many people use private detectives to find out what the court doesn't
  want them to know. Why not an end run around the records, and, at $800, it's
  probably cheaper than the detective.

john slimick  university of pittsburgh at bradford PA

Caller-ID mistakes

John H. Dale <>
Tue, 4 May 1993 23:12:22 GMT
The other evening, I received a number from an upset woman.  It appears that
her caller-id box told her she had just received a call from my number.  The
only call I had made that evening yielded me a pizza, and the number did not
resemble hers.  I did not ask her to describe the call, because she seemed
upset.  But I gather I would not have wanted to be accused of making it.

Anybody know whether this happens often?  Does the caller-id report include an
error check?  Are all boxes required to verify the check?

A RISK of Mailing Lists?

Cal Jewell <jewell@Data-IO.COM>
Wed, 5 May 93 11:39:40 PDT
Appended to the end of this message is an announcement I received today.
There's a new mailing list in town, the Risk Management and Insurance Mailing
list. The new mailing list is named RISK.

Perhaps this is an example of a RISK associated with the growing use of
mailing lists.

I wonder how many people, intending to subscribe to a mailing list version of
the RISKS digest, will accidentally subscribe to the RISK mailing list.

Cal   ...!pilchuck!jewell

# Date:         Wed, 5 May 1993 11:14:55 CDT
# Reply-To: garven@UTXVM.CC.UTEXAS.EDU
# Sender: NEW-LIST - New List Announcements <NEW-LIST@VM1.NoDak.EDU>
# From: "James R. Garven" <garven@UTXVM.CC.UTEXAS.EDU>
# Subject:      NEW: RISK - Risk Management and Insurance Mailing list
# RISK on LISTSERV@UTXVM.CC.UTEXAS.EDU    Risk and Insurance Issues
#    RISK is an electronic discussion list also known as RISKnet that will
#    allow persons around the world interested in Risk and Insurance
#    Issues to discuss matters of mutual concern.  Although RISK is a
#    moderated list, it is the intention of the moderator to facilitate a
#    "no holds barred" discussion of Risk and Insurance issues.
#    Submissions to RISK are posted and redistributed around the world to
#    all who subscribe, subject to the following constraints:
#    1) submitted materials must not be copyrighted;
#    2) submissions must be (at least remotely) related to the purposes of
#    the list as outlined below;
#    3) basic rules of email etiquette are expected;  i.e., character
#    assassination and/or profanity are not allowed, and neither are
#    anonymous submissions.
#    Possible topics for discussion on the list might include any of the
#    following:
#    1) Substantive discussion over topics such as corporate risk
#    management, underwriting cycles, insurance solvency and regulation,
#    insurance pricing, insurance economics, economics of legal rules,
#    liability issues, political risk, environmental risk, interactions
#    between insurance and finance, globalization of insurance markets,
#    risk perception and assessment (to name a few).
#    2) Comment and contributions on curriculum questions;  suggested
#    texts, new articles of common interest for course-related adoption.
#    3) Circulation of draft articles for comment and discussion.
#    4) Personal exchanges in the effort to develop a greater sense of
#    community among RISKNet colleagues.
#    To join RISK, send electronic mail to
#    (or on BITNET to LISTSERV@UTXVM) and include the following message in
#    the body of your mail:
#       Sub RISK John Doe
#    (in the above command, please substitute your own name for John Doe).
#    If you have any questions, please feel free to contact the owner.
#    Owner and Editor:  James R. Garven
#                       Department of Finance
#                       University of Texas at Austin
#                       Austin, TX  78712
#                       USA
#    Editor's Note:  Do not confuse the RISK list described above with
#    the RISKS list peered at several sites.  The RISK list is about
#    insurance.  The RISKS list is on issues related to the public use
#    of computer systems.  mgh

     [ugh.  pgn]

Analog vs Digital Speedometers

Martin Minow <>
Tue, 4 May 93 09:50:41 -0700
I'm not sure if this is worth a Risks posting, but it's an interesting
bit of information.

