The RISKS Digest

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Volume 16 Issue 29

Tuesday 26 July 1994

Contents

o Let me off the Information Superhighway!
Nancy Leveson
o Risks of assuming standard interfaces
Clive D.W. Feather
o Airport codes
Clive D.W. Feather
o Embezzlement at Beijing Hotel
Mich Kabay
o Remote reading of gas meters
Mich Kabay
o Hack FAQ (summary)
Martin Minow
o Risks of being unable to clear records
Marcus J Ranum
o More inadvertent mail list "spamming"
Phillip Finch
o Two kinds of risks
Robert Morrell Jr.
o Risks of hot lines
Philip H. Smith III
o Info on RISKS (comp.risks)

Let me off the Information Superhighway!

Nancy Leveson <leveson@cs.washington.edu>
Sat, 23 Jul 1994 18:56:17 PDT
I have started to get strange email requests wanting to chat with me about
security, DES encryption standards, and advice on how to get rid of hackers
who are intruding on their machines.  When I reply that I am not a security
expert, the replies have been equally as weird.  I found out that somebody has
published a book called "Email Addresses of the Rich and Famous" (of which I
am neither) and that I am listed on the center of page 8 as a security expert.
Apparently, my entry is not the only error in this book.

    Godin, Seth "E-MAIL addresses of the Rich & Famous"
    Copyright 1994 by Seth Godin Productions, Inc.
    Addison-Wesley Publishing Company Inc.
    ISBN: 0201408937

This book appears to be on the same level as those who sell maps and addresses
to the stars' homes in Hollywood (and about as accurate), and I am appalled
that a reputable publisher like Addison-Wesley would be involved in such an
obviously unchecked invasion of privacy.  The time involved in dealing with
this unwanted mail is starting to interfere with my work.  Can I sue?  Is this
happening to other readers of the RISKS Forum?

I wrote to the editor of my software safety book at Addison-Wesley and asked
him to get me the name and email address of the $!&^%# editor at
Addison-Wesley responsible for this so I can post his/her address on the
alt.sex.kinky bboard :-).

Nancy Leveson


Risks of assuming standard interfaces

"Clive D.W. Feather" <clive@sco.com>
Mon, 25 Jul 1994 10:54:52 +0100 (BST)
[Taken from Ford UK's (free) magazine for drivers, without permission.]

Car thieves who broke into a Ford driving event at Oulton Park in Cheshire,
had a nasty surprise when the car they pinched turned out to be a specialised
reverse steer Fiesta equipped with an upside down steering rack.

Used normally to improve driver's co-ordination and concentration, it is an
exceptionally difficult vehicle to drive, requiring the driver to think in
opposites. However, the thieves were not to know this.

Attempting to turn left out of the main exit, they turned instead straight
into a concrete bollard on the right. Dazed but unhurt they escaped on foot.

Clive D.W. Feather, Santa Cruz Operation, Croxley Centre, Hatters Lane, Watford
WD1 8YN, United Kingdom clive@sco.com   +44 923 816 344    Fax: +44 923 210 352


Airport codes

"Clive D.W. Feather" <clive@sco.com>
Mon, 25 Jul 1994 11:13:52 +0100 (BST)
Seen on a BBC news item last night, a baggage tag with the code:

    LUN - Port Armstrong, Moon

My database says that LUN is Lusaka, in Zambia. *What* an opportunity
for your luggage to get lost.

Clive D.W. Feather, Santa Cruz Operation, Croxley Centre, Hatters Lane, Watford
WD1 8YN, United Kingdom clive@sco.com   +44 923 816 344    Fax: +44 923 210 352


Embezzlement at Beijing Hotel

"Mich Kabay [NCSA Sys_Op]" <75300.3232@compuserve.com>
26 Jul 94 10:00:52 EDT
Reuter (94.07.24 @ 23:19 EDST) via CompuServe's Executive News Service
(GO ENS):

  CHINA JAILS FOUR FOR COMPUTER FRAUD

  BEIJING, July 24 (Reuter) - In one of China's first officially reported
  cases of computer crime, four Beijing hoteliers have been jailed for
  cheating guests by manipulating computerised billing records.
    Beijing Friendship Hotel managers Jiang Zheng and Du Yize were sentenced
  to seven years, the state-run Legal Daily reported on Sunday. Two
  co-defendants were given three- and one-year terms.

