The Risks Digest

The RISKS Digest

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Volume 15 Issue 21

Tuesday 2 November 1993


o Investment program turns into doomsday machine
Meine van der Meulen
o Direct E-Mail: J.S. McBride & Co.
o "RSI does not exist"
Gavin Matthews
o Public relations
Phil Agre
o Procrustus
Bob Frankston
o Re: Magnetic Fields in Subway Cars
Peter Debenham
Andrew Marchant-Shapiro
o Re: Fiber Optic Cable Hazards
Bonnie J Johnson
o Re: Breakdown in computerised voter support, Oslo
H?vard Hegna
o Re: Ethernet addresses as port ids
Bob Rahe
o Virus Security Instituate VSI '94 Announcement
A. Padgett Peterson
o ESORICS 94: Call for Papers
Yves Deswarte
o Info on RISKS (comp.risks)

Investment program turns into doomsday machine

Tue, 02 Nov 1993 13:43 +0100 (MET)
>From the dutch newspaper "De Volkskrant", 2 November 1993:

The investment fund Groeigarant put the "Black Box" out of order. It was
designed by Ton Jongbloed, former president of Staal Bankiers, to advise
investors. He claimed on long term it would be twice as profitable as
investing in public loans. However the expert system EIS (Electronic
Investment Sector) proved to be a "doomsday machine". Only by disconnecting
it from the mains larger damage could be averted.

Roughly, the principle of the program was: buy when prices go down, sell
when prices go up. This policy was used for several funds selected by
Groeigarant. Several months already, prices on the Amsterdam stock market
are going up. Therefore, EIS issued orders to sell only. It sold almost all
the stocks Groeigarant had, and would have sold even more. The latter would
have led to a very risky situation. Selling stocks not available can lead
to severe losses when forced to deliver (and having to buy at even higher

Groeigarant says it will base its future investments on fundamental and
technical analysis of the stock market. Luckily, the consequences for the
fund have been kept to a minimum. Severe losses have been prevented. At the
moment the fund mainly possesses money, rather than stocks.

Meine van der Meulen, The Netherlands Organization for Applied Scientific
Research TNO, Department of Industrial Safety,

Direct E-Mail: J.S. McBride & Co.

Mon, 1 Nov 93 10:11:21 xST
According to the Internet Business Report 1.3 (page 4), J.S. McBride and
Company are selling access to a database of Internet addresses, including
demographic information.  They claim over one million entries.  The net
address is, and I am sure they would enjoy hearing
from anybody who would like to be removed from the list.

    [Equifax revisited?  PGN]

"RSI does not exist"

Gavin Matthews <>
Tue, 02 Nov 1993 00:44:16 -0700 (PDT)
The Guardian, 1993-10-29 Friday

Keyboard injury does not exists, judge rules.  Angella Johnson

Thousands of keyboards workers suffering the effects of what they believe to
be Repetitive Strain Injury were told by a High Court judge yesterday that the
condition did not exist.  He suggested that keyboard users forced to give up
their jobs because of aching muscles and joint were ``eggshell personalities
who needed to get a grip on themselves''.

In a test case ruling that has implications for compensation claims by RSI
victims, Judge John Prosser, QC, declared in the High Court that RSI was
meaningless and has ``no place in the medical books''.  He said the condition
was more psychosomatic than physical and rejected a claim for damages by
journalist Rafiq Mughal against his former employers Reuters news agency.

  [There's twice as much again and a followup article `Rulings may only
  delay claims avalanche' the same length.]

