The Risks Digest

The RISKS Digest

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Volume 15 Issue 64

Thursday 10 March 1994


o Irony & embarrassment
Gene Spafford
o Another twist on Harding e-mail breach
John C. Rivard
o Maybe appalling grammar is bad language design
Don Norman
o Wrong credit card in the mail
Stephanie Leif Aha
o Troubled water crossing bridge
Harald Hanche-Olsen
o Calling-Number-ID catches obscene caller
Richard R Urena
o X windows makes patient breathless
Govinda Rajan and Mathew Lodge
o Trouble in comicland?
Arthur Goldstein
o Getting help on the Internet
Phil Agre
o Re: Clipper
Keith Henson
Carl Ellison
Stanton McCandlish
o COMPUTER RISK! [Early April Fooling?]
Simon Travaglia
o Info on RISKS (comp.risks)

Irony & embarrassment

Gene Spafford <>
Tue, 08 Mar 94 20:15:54 -0500
Twice in the last 6 months I have received a rather interesting brochure in
the mail.  Before I comment on it, let me describe it.

The first page is bright yellow, with the picture of a small guinea pig.  In
big letters, it proclaims "Microsoft would like to use your company as a test
site for the 4,000,000 lines of new code in NT."

Inside, it states "SunSoft would like to offer you a leading-edge operating
system with 10 years of fine-tuning behind it: Solaris."  It then goes on with
other "ad-speak".

I find this amusing in several respects:
  1) It plays on a long-standing perception of many computer users
     that Microsoft does a poor job of testing their code (I am
     enclosing a humorous posting that circulated on the Usenet
     recently that also points this out);
  2) It underscores one of the major, major concerns about using
     large software artifacts (e.g., NT) — they are often poorly
     tested, and the consumer is usually the one to suffer;
  3) Sun's Solaris has been the subject of several very public, very
     significant bugs and security lapses over the past several years.
     It is hardly something to crow about in comparison to NY.

When the first round of these ads came out a few months back, a great many of
the engineers inside Sun were very chagrined by it.  Several were even angry
-- they got a lot of comment from people outside Sun struggling with bugs in
tar, sendmail, lpr and other utilities.  It makes Sun appear to be unaware and
uncaring about existing bugs and problems.

Now, for a second round of mailing to appear is almost the height of
cluelessness by the advertising folks.

  1) Advertising folks who don't talk to the software engineers or
     customer support people.
  2) Companies that spend more money and effort getting problems out
     the door than they do on design and testing.
  3) Using your company as the test site for 4 million lines of
     Windows NT.  Or X million lines of Solaris.
  4) If you develop a reputation for poor testing and poor customer
     service, it can be used against you in advertising.

   [Spaf also included an item on People for the Ethical Treatment of
   Software (PETS).  Because that item has already been widely circulated
   on the net, I have removed it here.  But if you did not see it, you
   might ask spaf for a copy.  PGN]

Another twist on Harding e-mail breach

John C. Rivard <>
Thu, 10 Mar 1994 11:44:47 -0500
In the March 9-15 1994 issue (Vol XIV, No. 23 p.9) of the Metro Times, the
freely distributed alternative newspaper in Detroit, Dennis Rosenblum reports
on yet another ethically-questionable activity ironically associated with the
violation of Tonya Harding's e-mail at the Olympics.  <"E-Mail blunder at
Olympics" RISKS 15-58>

Both the Detroit News and the Detroit Free Press reported that Free Press
sports reporter Michelle Kaufman--with two other reporters from other
papers--broke into Harding's account, but did not read any mail. The Free
Press story was printed on page 8D in the sports section, but the News printed
its story on page 1A, the front page, and portrayed it as much more

The News and Free Press operate under a Joint Operating Agreement (JOA), a
controversial arrangement which allowed the two supposedly editorially
independent papers to combine their business and production facilities to cut
costs, with a 100-year federal antitrust exemption. Both papers argued
successfully in federal court that the Free Press would go out of business if
not for this agreement.

The twist comes in when the Detroit News ran a photo of Kaufman with their
front-page story. The digital image was stolen from the production facilities
in the News building, which both papers share. According to Rosenblum:

"It turns out that a photo of Kaufman which the News ran with its story came
from Free Press computer files. A News editor had a composting room worker
sneak along a copy of the digital photo file, without the knowledge of the
Free Press."

