The Risks Digest

The RISKS Digest

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Volume 15 Issue 71

Tuesday 29 March 1994


o Risks of washroom automation
Paul Colley
o Pay-per-View failure lets adult station go unscrambled
Mike Carleton
o Role-playing Addiction
Mich Kabay
o Software theft statistics
Mich Kabay
o Risks of spelling checkers
John Girard
o Busy-waiting woes
Darren Senn
o Recent useful newspaper pieces on crypto policy
Lance J. Hoffman
o Re: L.A. Phone Fire
Nevin Liber
o Re: Canadian Poodles using 911
Shawn Mamros
o Re: Banknotes and photocopiers
Mike Sullivan
o Re: IRS persistence
Robin Kenny
o Preliminary Program: 7th IEEE Computer Security Foundations Workshop
Li Gong
o Info on RISKS (comp.risks)

Risks of washroom automation (Erma Bombeck)

Mon Mar 28 14:22:02 1994
Here's one paragraph of Erma Bombeck's humour column, The Kingston
Whig-Standard, 28 March 1994.

    "I dropped by an airport washroom.  In my stall, I wrestled
    with my jumpsuit, and in doing so the belt fell into the
    commode.  Before I could retrieve it, the automatic flusher
    sucked it away and into the sewers of San Jose.  I held my
    hands under the automatic water tap and went for a paper
    towel.  I turned in time to see my handbag fall into the
    sink and activate the water.  It proceeded to drown."

The column also enumerates many other more familiar problems with

- Paul Colley     +1 613 545 3807

          [Beware of the automatic handwringer.  PGN]

Pay-per-View failure lets adult station go unscrambled

Tue, 29 Mar 94 13:37:20 EST
Cable company adds unexpected Spice to subscriber's dinner hour.

A problem with a pay-per-view system caused all customers of the Greater
Media Cable TV service in Worcester Massachusetts to receive the unscrambled
broadcast of an Adult cable cannel offered by the system.  The Spice cable
channel was unscrambled for 90 minutes between 6:00pm and 7:30pm on Monday
March 28th.

    According to a representative of the cable company, Ed Goldstien, the
cause of the glitch was not known and an investigation was in progress.
Goldstien presented the cable company's apology and promise that it would not
happen again to subscribers over the local radio station WXLO.

The Greater Media Cable system uses a call in voice response system to allow
customers to activate the pay-per-view stations offered by the system.  The
activation code for the customer's cable box is broadcast over the cable
system to unscramble the selected pay-per-view offering.  RISKS readers could
speculate that this incident is an indication that a universal activation
code must exist for all cable decoders in the system.  We could further
speculate that the voice response system could have broadcast this code in
response to a pay-per-view request of a single subscriber if internal tables
were faulty.

The RISK here is dependence on an automatic system to save cost when the cost
of its failure is not taken into account.

Mike Carleton

Role-playing Addiction

"Mich Kabay [NCSA]" <75300.3232@CompuServe.COM>
29 Mar 94 12:59:07 EST
Washington Post Staff Writer John Schwartz has published a moving and
insightful article entitled, "Game Boy."  It explores the life and death of
an eighteen year old man addicted to cyberspace role-playing.  I have asked
Mr Schwartz for permission to post the original article in its entirety.  For
the time being, here's a brief summary.


Software theft statistics

"Mich Kabay [NCSA]" <75300.3232@CompuServe.COM>
29 Mar 94 12:59:16 EST
>From the Associated Press newswire via Executive News Service on CompuServe

JEANNINE AVERSA, Associated Press Writer, reports on the Software Publishers
Association's statistics concerning software theft.  Key findings:

o   Worldwide losses of $7.4 billion for business software in 1993.

o   Rate is down 25% from $9.7 billion in 1992.

o   Business software (spreadsheets, electronic mail, accounting and
data base programs) sales revenues in 1993 were $6.8 billion.

o   Companies whose employees make unauthorized copies or put single-copy
programs on network servers account for the most frequent violations of
software copyright.

o   The SPA audited or initiated lawsuits against 245 companies, all of
which were resolved out of court.

o   Settlements totalled $3 million.

o   Manufacturers in the U.S. lost $1.57 billion; Japan lost $650 million;
France lost $435 million.

o   Software theft grew fastest in India and Pakistan (up 95%); Korea and
Brazil showed 89%, and Malaysia's theft grew 88%.

