The Risks Digest

The RISKS Digest

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Volume 17 Issue 17

Weds 7 June 1995

Contents

o Placing the blame, Part N+1: New York City subway crash
PGN
o Former IRS employee indicted
PGN
o The Internet is a Dangerous Place
Mycal Johnson
o Telecom records non-privacy at Ameritech
Lauren Weinstein
o *California Lawyer*, June 1995
Martin Minow
o Copyright infringed via WWW?
Gregor Ronald
o User-friendly E-mail systems
o Re: Ariane-5 test aborted
Erling Kristiansen
o Re: Drug Addicted Geniuses Built Cyberspace
Carlton Hogan
o Re: New Yorker Article on The 59-Story Crisis
Bob Frankston
o Compuserve addresses and a sparse name-space
Erik Corry
o Europe - Central Air Traffic Control
Mike James
o Re: The standard notion of a `field'
Peter Ladkin
Rob Horn
o Telematic Sculpture 4
T.S.4
o Privacy Digests
PGN
o Info on RISKS (comp.risks), contributions, subscriptions, FTP, etc.

Placing the blame, Part N+1: New York City subway crash

"Peter G. Neumann" <neumann@csl.sri.com>
Wed, 7 Jun 95 9:07:09 PDT

A NYC subway train on the Williamsburg Bridge crashed into the rear end of another train on 5 June 1995. The motorman apparently ran through a red light, and was still applying power at the time of the crash. The safety system is supposed to apply emergency brakes whenever a train runs a red light, but it seems that did not happen. (Subway officials said they had never seen that failure mode before.) So, we must add to the RISKS annals yet another case in which human error and system failure acted in combination. Here, neither of the two sets of safety measures was able to rely on the other. [Source: various news services on 6 and 7 June 1995.]


Former IRS employee indicted

"Peter G. Neumann" <neumann@csl.sri.com>
Wed, 7 Jun 95 11:45:11 PDT

A former employee of the Internal Revenue Service, Walter C. Higgins of Salem, NH, has been indicted on wire-fraud charges for illegally browsing through IRS computers to gather information on Thomas Quinn, a candidate in an election for the House of Representatives. (Quinn lost the election to Martin Meehan, D-MA from Lowell; Meehan says he knew nothing about Higgins.)

A current IRS employee, consumer representative Richard W. Czubinski, of Dorchester, MA, was indicted for misusing his computer access privileges to obtain information on 30 taxpayers, including members of the campaign committee of South Boston City Council President James Kelly. He apparently also accessed the tax files of a Suffolk County assistant district attorney who had unsuccessfully prosecuted Czubinski's father. Disciplinary action is being considered by the IRS. (Czubinski was also described as a sometime political candidate and a member of the Ku Klux Klan.)

[Source: The Boston Globe, 3 June 1995, pp. 1 and 15.]

[Recognizing the importance of preventing and monitoring both browsing and improper data modification, the IRS is making a considerable effort in its Tax Systems Modernization efforts to base the new system designs on stringent privacy and security requirements. I wish them luck! PGN]

The Internet is a Dangerous Place

Mycal! <mycal@netacsys.com>
Wed, 7 Jun 1995 09:27:50

I just learned yesterday that the Internet is a dangerous place. It seems someone up in Canada posted a message about a bomb and made it look like I wrote the message. Well, guess what happened, I got a visit from the U.S. Secret Service. It seems that they don't quite understand the Internet and think that, just because my name and E-mail address appeared in the text of the document, I wrote it.

If anyone knows of any `bomb' files that have my name on them, would you please tell me what archive they are stored at, because I didn't write them and I want my name off them?

Thanx,

Mycal Johnson mycal@netacsys.com

Telecom records non-privacy at Ameritech

Lauren Weinstein <lauren@vortex.com>
Tue, 6 Jun 95 21:38 PDT

In a recent issue of the TELECOM digest, it was reported that Ameritech now allows anyone to obtain bill payment information for any Ameritech line (unless blocked by specific subscriber request)--a true bonanza for snoops
in general and for folks trolling for big bill customers to target for marketing.

Obviously, this is a terrible policy. It is unfortunately not a unique situation. Ameritech's explanation (as reported in TELECOM) has been spouted by numerous other utilities, banks, and other entities. If a subscriber complains, they are frequently told that "hardly anyone else has complained about the system". If 1000 people complain, they may each individually be told that they're essentially the "lone wolf".

