The Risks Digest

The RISKS Digest

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Volume 15 Issue 63

Monday 7 March 1994


o Yet Another Mistaken Identity
Mike Zehr
o Philadelphia 911 Crash
Steve Pielocik
o Service a computer, go to jail
Kriss A. Hougland
o Court Case casts doubt on cashpoint credibility
Brian Randell
o `Hacker' alters Drug Protocol in British Hospital
Peter B Ladkin
o Will Australia be doomed to repeat Clipper?
Rhys Weatherley
o A Well Oiled Mac
Jon Golob
o SCIENCE article critical of computer models
Jon Jacky
o Re: Autopilot landings in `zero visibility'
Peter B Ladkin
o The risks of user ID's
Jason Haines
o RISKS RISKS: Bug in mailing RISKS-15.61
Mike Sullivan
o Info on RISKS (comp.risks)

Yet Another Mistaken Identity

Mike Zehr <>
Mon, 7 Mar 94 08:21:02 EST
Boston Globe, Monday, March 7 -- (Summarized)

For the past 4.5 years, Clinton Rumrill 3rd has been trying to clear his name
of financial and criminal problems caused by One of Rumrill's childhood
friends, John Mudge.  Mudge apparently started by taking a department store
credit card in Rumrill's name, has since racked up traffic charges, and been
charged with ticket scalping, all in Rumrill's name and with Rumrill's social
security number.

Although he's been able to clear up each case so far, because Rumrill and
Mudge have very different appearances, new cases keep springing up.  Rumrill
has been told it would be easier to change his name and SS number than to keep
trying to clear his name.

Rumrill now has another problem.  Police have been made aware of the fact that
Mudge is using Rumrill's ID, and now police computers think they are the same

The difficulties are made worse by the fact that in Massachusetts it
is not a crime to give false information to the police.

-michael j zehr

Philadelphia 911 Crash

Fri, 04 Mar 94 10:26:28 EST
KYW Radio reports that the 911 emergency service for almost the entire city of
Philadelphia was out of service last night for several hours resulting in
dozens of emergency calls not going through.  Callers got a "try again later"
message.  The outage was reportedly due to a "software problem".  Service has
apparently been restored but the station reports that the authorities are
still trying to correct the source of the problem.  Nothing in the early
edition of this mornings Inquirer but this sounds like a mini version of the
ATT collapse of '90.......

Steve Pielocik  Glenside, Pa.

Service a computer, go to jail

"Kriss A. Hougland" <>
Thu, 3 Mar 1994 20:41:20 -0700 (MST)
I came across this report of a really nasty computer risk....

>From Electronics Now, April 1994, page 6
(I contacted the magazine to confirm this is NOT a joke and permission to
post the article.  Many thanks for Evelyn Rose, editorial assistant.)

NESDA Challenges U.S. Copyright Act
  The National Electronics Service Dealers Association (NESDA) has come
to the aid of Peak Computer Corporation in its legal battle with MAI
Systems Inc.
  NESDA and its associated organizations filed a friend-of-the-court brief
in Washington DC last November on behalf of Peak which has been sued by
MAI Systems for alleged violations of the U.S. Copyright Act.
  MAI says the software which operates its computers is licensed only to
the owners of those computers, and only licensed owners should be allowed
to turn them on.  Its suit charges that Peak and other service companies
are breaking the law by turning on the computer for service.
  Two lower courts agreed with MAI that by turning on a computer a "copy"
of the operating program is made in the computer's RAM.  This, MAI says,
violates Sec. 117 of the U.S. Copyright Act.
  NESDA believes that if the ruling is allowed to stand, manufacturers
of such products as appliances, audio and video equipment, and heating and
air-conditioning controls could claim a similar exclusive right to their
"intellectual property."  According to NESDA Executive Director Clyde
Nabors, "NESDA has no choice but to oppose" the lower court's ruling,
which he views as "another of a long string of thinly-veiled attempts
by some manufactures to eliminate competition from independent service
  The NESDA brief challenges the ruling on several points of law.  In its
brief, NESDA referenced a previous Supreme Court ruling that concluded
that a market for the service of a product exists after the sale of the
product.  In effect, the Court said that even if a manufacturer does not
monopolize the sale of its product, it can still be charged with illegally
trying to monopolize the service of those products.
  The NESDA brief entitled the "Service Industry Signal," is being filed
by attorney Ron Katz of the San Francisco office of Coudert Brothers, a
New York law firm.  To recover the cost of the brief as well as the cost
of future "signals' from the service industry, NESDA has requested
contributions to the "S.I.S" legal defense fund from concerned service
dealers and technicians.  The contributions are to be sent to the SIS
Fund, c/o NESDA, 2708 West Berry Street, Fort Worth, TX 76109.