Key points in the article:

o   Computer fraud a growing problem in China.

o   Two managers embezzled about U$9,000 from guests from Feb-May 93.

o   "They connived to use the computer to cancel or change hotel accounts,
alter the records of 39 cash receipts and make fraudulent reports of daily
hotel accounts," the report said.

[MK: This is clearly a case where Peking at your hotel bill is a good idea
before you pay.][Apologies to PGN.]

Michel E. Kabay, Ph.D. / Dir Education / Natl Computer Security Assn


Remote reading of gas meters

"Mich Kabay [NCSA Sys_Op]" <75300.3232@compuserve.com>
26 Jul 94 10:00:47 EDT
From the Washington Post newswire (94.07.23) via CompuServe's Executive News
Service:

  D.C. Residents Shocked by Gas Bill for $2,248
  By Daniel Southerland, Washington Post Staff Writer

  Rachel Carlson, a law student on a tight budget, was shocked when she
  opened the mail recently and found a monthly gas bill for $2,248.28.
  Carlson, 23, and four others sharing a brick house in the District had been
  paying bills ranging from $50 to $60 a month.

The story continues with the explanation.  Seems the gas-meter reader had been
unable to get into the house to read the meter, so the Washington Gas
estimated usage for three years.  When they finally got a reading, they
invoiced the tenants for the unpaid difference between reality and estimation.

The mildly interesting portion of story for RISKS and NCSAFORUM readers is
that the company will be installing low-intensity FM transponders "by March
1995 in all of the homes that currently are receiving estimated bills....  A
van drives by the house and sends a `wake-up' signal to a unit attached to the
gas meter.  The meter reading is transmitted to the computer in the van and
then to the company's billing department."

Now, this scenario brings up a couple of RISKS that correspondents in the
Washington, DC area might like to investigate (and report back to RISKS or the
NCSAFORUM):

1) Integrity: what is the reliability of the system?  How is a low error-rate
ensured in the transmissions?

2) Confidentiality: how easy would it be for Nasty People Interested in
Robbing Houses to tap the gas-meter signals?  For all the automated timers
attempting to camouflage the residents' absence, a gas meter showing little or
no usage would indicate that absence for extended periods.  I think this is a
minor threat, but fun to think about for a few seconds.

3) Robustness: how easy would it be for Nasty People Interested in General
Havoc to jam / spoof / corrupt the data transmissions?  For that matter, is
there any other source of interference which might cause faulty readings?  One
can imagine bills for $22,482.80 if Rotting Rotifer the local criminal hacker
decides to have his bit of fun while the Gas Van is roaming about the
neighbourhood.

RISKS readers tired of real-world security will seize the opportunity to have
a gas investigating this new threat to world peace and prosperity <g>.

Michel E. Kabay, Ph.D. / Dir Education / Natl Computer Security Assn


Hack FAQ (summary)

Martin Minow <minow@apple.com>
Sat, 23 Jul 94 19:16:04 -0700
A friend recently sent me a copy of the "Hacking FAQ" (Frequently Asked
Questions) that was posted to alt.2600 on July 9, 1994. (I wasn't able to find
it in our Usenet archives, but we purge often.) It was posted by
will@gnu.ai.mit.edu (Will Spencer). It's too long to include in Risks, but
may be copied from the Risks ftp archives as [[***]].  This note summarizes
the 20 page, 30,000 byte original.

The FAQ has two main sections: hacking computers (mostly Unix) and telephone
systems.

