The RISKS Digest

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Volume 17 Issue 20

Weds 26 July 1995


o Woman electrocuted using hotel card-key
Karl W. Reinsch
o My Grammar is a Dame?
PGN from The New Yorker
o Pushbutton ignition code blamed for NY City bus theft
George Mannes
o New Pittsburgh Jail
Alan Tignanelli
o Bell Atlantic Goofs
Mich Kabay
o Risks of misreporting risks?
Jeremy Epstein
o No laughing matter: hospital database misuse
Jan Joris Vereijken
o Automated performance reviews
Geoff Kuenning
o Runaway E-Mail
Mich Kabay
o Two Short-Courses on Software Engineering
Dave Parnas
o ISOC Symposium on Network and Distributed System Security
Clifford Neuman
o Info on RISKS (comp.risks), contributions, subscriptions, FTP, etc.

Woman electrocuted using hotel card-key

"Karl W. Reinsch" <>
Sat, 8 Jul 1995 00:25:34 -0400 (EDT)

The Washington Post on Tuesday, 27 June 1995, tells of an 18-year-old Cincinnati woman who was electrocuted Friday at a New Carrollton hotel. Police said that she was barefoot, wet, and standing on wet concrete. The door was apparently charged with electricity from a faulty air-conditioning unit in the wall near the door. An electrical engineer inspected the room. Police spokesman Sgt. Rick Morris said, ``They found a faulty air conditioner emitting some sort of electric charge, and the charge was transcending to the door." Steiner Oftgard, vice president of VingGuard, the manufacturer of the door lock, says the system uses only 9 volts, which is supplied by six 1 1/2-volt batteries. Anthony G. Marshall, who writes the ``At Your Risk" column for Hotel and Motel Management magazine, said, ``This has to be right out of 'Believe It or Not'." The hotel removed all guests from rooms that open directly outside, pending further investigation.

I'm sure there are plenty of risks to discuss. I don't think this happened with old-fashioned door locks. I also can't decide if Sgt. Morris really said that, or if some "intelligent" software made a substitution.

Karl Reinsch

My Grammar is a Dame?

"Peter G. Neumann" <>
Tue, 25 Jul 95 8:28:57 PDT

_The New Yorker_ issue of 10 Jul 1995 has a cute squib on page 33, quoting the output from the grammar checker in Microsoft Word for Windows in response to the sentence, "I graduated from the University of Notre Dame."

Sexist expression. Avoid using Dame except as a British title.

TNY's traditional retort was quite worthy:

They don't call them P.C.s for nothing.

Pushbutton ignition code blamed for NY City bus theft

George Mannes <>
13 Jul 95 16:53:10 EDT

According to an article by Garry Pierre-Pierre in the July 8, 1995, New York Times (p.23), two unidentified youths stole a parked 38,000-pound, 40-foot NYC bus and took it on a six-block joyride, colliding with seven cars and smashing the bus into a subway station entrance. The bus, which cost the city $235,000, suffered "extensive damages." The bus was vulnerable, the article says, because it was parked on the street in front of the depot in which it was supposed to be parked. In the article, a Transit Authority spokesman theorizes that the thieves pried open the bus door and pushed a sequence of buttons necessary to start the bus; the vehicle needs no ignition key. "It's not top-secret information," the spokesman is quoted saying about the ignition code. "It's certainly information that can be obtained from watching operators start the buses." As a New York City taxpayer, resident and vulnerable pedestrian, I'm somewhat concerned when a T.A. spokesman admits that the ignition code is an open secret. Several questions come to mind. How many city buses use pushbutton ignition and not a key? To make it easier on drivers, do all the pushbutton buses use the same code? Are the codes changeable? How often, if ever, does the T.A. change them? Who decided that buttons were better than keys? The article notes that the bus was built in 1994 and is among the newest in the city's fleet. So much for progress.

George Mannes

New Pittsburgh Jail

Alan Tignanelli <>
03 Jul 95 09:06:47 EDT

Summarized from the Pittsburgh Post-Gazette, July 2, 1995 (Direct quotes from the article are in [ ]):

The new jail in Pittsburgh took 2 and a half years and $147 million to build, and has been open since early May. But, there are apparently tons of problems with the new facility, including:

