The Risks Digest

The RISKS Digest

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Volume 15 Issue 08

Thursday 7 October 1993


o Control faults cause train crash
Hank Cohen
o WSJ report on potential problems with 757/767 Autopilots
o Typing error causes stock to fall 20% for `a few moments'
Lorenzo Strigini
o Epitope suit uses computer bulletin board
Tom Hanrahan
o Libraries
Phil Agre
o The Panoptic Sort
Phil Agre
o "Change" and October 1993 CACM
Jim Huggins
o Mailing list fun
Mark Brader
o Virus distributed during college computer sale
Jim Huggins
o Re: Bank of America fires employee ...
Robert Ellis Smith
o Re: RISKs of trusting e-mail
Bob Frankston
o Re: The FBI investigating college pranks
Valdis Kletnieks
o Separating parts in privileged applications
Yves Royer
o A reference on Ethics
Peter B Ladkin
o Re: Cancer Treatment Blunder
David Crooke
Jerry Bakin
o Info on RISKS (comp.risks)

Control faults cause train crash

Thu, 07 Oct 93 03:29:42 EDT
Excerpted from The Japan Times October 7,1993

Osaka- Osaka Prefectural Police suspect control faults caused a train to crash
here Tuesday, injuring 178 of the 290 passengers on board.  They suspect the
driverless train was traveling at about 30 kph when it crashed into a safety
buffer at Suminoekoen Station, judging by the number of broken glass panels on
the train.
    The train derailed after smashing into the buffer at the end of the track.
Had it passed through the buffer, it would have crashed down on to a major
street which was filled with rush-hour traffic.  [The train was elevated
approximately 20 meters judging from TV pictures.  It would have had to crash
through both the buffer and a short concrete wall at the end of the track
before it could have fallen to the street. HKC] Of the 178 injured passengers,
48 were hospitalized.
    It was the first time the New Tram has been involved in an accident
causing injury since it began running in 1981 The train, which carries about
60,000 passengers each day, makes about two-thirds of its runs without a
driver or conductor aboard.
    Similar computerized transport systems are being introduced in Kobe,
Saitama and Yokohama. [A similar train is already in operation near Nagoya.
    Malfunctions of the train's two control systems led to the crash,
police said.  The automatic train operation system, which decelerates the
train in four stages when it is within 200 meters of a station, failed, and
the automatic train control system, which stops the train in an emergency
situation worked inadequately, they said.
    The control system applied an emergency brake only 45 meters from the
safety buffer by using an emergency circuit, police said.

Hank Cohen, Concurrent Nippon Corp., Shuwa yanagibashi Bldg. 5F, Yanagibashi
2-19-6, Taito-ku Tokyo 111, Japan  Denwa: 03-3864-5714  Fax: 03-3864-0898

WSJ report on potential problems with 757/767 Autopilots

Peter G. Neumann <>
Thu, 7 Oct 93 11:26:59 PDT
WALL STREET JOURNAL (October 7, 1993) - Federal safety investigators said
autopilot problems have caused certain Boeing jets to change direction for no
apparent reason.  The National Transportation Safety Board has asked the
Federal Aviation Administration to warn pilots that autopilots on Boeing 757
and 767 airplanes have engaged and disengaged on their own, and to take
precautionary measures.  The FAA said it would put the matter under
"high-priority review."  The autopilots of Boeing 757s and 767s are made by
Collins Avionics, a division of Rockwell International.  Collins officials
couldn't be reached to comment.