I am aware that some companies (Borland) have a "book" type of license.
I would hate to have to bail out my car mechanic when the SPA busts
him/her for turning on my car to try and fix it.

Court Case casts doubt on cashpoint credibility

Brian Randell <>
Mon, 7 Mar 94 14:02:35 GMT
Court Case casts doubt on cashpoint credibility, by Mark Ward
*Computing* (UK weekly), 3 Mar 1994

ATM's are in the news again after the Halifax Building society's court-rrom
defence of their reputation.

Almost all high-street financial institutions are now facing a combined
lawsuit brought by Denis Whalley of Liverpool solicitors, J Keith Park, on
behalf of 66 clients who claim they have been victims of phantom withdrawals
from automated teller machines.  The case follows that of Suffolk policeman
John Munden. He was convicted of attempting to obtain money by deception when
he queried the Halifax over a series of transactions he claimed he had not
made but which appeared on his bank statement (Computing, 24 February).  The
Halifax - the UK's biggest building society - decided to prosecute.
Curiously, though, when the trial was convened it was adjourned because the
building society could not offer any expert testimony on its security
procedures. The case came to court late last month and led to Munden's
conviction. He is due to be sentenced in the next couple of weeks.  During the
trial, the somewhat ramshackle nature of the Halifax's security procedures
came to light. The central personal identity number (PIN) validation
application was first developed in 1978 and reworked in 1981, when the Diebold
series of cash machines were bought. It doubtless it has been tweaked since,
but it is still a system built for a less demanding era.  Banks and building
societies alike are trying to patch up the failing security procedures of
their cash machines by putting in cameras and looking at other ways to prove
users are who they claim they are.  But the Halifax is not alone in trying to
use old technology to meet changing customer needs. Every high-street bank and
building society is closing branches or working out how to turn them into
selling spaces rather than service points. And one man at least is convinced
that this and other trends will make the cash machine a museum piece by 2010.
A book, published next month, by author Bryan Clough, Cheating At Cards: Sharp
Practice and Naive Systems, takes a long look at cashpoint crime.  Clough
believes the high pnce of ATMs in terms of pounds and pain could force a
banking revolution.  He says in many US states, so many people are mugged and
murdered while using ATMs that state governments are forcing banks to fit
safety devices that nearly double the cost of holes in the wall. And this is
before any consideration is given to making the machines less fallible.  The
UK's first recorded incident of a person murdered after using a cash machine
occurred in Hampshire this January. Clough is sure there have been others,
though no one is collecting figures.  He is convinced that retailers have an
enormous opportunity to take business away from the banks, with the secure
environment they offer people for getting cash when using debit cards to buy
their shopping. That advantage is compounded by the fact that the cost to
supermarkets of being able to offer the service is only that of a (pounds)50
swipe terminal and the connection to the bank's computer.  Certainly, there is
a real contradiction between banks and building societies trying to turn a
branch into a space through which to sell more services, and their putting a
machine on the outside that means customers have no contact with branch staff.

Regulatory bodies regard cash machine fraud as small beer. According to the
Association for Payment and Clearing Services, the body that comments on
security, ATM fraud in 1992 cost banks and building societies (pounds)3m,
compared with the (pounds)165m cost of plastic card fraud.  Apacs sees cash
machines as a relatively secure method of dispensing money.  Some are even
looking at extending the PIN concept to plastic cards to cut the level of
fraud at the point of sale.  An Apacs spokesman said there are various studies
being conducted that will result in technology to aid decisions at the point
of sale. He said one problem lies in limiting false rejections - turning away
genuine customers.  He suggested a false rejection rate of one in 100,000 as
acceptable. No technology on trial has yet demonstrated anything like this
rate.  What is clear is that crunch time is coming for the humble cash
machine.  Will it go the way of all flesh, or become the preferred method of
dealing with your bank-only this time with the banks paying for their

`Hacker' alters Drug Protocol in British Hospital

Dr Peter B Ladkin <>
7 Mar 94 18:22:32 GMT (Mon)
In the German news magazine Der Spiegel 1994(9) 28/2/94 p243 is a story
concerning Dominic Rymer, who obtained a doctor's password by looking over his
shoulder, and then edited the drug protocol of a nine-year-old meningitis
patient to something that might have killed her. This all happened at the
Arrowe [sic] Park Hospital in Wirral, Lancs. I didn't see any article about it
in a British newspaper.

Peter Ladkin

Will Australia be doomed to repeat Clipper?