Public relations

Phil Agre <>
Mon, 1 Nov 1993 22:10:23 -0800
A new article by Oscar Gandy sketches the role of computers in the shifting
place of public relations in policy formation in the US, together with some
instances of PR affecting policies about information technology.  His very
useful central concept is the "information subsidy".  He points out that many
organizations, from the press to the Congress, run on vast amounts of
information, but their ability to generate their own information is limited by
their budgets.  PR people and lobbyists, funded by whoever has enough money
and a perceived stake in the outcome, fill the vacuum by supplying information
that is customized to fill the organization's needs while simultaneously
serving the interests of their patrons.  The result is a growing
commercialization of the public discourse and the political process, a
development with worrisome implications for the cause of democracy.  The full
reference is:

Oscar H. Gandy, Jr., Public relations and public policy: The structuration of
dominance in the information age, in Elizabeth L. Toth and Robert L. Heath,
eds, Rhetorical and Critical Approaches to Public Relations, Hillsdale, NJ:
Erlbaum, 1992.

Phil Agre, UCSD


Tue, 2 Nov 1993 04:15 -0400
Two minor incidents this week.

Twice I tried to leave my Sky-Gram phone number as a contact number. Once
when getting my car serviced and the other at Children's Hospital. In both
cases the data entry field knew what a phone number was and didn't like this
silly pin and other commentary. Of course, it would allow any extension
number. Or international number. The dark side of data validation and
unimaginative implementations.

My kids have hyphenated names. The hospital's system can't, of course, hack
hyphens. Neither can airline reservation systems. Can anyone explain this?
It's not as if hyphenated names are new. Do systems in the UK exhibit this
kind of silliness?

These observations aren't profound. They just point up the many petty bad
design decisions these systems are rife with.

Of course, my trip to the ER pointed out many other disappointments with the
DP departments. Analog X-Rays that I had to carry from the pediatrician's to
the hospital. The residents on duty had to ask for the same information that
the pediatrician already knew. In fact, since I relieved my wife midway
through the process, I didn't know the answers as well. If the details were
significant they would have affected the treatment. I won't even complain
about the amount of time wasted shuffling around. I'll just chalk this up to
the risks of nontechnology.

Many readers will, I am sure, applaud the hospital's cautious approach to
implementing technology and will point out that I didn't a prescription for a
lethal dosage of the wrong medicine. True. But a lack of knowledge can also
be dangerous. And wasting time is not a feature.

Re: Magnetic Fields in Subway Cars

Peter Debenham <>
Tue, 02 Nov 1993 13:36:48 +0000 (GMT)
Following on from the item in Risks15.20, parts of London's Underground system
has (or at least 2 years ago had) the same problem of the electromagnetic
fields from the trains wiping data from floppy disks.  One or two lines were
especially bad where the trains differed from the rolling stock on the other
lines. Whether the new rolling stock being introduced has solved the problem
or made it worse someone else will have to tell.  Awareness of the problem was

Peter Debenham, Rm165, APR, Meteorological Office, London Rd., Bracknell,
Berks., UK. RG12 2SZ   +44 (0)344 856974

Re: Magnetic Fields in Subway Cars (Drzyzgula RISKS-15.20)

2 Nov 93 08:45:00 EST
In RISKS-15.20, Bob Drzyzgula <> notes his experience
with a paperclip while riding on the Washington Metro.  While I was in
DC last spring, I didn't have much opportunity to move disks around,
but I did notice the Metro's emissions.  We have a compass in our car
(after living in Chicago, navigating in the East requires one!) and I
could see it jump all over the place when we were traveling near the
Metro; the worst case was when passing OVER the metro tracks.

I'm not at all certain how strong a field is required to change data
on a floppy disk; but I will try an experiment this spring, just to
satisfy myself that it's safe to travel with my notebook!

I must confess that I used to have the same sort of question about the
Chicago Elevated system, and that I never had data erased while I was
using that to commute;  In fact, I've never experienced floppy failure
at all; but it sounds like the Metro may be using a different
technology in its motors than the El, so it bears investigation...

Andrew Marchant-Shapiro, Depts of  Sociology and Political Science, Union
College, Schenectady  NY  12308   (518) 388-6225

Fiber Optic Cable Hazards

Bonnie J Johnson <>
Tue, 02 Nov 93 09:55:53 EST
I read with interest the story about the Telecom Worker who had died from
accidentally getting a piece of fiber into his bloodstream.  Since I didn't
see much activity on this list about it, I sent out messages to a Telecom and
Safety list.