Michel E. Kabay, Ph.D., Director of Education, National Computer Security Assn

Risks of spelling checkers

John Girard <>
Tue, 29 Mar 94 23:32 BST-1
I was recently quite shocked (UK: gob-smacked) to find that an event
connected with my spell checker could have put me at risk of losing my job.
I was editing a publication to be sent to several hundred of my client
contacts, and had made a series of trivial spelling corrections, the last
being a  "replace".  Sitting poised over the replace button, I was presented
with the suggestion that the word "Goldman" (as in a large company we all
know) should be replaced with "goddamn". The word processor involved was MS
Word for the Macintosh.  I then tested this on Word for Windows, and got the
same result.  (I have the `always suggest' option selected)

This event scared me greatly, because it is easy to go unconscious in front
of the mouse and press "replace" one too many times without realizing the
result.  I contacted my support agency and was told that "goddamn" is in the
main dictionary, and that I could not delete it from the main dictionary.  It
was suggested that I program Goldman as a replacement to goddamn.

Of course, defining a replacement in this one case does not assure me that
the "bad" word will not be suggested in the future for other replacements.
And, I have not yet encountered other unprofessional and undesirable word
replacements which I would grudgingly agree that, in an academic sense,
belong in the dictionary, but are a risk to my job.  Yet, I wait in fear of
these discoveries.

My concern here is that products such as word processors that are sold for
use in "business" applications should either not freely suggest profane words
in the main dictionary, or should have an option to leave them out or supply
an extra warning.  Obviously, the problem is further complicated by words or
phrases that have different meanings in different countries even when the
language seems otherwise equivalent.

Has anyone else had problems similar to this?  Are there any alternative
"business-oriented" main dictionaries which can be purchased to eliminate the
risk?  And, should I be obligated to live-with/fix this problem when
purchasing a "business" product?

John Girard   New Science Associates, Ltd./ UK

Re: Risks of spelling checkers (Girard, RISKS-15.71)

"Peter G. Neumann" <>
Tue, 28 Mar 94 16:21:07 PST
The RISKS archives are full of cases such as transforming a Mafia "enforcer"
into an "informer", "payout" into "peyote", "back in the black" to "back in
the AfroAmerican", and many other garbles.  And I just happen to notice a note
from Abhijit Chaudhari <> in the YUCKS digest (from noting that NeXTSTEP 3.0 Webster's barfs on "UNIX", and
offers "unfix" instead.  That is not Unix-friendly, although I distinctly
recall Steve Jobs suggesting at the San Francisco birth announcement for NeXT
that NeXT was UNIX-emulatable and UNIX-friendly (but that nobody would care
once they had seen NeXT!).  I wonder what that spelling corrector does to
NeXT?  Maybe it gets turned into a NeWT.

Busy-waiting woes

Darren Senn <>
Tue, 29 Mar 1994 00:19:48 -0800 (PST)
A few years back, I was working as a student computer consultant at UC Santa
Cruz.  The San Diego Supercomputer Center was pulling itself up by its
bootstraps, and a few of the researchers at UCSC had won grants of CPU time

SDSC sent some of their tech. support staff up to Santa Cruz to give our
researchers a quick introduction to UNICOS (CRAY's flavor of SYSV UNIX) and
SDSC's special features.  Needless to say, they didn't want to leave their
tech support people in Santa Cruz, so they gave us a small grant for our
consultants to use while learning their system.  I was one of the lucky
consultants who got to participate.

So far so good.

At the same time, one of my friends was finishing up his physics thesis (a
weird little study of aerodynamic surfaces), and had written a small flight
simulator to do some of his calculations.  This study was weird enough that my
friend was calling his programs 'funny', 'goofy', 'damgoofy', etc.  It was a
simple program which simulated the flight of a plane for a short duration, and
the user couldn't adjust any control surfaces after the program started.

As a favor to him and as a convenient way to learn more about the Y/MP,
I ported his program over to UNICOS.