(From alt.folklore.computers, posted by
In article <> (Mauricio
Antonio Lopez Gutierrez) writes:
>Paul Raveling ( wrote:
<>In article <>, (Guy Dawson)
<>> In our race car we use an analog tach for the driver and record
<>> the telemetry data digitally.
<>> As for accuracy, the unit is VERY accurate. Internally the system is
<>> digital and drives a stepper motor to which the needle is attached.
<>> This is factory calibrated. The stepper motor means that the needle
<>> does not bounce around when the driver clips a curb or generally goofs.

<>    Much of this debate is based on opinion only and has little
<> data to back it up.

In the case of a watch it doesn't matter whether it is analogue or digital,
for most people most of the time a quarter hour counter will do.  In fact the
minute hand is really not needed and was omitted from early clocks, the time
between the hours was estimated.

In the case of a speedometer the speeds to which one is driving (eg usually
the limit) do matter.  I was involved in research (yes the evil deed of
getting real data) for Ford in Britain and we found that a digital, numeric
readout, even in poor seven segment characters was uniformly at least as good
and most times better than an analogue display.  We found this effect in
photographic presentations, a simulator and on the road with a $100,000
prototype.  We knew from the "ergonomics" literature that an analogue display
was supposed to be better for check reading and estimation but we failed to
find what we expected even though the tests were sometimes biased to find out
if such an effect occurred.  Furthermore, older people preferred this display
because the numbers were now so large that it was not necessary to focus on
them as much as was necessary to see a needle (especially at night).  The time
taken to interpret the numeric display was "swamped" by the ease of reading it
allowing people to look back at the road during the interpretation time.  When
we presented the results to a conference the German and Japanese auto
researchers rushed back to their labs to do the research which only we had
"bothered" to do.  Never assume that "common sense" is enough when people's
lives may be at stake.

Call the Institute of Consumer Research (ICE) in England (phone
011-44-509-236161 or fax 610725) for further details.

Census imposters invading Cary

George Entenman <>
Fri, 7 May 93 08:32:50 -0400
I found this article in the newspaper last week.  It's obvious that the story
describes an attempt to "fish for information" on us, but I would like to know
what questions you netters think these "census takers" might be asking.  The
simplest answer is that they are casing the joint to find out how many VCR's
and how much jewelry people own, when they are at home, etc.  But is there any
other data that would have less tangible risks?  SSNs, for example?
George Entenman

  Census imposters invading Cary, by Beverly Brown, Staff writer
  The News and Observer, Saturday, May 1, 1993, Page 7B [Abstracted by PGN]

Cary [NC] - Beware of nosy people at your door claiming to be census workers.
They probably aren't.  Police Chief David Fortson said several residents have
complained about people identifying themselves as census employees and
proceeding to ask questions.

Eighty legitimate census workers - carrying red, white and blue identification
cards - won't start going door-to-door until May 20, when the town begins
conducting a special census.  Cary, at odds with the Census Bureau over the
town's 1990 census, commissioned a special head-count last year.  The latest
census says the fast-growing town has a few more than 43,000 residents.  But
the town estimates that at least 48,000 people call Cary home.  At stake are
millions of dollars in state funding, allocated on the basis of population.
For a new count, which will involve a week-long canvass, census workers will
limit their questions to name, age, race, sex, national origin and
relationship to the homeowner.

Fortson said the imposters most likely are opportunists, using public
knowledge about the town's forthcoming count as a chance to fish for
information.  "There are all kinds of things going on in terms of scams," he
said.  "Perhaps this is another way for folks to pull off a scam.  I just
don't know."

Computer Problem reveals tax details

John Gray <>
Thu, 6 May 93 15:45:40 BST
"The Scotsman", 6th May, reports an incident affecting possibly as many
as "a couple of thousand" households in East Kilbride, near Glasgow.
Residents have received information on council tax rebates (for low
income and invalidity benefit claimants) relating to their neighbours.