You see, we pull, rehab and terminate our own fiber here and I certainly want
to warn our guys of possible hazards.

Some of the feedback I have received so far includes these:

"This sounds like a hazard which would be encountered in glassblowing shops.
Do you have a chem dept. with a glassblower on staff".

"I have been warned that your body does not see glass as a foreign object in
the same way that it sees wood for example.  So a glass splinter will not itch
or irritate, and so it will work into your body.  Once there it may meander
around and cause fatal problems.  I frankly have no idea if this is true, it
was a warning given out at a reputable fiber optic termination class.  It
certainly sounds like a good urban legend material".

"In my graduate fiber optics class, we were warned about this when the prof.
passed around some fiber.  He told us to be careful to not stick our fingers
with the glass, because it was small enough to get into the bloodstream and
stop your heart.  Now whether this is actually true or just a fiber optic
myth/ledgend, I'm not sure.  However, I do trust that paticular professor
quite a bit.  I don't think he told us that just to hear himself think.....".

Anyone one else get any pertinent personal replies they can pass along?

Re: Breakdown in computerised voter support, Oslo

H?vard Hegna <>
Tue, 2 Nov 1993 15:15:04 +0100
Just some comments and clarifications to the message of Reidar Conradi
of Nov.1 1993 (RISKS-15.20). Basically the message is correct, but:

1) In Norway voters are automatically "registered" and eligible to vote from
the year when they reach 18. They do not have to "pre-register", as is common
in the US. The turn-out normally approaches 80 % of the registered voters in
the general election. "Electorate management" then is the check at the local
polling stations that the voters are in the electorate and that they have not
voted before, there or elsewhere.  Most polling stations are placed in the
local public schools.

Oslo is one of 19 constituencies electing several Members of Parliament (MPs).
There are 165 MPs in all, Oslo's 360 000 registered voters elect 16 of them.

2) Two computer based electorate systems were used in this election. Both used
the schools regular PCs to save costs. The system that failed in Oslo was
based on a centralized register, with the PCs acting as terminals.  The other
system, used in Bergen (the second largest city) was based on local PCs with
copies of the full register. This system worked well, but with some unexpected
costs. The Norwegian Data Ombudsman insisted that all the PC hard-disks be
replaced after the election, so that no copies or shadow disk images of the
register could escape. It is basic to Norwegian election laws that no-one
shall know who voted.  The register itself should, of course, also be under
lock and key.

3) The Oslo voters had received a voting card shortly before the election.
This contained light-pen readable code that greatly simplified checking,
provided the system was running. One could of course vote without the card.
Proof of one's identity may have to be presented.

4) The breakdown in the communication from the schools to the central register
occurred because of what was variously called "a programming error in the
communication equipment", " a configuration error", "a last minute change for
reasons of better performance or functionality", and "a missing full-scale

The communication was based on X.25 and the trouble seems to come from a wrong
setting of X.3/X.29 PAD parameter 3, "Selection of data forwarding character".

A municipal commission of independent experts now studies the organisation,
procedures, user education, and systems of the election from "every angle".
It is not yet clear who commissioned the PAD setting, at what time, for what
purpose and under which control and testing scheme.

5) The Oslo municipal election board did not in fact unanimously recommend a
re-election. Based in particular on the fact that 700 votes cast at one of the
polling stations, had disappeared, they unanimously voted against sanctioning
the result. This left the decision on the question of re-election, to the
Parliament. The 700 votes were not lost as a direct result of the computer
failure, but probably disappeared in the general confusion after the polling
station closed and the counting started.

6) All in all, the election was basically under control. Although the
municipal administration was clearly too optimistic with respect to the
blessings of computer technology, there were enough communication and computer
logs, manual backup routines, paper ballots, and envelopes around, to check
whether the final results where within generally acceptable error bounds.
Except for the one large loss of votes mentioned above, the errors were small
and of the size also expected in a manually run election, according to the
administration. They did not add up to an amount that would influence the
selection among the candidates.