The "solution" is obvious. Ameritech should return to a "random" passcode system, and allow customers who have a problem remembering the code to either choose something simple ("0000") or opt for no code at all. But such a choice of no security should be made by the individual customer--to make it the default condition for all customers is very bad policy.

Experience has shown that the only effective way to deal with these types of situations is to complain loudly to the highest level you can reach. In the case of Ameritech, complaints (and suggestions for "fixing" the problem, as mentioned above) should be made to the billing supervisor level at least--better yet, speak to the managers. And while it means taking the time to put it down in written form, letters to state PUCs are *extremely* important with such matters.

I'm sure there are just a *few* Ameritech subscribers reading this now. If each of you expressed your opinion (one way or another) to the PUC and Ameritech regarding their system, I suspect you could have considerable impact.

--Lauren--

*California Lawyer*, June 1995

Martin Minow <minow@apple.com>
Wed, 7 Jun 1995 12:09:13 -0700

*California Lawyer*, June 1995 is a "High Tech" issue that RISKS readers might find moderately interesting, if for no other reason than to see another view of the computer field. Here's a brief summary of the contents:

Readers may also find the proliferation of computer-based legal tools interesting: as usual the advertisements are often more fascinating than the articles.

A few random quotes:

Electronic Arts: ``Securing the rights [to rock music] took almost as long as producing the game.''

Hate speech: ``The first time you get a first-run film sent over the Internet, you'll get lots of lawyers involved." "The First Amendment allows hate speech [on the Internet] to persist.''

Cybercrimes: ``For the most part, the computer has not introduced any new types of crimes, but it has introduced new methods, time frames, and languages for committing theft, manipulation, destruction, and espionage.''

Digital Piracy: ``Today's ability to create perfect copies over the Internet has frightened people.''

Intel: Disclosing bugs gains advantage in public-relations, but that doesn't take into account the business ramifications, including product replacement, numbers of customers, .... ``Legal ramifications are often secondary to corporate concerns.'' ``The Intel case study offers more public-relations lessons than legal ones, attorneys agree.'' ``The legal effect ... is about nil, Vendors have protected themselves with so many warranty clauses ... that they can get away with anything.''

From California Lawyer, June 1995. 1390 Market St., Ste 1210, San Francisco, CA 94102. (415) 252-0500. The issue may be difficult to find, as I obtained the last one available at my doctor's office.

Martin Minow minow@apple.com

Copyright infringed via WWW?

"Gregor Ronald, Wanaka, New Zealand" <GRONALD@rivendell.otago.ac.nz>
Wed, 7 Jun 1995 13:22:32 +1300

New Zealand Press Association carried this story on Wed 7 June 1995:

INTERNET COPYRIGHT FEARS

Internet users could be breaking the law every time they transfer a file from the global computer network to their own computer, said Ross Johnston, a copyright lawyer of Kensington Swan, speaking at a seminar in Wellington. He said that as well as printing copies or storing them on a computer disk, simply browsing articles on the Internet using a computer screen could be infringing the law. He described the World Wide Web part of the Internet as a giant copying machine.

New Zealand's Copyright Act defines copying to include "storing the work in any medium by any means". When a computer user browses information on the Internet, an electronic copy is temporarily created in the computer's memory. Mr Johnston said a copy did not have to be permanent.

Copyright specialist Ken Moon, of A.J.Park & Son, in Auckland, echoed this view: "I believe that transient copying is an infringement," he said.


User-friendly E-mail systems

<[identity withheld by request]>
Wed, 7 Jun 1995 12:00:10 (xxT)

Our organization has a mail system which permits a "user-friendly" addressing scheme. Mail can be addressed to either a userid or part of a user's full name. If there are multiple users with the same last name, mail to that last name will be bounced, with the bounce message listing the names, departments, and userids of all matching users.

The following [sanitized] message was recently posted by someone in the Payroll department to an internal group for departmental administrators.

I request that all administrators sending me XXX E-mail specifically list my user ID (XXXXX) on the E-mail address. Several E-mail messages addressed to my last name have gone to other XXXX's on the XXX system. Because both my wife and son have E-mail addresses, some of the messages have gone to them. If your request contains specific data relating to an employee, please be sure it is addressed properly. [...]


Re: Ariane-5 test aborted (RISKS-17.16)

Erling Kristiansen <erling@wm.estec.esa.nl>
Wed, 7 Jun 95 08:36:55 +0200

The accident that caused the death of two technicians was not exactly "failure of the main cryogenic motor".