Rhys Weatherley <>
6 Mar 1994 08:55:07 GMT
I was looking through "The Sunday Mail" here in Brisbane, Australia on Sunday,
March 6, when I noticed an article on page 20 titled "New Phone Stumps Oz Spy
Group".  I'll paraphrase it and give a few excerpts.

The key point was that the new digital Telecom Talkabout system which has been
deployed here in Brisbane "cannot be traced or bugged using current
technology".  Talkabout is a "small cell" mobile phone system: there are now
Talkabout poles all over the CBD and most suburbs, and people can buy a cheap
small mobile phone to take advantage of the system.  It is quite popular.

What the above quote probably means is that the police, ASIO (domestic
security) and ASIS (Australia's CIA), don't currently have scanners that
can decode the digital signals, although I suspect that Talkabout probably
also uses the GSM encryption system which was introduced here recently,
over the objections of the afore-mentioned agencies.

Of relevance to the Clipper debate is the following quote: "Telecom corporate
public relations spokesman, Mr John Tucker, said it was a requirement of the
federal Attorney General's department that all telecommunications be capable
of being intercepted by intelligence and police agencies".  Telecom have
special dispensation from the Attorney General to run Talkabout as a trial
as long as it is contained to the Brisbane network.  The future of the
system would be discussed after the trial and a decision would be made as
to who would fund the cost of developing means of tracing calls.

So, it looks like Australia is doomed to repeat the same battle for strong
encryption that is currently raging in the United States.

The usual RISKs of "buggable" encryption systems apply, but an additional
RISK for Australia is that the Attorney General will buy the US government's
line on Clipper and put our telecommunications at risk with all of the keys
stored in databases held by a foreign power, no matter how friendly that
power may currently be.  Either that or the Attorney General will commission
the development of a similar system here.  Another RISK is that once a
tracing mechanism is developed, the "small cell" nature of Talkabout might
permit the tracking of a user's every move.

The cynical members of the Clipper debate will put this down as yet another
power that the US government seeks over its citizens and the rest of the
world.  The NSA for one would have no restrictions against monitoring the
Clipper-ised internal communications of another country: that is part of
their purpose for existence.

Probably the only good sign is that since Talkabout is very popular (and
Telecom have been pushing it very aggressively), Telecom will probably fight
tooth and nail to keep their investment, and the concerns of the above
agencies will be overridden.  The agencies will then be forced to recognise
that wiretap surveillance is coming to the end of its useful life whether
they like it or not, and they will have to develop alternative means.
We can only hope.

Rhys Weatherley, University of Queensland, Australia

A Well Oiled Mac

Sat, 05 Mar 94 16:04:53 EST
    Lurking in a computer lab in a High School is a Macintosh, a Macintosh
that wasn't well oiled, a Macintosh that ended its existence abruptly during a
High School music class.  It was a Macintosh SE and like its many other
brothers in the lab it had a little hole in the back of it in which oil was
placed.  The brilliant administrators at the school found out that when a
computer is left on 24 hours a day, seven days a week and 365 days a year for
seven years a computer gets worn out.  An unsuspecting student sat down at his
table, flipped on his keyboard and turned on his Macintosh SE like he always
did.  The Mac slowly came to life, he clicked on the MIDI program and all hell
broke loose.  At first it started rather benignly, a gentle tap but, far worse
things were about to come.  Soon the Macintosh was going BUMP BUMP BUMP and
was jumping on the desk.  The student yelled for his teacher and the teacher
proceeded to click on the mouse in a vain effort to fix the ailing computer.
Next the Mac began to emit a grinding noise not unlike a garbage disposal.
    The teacher screamed "DID YOU OIL IT!!!!."
    The student replies "YES I DID, YES I DID."
The Macintosh is now rapidly convulsing on the table.  The screen began to
flash black and white.  Next the Mac started to emit a high pitched whine.
All of the other students began to flee from the room, several female students
began to cry and the Mac, like an animal slowly dying of blood-loss, began to
spurt oil out of the little hole on the back of the computer coating several
other computers.  There is a gigantic BANG as the student runs for his life
out of the room and pieces of glass slide out into the hallway.  The moral of

Jon Golob (after March 30)

SCIENCE article critical of computer models

Jon Jacky <>
Mon, 7 Mar 1994 10:04:55 -0800
RISKS readers may be interested in:

"Verification, Validation and Confirmation of Numerical Models in the
Earth Sciences" by Naomi Oreskes, Kristin Shrader-Frechette and
Kenneth Belitz, SCIENCE 263, 4 Feb 1994, 641 -- 646.

This article is a critique of computer modelling applied to such
public policy issues as global warming and nuclear waste disposal.

  >From the abstract:
  "Verification and validation of numerical models of natural systems is
  impossible ...  The primary value of models is heuristic."