"Ed Wendover, a leader of Citizens for an Independent Press, which opposed the
JOA in court, considered it predictable. 'This is perhaps only a precursor of
what happens when they move in together,' said Wendover, a suburban

"In a memo to editors at the News, Editor and Publisher Robert Giles termed it
a 'clear breach of the security that is critical to maintaining editorial
separation and required by the joint operating agreement.'"

The irony of this story is obvious, but the RISK involves the impact of lax
computer security on the First Amendment issues concerning the distinct
editorial voices that were promised under the JOA.

(Quoted with permission of the author.)

John C. Rivard, JCR Design and Consulting

Maybe appalling grammar is bad language design

Don Norman <>
Mon, 28 Feb 1994 18:41:14 -0800
A recent flurry of articles in RISKS talks about poor spelling and
punctuation, including the common problem of confusing "it's" and "its".  Let
me try the argument that these errors, like so many so-called "human errors"
are in actuality design errors — language design.

English is well known for its peculiarities in spelling, in part due to its
multiple origins that give rise to words with different historical roots, in
part because so many reformers have tinkered with it, sometimes successfully,
sometimes not (Ben Johnson, George Bernard Shaw and Noah Webster come to mind,
and I am sure that RISKS readers can name others). As a result, the spelling
is so inconsistent on the surface that it takes a Halle & Chomsky to write a
learned book explaining that there is an underlying deep consistency.  If it
takes a complex book to explain it, then maybe spelling isn't "designed" with
the user in mind.

Now take punctuation. One problem is that English uses the symbol ' for at
least two separate meanings (not counting its use in quotations): contraction
and possession, as in "that's my dog's ball." With words that are homonyms, so
the same spelling indicates contraction and possession, the rule is that
contraction wins use of the '.  Hence, "It's not its fault," where "it's" is a
contraction and "its" is a possessive.

Try explaining that to a non-native speaker of English.  Hell, try explaining
that to a native speaker.

If English weren't so stingy with symbols and used different symbols for
possession and contraction, then we wouldn't have any problem.  English
doesn't use symbols to mark parts of speech such as subject, or indirect
object (or, in a case-based framework, agent or recipient): why use a symbol
to mark possession?

Anyway, some human error in spelling and punctuation is really a system or
design error: blame evolution — or those early typographers who transformed
the spoken language into its printed form.

Don Norman, Apple Computer, Inc. MS 301-3UE, 1 Infinite Loop, Cupertino,
CA 95014 USA    +1 408 862-5515    Fax: +1 408 255-7045

Wrong credit card in the mail

Stephanie Leif Aha <>
Tue, 08 Mar 1994 10:30:38 -0800
I just received my new credit card in the mail, only it wasn't mine.  The
paper enfolding the card had my name and account number but the card had a
different name and account number.

The credit card company claimed that this had _never_ happed before, blocked
both accounts as having lost/stolen cards and is sending me a new card.

I was really surprised to be the first one having this problem.  I would
assume that this could happen if the entire run of cards mailed was off by one
and we all received the right paper with the wrong cards.

Compounding the problem, they have redesigned the card this year so that the
names are printed in the same color as the card, making them hard to read.
Only by chance did I look closely enough to notice that it wasn't my card.
Perhaps the entire line did go astray after all.

Stephanie Aha   grad student  ICS Dept.  U.C. Irvine

Troubled water crossing bridge

Harald Hanche-Olsen <>
Tue, 8 Mar 1994 17:29:06 +0100
No computer risks in this one, but a nice example of an unexpected failure
mode:  When a water mains broke in downtown Trondheim yesterday, a basement
was flooded.  No big surprise, except the basement was across the river!
The drains were all plugged with ice and snow, so the water ran across the
nearby bridge.

- Harald Hanche-Olsen <>
  Dept of Mathematical Sciences,  The Norwegian Institute of Technology

Calling-Number-ID catches obscene caller

Richard R Urena <>
Tue, 08 Mar 1994 10:48:00 -0500 (EST)
An article by the Associated Press notes that a woman in Pembroke,
Massachusetts, used the CNID feature to track down an obscene caller who had
been bothering her since 1991.

After years of harassment, the woman signed up with her phone company for the
CNID service, compiled a map with the numbers and addresses of public phone
booths in her vicinity, and obtained a second telephone line to alert police.

Her efforts paid off last Saturday at about 2:30 AM, leading to the arrest of
a 28 year old suspect, who was still on the phone when the police arrived.