Milano: Typing error causes stock to fall 20% for `a few moments'

Lorenzo Strigini <>
Thu, 7 Oct 93 13:28:35 MET
Excerpted and paraphrased from "la Repubblica" (popular, "independent" Italian
morning newspaper), 28 September 1993, p. 54 (quotes, square-bracketed comments
and mis-translations of stock market jargon are mine):
"The day in Piazza Affari [i.e., the Milano Stock Exchange] was characterised
by a curious incident":  an operator  was ordered to sell 51000 'Generali'
shares at 39,500 Lire each; he mistyped the price as 35,000. "The mistake
prevented Generali stock from 'opening' and caused turmoil in the market: what
calamity was happening in Italy or the world so severe ... to make the price of
the best stock in the Italian market drop so quickly? A few moments of panic
followed, which caused a further drop of the price to 31,000 Lire. Then the
mystery was explained, and Generali closed at 39,991 Lire (+1.18 %) and at the
end of the day they were exchanged above 40,000 Lire"
As I understand it, the stock market is protected against snowball effects from
such mistakes by the fact that authorities can stop the dealing on an item
whose price changes too quickly; I wonder whether any of the software used by
individual dealers attempts to alert them about seemingly extravagant orders.

Lorenzo Strigini, IEI-CNR, Via Santa Maria 46  I-56126 Pisa - Italy
tel. +39 50 593495; fax +39 50 554342  E-mail:

Epitope suit uses computer bulletin board

Tom Hanrahan <>
Thu, 7 Oct 93 08:40:21 -0700
From The Oregonian (Portland, Oregon), October 7, 1993, by Vince Kohler

Epitope Inc. used information subpoenaed from the computer bulletin- board
service Prodigy to prepare a $5 million federal lawsuit against a Kidder,
Peabody vice president in Kansas City, Mo.

Lois Rosenbaum, a lawyer for Epitope, said the company used information from
Prodigy Services Co. to track down A. Karl Kipke, who works for Kidder,
Peabody in Kansas City, Mo.  The lawsuit claims that Kipke used a false name,
William Smith, to log onto a Prodigy electronic bulletin board on three
occasions in August.  Each time, the lawsuit contends, Kipke wrote lengthy
commentaries he knew were false and defamatory about Epitope, the company's
management practices and its attempts to gain federal approval of an oral
device used to detect the AIDS virus.

[...] "We certainly believe the price of the stock is lower than it would've
been but for these false allegations, Rosenbaum said.  "And I think it's clear
that the articles were written for the purpose of negatively influencing the
price of the stock."  [...] Epitope's lawsuit says Kipke and his clients were
holders of short positions in Epitope stock.  [...] Epitope's lawsuit seeks $5
million in punitive damages from Kipke and alleges defamation, manipulation of
security prices, securities fraud and intentional interference with business

Rosenbaum acknowledged that the lawsuit's electronic dimension is "a very
unusual situation."

Submitter note: The omitted sections of text basically say that Kipke was
unavailable for comment and explain what holding a "short position" means.

-- Tom Hanrahan,


Phil Agre <>
Wed, 6 Oct 1993 17:50:59 -0700
The Spring 1993 issue of the journal Representations (orange cover, widely
available on newsstands in college towns) is a special issue on the future
of libraries, taking as its point of departure the new national library
that Francois Mitterand is trying to build in Paris.  The whole issue is
interesting, but the main Risks-relevant article is by Geoff Nunberg:

Geoffrey Nunberg, The place of books in the age of electronic reproduction,
Representations 42, 1993, pages 13-37.

Nunberg argues (among many other points) that printed newspapers have served
to help create what Benedict Anderson called "imagined communities".  The
idea is that, since everyone in San Diego (say) gets more or less the same
version of the San Diego Union-Tribune, readers of the Union-Tribune are
aware that everyone else who is reading the paper sees the same articles.
Thus they can get a sense of what "everyone knows" about the day's events
that help to knit together a coherent concept of the community.  Of course
in San Diego people read the LA Times and the NY Times as well, and many
people get all their news from TV.  The point is that people get their news
from only a small number of sources that are the same everywhere, and these
provide a way of imagining what "we" know, think, read, have opinions about,
and so forth.

In the age of electronic distribution of information, though, it's quite
possible for everyone to get customized information which is filtered down
in various ways and then assembled from a patchwork of different sources.
The result might be greater difficulty in imagining communities, as opposed
to imagining professions or other specialized interest groups that would
tend to steer toward the same information sources.