The program normally asked the user for its parameters when it started up,
printed the results to the terminal, and waited for the user to hit return
before quitting.  The program was almost entirely math, so all I had to do was
convert it to batch processing.  Simple: just change a few scanf()'s to
fscanf()'s, tweak a few paths, and we're all set....  Or so I thought.
(ominous background music, please).

I ftp'd the files over to the cray, compiled them, and made a few short test
runs.  No problems.  So I set it up to calculate 30 seconds of flight at 1ms
intervals, and to print out the time when it started and stopped.  Then I set
it loose.  It was truly impressive watching those columns of numbers scrolling
by.  But alas, my next class was starting, so I couldn't wait for it to
finish.  I was capturing the output to a file anyway, so I just disconnected
and went to my class.

That was Friday evening.

Sunday morning rolls around, and I get rudely shaken from bed by a phone call
at 7am!  Imagine the nerve!  hmph.  It was SDSC's support staff calling.  It
seems that a renegade program had eaten up all the consultant's time grant
by running continuously (100% CPU usage) for 35 hours in the interactive
`batch` queue!  Clearly this program was intended as some warped prank,
considering it was called 'damgoofy'!  Uh-oh.  I was sure there was some kind
of mistake, so I rushed up to campus to see what had happened.

It turns out that I had forgotten to remove the program's last gets(): that's
the line which made the simulator wait for the user to hit return before
quitting.  That shouldn't have been a problem in itself, since the function
should've immediately returned with an error after it discovered it had lost
it's terminal (when I logged out).  It didn't.  No problem, right?  The
program should've just stopped waiting for input, consuming no CPU resources.
Nope.  Under that version of UNICOS, the program was waiting in a busy-loop,
uselessly using the CPU while it waited for input.  :(   Ooooops!

Luckily SDSC was nice to us, and the Y/MP was underutilized back then anyway,
so they just refunded the money, my friend got an impressive simulation, and
I got an anecdote.  :)

Darren Senn          Phone: (408) 988-2640      Snail: 620 Park View Drive #206                       Santa Clara, CA 95054

Recent useful newspaper pieces on crypto policy

"Lance J. Hoffman" <>
Tue, 29 Mar 1994 14:01:51 -0500 (EST)
Two interesting newspaper articles on encryption policy recently appeared:

In The Australian, an influential national newspaper similar to The Guardian
in the U. K. or The New York Times in the U. S., a large article describes
the Clipper chip controversy including a bit more technical detail than is
common for U. S. newspapers.  Professor Bill Caelli of Queensland University
of Technology's School of Data Communications is quoted as saying "Is Clipper
the start of a more onerous agenda?  Does Clipper represent attempts to
outlaw the use of encryption in any form by the public unless he or she uses
an 'approved' (and breakable) cipher system such as Clipper?  This last
question is a far darker scenario and goes to the very heart of freedom and
privacy in a democratic society."  — All this in The Australian of 29 March

In the New York Times of 26 March 1994, on the first page of the second
section and wrapping around to page 26, there is an article "Collisions in
Cyberspace on Data Encryption Plan" which starts "To paraphrase Oscar Wilde,
the Clinton Administration threw a couple of its lions into a den of savage
Daniels here this week" (now last week).  That refers to the Fourth
Conference on Computers, Freedom, and Privacy in Chicago, and the article
appears under a wonderful photo of Emmanuel Goldstein, editor of 2600, clad
in T-shirt, etc., taling with Frank Carey of Bell Labs, replete in coat and
tie, but holding beer bottle.  The article goes on to describe an arrest of a
man in the conference hotel (actually a conference attendee) who fit the
description of fugitive hacker Kevin Mitnick and the rough go Dave Lytel of
the President's Office of Science and Technology Policy had as the keynote
speaker trying to defend Clipper.

Professor Lance J. Hoffman, Department of Electrical Eng. and Computer Science
The George Washington University, Washington, D. C. 20052     (202) 994-4955

Re: L.A. Phone Fire (Weinstein, RISKS-15.67)

Nevin Liber <>
Tue, 29 Mar 1994 02:32:49 -0700 (MST)
We felt the effects here in Tuscon, Arizona, 500 miles and another state away
from Los Angeles.  I went to the local grocery store to do some shopping and,
you guessed it, they couldn't take my charge card because of that fire (they
had notices posted throughout the store).