The article struck me as a philosophical essay on the limits of
modelling in general, rather than as a critique of particular models.

These authors do not use the term "verification" with its usual
meaning in computing, rather they use "verified" to mean "makes
predictions consistent with observations."   In fact, the article does
not consider computing issues specifically.  I think a better title
would have been just, "Validation and Confirmation ..."

- Jon Jacky,   University of Washington, Seattle

Re: Autopilot landings in `zero visibility'

Dr Peter B Ladkin <>
4 Mar 94 13:34:51 GMT (Fri)
In RISKS-15.62, Simson Garfinkel says:

> I was on one of the few aircraft to land in the Boston blizzard today. There
> was zero visibility. [...]
> And I wondered which would have been RISKier: landing on autopilot, or landing
> on human pilot.

It's well to wonder, but in this case there might not have been the option.
There are three categories of Instrument Landing System (ILS) approaches, Cat
I, II and III, and Cat III is further subdivided into A, B, and C. The
categories are differentiated according to the minimum weather conditions
required for landing. An ILS is, abstractly, a couple of radio homing beams.
One, the `localiser', beams down the centerline of the runway, so you can tell
if you're left or right of it, and another beams up at an angle, usually
between 3-5 degrees, from the touchdown point - the `glide slope'. You or your
favorite autopilot are supposed to follow the beams from 5-15 miles out. In
order to land legally for most Cat I Instrument Landing System approaches,
besides the usual visibility conditions, some part of the runway, its lighting
or its environment must be visible when you're roughly 200 feet above the
ground (and therefore a few more hundred feet from touchdown).  Cat II
`minimums' are lower, Cat III lower still.  Furthermore, for air carriers,
operation is only permitted with certain values of `Runway Visual Range'.
Special crew and aircraft certification is required for Cat II and III, and
certain modes of operation are mandatory.  It is possible that the landing
described was made under Cat IIIA, in which case use of some automated systems
is mandatory, and hand-flying is not an option.

A further question is: what form of safety analysis has been done to ensure
that the requirement to use automated landing systems rather than people is
appropriate for Cat III landings? Perhaps those RISKS readers who have
extensive dealings with the regulatory authorities and the airplane
manufacturers could tell us?

Peter Ladkin

The risks of user ID's

Jason Haines <>
Fri, 04 Mar 1994 16:04:01 +1100
At the end of each semester, my university publishes unit results by printing
out the student number of each pupil and their unit scores.  These results are
then posted in a public area in the university.  Since only the student ID
number (and not the person's name) is printed, it is impossible to find out
someone else's results unless you know their student ID number.

This was reasonable secure, as it was fairly difficult to find out someone
else's student ID number without obtaining their student card.  Unfortunately,
the computing unit at the university have introduced a new scheme for
allocating usernames to students.  The username is comprised of the first
letter of the user's surname, and the user's student ID number.

It is fairly easy to obtain someone else's username.  They may give it to you
for e-mail purposes.  Their username will often appear in a window title on
their physical terminal, or in their command prompt.  Tools like 'who' could
also assist in finding out another person's username without their permission.
The inclusion of the first letter of the person's surname into the username
makes such investigation even easier.

Thus, with only a small effort, any student with a computer
account could quite easily obtain the student number, and then
the results, of any other student who uses the system.

Of course the university may change it's policy on posting results in a public
place, but somehow I doubt it.

RISKS RISKS: Bug in mailing RISKS-15.61

Mike Sullivan <74160.1134@CompuServe.COM>
04 Mar 94 22:51:25 EST
I was surprised to discover that RISKS-15.61 arrived in my emailbox
with a list of well over 100 "Apparently-to: user@domain" headers that
appear to be a substantial portion of the mailing list.

Re: Bug in mailing RISKS-15.61

07 Mar 94 19:59:23 PST
In an effort to avoid the problem of MCImail RISKS recipients getting each
issue with the entire list of MCImail users on their sublist, for RISKS-15.61
I tried BCC on a sublist that at that time also included MCImail, CompuServe,
NetCom, and a few other so-called services.

CompuServe gets added to the MORON list of services apparently unable to
handle BCC, because they turned that into the long list of addresses that
apparently worked just fine when sent TO the sublist.  NetCom reportedly also
got wedged as a result of my attempt to use BCC.


In RISKS-15.62 I solved that problem by creating a BCC sublist just for
MCImail and reverting to TO for everyone else on the rest of that sublist.  I
feel like a three-TO:ed sloth.  But the degenerative "services" are really
causing me too much grief.  (I presume you recall the fact that several of
them bounce the entire list if one address fails.)


Please report problems with the web pages to the maintainer