Apparently, the computer "broke down" midway through printing the 900,000
bills being issued, and after the computer was restarted, the problem
occurred. Apparently, the rebate information on the FRONT of the bill was
correct, but the calculation on the BACK related to the next
household (apparently the bills are issued in order of address).

Presumably, when the computer crashed, it ejected one half-printed bill, and
proceeded to pair the front and back pages wrongly for the remainder of the

A council official said that most families would not be directly
identified [though if you know that they live next door....]. The only
names in bills would be those of "non-dependents" such as lodgers.

  [We had an almost identical case a few years back.  PGN]

Videoconferencing Bridge Likes Muscular Lungs

Shyamal Jajodia <>
Mon, 03 May 93 14:29:21 EDT
In the April 1993 issue of the MIT Information Systems magazine there is a
description of a videoconferencing system.  Apparently, in a multi-site
conference, each site must call a bridge, or hub, which then acts as the
traffic controller for transmission to and from the participating sites. The
risk is in the bridge design:

  "The bridge relies on voice activation to determine which site to show
  more or less on the principle that whoever talks the loudest gets seen"

Does this system contravene the Americans with Disabilities Act? I never
knew that lung power would some day make me more visible.

Shyamal Jajodia (MIT)

AIS BBS Capture log

Anonymous <>
Fri, 7 May 93 11:18:17 -0500
This text was forwarded to me by a friend and professional colleague in the
UK. I am dismayed that this type of activity is being condoned by an American
Governmental Agency. I can only hope that this operation is shut down and the
responsible parties are reprimanded.  I am extremely disturbed by the thought
that my tax money is being used for, what I consider, unethical, immoral and
possibly illegal activities.

             ---- begin forwarded message -------------

AIS BBS Capture log.

To:  all interested parties, especially Americans who may wish to ask
relevant questions of relevant people.

Capture log from a BBS that claims to be run by the US Treasury Department,
Bureau of the Public Debt. Notice - I have not verified that the US government
is actually running this BBS, only that the BBS claims that it is.

The capture was made live. I have cut out parts where the same area was
visited twice, and the information is identical. Also cut out, is any
information that could lead to the caller being identified, as the caller
wishes to retain privacy. If indeed this is being run by the US Government,
the caller would not wish to be harassed by that organisation.

Also omitted are the "More" prompts for paging the display. And, after the
first few displays of the main menu, some of those have also been omitted for

The file 27-ASM.ZIP was downloaded, to check that there really were source
codes. In fact, there were mostly recompilable disassemblies, some good, some
bad. I've included, at the end of this file, the beginning of 512.ASM, a
disassembly of Number of the Beast. But I've only included the header, the
first couple of instructions (discover Dos version) and the end (the '666').
All the meat of the code, I've omitted for brevity, and because this capture
is likely to become publicly available.

[ portions deleted containing high-order ascii ]

Bureau of Public Debt, OnLine Information System, AIS Files System

Select: A

File Areas: ----------

 14 ... ABOVEGROUND-MISC                 15 ... ABOVEGROUND-NEWSLTR
 17 ... BULLETINS (Non-Current)

Select area: 7

                            U.S. Treasury Department
                       Current File Area : UNDERGROUND-VIRUS

           3   [A]  Area Change             [R]  Raw Directory      3
           3   [L]  Locate by Keyword       [W]  Wild Card Search   3
           3   [F]  File List               [B]  Browse a Txt File  3
           3   [N]  New Files               [*]  Main Menu          3
           3   [D]  Download (Global)       [G]  Goodbye            3
           3   [U]  Upload                                          3
            To request an access level upgrade leave a message for
                                Mary Clark