  1. Dozens of computer terminals that are unusable because, while the data jacks were connected and wired, nobody bothered to put electrical outlets in.
  2. A computer system to track inmate information is still off-line for two reasons. One, the software is from a Canadian company and is not formatted to the American justice system (whatever that means - AT). Two, nobody has been trained on how to use the system.
  3. Guards carry an electronic personal alarm. These alarms are supposed to send out signals when there is a security problem, but are prone to false alarms. [A few weeks ago, one of the personal alarms accidentally went off and almost every light and audio alarm on the nuclear sub-like control panel lit up, said Bruce Helt, a guard who is the union vice president. As a result, there was no way to locate where the crisis would have been if the alarm had been a real emergency, he said.] In another incident with these alarms, a female guard had to work an entire shift last week without an alarm because her battery went dead and there were no spares.
  4. There was another electrical malfunction which left jail employees unable to unlock the doors to three pods, leaving one guard isolated with 56 inmates in each pod. (According to a TV report, the malfunction not only locked the guards in, but the cells were left _unlocked_!) The president of the jail guards' union, John Pastor, said ["Fortunately, there was no type of altercation. But if there had been, we couldn't have gotten help to anybody."] The malfunction lasted about two hours and knocked out the air circulation system on half of the second floor.
  5. [The ventilation system occasionally shuts off for no apparent reason.]
  6. [The fire alarms go off at all hours for no apparent reason.] (I guess that means there's a faulty switch somewhere, but they haven't been able to figure out how to find it.)
  7. The employee elevator in the high-rise jail only works sporadically.
  8. [In an emergency, guards could use the pod phones to dial 911. But it wouldn't do them any good. The outside lines to each pod have been disconnected. In fact, jail officials mistakenly had the phone company block all but a few phones from being able to place or receive outside calls] said Allegheny county Director of Criminal Justice Bob Coll.

Perhaps the most incredible quote of the entire article was attributed to James J. Gregg, Jr., the deputy warden for operations. He said ["Everything is working as scheduled."] (Who the hell approved that schedule????- AT)

The guards' union president attributed some of the problems to political maneuvering. He charged that County Commissioners Tom Forester and Pete Flaherty rushed the new facility into at least partial use two months early to show they were tough on crime. Incidentally, they were both defeated in the Democratic primary.

I don't think the risks need to be pointed out. I'm certainly glad I'm not a guard in this place. Fortunately, I don't know of any friends or relatives who are guards there either. It always makes me shake my head in wonderment when I see a project finish up like this. Makes you wonder who supervises this stuff.

Alan Tignanelli

Bell Atlantic Goofs

"Mich Kabay [NCSA Sys_Op]" <>
25 Jul 95 05:50:56 EDT

From the Washington Post news wire via CompuServe's Executive News Service, 25 July 1995:

Three Little Digits, One Big Goof; Bell Atlantic Errs in Telling N.Va. Residents of New Area Code

By Mike Mills
Washington Post Staff Writer

Sorry, wrong number.

In a gaffe that would give any public relations manager intestinal trouble, Bell Atlantic Corp. late last week sent notices to 388,000 Northern Virginia homes and businesses, telling them that their 703 area code would soon be changed to 540.

"Welcome to 540 Country, from Bell Atlantic" read the cheerful notices, which included little stickers for people to place on their phones as a helpful reminder of the impending change.

The problem is, they told the wrong people.

It seems the Bell Atlantic staff should have sent the notices to the more westerly region of VA. A company spokesperson blamed a programming error for the $100,000 blunder. The writer defines the correct area as follows:

The real boundaries of the new 540 area code stretch from the southwestern tip of Virginia northeast along both sides of the Blue Ridge to the Potomac River and east to Fredericksburg. Prince William County — which is served by GTE Corp. and did not receive the mailing — remains in 703, as do eastern Loudoun County and Leesburg; western Loudoun County and Stafford County join Fredericksburg in the new 540 area. Leesburg also had been originally included, but the map was modified to exclude the town after many residents complained that they wanted to remain in the 703 code.

The article mentions gleefully that Bell Atlantic could have done worse; after all, AT&T recently used the number of a sex-line instead of its own toll-free information line.

[Comment by MK: Another illustration of why quality assurance is needed in everything. Also an example of the tendency to blame the I.T. staff: "programming error" indeed! I wonder how many people approved this farce before the mail got out the door?]

M.E.Kabay,Ph.D. / Dir. Education, Natl Computer Security Assn (Carlisle, PA)

Risks of misreporting risks?

Jeremy Epstein -C2 PROJECT <>
Tue, 27 Jun 1995 11:34:51 -0400

The Washington Post Monday business section has a regular "shorts" called "Digital Flubs", in which they report on interesting goofs. Many of them appear to be culled (without attribution) from RISKS.