I guess it's not just earthquakes anymore that have a rippling effect all the
way to Arizona...

Re: The RISKs of Canadian Poodles using 911 (RISKS 15.70)

Shawn Mamros <>
Tue, 29 Mar 94 10:55:27 EST
John Oram <>, in RISKS 15.70:
>They had 911 on speed dial?  Come on - that's inexcusable, given how easy it
>is to accidentally hit the wrong button on a phone.

Not when the phone manufacturer provides speed dial buttons explicitly
labelled for that purpose.  I own a General Electric phone (purchased about
five years ago) that has three buttons on it labelled "Fire", "Police", and

There are other risks associated with such a phone, in addition to
that of pets (or small children) accidentally hitting one of those
buttons.  The buttons need to be programmed with the correct number,
since 911 is not (yet) universal in the US.  If the owner of a phone
does not set the numbers for those buttons - or worse, moves without
changing the numbers (where one of the old or new locations does not
have 911) - one could picture a scenario where a guest is present, the
phone's owner is incapacitated, and the guest tries to use the "Ambulance"
button to contact same...

-Shawn Mamros

   [RISKS received a large number of messages on this topic, including those
      Jay Schmidgall <jay@VNET.IBM.COM>,
      Jeff Nelson <>,
      Nevin Liber <>,
      Tom Russ <tar@ISI.EDU>)
      Andrew Duane <>
   who noted built-in emergency features.  The risks therein seem quite
   widespread.  Also,
      Bob Peterson <>
   noted the risks of defaults returning when batteries are replaced.  PGN]

Banknotes and photocopiers

Mike Sullivan <74160.1134@CompuServe.COM>
29 Mar 94 00:12:24 EST
In RISKS-15.70, Tom Standage noted that some color photocopiers prevent
forgery by reacting to the color shift in the ink.  This seems similar to how
our Xerox black-and-white copiers react to an American Express card.  The
cards apparently use two different inks for the pattern filling the face of
the card, one of which is invisible to the copier, although both inks look
identical to the eye.  When photocopied, the card image bears the word VOID
all over its face (this is the green card; haven't tried it with a gold or
platinum one).  Perhaps a similar technology is involved in preventing copying
of currency.

Re: IRS persistence (Methvin, RISKS-15.70)

Robin Kenny <>
Wed, 30 Mar 94 10:16:25 +1000
This is not a good idea. What happened to me, basically, was that I closed my
old VISA account with the State Bank Victoria (Australia) with 4 cents
credit, <CREDIT, not debit>, believing I was a good guy for not trying to get
the money out - after all, it probably costs VISA $x per transaction.  Some
years later I had occasion to apply for another VISA card...

When trying to use my bank DEBIT card to pay for petrol a security alert was
flashed to the operator and my card was seized. Using my ATM card showed no
funds and my ATM card was seized. My PASSBOOK account had a security trigger
fire when I presented it at the local branch... It was all caused by the
previous VISA account; the four cents was never allowed to be reabsorbed by
the bank and my application for a new card found a bug in the validation
software that said "there is a problem with this applicant".  This
automatically put a hold on all my finances! Even the home loan joint account
was frozen.  It took TEN WORKING DAYS for a human to finally backtrack to the
root cause (the security re-asserted itself each night) I did get an official
letter of explanation (I was beyond accepting apologies) on letter-head so
future repercussions could be minimised.

What may happen to "dwm" could be something bizarre like being arrested by
the IRS for undisclosed income, not so improbable as a friend had his 1987
tax refund assessed as income for 1988!

(Did I read in RISKS about a person having $1M accidentally transferred into
 their savings account, now fighting it out with the bank over the $50,000
 funds-transfer tax?)