X windows makes patient breathless

Tue, 8 Mar 94 13:51:32 GMT
The following article was posted to the USENET newsgroup comp.os.lynx
today. The group deals with a UNIX-style hard real-time operating system
called LynxOS. LynxOS' primary market is the real-time process control
market (which is also often a safety critical market).

I should explain that LynxOS threads are light-weight processes.

> From: (N Govinda Rajan)
> Newsgroups: comp.os.lynx
> Subject: Window move in X holds up other threads even of higher priority
> Date: Tue, 8 Mar 1994 10:43:50 GMT
> Organization: Dept Of Anesthesiology, Erasmus University, Rotterdam
> Message-ID: <>
> When I move a window or resize a window, all other threads in any process
> which has the X Main Loop [are] held up. For example, I have a process which
> has the X Main Loop which starts a thread. This priority of this thread is
> made higher than the process and it starts a count down timer and waits for
> the timer signal, which is SIGALRM. When the timer counts down it does some
> work (actually sends an analog signal through D/A convertor to an external
> instrument) and restarts the count down timer once more and sigwaits once
> more and so on. SIGALRM is supposed to be thread unique.

> All goes well, except when I move a window or resize, then the timer thread
> does not respond at all and as long as I have the mouse button pressed down
> it does not respond. When I release it everything continues normally again.

So far, so good. The problem can be explained by the fact that when an X
window manager wants to move or re-size a window, it "grabs" the X server to
prevent other X events from interfering with the window move.

Now the comes the RISKy bit:

> My external instrument is an artificial ventilator and if it does not get
> the signal in time the patient does not get any breaths.
[temporary technical solution from article deleted]

So the patient's life depends entirely the timely delivery of a software
signal (and nothing else)? The complete absence of any recognition that this
is a safety critical system that could kill people horrifies me.

I think I'll be staying away from Dutch ventilators if at all possible...

Mathew Lodge, Software Engineer, Schlumberger Technologies, Ferndown, Dorset,
UK, BH21 7PP  (+44) (0)202 893535 x276

Trouble in comicland?

Arthur Goldstein <>
Tue, 8 Mar 1994 03:40:30 GMT
>From the March 7th, 1994 Blondie comic strip (without permission):

Dagwood Bumstead speaking and looking at bills:

"I don't get it!  Why can't we keep up with all our bills?"

"We don't live high!  We don't splurge!"

"Yet somebody keeps sending me all these bills!"

"Could they have me mixed up with some other Dagwood Bumstead?"

Perhaps Dagwood should check out comp.risks for other cases of duplicate

Arthur Goldstein, Comp. Sci. Univ of IL, 1304 W. Springfield, Urbana, IL 61801   UUCP: {uunet,harvard}!uiucdcs!goldsten

Getting help on the Internet (Yurman, RISKS-15.57)

Phil Agre <>
Sat, 5 Mar 1994 16:37:30 -0800
In response to Dan Yurman's note in RISKS-15.57 about misguided teachers
instructing students to send basic questions to Internet discussion groups,
I've written a short article about how to ask people for information (on or
off the net).  The skills it describes are common sense to long-time net
dwellers, but they're definitely not common sense to beginners.  To fetch a
copy, send a message that looks like:

  Subject: archive send getting-help

Feel free to post it to any discussion groups that have had this problem,
or send it to teachers or students involved in courses that involve
Internet-based research.

Phil Agre, UCSD

Re: Clipper

Tue, 8 Mar 94 12:31:20 PST
If I may boil down the government's side of the Clipper debate, it is this:

    "We need to implement this encryption method so as to avoid problems we
think may be coming.  Trust us!  We promise not to abuse your privacy."
Except, of course, Clipper technology gives them a 'pen register' on every
phone.  Pen register give those in power a running list of every phone contact
made between two Clipper phones without the need to fill out even the minor
paperwork now required for this surveillance.

    I do not doubt the sincerity of Dorothy Denning or others who
defend Clipper.  And I would have fewer problems with Clipper/Capstone
proposal if the people who will be granting access to the keys and
those with legal access to the keys and call records were of Dorothy's

    However, people of good will are not likely to be the ones who apply for
these keys to your privacy in the future.  I am right in the middle of a case
which has remarkable similarities to a Clipper "request for keys."