I excerpt from the ESA press release:

I have not seen any announcement of a delay of tests, so I cannot comment on whether, and how, that may be related to the mentioned accident.


Re: Drug Addicted Geniuses Built Cyberspace

Carlton Hogan <carlton@gopher.ccbr.umn.edu>
Mon, 5 Jun 1995 15:20:15 -0500 (CDT)

In RISKS-17.15, Daniel Frankowski comments on the moronic thrill-piece "Cyberstoned", Originally from Boston Magazine, and reprinted in the
Minneapolis Star Tribune. I too noticed this offensive piece of fluff, and sent the following letter to the editor:

To the Editor:

"Cyberstoned", in Monday's opinion section is just the latest attempt to
demonize the Internet for all of Mankind's pre-existent woes. In the last couple of months, people with no great liking or understanding of the net have cited such spectres as kiddie porn, drug dealing, and even the Oklahoma bombing as compelling reasons to dramatically limit the operation of the net, often in a ham-handed manner. Senator James Exon's (D-NE) recently defunct "Digital Decency Act" would have required all Internet providers to read and censor each of millions of messages a day.

Early denizens of the Internet created a benign anarchy, where free speech was it's own best remedy. Ironically, pressure to change the net comes from newcomers, who bought a modem specifically because they heard that there was something new happening on the net. This dynamic reminds me of the process of gentrification, where artists and other fringes types will reclaim urban wasteland. Once the quality of the neighborhood improves, more genteel types move in, and systematically erase all signs of bohemia. Our response to the possibilities offered by the net should not be the neanderthal reflex of killing it because we don't understand it.

Carlton Hogan, Editor, PWAlive

Community Programs for Clinical Research on AIDS Statistical Center, School of Public Health, University of Minnesota, Minneapolis MN 55414 1-612-626-8899


Re: New Yorker Article on The 59-Story Crisis (RISKS-17.16)

<Bob_Frankston@frankston.com>
Mon, 5 Jun 1995 00:33 -0400

I do recommend reading the Citicorp article. The scary part is that this problems were only uncovered by accident. Also, while the idea of a 1 in 700 year event is considered far-fetched, the midwest floods, which partially recurred this year, Mt St Helen's and imply that somewhere, a very unlikely event will occur. And then there's the World Trade Center.

The John Hancock building in Boston, AKA The Plywood Palace, is another example. It got that nickname because its windows were falling out and had to be replaced with plywood. Eventually the problem was solved by simply making the glass a little thicker.

But the problems caused some additional attention to be paid to the building including further wind tunnel testing. The building is a flat rectangle (almost) and designers assured it wouldn't fall over on its short side. The
surprise was that the building was in danger of collapsing on its long axis! Considering the height, it does make sense that the center of gravity can go far out of alignment, at least, in hindsight. The solution was to be put an active damping system at the top -- pioneered in the Citicorp building. The Citicorp article noted that the damping provides stability but not safety since the power supply is a point of vulnerability.

The main lesson is that despite all the writing in this forum about proper procedures, things will go wrong. The question is not so much how to prevent problems but how to respond and recover. Prevention is only an optimization of this process and shouldn't overwhelm the process. A full discussion of this topic is a large topic in its own right, but I'll limit my self to riling the audience in this missive.

As a PS, there was an article in the Sunday New York Times (May 29th) about lawyers descending upon Norplant, a long term contraceptive. The article noted that these are the same lawyers who got rich on Silicone (not to be confused with Silicon!) implants. While the Citicorp article emphasized the exemplary behavior of all those involved, reality, if anything, is becoming more problematic. Responsible behavior is often severely punished. If you take any responsibility, you might be liable for punitive damages. It is better not to investigate an area at all, than to learn of a problem and calculate the tradeoffs of dealing with it. Again, this is another topic which would take too much space to fully address in a short not. I've also got to add that I'm not a lawyer and probably don't look much like one either.


Compuserve addresses and a sparse name-space

Erik Corry <erik@kroete2.freinet.de>
Mon, 5 Jun 95 22:33 MET DST

Don Faatz relates that his boss regularly gets E-mail at his Compuserve account that is destined for somebody else whose account differs by only digit.

This is another case of a namespace not being sparse enough. It is too simple to hit another real Compuserve address by hitting one wrong number. The risk could be reduced with checksum digits like those used for ISBN and credit card numbers. Other small-namespace culprits include the telephone system (especially when used by semi-automated systems like faxes) and some computer languages (changing a random piece of punctuation in a C program has a chance of resulting in a different, valid program. APL is probably much worse.)