The same issue contains an article on the future of copyright:

Jane C. Ginsburg, Copyright without walls?: Speculations on literary property
in the library of the future, Representations 42, 1993, pages 53-73.

Phil Agre, UCSD

The Panoptic Sort

Phil Agre <>
Wed, 6 Oct 1993 16:52:46 -0700
The current Harvard Business Review contains an article telling business
people how to use massive databases of personal information in their
marketing.  Although generally somewhat weak, it does include some special
moments, like the observation that most businesses can't yet afford enough
disks to store tens of millions of bytes (including, for example, purchase
histories) on tens of millions of customers.  The most useful bit is a
sidebar on pages 154-155 explaining that privacy restrictions on uses of
personal information only hurt small businesses, since the big ones can
afford the added costs they induce.  This lame argument is a good example of
the current big fashion in lobbying, "showing how it hurts the little guy".
The reference is:

  Jim Bessen, Riding the information wave, Harvard Business Review 71(5),
  September-October 1993, pages 150-160.

The same issue includes an equally vague article on enterprise integration.

The good news is that a really interesting new book on personal information
has appeared:

  Oscar H. Gandy, Jr., The Panoptic Sort: A Political Economy of Personal
  Information, Boulder: Westview Press, 1993.

It's helpful to consider the book at three separate levels:

(1) It includes an impressive catalog of phenomena related to personal
information.  Most of these will be familiar from Risks, but here they're
all collected in one place with references.  It also includes a remarkable
survey of the relevant critical literature, for a total of about 700 useful

(2) It also includes some empirical studies, some of which I found more
useful than others.  The best by far is a study of the conditions under
which people become concerned about threats to privacy from the collection
of personal information.  It has all the limitations of survey and focus
group based research, but it's an important starting point.

(3) Finally, it attempts to develop a theory of the political economy of
personal information.  It is a pessimistic theory, laying out the forces
that tend to cause personal information to be collected and centralized.
As such, this theory will not please conservatives, with their faith in
markets, or progressive activists, with their faith in people's capacity to
resist oppression.  But hey, maybe he's right.

Phil Agre, UCSD

"Change" and October 1993 CACM

Jim Huggins <>
Thu, 7 Oct 1993 14:08:22 -0400 (EDT)
How ironic.

In the October 1993 issue of CACM, the "Inside RISKS" column contains a long
litany of computer systems which were proposed as new and better alternatives
to existing systems, but rarely were completed "on time, within budget, and up
to spec."

In the same issue, the "Newstrack" column reports on the recent announcement
of plans to build an IBM supercomputer with 512 processors at Cornell.  New
York Governor Mario Cuomo comments, "I really don't understand it, but I know
it means change; and from change comes strength."

Perhaps -- but as "Inside RISKS" demonstrates this month, change which is not
carefully planned and carefully executed may bring weakness, too.  The
attitude that "if I do it on a computer, it's better, and if it's on a bigger
computer, it's better yet" still seems far too prominent.

Mailing list fun

Thu, 7 Oct 1993 19:39:58 -0400
The "Rich Bastard" bank mailing list blooper (RISKS-14.89) was also posted to
alt.folklore.computes, where it spawned a thread on incorrect transformations
of personal and other names in mailing lists.

The following are collected from articles by John Miller, John Switzer,
Jeff Hibbard, Jay Maynard, Joel Sumner, Jeff DelPapa, Hugh JE Davies,
Terry Kennedy, Jake Richter, Kevin Stevens, Scott Telford, and Brad Heintz.
Remarks in ["..."] are from the above people and not me.

    Georgia-Pacific Corporation
    -> Georgia P. Corporati
    -> Dear Ms. Corporati  ["So how long have you been an Italian
                 transvestite and how did the bank find
                 out about it?"]
    Bradley University
    -> Mrs. Bradley Un, IV
    -> Dear Mrs. Un

    James R. Maynard III
    -> Mr. Iii          [but in the same software...]
    James R. Maynard, III  [but "I've always signed my name without the comma"]
    -> Mr. Maynard

    Lambda Chi Alpha
    -> Alpha, Lambda C.