7) The Government proposed last year that a wholly computerized voting system,
with Direct Recording Equipment and no paper ballots, could be tested in the
1993 general Election. This was rejected by the Parliament, partly as a
consequence of pressure from computer specialists, pointing to the US
experience, as reported in RISKS and elsewhere (thank you, all of you). The
1993 experience has done a lot to confirm that rejection.

8) An account of the expectations of the project leader for the Oslo election,
can be found in the "New Scientist" of Sept.11, 1993. One of the high-lights
is the following quote: "An election with only electronic voting can be much
more secure and correct than a paper-based one. But we feel the
(Parliamentary) commitee did not have the necessary knowledge to trust such an
advance in the use of technology."

9) A personal note: I consider the Oslo election a success, in the sense that
it demonstrates wonderfully the necessity of a system of control routines
_outside of_ the computer voting equipment. In particular that some form of
manually controllable paper ballots be available.  A ballot that the voter can
read before it is placed in the urn, and that the counting personnel can count
manually as a precaution, or if necessary due to a close race, or an equipment
failure, or public scepticism. All other forms of control have to be based on
computer trust, and on total trust of the computer specialists involved.

As some-one wrote in an Oslo newspaper (Arbeiderbladet, Sept. 28), after the
Parliament decided against a re-election:

"Casting one's vote is as close to a sacred act as one can get in a modern
democratic secular society. The high-priests of modern technology should be
kept at arms length from the more sensitive parts of that act."

Havard Hegna, Norwegian Computing Center, Oslo, NORWAY (A
semi-governmental non-profit computer science research institute)

Re: Ethernet addresses as port ids (Peterson, RISKS-15.20)

Bob Rahe <>
Tue, 2 Nov 1993 07:55:08 EST
In RISKS-15.20 (A. Padgett Peterson) writes:

|>While Mr. Rahe is correct as far as a PING is concerned, the actual packets
|>*must* contain the actual hardware address of the sender in order for
|>the host/server to respond. The fact that the real address may be buried
|>a bit in the packet does not mean that it is not there.

  Well, no, not true.  The actual REAL ethernet address of the sender is
lost, from the receiver's point of view, once the packet passes through a
router (as another poster mentioned in the same digest).  The address that IS
passed along inside the packet is the next layer up - the IP address.  That
address is TOTALLY software driven and thus useless for identifying a port
in your scheme.

  This discussion sort of assumes TCP/IP over ethernet. As was mentioned,
DEC does some things differently and I'm sure there are other schemes, but
the ethernet address isn't there past a router.  (And lots of systems can
change their ethernet address anyway).

  I'd suggest Comer's book on TCP/IP for a good discussion of the basics of
ethernet and TCP/IP nets.

Virus Security Instituate VSI '94 Announcement

A. Padgett Peterson <>
Tue, 26 Oct 93 10:19:59 -0400
                     CONFERENCE ANNOUNCEMENT
                             VSI '94
                Philadelphia, Pennsylvania - USA
                        March 29-30, 1994

            Presented by the Virus Security Institute
      "A Different Kind of Information Security Conference"

     VSI '94 -- two intense days of interactive collaboration focused on the
development of a working information security model appropriate to both the
management and technical challenges of the mid-90s.

     Security is not a book of rules; it is an organic and dynamic process.
This principle will be expanded through an agressive combination of speakers,
scenarios and solutions.

     VSI '94 is not a hit-or-miss conference.  The program is carefully
structured to provide not only state-of-the-art information but practical
techniques that "push the envelope".

     DAY ONE: In the morning, industry experts will present a limited number
of papers dealing with state-of-the-art considerations divided into three
areas: scientific, technical, and managerial. This will provide a primer for
what is to follow.