    Full details have been posted to and, but in
brief summary, a Postal Inspector from Tennessee is attempting (for political
reasons) to impose the obscenity standards of that region on an adult BBS run
from Milpitas (just North of San Jose).  To this end, he obtained a warrant to
take the BBS hardware.  Because of contained email and First Amendment
activities of a BBS, subpoenas, not warrants, are required under *two*
sections of federal law.  The laws are Title 42, Section 2000aa, and Title 18
Section 2701, the same ones which were applied in the well-known Steve Jackson
Games case.

    Pointers to these federal laws were *posted* on the BBS.  The postal
inspector downloaded this file and *included* it in his affidavit for a search
warrant to a Magistrate-Judge in San Francisco, along with a remarkably weak
theory of how he could avoid application of these laws to himself.

    To obtain a warrant to take email and 2000aa materials, the laws require a
number of judicial findings to be made.  None of these requirements were
considered by the court.  The postal inspector got his warrant, mailed child
pornography to the BBS, served the warrant, "found" the child porn and
obtained an indictment in TN.  The child porn charge is bogus because the
agent specifically described the material as "sent without his knowledge"
(referring to the sysop).  Of course the sysop has to defend himself from the
charges 2000 miles from home and shut down his business while doing so, and
everyone on the system had their email copied and passwords compromised.

    This example applies directly to the Clipper situation.

    The risk under Clipper is that your private communications will be
protected by the *weakest* link in the chain--one of the thousands of low
level Magistrate-Judges among whom corrupt or zealous law enforcement agents
shop for warrants and will shop for keys.  These magistrates (who are *not*
judges, but work for the US Attorney's office) tend to be busy, or lazy or
corrupt or all three. As in this case, even if the law is *directly quoted* in
search warrant affidavits or key requests, and these laws *expressly forbid*
granting warrants or key requests under the conditions cited, the magistrate
may not even read the supporting affidavit before approving it.  He is *very*
unlikely to read or consider the underlying laws when granting a request.  The
key escrow agents provide no protection whatsoever since they simply fill
orders from agents with approved applications.

    Judges ignore the law with impunity, and so do law enforcement
agents because one agency will almost never investigate another.

    As a practical matter, applications for search warrants are almost never
denied.  The same situation is certain to occur for Clipper key applications,
no mater how weak the justification happens to be, or what laws are being
violated by those seeking the keys.

Keith Henson

re: Bidzos on Clipper (RISKS-15.61)

Carl Ellison <>
Tue, 8 Mar 1994 13:59:03 -0500
Jim Bidzos submitted his reaction to the Clipper proposal.  I agree with
him for the most part, but would add a few notes:

[risks of Clipper]
>- Potential abuses by government and loss of privacy for all citizens.

I would add:

    increased vulnerability to Organized Crime (because they're
    not very experienced with cryptanalysis but they have lots of
    experience with bribery, breaking/entering, theft of machines
    and data, ... — in other words, all the talents you need to
    break the key escrow scheme).

>One approach would be to have NIST develop a standard with three
>levels.  The first level could specify the use of public-key for key
>management and signatures without any key escrow.  There could be a
>"Level II" compliance that adds government key escrow to message

What's wrong with just having the FBI, NSA, GCHQ, French bureau (whatever
it's name), ..., publish their own RSA keys (both PGP and RIPEM format)
so that individuals can voluntarily include those keys as recipients
when they encrypt, if they want to volunteer to give the gov't access?

This achieves exactly the voluntary wiretapping the NSA says it wants --
with no hardware and no special code.

>II products would be decontrolled for export. The market can decide;
>vendors will do what their customers tell them to.  This satisfies
>the obvious desire on the part of the government to influence what
>happens, as a consumer.

I disagree with any plan to control exportability based on the NSA's ability
to read traffic.  I believe nothing which is already available outside the US
should be restricted from export.  Anything else just makes the US government
look stupid.

EFF's Barlow v. Denning on Clipper - AOL March 10, 9PM EST LIVE

Stanton McCandlish <>
Tue, 8 Mar 1994 20:07:02 -0500 (EST)
[Cc:ed to a lot of groups]

Thursday, March 10, 9 pm eastern

Dorothy Denning, cryptologist and chair of the computer science department
at Georgetown University, will debate John Perry Barlow, cognitive
dissident and co-founder of the Electronic Frontier Foundation, in the TIME
Odeon on America Online this Thursday at 9 pm. Philip Elmer-DeWitt, TIME
senior writer, and Robert Pondiscio, TIME public affairs director, will
moderate. The floor will be open to questions from the audience.