    Undergraduate Lounge
    -> Dear Mr. Ung Lounge,
    -> Just think what the neighbors will think when they see you and the
       other members of the Lounge family riding around the neighborhood in
       your new Cadillac. ...

    Lord xxxx
    -> Dear Mr. Lord

    St. Peter's College
    -> Saint Peter S. College
    -> Dear Saint College  ["It's amazing that they actually parse for a
                salutation of 'Saint'.  How many of those are
                still receiving mail?"]
    -> Pending Deletion, Citibank

    Department of Computer Science
    -> Dear Mr. Science,

    Nuclear Physics Department
    -> Dear Mr. Nuclear    [The recipient "put it on his door, thus buying
                himself an instant nickname."]

And finally

    ["I had been sharing a house rental for several months, a few years back,
      when we received a dunning notice from a collection agency.  ...  Took
      a bit of the pace off that it was personalized to 'Resident', though."]

Mark Brader, Toronto        utzoo!sq!msb

         [PGN adds that the RISKS archives include bunch of others
         that could be included in this list, the most amusing of which
         were probably these:

    Friedman Wedd etal
    -> Etalfried Wedd  [a letter offered the recipient a pre-approved loan
                       for $750.  A follow-up spoof story given in RISKS-10.16
                       had "Etalfried" complaining about the paltriness of the
                       amount, and being offered an unsecured cash loan for

    Mail sent to Switzerland
    -> wound up routed to Switzerla ND (North Dakota).   ]

Virus distributed during college computer sale

Jim Huggins <>
Thu, 7 Oct 1993 13:48:08 -0400 (EDT)
The University of Michigan annually holds a "Computer Kickoff Sale", an
opportunity for students to buy personal computer systems through UM for
reduced prices.  This year, a few students got an added bonus: a virus.

Four hundred Macintosh systems sold on the first day of the sale had the nVIR
virus included on the standard distribution disks prepared by the Information
Technology Division (ITD).  The source of the virus is currently unknown.

"We're still investigating where the virus may have come from ... We
don't know if it's the duplicating company that we used, it's a possibility.
It's a possibility that even though our master disks here were scanned
for viruses before it went out to the duplicator, it could have been
infected here," said Phil Harding, manager of the sales program.

The standard distribution disks include a copy of Disinfectant, a Macintosh
anti-viral program, which can be used to remove the nVIR virus.  ITD
warned new users about the possibility of viral infection even before this
problem came to light.  ITD has removed the virus from all remaining
distribution disks and will replace any old distribution disks free of charge.

Ryan Goble, a first year student who bought a Macintosh through the sale,
commented, "I assumed everything would be sterile because the disk came in a
plastic bag."

Harding again: "Next year we'll have tighter controls and testing.  I'm
assuming responsibility for this because it was under my jurisdiction.  We
just have to do tighter testing once the disks come back from the duplicator."
Later: "It's a bad situation, but we're trying to make the best of it.  I'm
sure this incident will make people more aware of viruses and to get the right
applications to eradicate and prevent them from occurring."

[Source: cover story in _The_Michigan_Daily_, UM campus student newspaper,
7 Oct 1993.]

Re: Bank of America fires employee ... (Jones, RISKS-15.06)

Robert Ellis Smith <>
Thu, 7 Oct 93 02:24 GMT
David Jones in Montreal asked about a report that Bank of America fired an
employee after snooping in his e-mail and discovering that he worked as a male
stripper at night.  It is true that Bank of America fired the man, Michael
Thomasson of San Francisco after it discovered his moonlighting, but they
discovered it by going through his desk, not his e-mail.  This case and 500
other invasions of privacy are written up in WAR STORIES, a collection
published by Privacy Journal and selling fo r $17.50.  Call 401/274-7861 or
write MCI Mail, rsmith 510-1719, or PO Box 28577 Providence RI 02908.