In the afternoon, participants will restructure a traditional organization to
reflect the information security needs of the mid-90s.  The Management Track
will address requirements for executives, financial and legal considerations,
operating parameters, policies and procedures, re-engineering, communications
requirements and a five-year plan.  The Technical Track will explore tools and
techniques currently available, define requirements and techniques to preserve
vital information that may come under attack from any quarter, automation of
support functions, necessary networking and risk assessment.

Industry experts in each field will be present to make suggestions and offer
examples. The afternoon will be divided into segments for each of the tracks
with a focus provided for each. If the participants fail to reach a concensus
within the segment's alotted time, the legacy baseline will be used on the
next day.

Further planning is encouraged in the bar and at the reception.

     DAY TWO: Each of the elements of the restructured model will be examined
and challenged, both by speakers and participants.  Management will be given
legal, financial, and stockholder concerns to address.  Technical will defend
against attack scenarios ranging from viruses to terrorists to incendiary cows
& leaking tunnels.

     PLENARY: A recap of the proceedings analyzing strengths and weaknesses of
the model as developed, challenged, and improved.

     PAPERS: We solicit papers/speakers focusing on the subjects of fiendish
attacks, brilliant solutions, organizational indifference, and
prognostication. The focus will be on salvation from the Networks (both
interpretations apply).

     SITE: The entire conference floor of the Philadelphia Airport Hilton has
been reserved for VSI '94.  Rooms for Birds-of-a-Feather meetings may be
reserved in advance, subject to availability.  Facilities will be available
for larger, lengthy formal meetings on Monday, March 28.  The hotel is
designed to facilitate "H" (hall) track sessions.
    Room Rates: $72/night, single or double.  Contact the Hilton (302)792-2700
The Hilton provides a complimentary continental breakfast to all hotel guests.
     TRAVEL: Philadelphia International Airport (transportation from airport
provided by the Hilton) is served by most major airlines.  Drive time from
either Washington, DC or New York is approximately 2 hours.  AMTRAK serves
Philadelphia's 30th Street Station (local train available every half hour to
airport for Hilton pickup).  Discounted airfares are available from Sand Lake
Travel (800)535-1116 / (407)352-2808 / FAX (407)352-2908

     AMENITIES & AMUSEMENTS: Philadelphia is rich in attractions, from the
Liberty Bell to the Franklin Institute to the Art Museum to the bustling 9th
Street Market.  Excellent shopping in both Philadelphia and tax-free Delaware.
Nearby is the famous Brandywine Valley, home of Winterthur, Longwood Gardens
and Andrew Wyeth.  A full activities packet will be available to all

     INFORMATION:  For more information, E-Mail or Fax:
          EMAIL:  (case sensitive)
          FAX:    (302)764-6186 (include E-Mail address, please)

 Honorary/Convening Chairman - Dr. Harold Joseph Highland, FICS

Conference Chair:  Pamela Kane     Program Chair:  Padgett Peterson

  Founding Members and Directors of the Virus Security Insitute

     Vesselin Bontchev
     Dr. Klaus Brunnstein
     Dr. William Caelli
     Jon David
     Christoph Fischer
     Ross Greenberg
     Dr. Harold Joseph Highland, FICS
     Pamela Kane
     A. Padgett Peterson, P.E.
     Yisrael Radai
     Fridrik Skulason
     Dr. Alan Solomon

ESORICS 94: Call for Papers

Yves Deswarte <>
Tue, 2 Nov 1993 11:25:07 +0100
::::: Yves Deswarte - LAAS-CNRS & INRIA - 31077 Toulouse (France) :::::
:::: - Tel:+33/61336288 - Fax:+33/61336411 ::::

        European Symposium on Research in Computer Security
         Brighton, United Kingdom, November 7th-9th, 1994

ESORICS-94 (European Symposium on Research in Computer Security) is organised
by The IMA in cooperation with AFCET (creator), BCS Security Special Interest
Group, and CERT-ONERA.