Hacking Computers:
-- A list of programs for guessing passwords for Unix and VMS (both store
   passwords in a one-way encrypted fashion).
-- Getting the list of encrypted passwords, even if they are shadowed or
   otherwise hidden on Unix. Getting the list of encrypted passwords from VMS.
-- Breaking out of restricted Unix shells. Becoming root on Unix (an 8 line
   program), erasing yourself from the Unix logs (a 1 1/2 page program).
-- Faking mail by using Telnet. Faking News postings.

Phone system hacking:
-- Description of red, blue, and black boxes. These are (traditionally),
   small boxes with components that defeat telephone security, letting you
   make calls for free. For example, a red box mimics the sounds that money
   makes when coins are deposited in a pay phone. You can make one by
   changing the crystal in a tone dialer, or by recording the tones on
   a Hallmark "record your message" greeting card.
-- A list of every "box" color, and a brief description of what it does.
-- Finding the number of the telephone you're calling from. Traditionally,
   this is done by calling telephone-company provided services that were
   created for phone workers. The new method is to use the ANI service that
   delivers the calling phone number to 800 and 900 service providers:
   call (800) 471-8859. "It is an 800 phone sex line. The system will give
   you an account number. The first 10 digits of the account number will
   be the telephone number from which you are calling." (I haven't tested
   this since I don't particularly want my home phone number in their
   database.)
-- Ringback numbers: these ring the phone from which it's called.
-- Loop numbers: a loop is two telephone numbers linked together. If you
   call one number and your colleague calls the other number, you will
   be able to talk to each other.
-- Reverse directory numbers: given a (listed) number, it returns the
   subscriber's name and address. Two companies provide this information
   via 900 numbers, charging about one dollar per minute.

Internet sites of interest:
-- FTP sites; many seem to have encryption software.
-- Usenet newsgroups. alt.2600, alt.dcom.telecom, alt.hackers, etc. comp.risks
   is not mentioned, but perhaps we're not that interesting.
-- WWW sites, including what appears to be two belonging to Gene Spafford,
   who is a computer security expert.
-- IRC (Internet Relay Chat) sites. IRC is an internet broadcast facility.
-- Hacking IRC to hide your username, and to hack ChanOp.
-- one BBS site

I don't think that giving the Hack FAQ greater publicity in Risks is a serious
risk in itself: the bad guys know this stuff, and it is useful for the rest
of us to realize just how limited, for example, Unix security really is. For
example, I hadn't realized that it was so easy to get the encrypted password
list on VMS, and that it was so easy to get system privileges on Unix.

Martin Minow  minow@apple.com


Risks of being unable to clear records

Marcus J Ranum <mjr@tis.com>
Mon, 25 Jul 94 14:27:35 EDT
[From the Baltimore Sun, July 23, 1994]

    This scares me a lot. We all know the power of innuendo -- when
it's combined with computer databases (which never "lie") it is even
worse. I've edited out the noise/filler with [...].

----Article Begins----

Couple mistakenly listed as abusers lost in court
No rights violation found by judges
By Anne Haddad, Sun Staff Writer

    David and Marsha Hodge were mistakenly listed as child molesters in a
state database for two years without a chance to know it or to correct the
error.
    But that did not violate the Taylorsville family's civil rights or
invade its privacy, three judges in the 4th US Circuit Court of Appeals in
Richmond, VA., ruled this week.
    The decision overturns one by Judge Herbert F. Murray in US District
Court in Baltimore in September, 1992.
    "While it is true that such records may be expunged," the appeals
court ruled, "there is no *automatic* right to expunction once an individual's
name has been cleared."
    Mr. Hodge says he plans to appeal the ruling.
[...]
    "There is no constitutional right to have the state destroy records of
an investigation," Ms. Cannon [MD Attorney General's Office] said. "The fact
that the records exist does not hurt them. That's the key." [...]
    In January, 1989, a misdiagnosis of 3-month-old Joseph Hodge's swollen
arm led a pediatrician to report possible child abuse. The doctor thought it
was a fracture, but the swelling was a bone infection later diagnosed and
treated surgically at Union Memorial Hospital in Baltimore.  [...]
    David and Marsha Hodge, both scientists who hold national security
clearances for their jobs, said the listing in the state database could harm
them, but the court said that claim was not tangible.
    The judge said that because of the confidentiality of records in abuse
investigations, "we see no avenue by which a stigma or defamation labelling
the Hodges as child abusers could attach."