Bureau of Public Debt      OnLine Information System      AIS Files System

Select: F

Press P to Pause, S to Stop

27-ASM.ZIP    137207 18-02-93  27 ASM files, incl. 1260, 4096, etc.
541.ZIP         3321 25-08-92  541 in ASM
AIDS.ZIP        2065 25-08-92  AIDS in PASCAL
AIRCOP.ZIP      2081 25-08-92  Aircop in ASM
ANTHRAX.ZIP     3688 25-08-92  Anthrax in ASM
ASM.ZIP       183429 25-08-92  Source code for 51 viruses
BLOODY.ZIP      3037 25-08-92  Bloody in ASM
BOB.ZIP         3221 25-08-92  Bob virus in ASM
BOBVIRUS.ZIP    5812 25-08-92  Bob virus in ASM
BOOT.ZIP       25975 25-08-92  Source code for 13 viruses
CANCER.ZIP      1270 25-08-92  Cancer in ASM
CONTEST.ZIP     7680 11-02-93  M. Ludwig's Virus Writing Contest Rules
CRAZY.ZIP        514 25-08-92  Crazy in C
CVIR_C.ZIP      2621 25-08-92  Cvirus in C
CVIRUS.ZIP      3656 25-08-92  CVirus in ASM
DETH001.ROT     4661 08-03-93  Megadeth's Guide to Virus Research part I
DETH002.ROT     2662 08-03-93  Megadeth's Guide to Virus Research part II
GRITHER.ZIP     2393 25-08-92  Grither in ASM
GUIDES.ZIP     35541 25-08-92  "How-To" for the budding virus writer
ITALIANS.ZIP    4659 25-08-92  Italiano source in ASM
ITTI-A.ZIP      1589 25-08-92  Itti-Bitti A in ASM
ITTI-B.ZIP      1310 25-08-92  Itti-Bitti B in ASM
LEPROSY.ZIP     2983 25-08-92  Leprosy in C
LEPROSYB.ZIP    4024 25-08-92  Leprosy strain B in ASM
MARAUDER.ZIP    3511 25-08-92  Marauder in ASM
MTE-SRC.ZIP    14272 18-04-92  A supposed disassembly of the Mutation
MTE91B.ZIP     12719 29-06-92  Dark Avenger's Mutation Engine
MUSICBUG.ZIP    3322 01-01-93  Music Bug in ???
N1.ZIP          1986 25-08-92  Number One in PASCAL
NEWINSTL.ZIP  161536 25-08-92  Nowhere Man's Virus Creation Lab (PKUNZip
PEBBLE.ZIP      1454 25-08-92  Pebble in ASM
PS-MPC90.ZIP   41802 31-07-92  Phalcon/Skism Mass Produced Code Generator

SAT-BUG.ZIP    18158 25-02-93  Source Code of a poly-virus
SATNLH.ZIP      2137 25-08-92  Satan's Little Helper in ASM
SHHS.ZIP        2922 25-08-92  South Houston High School in ASM
STONEDII.ARJ    2377 26-03-93  The Stoned 2 virus w/ source
VBASEABC.ZIP  242816 05-02-93  New, accurate virus info database
VCL.ZIP       167472 21-07-92  Nowhere Man's GUI based Virus Creation Lab
                               <Chiba City>
VIRULIST.ZIP  168192 25-08-92  40-Odd Viruses in ASM
VIRUS.ZIP       3191 25-08-92  Virus source in ASM
WORM.ZIP        1110 28-10-92  Internet Worm source code in "C"
XMAS.ZIP         892 25-08-92  Christmas in ???
TPE11.ZIP       7747 23-12-92  Trident Polymorphic Engine ver 1.1

Press (Enter) to continue:

[ remainder deleted ]

           ------ end of forwarded text --------

I submit this text in an anonymous fashion for fear of reprisal.
I respectfully request that Ken van Wyk and Peter G. Neumann allow
that it be posted to both VIRUS-L and RISKS Digests. I think the
risks of Government sponsored virus exchange are crystal clear.

Quis Custodiet Ipsos Custodes?

Pyramids in space (Mehlman, RISKS-14.57)

Wayne Throop <>
Tue, 4 May 93 12:36:43 -0400
: The pyramids are a poor example to bring into the argument about manned
: space exploration.  They cost more than just money.