      [The original item was in RISKS-15.60.  I don't
      recall seeing the transfer-tax item before.  PGN]

Robin Kenny  (

Preliminary Program: 7th IEEE Computer Security Foundations Workshop

Li Gong <>
Tue, 29 Mar 94 10:33:56 -0800
[This workshop is by invitation of the General Chair only.  To participate,
please contact Professor Ravi Sandhu at as early as
possible since the number of spaces is very limited.]

7th IEEE Computer Security Foundations Workshop (CSFW-7) (Preliminary Program)
        Franconia, New Hampshire, June 14-16, 1994

Tuesday, June 14

8:50-9:00am — Welcoming Remarks
Ravi Sandhu (George Mason University, General Chair)
Li Gong (SRI, Program Chair)

9:00-10:30am — Non-Interference and Composability
Session chair: Jose Meseguer (SRI)

* Unwinding Forward Correctability
    Jonathan Millen (MITRE)

* A State-Based Approach to Non-Interference
    William Young and William Bevier (Computational Logic, Inc.)

* Combining Components and Policies
    George Dinolt, Lee Benzinger and Mark Yatabe (Loral)

11:00-12:00pm — Formal Methods and Semantics
Session chair: Simon Foley (University College Cork)

* Formal Methods for the Informal World
    Carol Muehrcke (Secure Computing Corporation)

* Formal Semantics of Rights and Confidentiality in Deductive
  Databases with General Integrity Constraints
    Adrian Spalka (University of Bonn)

12:00-2:00pm — Lunch Break and Croquet Tournament

2:00-3:00pm — Modeling
Session chair: Stewart Lee (University of Toronto)

* Confidentiality in a Replicated Architecture Trusted Database System:
  A Formal Model
    Oliver Costich, John McLean and John McDermott (Naval Research Lab)

* Conceptual Foundations for a Model of Task-based Authorizations
    Ravi Sandhu and Roshan Thomas (George Mason University)

3:30-5:00pm — Panel on "The General Write-Up Problem"
    Panel moderator: John McDermott (Naval Research Lab)
    Panelists: to be confirmed

Wensdesday, June 15

9:00-10:30am — Cryptographic Protocol Analysis
Session chair: Virgil Gligor (University of Maryland)

* A Model of Computation for the NRL Protocol Analyzer
    Catherine Meadows (Naval Research Lab)

* AUTLOG — An Advanced Logic of Authentication
    Volker Kessler and Gabriele Riemer (Siemens, AG)

* Nonmonotonic Cryptographic Protocols
    Aviel Rubin and Peter Honeyman (University of Michigan)

11:00-12:00pm — Security Policies
Session chair: John McLean (Naval Research Lab)

* Formal Specification of Information Flow Security Policies and Their
  Enforcement in Security Critical Systems
    Ramesh Peri and William Wulf (University of Virginia)

* A Taxonomy of Security Properties for CCS
    Roberto Gorrieri and Riccardo Focardi (Universita di Bologna)

12:00-2:00pm — Lunch Break and Croquet Tournament

2:00-3:00pm — Access Control
Session chair: Joshua Guttman (MITRE)

* One-Representative Safety Analysis in the Non-Monotonic Transform
    Ravi Sandhu and Paul Ammann (George Mason University)

* Reasoning about Confidentiality Requirements
    Simon Foley (University College Cork, Ireland)

3:30-5:00pm — Panel on "Reconsidering the Role of the Reference Monitor"

* Redrawing the Security Perimeter of a Trusted System
    Dan Sterne and Glen Benson  (Trusted Information Systems)

    Panel moderator: Dan Sterne
    Panelists: Len LaPadula (MITRE), Ravi Sandhu (GMU),
               Carl Landwehr (NRL), and Glenn Benson (TIS)

Thursday, June 16

9:00-10:30am — Protocol Security
Session chair: Michael Merritt (AT&T Bell Labs)

* Development of Authentication Protocols: Some Misconceptions
  and a New Approach
    Wenbo Mao and Colin Boyd (University of Manchester)

* A Taxonomy of Replay Attacks
    Paul Syverson (Naval Research Lab)

* Cryptographic Protocols Flaws
    Ulf Carlsen (Telecom Bretagne, France)

11:00-12:00pm — Workshop Business Meeting

12:00pm — Workshop Adjourns

Please report problems with the web pages to the maintainer