You need an America Online account to participate. Call America Online at
703-448-8700 to subscribe.

Philip Elmer-DeWitt
TIME  Magazine

COMPUTER RISK! [Early April Fooling?]

Simon Travaglia <>
Wed, 9 Mar 94 15:34 +1300
            Computer Risk Bulletin #478

            Warning Notice M.U.D-1

On the 3rd of September, 1992 the computing world was rocked by the horror of
a new computer-originated illness and the life it claimed.

Eldred Squires, a 26 year old Operator/Administrator at major British Chemical
Company was the first victim.  At  approximately  9:03am,  Squires logged into
his  personal account,  ees, and sent some email to a friend at a remote site.
Logging out, he then proceeded to log into the  operator  account  to clean up
some  problematic  printing  queues.  Following this, he logged out and logged
into  a  test  account to check that his print queues were accepting data from
normal  users.  Finding that  all was well, he logged out then logged into the
root account to create a new username to receive  helpdesk mail, not realising
the  mortal  danger  he was in.   Wanting to test this new username, he logged
out from root and proceeded to login to his new account.  Barely three letters
into  his  twelve  letter alphanumeric password, he slumped forward across his
keyboard, dead.

Investigators, on arriving at the scene could find no reason for his death and
elected to wait for further information from the outcome of the Autopsy.

        The Autopsy revealed that the victim's cerebral cortex suffered damage
consistent  with  heating  of  the brain to approximately 120 degrees celsius.
Still no nearer to the solution of the death,  Computer and  Workplace  Safety
Officers  decided  to  recreate,  using  accounting  logs and user audits, the
circumstances leading up to the  tragedy.   Shielding the testing officer from
the  equipment with leaded glass, the team commenced their tests.  Within five
minutes,  another  victim  lay  sprawled across the keyboard, a fine patina of
sweat on their brow.

   Admitting defeat, the Safety Office called in an expert in Computer Related
Deaths,  Dr Brian Analpeeper.  Within minutes of examining the logs and audits
Analpeeper was able to  correctly  diagnose  the  cause  of  death.   Multiple
Username Disorders.

  Multiple Username Disorders, Analpeeper explained, are a dangerous new
side-effect of the current computing mindset.  People become encumbered with
several usernames until, ultimately, their brain fries out.  Analpeeper also
explained that for years the Social Sciences had been aware of the existence
of Multiple Personality Disorders (commonly mis-referred to as Split
Personalities) and that in a small way, M.U.Ds were in fact a computer
replication of this.

 "People are required to maintain several accounts for various purposes, One
for say, an Administration function, One for their own personal use, Another
for normal work, and perhaps yet another for financial and charging matters.
Sooner  or  later  the  combination of what is required of the user of these
accounts will wreak it's havoc on the brain, causing mass cerebric hysteria.
Of course some people have a higher tolerance to this than others, yet there
is *no* way of accurately judging how far we can push a user."

     Later, in a harmless demonstration, Dr Analpeeper, took a volunteer and
assigned him 5  usernames  for  different purposes.  Victim number 3 fell to
the floor in a lifeless heap.

"I lied about it being harmless"  Analpeeper said.  "So sue me."

       Months later scientists are still no nearer finding a solution to the
problem, mainly because they're to scared to login to the research computers.
Life goes on, or sometimes it doesn't.

Are you in danger?

     In an effort to reduce the deaths and crippling side effects of Multiple
Username  Disorder,  the  Computer  Risk  Committee has compiled this list of
warning symptoms:

Victim may:
    - Wonder whether they've read their mail today
    - Wonder which account they're logged into
    - Complain of feeling hot and bothered in front of their terminal
    - Complain that the room appears to be getting warmer
    - Slur words, especially after consuming large quantities of alcohol
    - Repeatedly forget passwords
    - Ask to see the wine list at restaurants for no apparent reason
    - Pause for a few seconds before entering their password.
    - Talk to themselves whilst logging in or executing everyday
    - Fail to notice everyday events, such as telephones ringing,
        power failures, being struck about the head etc
    - Fall to the floor dead.

Should one or more of these symptoms be present, STOP USING YOUR ACCOUNT NOW!
Logout and walk away.  Life is, after all, too precious..

Simon Travaglia,   University of Waikato Computer Centre
Hamilton, New Zealand   +64-7-8562889 Ext 8347, FAX 838-4066

Please report problems with the web pages to the maintainer