While we are at it, Privacy Journal also publishes a special report on uses and
abuses of Social Security numbers, including the current laws covering the use
of SSNs.  It sells for $15.

Robert Ellis Smith Publisher, Privacy Journal

Re: RISKs of trusting e-mail

Wed, 6 Oct 1993 23:35 -0400
Forgeries of resignations and the like are the norm during the novelty phase
of a service. Of course many people will treat it as a very serious crime.

My concern is more with the issue of closed loop vs open loop mechanisms.
There will always be some imperfections in the system that people will
exploit on purpose or by accident. While we can string offenders up by the
thumbs, accidents will still happen. For example, one needs to send a quick
message and uses the nearest terminal forgetting that it will be from the
currently logged in user.

People need to remember that reality checking is a key part of any system be
it technical or social. If one receives an unexpected letter of resignation,
one should check it out instead of playing the role of a droid and just
following through. There will still be the serious crimes in which one sets
the stage so the letter seems real, but casual pranks should have bounded
repercussions. Of course, if people verified, we'd lose too many book and
movie plots.

In a world where legal communication is via Fax the problem is not just
"computer" fraud but one of assuring a degree of trust.

I do recall a store where some students at MIT submitted an order for a 747
from Boeing. They got a call asking where to deliver it...

The report on the error in radiation dosage also emphasis the open-loop
phenomena. Why doesn't a life critical system meter the actual dosage given
instead of assuming that everything is working perfectly. Then there was the
BART Train that couldn't determine it was going at 40mph when it thought it
was stopped.

Re: The FBI investigating college pranks (Cohen, RISKS-15.07)

Valdis Kletnieks <>
7 Oct 1993 21:10:33 GMT
>It's a sad state of affairs when the FBI investigates a college prank but
>doesn't investigate murder and rape running rampant through the nation.

On the other hand, the FBI is only chartered to investigate certain categories
of crimes.  In particular, they can only initiate action on violations of
*federal* laws, or assist in state or local actions *on invitation only*.
Now, if a "college prank" involves the violation of one of the federal
statutes regarding electronic activity, they can take action.  Murder and rape
are state actions and handled at the state level (hint - read the papers about
ongoing trials, and see if they are being held in the state court system, or
in the local Federal Circuit courts).

The legal basis for this setup goes back to the Constitution and the
delegation of powers to the federal and state governments.

Does anybody have a reference to which federal statutes the FBI used as a
basis for the investigation?

ObRisk: Do we, as a nation, *want* the FBI sticking its nose into every murder
and robbery case?  I'm sure there's a Big Brother problem lurking there..

   Valdis Kletnieks, Computer Systems Engineer, Virginia Tech

Separating parts in privileged applications

Thu, 7 Oct 1993 15:43:13 -0400
   When an application runs with more than one privilege state, care should
be taken to isolate the privileged portion from the untrusted code. This is
well done with ring protection schemes:

   Address space is organized in "rings", from the inner kernel (lowest ring
number, highest privilege) to the unprivileged application (highest ring
number, lowest privilege).

   A program can only CALL routines of same or HIGHER level of privilege. A
routine of lower privilege is considered untrustable: You call the operating
system, don't expect it to call you. Hardware enforces that the routines
are called only at special entry points called "GATES".

   When a routine executes in a more privileged state, it's address space and
stack is isolated from access by less privileged routines by being placed in
another ring space. A program can ACCESS data of same or LOWER privilege. Of
course, a privileged program should not really trust what lies (pun intended
;-) ) in less privileged spaces.

   Some routines can conform to the ring of the caller. For example a well
debugged string manipulation routine is very trustable and can be used by the
operating system as well as the application, but should not be granted
increased privilege when running.

   Code has three ring attributes:

   a) Least privileged ring where it can execute. The code is not accessible
      from programs which lack this access level.
   b) Least privilege granted. If this value differs from the first one,
      the routine is said to be "GATED", and can execute with a higher
      privilege than the caller. If the caller uses the routine at
      a privilege level equal or higher, then the execution ring do
      not change.
   c) Most privileged ring where it can execute (ie: Trust level)
      The routine is untrustworthy of usage by a more privileged application.