It's not just cost.  After all, manned space exploration costs more than just
money, too.  It's that, with a few thousand years of hindsight, pyramids
*were* a remarkably stupid thing to do with those resources.  If I thought
that manned space flight was "like" building the pyramids, I'd immediately say
"flush it".  I mean, was it *really* sensible to build those structures, when
the only thing that the heirs of all this effort find practical to do with it
is to mine the dressing stones from the surface, recover the burial goods, and
promote tourism income?

Hmmmmmm.  Do you suppose there were those who said "well, just look at the
technological spinoffs!  We now can pile large stone slabs up with joints you
can't fit a knife into!  We can build structures of enormous size with
incredibly accurate right angles!"?

Bogus then.  Bogus now.

Don't get me wrong, I don't suppose that there are no adequate justifications
for manned space exploration.  It's just that the argument that "it'll turn
out to be just as good an investment as the pyramids" is a remarkably poor
one, roughly like saying that "He's evewy bit as good a wabbit hunter as Elmer

So what's the computer risk here?  Perhaps the oldest of them all.  The risk
of being impressed by spinning tape drives or blinking lights or neat rows of
numbers on printout.  Which is, after all, a variant of the very human risk of
being impressed by appearance rather than substance.

Wayne Throop

Re: Epilepsy and video games

Antonella Dalessandro <>
Thu, 6 May 93 16:25:42 METDST
There have been a few postings in the past on alleged pathological (esp.
neurological) conditions induced by playing video games (e.g., Nintendo).
Apparently, there have been reported several cases of "photosensitive
epilepsy", due to the flashing of some patterns and the strong attention of
the (young) players.  One poster to comp.risks reported some action from the
British Government.

A quick search in a database reported the following two published

1. E.J. Hart, Nintendo epilepsy, in New England J. of Med., 322(20), 1473
2. TK Daneshmend et al., Dark Warrior epilepsy, BMJ 1982; 284:1751-2.

I would appreciate if someone could post (or e-mail) any reference to
(preferably published) further work on the subject.  Any pointer to other
information and/or to possible technical tools (if any) for reducing the risks
are appreciated.

Many thanks,

Antonella D'Alessandro, Pisa — Italy.       

Re: Humans NOT needed to save NASA (Norman, RISKS-14.57)

Flint Pellett <>
4 May 93 14:31:15 GMT
>A contribution to RISKS (14.56) once again repeats the propaganda that it is
>only through human cleverness and ingenuity that complex space missions are
>saved. That is sheer propaganda.

Even though I'm personally in favor of sending men into space, I don't
think they are required or desirable for every mission, and this recent
example just cited, if anything, is hardly a strong case in favor of manned
missions.  Think: if you hadn't had the men there to bump the plastic part
and break it in the first place, you wouldn't have had any problem that
needed a man to fix.  You also need to be careful not to read too much
into the "cleverness/ingenuity" issues: a man on the ground could have
been just as clever and directed a fairly simple robot arm to insert
the felt tip pen.  There are examples where having a man there saved the
mission, but this wasn't one of them, and economically you'd be a lot
farther ahead if you had twice as many unmanned missions (costing half
as much) even if 25% of them did fail.

If you want some hard facts, consider the amount that we have spent
recently trying to get a working toilet, and how much time was spent
trying to fix it.  Without men there, you don't need toilets.

Flint Pellett, Global Information Systems Technology, Inc., 100 Trade Centre
Drive, Suite 301, Champaign, IL 61820  (217) 352-1165  uunet!gistdev!flint

Re: Junk mail reduction request can add to your junk mail, too

Steve Mick <>
Fri, 7 May 1993 12:22:46 -0800
Direct mail marketers are, of course, interested in "targeting" their mailings
to recipients in known categories such as Porsche owners or toad collectors.
I have long felt that if you request that the Direct Marketing Association put
your name on the "no unsolicited material" database, you would eventually be
categorized as a person interested in privacy issues and mailbox pollution.