To make matters worse, he probably has to pay for the incorrectly sent mail (I have heard this is how Compuserve works, but am not sure).

Erik Corry, Freiburg, Germany, +49 761 406637 erik@kroete2.freinet.de

Europe - Central Air Traffic Control

Mike James <mike@hamble.demon.co.uk>
Mon, 05 Jun 1995 22:15:35 GMT

Here in Europe we have had central Air Traffic Control for a couple of months. A few weeks back , I was on a flight from Preveza (Western Mainland Greece to London Gatwick). First the flight was delayed by an autopilot that refused to permit the flight from London earlier in the day from climbing above 10000 feet (something to do with fuel load trimming), so they had to turn back, and change the 757 for a Lockheed L1011 (impressive landing on short runway - almost aircraft carrier performance, as the runway wasn't really long enough).

Then we sat in the L1011 and waited while the crew tried to:

Contact Athens ATC - couldn't give a slot to take off, as Brussels was uncontactable.
Contact Brussels Central ATC direct by phone - no answer.
Contact London , and get their airline headquarters to phone Brussels - no answer.

So we sat for 3 hours until the crew nearly ran out of hours in charge of the plane, until Brussels ATC came back on line.

Question : What happens if the ATC goes off-line while you are in the air ? How does the system fall back ? Does it go off-line regularly ?

-- Mike James G6IXE

Re: The standard notion of a `field' (Re: Horn, RISKS-17.15)

<ladkin@techfak.uni-bielefeld.de>
Tue, 6 Jun 1995 19:05:05 +0200

Rob Horn's article in RISKS-17.16 misuses the concept of `field'. Horn was talking about commutative rings with unit. The standard definition of `field' trivially entails that a division operation is available. The
integers don't form a field. However, the integers modulo p, for p a prime number, under addition and multiplication, do.

Fields have been studied in mathematics for a long time, well over a century. The standard terminology is at least a half-century old. The definition is given in the following widely available texts: B. van de Waerden, Algebra, a standard reference for a half century and still in print (the oldest reference I could find today is to the 3rd edition in 1950; see p39 of the Springer German edition); S. Lang,
Algebra (3rd edition p93); S. Maclane and G. Birkhoff, Modern Algebra (1967, p133); and T. Hungerford (1973, Springer edition 1980, p116).

Peter Ladkin

Re: The standard notion of a `field'

Robert J Horn <rjh@world.std.com>
Tue, 6 Jun 1995 21:19:34 +0059 (EDT)

Sorry, you're right. Somewhere along the years I did a mental slip. I should have been using the term commutative ring. I've probably left behind a few years of confused people. Actually computer integers are suffer further in that they are not actually a ring either, because there is a maximum value beyond which addition or multiplication fail.

I should not have been using the term finite field, it should have been commutative ring. And my apologies to the readership.

R Horn

Telematic Sculpture 4 (T.S.4)

<ts4@piis10.joanneum.ac.at>
Thu, 07 Jun 95 19:35:55 GMT

A mobile sculpture (length 21,8 meters, weight 1800 kg) by R. Kriesche is physically positioned in the Austrian Pavilion during the Venice Biennale.

T.S.4 is driven by the data flow in the Internet, according to the ratio of the worldwide COMPUTER newsgroups versus worldwide ART newsgroups. According to this relation, T.S.4 is expected to transcross the Austrian pavilion during the time of the biennale and might even break through the wall of the pavilion.

You are invited to become part of T.S.4 by:

Your participation will slow down the movement of T.S.4 and prevent it crashing.
[The risks of such an event are left as an exercise for the reader. PGN]

Privacy Digests

"Peter G. Neumann" <neumann@csl.sri.com>
Wed, 7 Jun 95 12:05:09 PDT

Periodically I remind you of TWO useful digests related to privacy, both of which are siphoning off some of the material that would otherwise appear in RISKS, but which should be read by those of you vitally interested in privacy problems. RISKS will continue to carry general discussions in which risks to privacy are a concern.

There is clearly much potential for overlap between the two digests, although contributions tend not to appear in both places. If you are very short of time and can scan only one, you might want to try the former. If you are interested in ongoing detailed discussions, try the latter. Otherwise, it may well be appropriate for you to read both, depending on the strength of your interests and time available.
PGN

Please report problems with the web pages to the maintainer

Top