      In ring numbers, the relation a >= b >= c is always true.

   Data has two ring attributes:

   - Read attribute: Least privilege needed to read the information.
   - Write attribute: Least privilege needed to write it.

     The write ring level is always lower or equal than the read level (same
   or higher privilege)

   Files possess ring attributes. In such a system, the password file could
be world readable and writable, but in rings which normal users cannot normally

   The separation of address spaces ease the debugging of system problems:
When data integrity is compromised in an address space, the lower-privileged
routines and programs are not likely causes for the problem, unless the address
spaces manager is itself in error in some way.

   Of course, there are drawbacks. The over-utilisation of ring mechanisms
augment context switches (which are costly), and the processor needs more
registers to manage the rings. The only operating system I know that uses this
protection scheme fully is NOS/VE.[*] I know that the 80x86 (x > 1) have a
built-in ring mechanism and that OS/2 uses it to some point, but I do not know
of any UNIX system that uses rings.

   A network implementation using this scheme could be interesting, but
hardware address space separation should be replaced by cryptographic
certificates. A client-server implementation would be slow compared
to the hardware solution, but it would be more portable.

Yves Royer, Universite du Quebec a Trois-Rivieres  (819) 376-5100

    [Never heard of Multics, eh?  Well, that was almost 30 years ago. ... PGN]

A reference on Ethics

Dr Peter B Ladkin <>
6 Oct 93 18:44:45 BST (Wed)
Readers concerned with ethical issues in computing might be interested in the
article: Is There an Ethics of Computing?  by Geoffrey Brown in the J. of
Applied Philosophy 8(1), 1991.

Peter Ladkin

Re: Cancer Treatment Blunder (Smee, RISKS-15.06)

Wed, 6 Oct 93 15:20:23 BST
Paul Smee asked if the radiation machine operator forgot to RTFM -- apparently
the hospital didn't receive the manual until several YEARS after they started
using the machine!

David Crooke, Department of Computer Science, University of Edinburgh
JCMB Rm 3310, King's Bldgs, W Mains Rd., Edinburgh EH9 3JZ. 031 650 6013

Re: Cancer Treatment Blunder

Tue, 05 Oct 1993 22:36:11 -0800 (PST)
What kind of testing did they do?

I would hope that testing this device would include a test to make
sure it was calibrated.  That if the machine is supposed to operate at
so many roentgens for so many seconds, that it actually does so!

This would not be a built-in-test, but would involve an external,
precalibrated measuring instrument.

Let's get real, when I buy bananas and gas, those scales are required
to be inspected in such a manner!

I would have hoped that this test would have been performed:

  By the manufacturer:
  o   after every relevant hardware or software change
  o   on each machine before it is shipped

  At the clinic:
  o   upon delivery and acceptance of the machine by the radiologists
  o   whenever maintenance is performed
  o   at periodic intervals (annually, quarterly?)

Who built this, the same dolts who tested the Hubble mirror?

Dare I suggest some official body regulate such devices, or would that
be an example of government over regulation of private industry?

Jerry Bakin.

Re: Cancer Treatment Blunder

RISKS Forum <>
Wed, 6 Oct 93 8:41:07 PDT
Yes, but regulation is not enough.  You must have seen the item in RISKS about
the gas station that had Trojan horsed its computer and was systematically
charging for gas that had never been pumped.  PGN

Re: Cancer Treatment Blunder

Wed, 06 Oct 1993 11:07:56 -0800 (PST)
You're right.  But regulation would raise the issue, and create paper trails
to show some compliance.  There's not much motive to charge for radiation
that hasn't been pumped, although I guess that IS exactly what had been
occurring.  My hope is that was unintentional in the cancer treatment case. :)


Please report problems with the web pages to the maintainer