----Article Ends----

    The judge's finding is particularly amusing in the light of recent
revelations of widespread accesses of IRS databases by curious employees [Sen
Glenn announced some 1300 IRS employees are being disciplined for "browsing"
databases.]  -- any database that is not properly secured, which contains
personal information, can cause someone problems. What's frustrating about
these stories is that the technologies exist today to provide "need to know"
access and good audit trail for confidential databases. Moral: Don't trust
someone else to keep their facts about you straight.

mjr.


More inadvertent mail list "spamming"

Phillip Finch <pffinch@CERF.NET>
Fri, 22 Jul 1994 20:32:34 -0700
Here's another instance of how careless use of a listserver produced an
unintended deluge in subscribers' mailboxes.

An associate editor of the American Journalism Review (a paper magazine) was
researching an article about the plagiaristic practice known as
"rip-and-read"; i.e., radio reporters reading print articles over the air,
sometimes verbatim, without giving credit. The AJR editor posted a message
on a professional journalists' mail list called SPJ-Online, asking print
reporters to send him "rip-and-read" anecdotes.

However, the editor neglected to include a private address for replies.
Apparently, many respondents sent their messages to the SPJ-Online
listserver, which dutifully posted them to every subscriber.

I ran across this story in a humorous weekly on-line newsletter, BONG BULL
(Bulletin of the Burnt-Out Newspapercreatures' Guild), which described the
spamming as "an avalanche" and added this comment:

> Which is no way to protect a scoop.
> But that's AJR's problem, isn't it?

Phillip Finch (pffinch@cerfnet.com)


Two kinds of risks

"Robert Morrell Jr." <bmorrell@isnet.is.wfu.edu>
Mon, 25 Jul 1994 11:26:39 -0400 (EDT)
Bill Donahue's harassment by an automated caller is simply a new version of
the old problem of bad data inputs attached to systems that did not take
into account the possibility of such erroneous inputs. Workers in
hospitals have long been aware that the tiniest of erroneous keystrokes
can have grave consequences, as have (though with less concern,
apparently) workers in large bureaucracies (the old stories of people who
had "died" in the Social Security System come to mind).
I recently had the idea that any output "downstream" of a manual input be
presented to all user interfaces in cursive script, so that the user is
aware that keystroke errors are a possibility.

A separate kind of computer risk, represented in several threads in
RISKS, is the use of expert systems or near expert systems in scenarios not
envisioned by the designers (auto-pilots, safety and anti-theft systems
linked to airbag deployment, and others). Here is a much newer kind of
risk that will become more apparent as AI enters the mainstream,
particularly as the mainstream seems oblivious to the differences between
standard computer programs and AI. In one, all possible scenarios are
supposedly thought out by the programmer, and errors generally result from
inputs. Proper escape mechanisms (un-deceasing a Social Security
number, for instance) can be anticipated by simply analyzing input error
possibilities. In the other, all possible scenarios by definition cannot
be thought out. Yet more global escape routines or even better,
systems that automatically question human users about unusual scenarios
it finds itself in, have not been added to make the system sensitive to
its limitations. That is, people are designing, using and trusting AI and
quasi AI systems in the same way they have dealt with standard computer
programs.

In the case of Mr. Donahue's tele-nightmare a convergent solution might
be an expert system that alerts autocaller users to any phone number that
results in a certain number of failures to connect.

