The RISKS Digest

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Volume 17 Issue 08

Monday 24 April 1995


o Patched software threatens $26b federal retirement fund
Ed Borodkin
o Church Cordless Phone Abused
Mich Kabay
o Hollywood and Hackers
Mich Kabay
o FTC Warns Of High-Tech Swindles
Mich Kabay
o Floating-Point Time
Robert J Horn
o Re: Barcode provides picture of burglar
Elizabeth D. Zwicky
o Defamation by E-mail
David Dixon
o Digital libraries and the great library at Alexandria
George McKee
o Police use of "EMP" weapons?
Laurence R. Brothers
o Parachute Automatic Activation Devices
Barry Brumitt
o RISK of using MIME quoted-printable encoding
Hans Mulder
o Extension of Registration for Security and Privacy
Catherine A. Meadows
o Mathematics of Dependable Systems
Victoria Stavridou
o Info on RISKS (comp.risks)

Patched software threatens $26b federal retirement fund

Ed Borodkin <Borodkin@DOCKMASTER.NCSC.MIL>
Thu, 20 Apr 95 14:15 EDT
The following, from the 17 April Government Computer News, highlights the
risks from inadequate configuration control:

"An audit of the $26 billion federal employees' Thrift Savings Plan found
that ineffective control of software development has left the plan
vulnerable to processing interruptions and may have compromised its data

The article notes that the audit found:
"- Between 1990 and 1993, more than 800 changes were made annually to
   the software.
"- About 85 percent of 1993 updates, mandated or emergency changes,
   bypassed upfront quality assurance database testing.
"- Comprehensive quality assurance testing was rarely performed.
"- Six programmers, 17 percent, accounted for more than 40 percent of all
   1992 and 1993 TSP software changes, for which there was little

Ed Borodkin

Church Cordless Phone Abused

"Mich Kabay [NCSA Sys_Op]" <>
23 Apr 95 09:26:03 EDT
Irish church discovers hot line to sex service
(Reuters, 13 Apr 1995, via CompuServe's Executive News Service)

    DUBLIN, April 13 (Reuter) - A remote Irish Roman Catholic church
    ran up an 800 pound ($1,300) bill to a telephone sex service, but
    the local cleric says none of his priests was involved.

The article explains that someone stole dial tone from the cordless phone
and placed the calls from outside the church.  The cordless phone is no
longer on line.  The church had to pay the phone bill.

M.E.Kabay,Ph.D., Mgmt Consultant, LGS Group Inc. (Montreal, QC)
Director of Education, Natl Computer Security Assn (Carlisle, PA)

    [Some LISP-hacker outside the church said, "Let us play?"  PGN]

Hollywood and Hackers

"Mich Kabay [NCSA Sys_Op]" <>
23 Apr 95 11:50:36 EDT
Starring Gene Hacker, Sissy Cyberspacek; Hollywood Has Plugged
Into Computers, and Entertainment May Never Be the Same
(Kara Swisher, Washington Post, 23 Apr 1995, via
CompuServe's Executive News Service)

  What do you get if you cross Hollywood with Silicon Valley?  Siliwood?

  Last summer, Keanu Reeves and Sandra Bullock romanced each other as they
  foiled terrorists in the blockbuster action film "Speed." But this year,
  the two sex symbols are starring in big-budget movies cozying up to
  computer chips.

  Tinseltown is churning out a slew of cyberspace films and television shows
  built around people and computers. The slate of offerings grows daily, as
  the industry's creative minds focus on making the Internet worldwide
  network of computers thrilling, the illegal exploits of a notorious hacker
  gripping and hard disks sexy.

The author explains that Hollywood can't resist taking advantage of the
growing media hyperbole explosion about cyberspace.

Some of the upcoming releases to watch [out] for:

    ..."Johnny Mnemonic," based on the William Gibson novel about a
    high-tech courier -- played by Reeves -- with a memory chip
    embedded in his head.

    Columbia Pictures Entertainment Inc.'s "The Net," ... will star
    Bullock as a shy computer systems analyst tossed "headlong
    into the middle of a murderous web of corruption and conspiracy"
    after she takes her keyboard where it shouldn't go.

    United Artists Entertainment Co. in the fall will release
    "Hackers," which is being flacked as a "cyberpunk thriller"
    whose protagonists have "awesome power at their fingertips."

    Walt Disney Co. reportedly is developing "f2f (face to face)"
    about an on-line serial killer.

    Fox Television recently launched "VR.5" and "Sliders," whose
    heroes are sexy computer geeks.

It seems John Markoff is deluged with requests for movie rights to his
forthcoming book about Kevin Mitnick.

[Comments from MK: Oh, good, just what we needed: "Mommy, mommy, I wanna
grow up to be like Kevin Mitnick!"  Readers of RISKS and participants in the
NCSA Forum on CompuServe may want to limber up their typing fingers and get
ready to protest the glorification of criminal hackers that will likely be
part of Hollywood's portrayal of people like Mitnick.  It would be useful to
be in the early showings of the films and write reviews for newspapers
countering the errors of fact and emphasis we are likely to see.]

M.E.Kabay,Ph.D., Mgmt Consultant, LGS Group Inc. (Montreal, QC);
Director of Education, Natl Computer Security Assn (Carlisle, PA)

FTC Warns Of High-Tech Swindles

"Mich Kabay [NCSA Sys_Op]" <>
23 Apr 95 11:50:58 EDT
FTC Warns Of High-Tech Swindles; Agency Gets Restraints Against 3 Companies
(By Sharon Walsh, Washington Post Staff Writer, Washington Post, 21 Apr
1995, via CompuServe's Executive News Service)

  When Baptist youth minister Chris High of Tuscaloosa, Ala., put his
  inheritance into communications technology, he thought he was getting in
  on the ground floor of a fast-growing industry.  He didn't know it is also
  the fastest growing area for fraudulent investment pitches.

Key points from the article:

o   Federal Trade Commission (FTC) reports tripling in complaints about
    scams related to wireless licenses:  195 complaints in 1994 vs 63 in

o   Criminals run telemarketing operations sucking investments from
    victims; spend money on lavish lifestyle and more telemarketing,
    leaving little for licenses and equipment.

o   Most victims will lose their investments; total of $33 million
    stolen so far.

o   Beware of investment opportunities touting mobile radio, digital
    radio, wireless TV data interchange, interactive video and data
    services (IVDS).

o   Some of the criminals even call their victims back "and offer to
    help get lost money back -- for a fee. These "recovery room" scams
    are up 400 percent over the last two years, according to
    the FTC.

o   The three cases announced by the FTC yesterday were:

    Chase McNulty Group Inc. of St. Petersburg, Fla., and its
    officers allegedly offered consumers partnerships in IVDS
    licenses for $5,000 to $6,000. The FTC contended that the
    majority of the money the group collected was going to
    the marketers, not to buying licenses.

    Digital Interactive Associates Inc. and Market Logistics
    Group Inc. of Florida and Colorado, ... [NOTE: On 8 May 2000, THE
        IN RESPONSE TO A REQUEST FROM Robert T. McAllister of the lawfirm of
        McAllister and Murphy in Denver CO.  Mr. McAllister's letter
        asserts that the original item in *The Washington Post* regarding
        DIA and MLG was incorrect in essentially all details, although his
        letter added that
          "The FTC did file a lawsuit against Digital Interactive
          Associates, Inc. and Market Logistics Group Inc., but that
          lawsuit was settled for nuisance value in April of 1999."
        As always, the Risks Digest makes every possible effort to ensure
        that information is factual, and requests that all mirrored copies
        of this issue be updated to correct the record.]

    Satellite Broadcasting Corp. of Irvine, Calif., and its
    officials falsely represented that it was applying for a
    license and had the rights to distribute direct broadcast
    satellite television programming in Georgia, the
    FTC said. The company solicited investments of $10,000
    to $25,000, the commission said.

Consumers with complaints should call the national telemarketing
fraud hot line at 1-800-876-7060.

M.E.Kabay,Ph.D., Mgmt Consultant, LGS Group Inc. (Montreal, QC);
Director of Education, Natl Computer Security Assn (Carlisle, PA)

Floating-Point Time

Robert J Horn <>
Sun, 23 Apr 1995 22:02:42 +0059 (EDT)
The opponents of floating-point representation for time have done an
insufficient analysis.  About twenty years ago I was part of a research
group doing extensive time series analysis of weather and related data.  We
needed a good way to represent time.  Fortunately we had a few astronomers
on the team, so time was reasonably well understood.

We chose "second of century", using a double precision floating point
representation.  Analysis showed that this would preserve millisecond
accuracy for the span of interest.  (Actually for all of recorded history
and more.)  Since we usually were satisfied with one minute accuracy this
seemed sufficient.  There was a brief debate about using a better time base,
but 12:00:01 AM GMT, 1 January, 1901 was easy to explain to everyone.  There
are a few applications that need better than millisecond precision, but for
most of the world's applications double precision floating point will provide
enough precision for the next few millennia.  (A simple test for those who
are unsure about their needs.  Do you compensate for the variations in the
rate of the Earth's rotation?  If not, you probably don't need millisecond

This notation had some interesting side effects.  At the time, floating
point turned out to be somewhat faster than 64-bit integers due to a
quirk of hardware.  It also led to excellent compatibility with the
other time series processing.  Time was just another well behaved
variable.  This notation eliminated a lot of the mistakes made by the
typical programmer who is ignorant of traditional time notations and
their problems.  There could have been some round-off issues, but we
rarely did any arithmetic other than addition or subtraction of two
times, where millisecond accuracy is maintained.  It even led to a
simple notation for interval time span data, e.g. "0.01 inches of rain
fell between 1633 and 1647 on ...", which is how many meteorological
measurements are made.

The difficult problems were in translation to and from local.  The most
severe problem was the inherent ambiguity of local time in recent decades.
There are two true times corresponding to each time in the one hour of
overlap when Daylight Savings shifts back to Standard.  Correctly
resolving this ambiguity was always a headache.  Fortunately most
professional measurements have been recorded in UTC, or GMT before UTC
was defined.

A word of caution, double precision floating point is suitable for an
internal representation of UTC, or "absolute" time.  You have to do your
own analysis if you are interested in timing relative to some event.

Rob Horn

P.S.  The turn of century problem has made The NY Times.  It may be so
widely hyped that almost all the problems are fixed by the time it comes.

  [Hmm!  According to you, it comes at 1/1/01 rather than 1/1/00.
  I wonder who agrees with that!  PGN]
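
The precision argument in the item above can be checked directly. The following is an added example, not code from the original post; it assumes IEEE 754 doubles, ignores leap seconds, and goes slightly beyond the post by also computing the span over which microsecond resolution would hold.

```python
import math
from datetime import datetime, timedelta, timezone

# Time base quoted in the post: 12:00:01 AM GMT, 1 January 1901.
# Assumption of this example: leap seconds are ignored (every day is 86400 s).
EPOCH = datetime(1901, 1, 1, 0, 0, 1, tzinfo=timezone.utc)


def to_second_of_century(dt):
    """Seconds since EPOCH as a double, built from exact integer microseconds."""
    delta = dt - EPOCH
    micros = (delta.days * 86400 + delta.seconds) * 1_000_000 + delta.microseconds
    return micros / 1_000_000  # int / int is correctly rounded in Python


def resolution_at(t):
    """Gap between adjacent doubles at t: the smallest time step that survives."""
    return math.ulp(t)


def max_span_seconds(resolution):
    """Exclusive bound on |t| below which adjacent doubles differ by <= resolution.

    A double in [2**e, 2**(e+1)) has spacing 2**(e-52), so the largest usable
    exponent is e = 52 + floor(log2(resolution)).
    """
    exponent = 52 + math.floor(math.log2(resolution))
    return 2.0 ** (exponent + 1)


def interval(start, end):
    """Difference of two timestamps, the only arithmetic the post relies on."""
    return to_second_of_century(end) - to_second_of_century(start)


if __name__ == "__main__":
    # Constructed sample: the timestamp of the post itself, read as UTC.
    posted = datetime(1995, 4, 23, 22, 2, 42, tzinfo=timezone.utc)
    t = to_second_of_century(posted)
    year = 365.25 * 86400
    print(f"second of century : {t:.3f}")
    print(f"resolution there  : {resolution_at(t):.3e} s")
    print(f"1 ms step measured: {interval(posted, posted + timedelta(milliseconds=1)):.9f} s")
    print(f"ms resolution for : +/- {max_span_seconds(1e-3) / year:,.0f} years")
    print(f"us resolution for : +/- {max_span_seconds(1e-6) / year:,.0f} years")
```
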

Re: Barcode provides picture of burglar (Burns, RISKS-17.06)

Elizabeth D. Zwicky <>
Thu, 20 Apr 1995 10:04:10 -0700
> a barcode sticker was still attached to the pickaxe.

Talk about risky ways of going about things! Store barcodes don't identify
individual items. All you can determine from the barcode is that the
hardware store sold *a* pickaxe. You *might* know what hardware store sold
it (if it was a store barcode and not applied by the pickaxe manufacturer),
but you can't know which pickaxe it was.

Fundamentally, you'll only ever see barcodes that can identify a particular
instance if there would be something else that would identify that object.
For instance, truck axles have individual barcodes; those simply repeat the
individually tracked serial numbers truck axles have always had. Products
sold by weight, like cheese and meat, may also have individual barcodes that
incorporate the weight.

Normally, the barcode doesn't even incorporate all the available information
about the object. It's a pure product code. A can of green beans has a
barcode label that says it's a can of green beans, and the register tape
will reflect that. The same can also has a lot number, so if you drop dead
after you eat it, the canning company has some way of figuring out what
other cans of green beans might be poisonous. The lot number is *not*
encoded in the barcode, and you wouldn't be able to find it from the
register information, because the grocery store really doesn't care.

I assume that the article is leaving out a lot of information (for instance,
that the pickaxe had the name of the hardware store on it, too, and the
hardware store only sold one pickaxe recently). But I'm always amazed how
willing people are to present barcodes as magic identifiers, and believe
that they function that way. Perhaps it's because they look funny and aren't
readable by eye?

Elizabeth D. Zwicky

Defamation by E-mail

David Dixon <>
Fri, 21 Apr 95 08:42:50 BST
Thursday April 20, UK

Kathy Marks in the Telegraph reports that a large supermarket chain has paid
substantial damages to a policeman whose description was circulated between
stores by electronic mail after he complained about a joint of meat.

Apparently, the E-mail message was headed "Refund fraud -- urgent, urgent
urgent" and gave an account of his complaint, together with details of his
appearance and car registration.  The policeman only found out about the
message when he visited a local branch of the store to give advice about
security.  A friend who works there showed him a print out of the message on
an internal noticeboard.

The policeman is quoted: "...If this had got out unchecked it could have
done me serious professional harm.  I am in a position of extreme trust and
there has got to be no doubt...that I am 100 percent trustworthy".

His lawyer said that the out-of-court settlement amounted to "thousands,
rather than hundreds" (of pounds).

--- David

Digital libraries and the great library at Alexandria

George McKee <>
21 Apr 1995 04:26:57 GMT
The April issue of the Communications of the ACM is all about Digital
Libraries.  More than one of the authors there alluded to the great Library
that was founded in Alexandria by the Egyptian king Ptolemy I.  One group
even calls its project "alexandria".  This library was one of the wonders of
the ancient world; it contained more than 700,000 volumes at its peak.  The
CACM writers are optimistic that digital technology can be as much of a
monument to the advancement of human knowledge as the Alexandrian Library
was in its day.

The other major topic of April's CACM issue is the ACM's new Electronic
Publication Plan, which details a carefully thought-out set of rules for
copying and citation of electronic documents and the status of hyperlinks to
World Wide Web documents as citations (the ACM's position) or plagiaristic
quoted inclusions (they rejected this view).  The transmission of an
electronic document from archive to reader poses important questions about
the nature of copying to authors and publishers who expect royalties from
the sale of their work, which the ACM appears to have succeeded in balancing
against the cultural and technical difficulties of applying a pay-per-use
paradigm to information resources released onto the Internet.

But the ACM policymakers appear to have missed one of the great lessons of
the Alexandrian Library.  According to my encyclopedia (*), the library was
kept in two buildings: one of these was a famous museum, which was destroyed
by fire during the siege of Alexandria by Julius Caesar.  The other part of
the library was kept in the temple of Jupiter Serapis, where during the
reign of Theodosius the Great, "a mob of fanatic Christians, led on by the
Archbishop Theophilus, stormed and destroyed the temple, together, it is
most likely, with the greater part of its literary treasures, in 391 A.D."

    The Alexandrian Library had endured for over 700 years, yet when it
was destroyed, it was an enormous loss to humanity since its contents
existed in only single copies, because of the difficulty in duplicating
them.  Some historians have gone as far as crediting its destruction as a
principal cause of the Dark Ages that afflicted Europe for the next thousand

The ACM Electronic Publishing Plan does not propose any measures to assure
the survivability or integrity of electronic publications against disaster
or terrorism.  Along with the ease of copying an electronic document comes
great ease in modifying its content undetectably.

Perhaps a greater risk comes from simple financial pressures.  Electronic
documents must be maintained on functioning computer systems.  When funds
run short, the temptation will be enormous to purge infrequently-accessed
documents from the database in order to reduce maintenance costs, or to
forgo copying them to new media when upgrade time arrives.

    I wrote the thesis for my Master's degree as an electronic document.
I still have the original, but it's on a PDP-10 format DECtape.  Where can I
find a machine capable of reading this tape twenty years later?  What's to
prevent this from happening to the contents of entire digital libraries?

George McKee   +1 713 890 8122

(*) "Alexandrian Library" (1922) Encyclopedia Americana, Albany, N.Y.
volume 1 [A to Annuals] p.373.

Police use of "EMP" weapons?

Laurence R. Brothers <>
Fri, 21 Apr 1995 10:09:25 -0400
The March issue of Security Management magazine reports that manufacturers
are testing some sort of nonlethal weapon designed to deliver a "high
frequency pulse" that would disable any unshielded electronic circuitry hit
by the beam -- with the suggestion this would be used somehow by the police.

Presumably this would be used in a car chase to take out a car's control
circuits, possibly disabling its electronic ignition. I naively imagine a
car's electronics to be fairly well shielded -- the steel shell, the engine
block itself, etc. -- and so this may be quite a powerful pulse (perhaps a
microwave-savvy reader can comment?).

The article only has a paragraph on this weapon and doesn't explain
the technology. I speculate about a police-car-mounted maser or
perhaps just a conventional microwave transmitter of sufficient power.

The risks here seem fairly obvious. First of all, risks in the actual effect
of the weapon during a legitimate high speed chase -- can there be any
guarantee that it will only stall the engine? Supposing it takes out the
power steering or activates the air-bags or does some other bizarre and
dangerous thing? Then there is the question of the precise focus of the
beam, and whether it might affect nearby vehicles. Presumably there is no
"tracer" effect, so the shooter doesn't know if the target was hit or not.

Secondly, assuming that it is a good weapon, i.e., it has good targeting,
only has the effect of stalling the engine or simply reducing engine
performance, etc. then it seems there would be little to prevent any random
microwave-hacker from doing the same thing, relatively undetectably,
especially if the weapon consists solely of a powerful microwave

Oh, as a side note, the article mentions that the device would be able
to destroy any sort of computer equipment....

Laurence R. Brothers

Parachute Automatic Activation Devices (AAD's)

Barry Brumitt <>
Fri, 21 Apr 95 11:15:02 EDT
Modern sport parachute systems are frequently equipped with an automatic
activation device on the reserve parachute that will initiate deployment of
the reserve if the person descends through a certain altitude whilst
exceeding a certain velocity, i.e., if you're low and falling fast (no
parachute!) it will initiate deployment of your reserve.

Currently, the most popular AAD (and by far the best made technically) is
the CYPRES. When turned on, it performs a self check that tests the
repeatability of the pressure sensor (to compute altitude), the integrity of
the system, as well as reporting the battery voltage and testing the voltage
on a dummy load. The CYPRES can activate the reserve via a pyrotechnic
cutter, which, when current is applied, fires, and cuts a crucial bit of
line which allows the reserve container to open. The CYPRES has only one
button, and the self-test is performed each time it is turned on, with
feedback to the user of the success or failure of the test.

CYPRES mandates that batteries be replaced every 500 jumps, 2 years, or when
the self-test fails with a battery-low code, whichever comes first.

Recently (last two weeks), a CYPRES activated (i.e., the jumper was low and
falling fast), but failed to cut the loop, and the skydiver hit the ground with
no parachutes out. Current reports indicate that:
    1) The selftest was succeeding
    2) Battery voltage *as reported by the self test* was in the moderate
       to high range (6.2 of 5.8-6.3v)
    3) The batteries were 4 years old (2 years beyond their lifetime!)
    4) The unit functioned correctly when tested in a chamber with a new
    5) The battery apparently lacked sufficient power to heat the wire to
       ignite the charge

A full report by the manufacturer has *not* been issued, so it is possible
that there are errors in this report, however, it is correct the best of my

The question: Does violating the *written* guidelines constitute a situation
in which the self-test can *fail* to report the correct status of the unit
-- and should the user be aware of this failure mode?

The risk: if you build in a self-test that does not in fact cover all
failure modes, you are putting the user at increased risk, as people will
rely on the electronic self-test, rather than the written instructions on
how to use the device. In a life-or-death situation, it is RISKy to provide
a self-test that produces ambiguous results.

Caveat: CYPRES has been designed to be as user friendly and reliable as
possible. In the 3 years since it has been widely used in the sport,
CYPRES has been responsible for saving approximately 50 jumpers who would
likely have otherwise died (true positives). There have been no
inappropriate activations (i.e., false negatives). There have (obviously)
been millions of uses where the device has not fired, and it wasn't supposed
to anyways (true negatives). This is the first incidence of a false
positive, where the unit should have fired, and failed to perform.

Conclusion: Read your manuals, and perform scheduled maintenance even *if*
the self test might imply that it isn't necessary.

Barry Brumitt, D-15427, Skydiving Instructor AFF/SL '95, CYPRES equipped

RISK of using MIME quoted-printable encoding

Hans Mulder <>
Fri, 21 Apr 1995 13:43:35 +0200
In RISKS-17.07 (James G Henderson) wrote:

> [...] that Notre Dame's organ is not suitable for concerts following
>a two year restoration costing =A31.3 million (Pounds Sterling) [...]

``=A31.3 million Pounds Sterling'' sounds like quite a lot of money.
On closer inspection, the restoration cost was only 1.3 million: `=A3'
is the MIME quoted-printable encoding for the Pound sign (a script L).

The theory behind MIME quoted-printable encoding is that it leaves 99%
of the text alone, thereby allowing users with older software to grasp
the essence of the message.  That may be true, but it also means that
the recipient of such a message will not be aware that the message he
read was almost, but not quite, the same as the message the sender sent.

Incidentally, MIME quoted-printable provides three codes for currency
signs and all three end in a digit: the dollar sign is `=24', pound is
`=A3', and yen is `=A5'.

Hans Mulder
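
The misreading described in the item above, shown as an added example that is not part of the original post. It decodes quoted-printable text and lists the places where an undecoded escape runs straight into a number; the ISO-8859-1 charset, the function names and the second sample line are assumptions of this example.

```python
import re

SOFT_BREAK = re.compile(r"=\r?\n")              # "=" at end of line: soft line break
ESCAPE = re.compile(r"=([0-9A-F]{2})")          # "=XX": one byte, upper-case hex
AMOUNT = re.compile(r"=([0-9A-F]{2})(\d[\d.,]*)")  # escape directly followed by digits

# Line quoted in the post, exactly as an undecoding mail reader displayed it.
SAMPLE = "a two year restoration costing =A31.3 million (Pounds Sterling)"
# Constructed line using the other two currency codes the post lists.
CONSTRUCTED = "tickets cost =2450 or =A5100 each"


def qp_decode(text, charset="iso-8859-1"):
    """Decode quoted-printable body text (assumed ASCII on the wire) to a str."""
    text = SOFT_BREAK.sub("", text)
    raw = bytearray()
    pos = 0
    for match in ESCAPE.finditer(text):
        raw += text[pos:match.start()].encode("ascii")
        raw.append(int(match.group(1), 16))
        pos = match.end()
    raw += text[pos:].encode("ascii")
    return raw.decode(charset)


def ambiguous_amounts(text, charset="iso-8859-1"):
    """Return (as_displayed, as_sent) pairs where an escape precedes a number.

    In quoted-printable a literal "=" is itself sent as "=3D", so any "=XX"
    in encoded text is an escape; in plain text this check can false-positive.
    """
    found = []
    for match in AMOUNT.finditer(text):
        symbol = bytes([int(match.group(1), 16)]).decode(charset)
        found.append((match.group(0), symbol + match.group(2)))
    return found


if __name__ == "__main__":
    print(qp_decode(SAMPLE))
    for shown, sent in ambiguous_amounts(SAMPLE) + ambiguous_amounts(CONSTRUCTED):
        print(f"displayed {shown!r} but the sender wrote {sent!r}")
```
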

Extension of Registration for Security and Privacy

Catherine A. Meadows <>
Fri, 21 Apr 95 16:46:15 EDT
Originally, the deadline for registration for Security and Privacy was
today, April 21.  However, we still have a number of openings still
available, and we have extended the registration period through May 5.
Instructions for registration are in the advance program and registration
form.  Cathy Meadows  Program Co-Chair

  [The full program and registration information are included in
  RISKS-16.80.  Please contact Cathy for further information.  PGN]

Mathematics of Dependable Systems (conference announcement)

Victoria Stavridou <>
Fri, 21 Apr 1995 16:34:10 -0700
4-6 September 1995, University of York, England
Sponsored by Nuclear Electric


The construction of dependable systems, by which we mean systems providing
high levels of reliability, availability, safety and/or security, is a
problem of considerable concern to both providers and users of information
processing systems of all types.  Historically, different aspects of system
dependability (e.g. reliability and security) have been studied quite
independently, albeit that many of the goals are similar.  For example, the
notion of certifying functionality assurance levels applies equally to
reliable systems and secure systems.  In addition, users will often require
some combination of security and fail-safe operation.

The purpose of MDS 95 is to consider the mathematical aspects of the
provision of dependable systems, one goal being a comparison and possible
unification of mathematical techniques for providing safe, reliable and
secure systems.  A number of different mathematical approaches have been
taken to the overall problem, including probabilistic/statistical reasoning,
formal models of safe, secure and reliable systems and logics of
authentication and access control/privilege delegation.  Papers on all these
areas are solicited, the unifying theme being the application of
mathematical techniques to the overall dependability problem.  Hence papers
will be particularly welcome that cross-fertilise the application domains.
The conference will consider dependability for both hardware and software

PROGRAMME AND PROCEEDINGS: The conference will consist of three days of
presentations by contributing authors.  The programme will also include
invited lectures by prominent researchers and practitioners in dependable
systems theory and practice.  Time will be made available for discussions.
A digest of papers will be available to participants during the meeting and
the proceedings will be published after the conference.

PANEL DISCUSSION: The Panel will be chaired by Dr B Wichmann (National
Physical Laboratory and The Open University) and led by Professor J Rushby
(SRI).  Other members will be announced later.  The main topic will be the
contribution of Formal Methods to certification.

INVITED SPEAKERS: Monsieur P Chapront (GEC Alsthom, France), Professor J
Knight (University of Virginia, USA), Professor B Littlewood (City
University, UK), Professor D L Parnas (McMaster University, Canada),
Professor F Piper (Royal Holloway, University of London, UK) and Dr C T
Sennett (Defence Research Agency, UK).

SUBMISSIONS: Five copies of complete papers (in English) should be sent to
Mrs Pamela Bye, Conference Officer, The Institute of Mathematics and its
Applications, 16 Nelson Street, Southend-on-Sea, Essex, SS1 1EF, England
(Tel. +44 1702 354020, Fax +44 1702 354111, Email
by 17 May 1995.  [...]

  [For the rest of the announcement, submission standards, registration info,
  etc., contact Victoria Stavridou <>.  PGN]

PROGRAMME COMMITTEE: Programme Chair : V Stavridou (Royal Holloway,
University of London), D Gollmann (Royal Holloway, University of London), M
Ingleby (British Rail Research), J Jacob (University of York), N Jefferies
(Vodafone Ltd), B Littlewood (City University), R Shaw (Lloyd's Register), B
Wichmann (National Physical Laboratory).