AIM AND TOPICS: The aim of this symposium is to further the progress of
research in computer security by bringing together researchers in this area,
by promoting the exchange of ideas with system developers and by encouraging
links with researchers in areas related to computer security, information
theory and artificial intelligence.

Papers are solicited in the following areas:

- Theoretical Foundations of Security-

security models and specifications, contribution of formal logic and
information theory, formal development techniques

- Secure Computer Systems-

operating system security, network security, security management,
virus and worms, contribution of artificial intelligence, contribution
of new architectures and new technologies

- Security in Data and Knowledge Bases-

- Security in other Applications-

transaction systems, process control, real time, distributed

- Cryptography Applications-

authentication, key management, signature

- Security Verification and Evaluation-

formal methods, measure and evaluation of risks, measure and
evaluation of security, criteria, protocol verification

- Software Development Environments for Security-

- Operation of Secure Systems-

management, intrusion detection

- Security versus other requirements

Security and costs, performances, dependability, safety, reliability,...

All application fields are welcome (medical, industrial, financial,
copyright,...) as long as the proposals remain in the scope of
research in computer security.

This list is not exhaustive. Research papers, position papers and panel
proposals will be welcomed.

SUBMISSIONS: Six copies of papers or panel proposals should be submitted
to the program chair by March 25th, 1994 at the following address:

                         Gerard Eizenberg
                      CERT-ONERA   ESORICS 94
                        2, avenue E. Belin
                            B.P. 4025
                       31055 Toulouse Cedex

The texts must be submitted in English. Papers should be limited to
6000 words, full page figures being counted as 300 words.  Each paper
must include a short abstract and a list of keywords indicating
subject classification. Notification of acceptance will be sent by
June 24th, 1994, and camera-ready copies will be due on
September 1st, 1994.

Panel proposals should include title, proposed chair, tentative panelists,
a 2 or 3 paragraphs description of the subject, format of the presentation,
and rationale for the panel.

For further information and/or copy of the advance program when available,
send E-mail to Dieter Gollmann at the next address:
or write to:
                          Pamela Irving
                        Conference Officer
        The Institute of Mathematics and Its Applications
                         16 Nelson Steet
                          ESSEX SS1 1EF
                         United  Kingdom

Submission deadline: March 25th, 1994
Acceptance notification: June 24th, 1994
Camera-ready copy due: September 1st, 1994

GENERAL CHAIR: Roger Needham (University of Cambridge, United Kingdom)

CHAIR: Gerard Eizenberg (CERT-ONERA, France)
VICE-CHAIR: Elisa Bertino (Universita di Milano, Italy)
Bruno d'Ausbourg (CERT-ONERA, France)
Thomas Beth (Universitaet Karlsruhe, Germany)
Joachim Biskup (Universitaet Hildesheim, Germany)
Peter Bottomley (DRA, United Kingdom)
Yves Deswarte (LAAS-CNRS & INRIA, France)
Klaus Dittrich (Universitaet Zuerich, Switzerland)
Simon Foley (University College, Ireland)
Dieter Gollmann (University of London, United Kingdom)
Franz-Peter Heider (GEI, Germany)
Jeremy Jacob (University of York, United Kingdom)
Sushil Jajodia (George Mason University, USA)
Helmut Kurth (IABG, Germany)
Teresa Lunt (SRI, USA)
Giancarlo Martella (Universita di Milano, Italy)
Catherine Meadows (NRL, USA)
Jonathan Millen (MITRE, USA)
Emilio Montolivo (Fondazione Ugo Bordoni, Italy)
Roger Needham (University of Cambridge, United Kingdom)
Andreas Pfitzmann (Technische Universitaet Dresden, Germany)
Jean-Jacques Quisquater (UCL, Belgium)
Einar Snekkenes (NDRE, Norway)


Dieter Gollmann (University of London, United Kingdom)
Pamela Irving (IMA, United Kingdom)

Please report problems with the web pages to the maintainer