The June 26 edition reads as follows: A piece of security software widely used on computer networks has a hole in it. [CERT] said it has distributed instructions on how to correct the problem in FreeBSD, a program created by a software engineer in the Netherlands. In some circumstances, the hole lets people tapping into a computer see and alter information that should be off-limits to them. FreeBSD is an "enhancement" to S/Key, a program that controls password access to networked computers. S/Key itself does not have the problem.

I'm not sure what this is actually trying to say, but whatever it is, it's wrong. FreeBSD is an operating system, not security software or an enhancement to S/Key. FreeBSD wasn't developed by an engineer in the Netherlands, although it's possible that S/Key was ported to FreeBSD by some such person.

The risk is that someone might read this, think it actually describes a weakness, and mistakenly take action (or not take action) without knowing that the article is confused.

No laughing matter: hospital database misuse

Jan Joris Vereijken <>
Tue, 27 Jun 1995 11:28:47 +0200 (MET DST)

The 13-year-old daughter of a hospital records clerk in Jacksonville, Fla., used her mother's computer during an office visit and printed out names and numbers of patients previously treated in the hospital's emergency room. According to police, she then telephoned seven people and falsely told them that they were infected by the HIV virus. One person attempted suicide after the call. Upon arrest, the girl told police the calls were just a prank.

Source: _Communications of the ACM_, Volume 38, Number 5, May 1995.

Automated performance reviews

Geoff Kuenning <geoff@ficus.CS.UCLA.EDU>
Wed, 28 Jun 1995 10:10:25 -0700

An article by Richard O'Reilly in the business section of the June 28, 1995, Los Angeles Times describes and evaluates two products intended to help managers write performance reviews of their employees, Performance Now! from Knowledge-Point and Employee Appraiser from Austin-Hayne Corp. Given the time spent on this task in the typical company, and its (non-)popularity among managers, I am sure that both products will quickly find a marketplace niche. But I am very concerned about the RISKS of hype and legal liability.

The article describes both products as being expert systems, but to me they sound more like a collection of canned phrases and paragraphs with a little bit of software to select them. Each product asks you to numerically rate the employee in a number of different categories, then suggests an evaluation paragraph. Convenient menu buttons allow you to "tune" the paragraph by making it slightly more negative or positive. Both products allow post-customization of the text. Performance Now! will also combine some categories into a single paragraph when they are related. It also warns you when you give a negative review, so that you can add supporting material.

This is bad enough, with its tendency to encourage lazy managers to give an employee exactly the same review, word for word, in successive years. But much more worrisome are the extended features offered by the two programs. Performance Now! will combine all the numerical categories into an overall 1-through-5 rating of the employee, with no chance for the manager to specify which categories are more important for that particular job. This is a classic example of using computers to dehumanize underlings. Employee Appraiser skips this feature, but instead invents evaluations out of whole cloth. For example, according to O'Reilly:

If you choose "generally understands job," the program proposes an evaluation that says, "You generally understand the duties and responsibilities of the job. As a result, you are often able to act on your own initiative."

As O'Reilly notes, the manager has not given the program any indication that the employee has initiative, and the manager must remember to remove this sentence if it is false. One can well imagine the glowing review that might be given Beetle Bailey by this software!

To be fair to these programs, I am sure that many savvy managers already have canned paragraphs stored in their word processors to ease the task of writing reviews. In that sense, these programs are probably an advance, because they can integrate multiple factors into their prepackaged writing. (Besides, one can at least hope that they will use good English!) But RISKS readers will be most unhappy about Performance Now!'s attempt to squash all of this information into a 1-5 numerical rating, and about Employee Appraiser's tendency to insert things that managers never intended to say. Especially with the latter, I predict that a wrongful-discharge suit a few years from now will be quoting a glowing automatically-written performance review that a manager never intended to be so positive.

Geoff Kuenning

Runaway E-Mail

"Mich Kabay [NCSA Sys_Op]" <>
13 Jul 95 02:50:52 EDT

From the Associated Press news wire via CompuServe's Executive News Service:

Pilot-Electronic Mail

WASHINGTON (AP, 11 July 1995) — To the embarrassment of the Pentagon, a detailed account of the June rescue of Capt. Scott O'Grady in Bosnia — sprinkled with salty language and a dig at the United Nations — found its way onto the global Internet computer network. It was written by Air Force Capt. Scott Zobrist, an F-16 pilot based with O'Grady at Aviano, Italy, just hours after O'Grady's rescue by Marines. Zobrist was flying an F-16 on the periphery of the operation; he listened in on the rescue team's conversations and tape-recorded them.

The article explains that Zobrist sent his personal thoughts on the events to friends, and ZOT! it ended up in wide distribution through AOL. DoD officials were embarrassed by Zobrist's language and hostility to the Bosnian Serb forces. However, there was apparently no classified information at all in the document.