While readers of RISKS will continue to call for such common sense
measures, the real problem remains a public that has inappropriate
expectations and understanding of modern computer systems. We are still in
the era where chainsaws have been handed out without any clear explanation
of how they differ from axes.

Bob Morrell


Risks of hot lines

Philip H. Smith III, (703) 506-0500 <PHILS@RELAY.RELAY.COM>
Fri, 22 Jul 94 08:38:50 EDT
At our old building, we had a non-PBX line into the computer room.  It
was hooked to a Radio Shack environmental monitor, which would detect
high temp, noise, etc. and call a list of phone numbers until someone
responded.  That part worked fine.  But we started getting wrong numbers
-- we'd be in the room and hear the phone ring, and the robot would pick
up and start talking, but nobody who worked there would own up to it.
This happened several times per day -- too many even for telemarketing
-- and we couldn't figure it out for the longest time.  Then one day I
was driving home and heard an ad on the radio for a suicide hotline, in
nearby Maryland -- at number (301) 685-0525.  Our robot's line was
(703) 685-0525!  So some poor depressed person would get it together
enough to call the number, but without the 301, and would get a robot
saying "This is telephone number 6 8 5 0 5 2 5, the time is xx:yy,
temperature is OK, noise level is OK, alert 1 is OK, alert 2 is OK,
listen to the surrounding area for 15 seconds", after which it would
switch on a microphone so they could either uninterrupted hear machine
room noise or machine room noise with people saying "Hey, the robot's
talking" "Yeah, it does that" "Wow, weird" and the like.

I shudder to think of whether there were any lasting ill effects of this
problem.  The good news is that shortly after discovering it, we moved to a
new building with a new number.

...phsiii


Re: As the Worm Turns--Ant-icipating Problems (Kabay, RISKS-16.28)

Pete Mellor <pm@csr.city.ac.uk>
Sun, 24 Jul 94 19:09:44 BST
On what species of ant are they modelling their software automata?

A few possibilities occurred to me:-

Army ants: These form nice quiet little colonies for a while, then (when
population pressure builds up to a certain level) they change their
life-style, and go on a random march through the jungle (read "usenet"? :-)
devouring everything in their path.

Leaf-cutter ants: These carve up leaves and take them back to their colonies
where they chew them into a mulch on which they grow an edible fungus.

Honey-pot ants: Some individuals "volunteer" (i.e., are "programmed" in BT's
terms) to hang from the roof of the nest and be fed by the others.  Their
abdomens become grossly distended with the digested food, which the other
members of the colony then suck out of them.

Pharaoh's ant: A small variety emanating (as its name suggests) from Egypt,
which is notorious for being able to get into *anything*. There are reports
of surgeons opening sealed sterile dressings in the operating theatre, only
to be confronted by a cute little ant waving its feelers.

The common British black ant: This forms neat little nests, usually under a
crack in your kitchen floor, from where they make daily raids on your larder.
According to entomologists (see ref. [1] below), these follow well-trodden
trails each day, except that 10% of the individuals are more adventurous than
the others, and persist in discovering new places to find food, instead of
just following the rest. Every year, a set of winged fertile females is
hatched and fly off at random to mate and found new colonies in totally
unpredictable places (but probably under that other crack in your kitchen
floor! :-).

The red ant: Similar to the black ant, but capable of biting through the skin
and injecting painful amounts of formic acid if disturbed. Members of a colony
recognise each other by smell. A colony that gets too large splits in two, and
the members of the break-away colony develop a different smell, so that, if
they come across members of the parent colony, there is a fight to the death.

The termite (and before any entomologist jumps down my throat, let me say I am
well aware that termites, although colloquially referred to as "white ants"
are not "ants" at all): This builds truly impressive hills of chewed and
hardened mud up to 20 feet tall. They are averse to light, and very skillful
at building covered tunnels to get to where they want to be, i.e., to the
nearest available source of cellulose (read "software library"? :-) which they
devour with unbelievable voracity. When my father served in India during the
war, everything had to be kept in steel trunks, otherwise the little darlings
would make short work of your spare uniform! :-) Termites come in various
forms: the queen is an enormous sluggish thing whose sole function is to lay
eggs to make new termites. The soldiers are ferocious things with big jaws
which rush to any breach in the nest and fight off the attacker. The workers
are sterile females whose job is to tend the eggs and larvae and build the
nest and tunnels by chewing and piling up pellets of mud which harden like
concrete when mixed with their secretions.