Steve Mick,

Re: China executes hacker (RISKS-14.57)

Jonathan Bowen, Oxford University <>
Fri, 7 May 93 12:14:34 BST
From the front page of "Computing", a weekly UK newspaper, 6 May 1993:

  China executes hacker over #122,000 [UK pounds] theft

  The Chinese government said this week it had executed convicted hacker
  Shi Biao as a warning to others that computer crime does not pay.
  Biao, who worked as an accountant at the Agricultural Bank of China,
  embezzled more than #122,000 [UK pounds] over three months in 1991 by
  forging bank-deposit slips.  He was caught when he and an accomplice tried
  to transfer some of the money to the province of Shenzhen in southern China.

Re: Evading 1-900 blocking (Carr, RISKS-14.57)

David A Willcox <>
Tue, 4 May 1993 16:25:29 GMT
I think that if the owner of a phone line wanted to communicate with sexually
explicit services (whether 900 numbers or anything else), he or she should be
required to request, in writing, that those services be enabled.  (Hey, the
phone company could charge for the service!)  If you've got kids and don't
want to talk dirty on the phone yourself, you do nothing.  If you don't have
kids, then you can sign up.  If you have kids and sign up, then it is up to
you to deal with keeping your kids out of it.  But the bottom line would be
that services would be obligated to reject calls from any line that had not
explicitly requested access to such services.

>In my opinion, they were trying to blame technology for a social problem...

There are technological issues here.  My own son got involved with
one of these "services" recently, and I am glad to hear that others are
upset about it.  A couple of points:

(1) When you call this supposedly free 800-number, you don't have
    to "leave your phone number", the company gets it automatically
    when you call.  You get a recorded number telling you to hang up.
    You then get an automatic, collect callback.

(2) The callback apparently doesn't require any explicit response to
    enable the collect call.  If you stay on the line for more than
    a few seconds, you are charged.  There is no mention of
    how much the call will cost.

To answer your last question:

(1) There is nothing wrong with "talking about sex."  However, I
    do think that there is something wrong with adults describing
    explicit sex acts to a preteen child.  We do discuss sex with our
    kids, and assume that they discuss it with their friends (in terms
    rather different than we do with them :-) ), but I certainly
    wouldn't take any of them to a hardcore porno movie.

(2) There is pretty much a consensus in our society that children should
    not have free access to sexually explicit materials.  I may be
    overstating this, but consider what would happen to an "adult"
    bookstore owner who sold materials to minors (or at least young
    minors).  I feel that anyone distributing such materials, whether
    in a store, by mail, or electronically, has the obligation to take
    reasonable steps to ensure that the recipient is of "reasonable" age.

(3) We will take responsibility for what our son knew he was doing.
    called, that we (and he) will take responsibility for.  (He called some
    other, regular long distance numbers with recorded messages, and has
    repaid us for them.) However, I am not happy about this end run around
    900-number blocking that turns a supposedly-free phone call into a
    charged call.

(The company in question did eliminate the charge, by the way, when
informed that they had made a collect, obscene phone call to a minor
child.  I kind of wish that they hadn't been so accommodating.  I was
ready to make a very big stink.)

An interesting side effect to all of this.  Since our little incident, I
have been getting some very unusual mail, not even in a "plain brown
wrapper."  I had never realized that calling a 1-800 number could put
you onto a mailing list!

David A. Willcox, Motorola MCG - Urbana, 1101 E. University Ave., Urbana, IL
61801  217-384-8534   ...!uiucuxc!udc!willcox

Re: Utility-derived information

Phil Agre <>
Mon, 3 May 1993 17:38:46 -0700
Here is the reference for a detailed San Jose Mercury article on the use of utility
information by the police to detect marijuana growers etc.  The article is
more generally about the highly developed practice of informal personal-data
sharing among various public and private organizations in the San Jose area.

  Gary Webb, Utilities give cops data on their customers, San Jose Mercury
  News, 27 December 1992, pages A1, A21.