This incident _could_ have happened if Zobrist had sent printed messages to his friends, but it might have taken longer to spread the photocopies of photocopies of photocopies to an audience of millions.

Anyone sending any information that should remain moderately confidential should include a warning in their message so that the author's intentions can be clear to all; e.g., "Please do not copy this message to anyone else and do not post it publicly." This, too, would not prevent the information from going out of control, but it might slow down the explosion of copies.

The following section of the article was particularly interesting:

A separate question for the Pentagon is whether it can control the spread of sensitive or embarrassing military information on the Internet computer network.

"We need to either control it ourselves or figure out some way to control it," Brig. Gen. Ron Sconyers told the Detroit Free Press, which reported on the case in Tuesday's editions. "It's growing faster than we can keep up with."

The Internet originated in ARPANET, funded by the Defense Advanced Research Projects Agency 30 years ago. Maybe the piper wants to start calling the tune again.

M.E.Kabay,Ph.D. / Dir. Education, Natl Computer Security Assn (Carlisle, PA)

Two Short-Courses on Software Engineering

Dave Parnas <parnas@triose.crl.McMaster.CA>
Mon, 3 Jul 95 21:47:34 EDT

McMaster University Faculty of Engineering presents Two Short-Courses on Software Engineering

August 8-12, 1995

August 15-17, 1995

instructed by
Prof. David L. Parnas
Department of Electrical and Computer Engineering

McMaster University's Faculty of Engineering is pleased to present two courses on Software Engineering. "Inspecting Critical Software" was presented last summer and was well received by all who attended. "Software Development: An Engineering Approach", a course previously taught on-site at several development organizations, provides a broader, more basic, introduction to software design principles and will be useful for those developing software that does not require critical inspection. It is aimed at engineers who want to know how to design software well.

Inquiries should be directed to

Jan Arsenault
McMaster University
Phone: (905) 525-9140, ext. 24910
Fax: (905) 577-9099

[Dave is one of the earliest contributors to RISKS, and internationally known for his work in software engineering. He pioneered many concepts of modularity, information hiding, object orientation, etc. This is a rare opportunity for any of you seriously interested in software engineering, system design, and critical software.

The full course information is also available for FTP in the UNIX.SRI.COM risks ftp directory, as risks-17.parnas . PGN]

ISOC Symposium on Network and Distributed System Security--Second CFP

Clifford Neuman <bcn@ISI.EDU>
Wed, 19 Jul 1995 07:05:37 -0700

Submission deadline is 14 August

The Internet Society Symposium on Network and Distributed System Security

February 22-23, 1996
San Diego Princess Resort, San Diego, California

GOAL: The symposium will bring together people who are building hardware and software to provide network and distributed system security services. The symposium is intended for those interested in the practical aspects of network and distributed system security, focusing on actual system design and implementation, rather than theory. We hope to foster the exchange of technical information that will encourage and enable the Internet community to apply, deploy, and advance the state of available security technology. Symposium proceedings will be published by the IEEE Computer Society Press. Topics for the symposium include, but are not limited to, the following:

Jim Ellis, CERT Coordination Center

David Balenson, Trusted Information Systems
Clifford Neuman, USC Information Sciences Institute

Thomas Hutton, San Diego Supercomputer Center

Steve Welke, Institute for Defense Analyses

Donna Leggett, Internet Society

PROGRAM COMMITTEE: [deleted for space]

SUBMISSIONS: The committee invites technical papers and panel proposals for topics of technical and general interest. Technical papers should be 10-20 pages in length. Panel proposals should be two pages and should describe the topic, identify the panel chair, explain the format of the panel, and list three to four potential panelists. Technical papers will appear in the proceedings. A description of each panel will appear in the proceedings, and may, at the discretion of the panel chair, include written position statements from each panelist.

Deadline for paper submission: August 14, 1995

Submissions must be received by 14 August 1995. Submissions should be made via electronic mail. Submissions may be in either of two formats: PostScript or ASCII. If the committee is unable to print a PostScript submission, it will be returned and hardcopy requested. Therefore, PostScript submissions should arrive well before 14 August. If electronic submission is difficult, submissions should be sent via postal mail.

All submissions and program related correspondence (only) should be directed to the program chair:

Clifford Neuman
University of Southern California
Information Sciences Institute
4676 Admiralty Way
Marina del Rey, California 90292-6695
Phone: +1 (310) 822-1511
FAX: +1 (310) 823-6714

Dates, final call for papers, advance program, and registration information will be made available at the URL:

[Contact Clifford for further info. This is a shortened announcement. PGN]