QUESTION: Which species could BT be thinking of?

Returning to the key points from the article (as presented by Mich):-

> o  "Our system is made up of small, autonomous, reactive, mobile
> blocks of computer code that interact in a way derived from ant behavior,"
> said scientist Simon Steward. "The control system that emerges from all of
> these mobile software agents working together is inherently adaptable and
> robust unlike normal computer programs."

Must be worker termites. Entomologists have developed models of termite
building behaviour which allow for the construction of large nests from
very simple rules, e.g., "pile up mud pellets on top of one another, unless
the worker nearest to you has made a taller pile than you have, in which
case, stop working on your pile and help her to build hers".

OK, termites don't need to be too bright to build fancy nests, but is the
resulting structure of any use to humans? If the requirement for the overall
system is simply "I want big towers of chewed mud stuck at random over the
landscape", then the "termite worker" model might just be the one we want.

> o  The goal of the work is to prevent system crashes when an
> unanticipated [...] condition occurs.

Must be modelled on warrior termites. Simply rush to the hole in the nest
(read "system") and chew the head off anything in sight!

> o  The distributed computing model uses message-passing to coordinate
> computation.

Like using smell to communicate messages such as "Follow me to the food!"?

> o  "The programs are mobile like ants, moving from one computer to
> another, when needed."

Army ants? The flying form of the common black ant?

> o  After making software or parameter changes, the "mobile programs"
> would "leave messages for other programs on how the system has been
> adapted."

"The fungus garden is over here!" "Nip up that rose-bush and milk those
aphids!"

> o  Modules will display "a certain amount of random behavior...."

Really? There's a surprise! :-)

> o  The system will display heuristic, goal-seeking behaviour.

Whose goals? The statement is correct. An ant colony *does* display exactly
such behaviour, and the behaviour of the colony is more complex than the
behaviour of the individual. A colony of social insects behaves more like
a single organism than a collection of individuals. This is due to the
distribution of genes among the colony (all workers are half-sisters of
the queen [ref. 2 below]). Next time you dig a wasps' nest out of a pile
of garden rubbish (as I once made the mistake of doing) you could make
sense of the consequences by reflecting that you have just been attacked
by an animal the size of a small dog with 3,000 venomous teeth! :-)

The "goals" of an insect colony [ref. 2], however, are:-

1. Feed  2. Breed (or vice versa)

Can we be sure that our software "ant colony" would stick to *our* goals?

> All this is fascinating, and I naturally wondered about the implications
> for system reliability.

So did I! :-)

Reliability is defined as: The probability that the system (i.e., the
environment in which the "ant colony" "lives") will perform a required
function for a given period of time under given conditions.

If the system is continually modified by software "ants" the implications
are not obvious, and my gut reaction is that chaotic behaviour could manifest
itself. Could the ants actually modify the required system behaviour?
If so, will they also rewrite the functional spec.? :-)

> It will be interesting to follow this work and see how concerns for
> reliability are worked into this evolving field.

I agree that the implications for reliability are interesting, but that
is all that I can be adam-ant about at the moment! :-)

References:-

[1] For general ant behaviour: Derek Wragge-Morley: "The Book of the Ant",
Penguin, 1958 (?)

[2] For the genetic basis of behaviour of social insects:
Richard Dawkins: "The Selfish Gene"

Peter Mellor, Centre for Software Reliability, City Univ., Northampton Square,
London EC1V 0HB   +44 (71) 477-8422, p.mellor@csr.city.ac.uk
