The RISKS Digest

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Volume 18 Issue 44

Thurs 12 September 1996


o GAO criticizes White House database controls
o Galileo Glitch
    Peter Ladkin
o Recent KAL 007 discussion
    Peter Ladkin
o Keeping Your Mouth Open: re: F-15 shootdown
    Peter Ladkin
o Removal from Lexis' Ptrax database
    Betsy P
o Encryption's debate-chilling effect on universities?
    Lance J. Hoffman
o Re: Hidden file info that you do not know about
    Edward Reid
o Fax machines that tell too much
    Christopher J. Bell
o Unsolicited e-mail == unsolicited faxes ?
    Edward N Kittlitz
o "Free Speech" == "Free Speech" ?
    Barry Jaspan
o Re: AOL curbs incoming spams
    Stanton McCandlish
    David Allen
    Dave Porter
o Re: RISK: Dangerous core dumps
    Matthew Hunt
o Update 3 on GPS battery explosion
    David Kennedy
o Info on RISKS (comp.risks)

GAO criticizes White House database controls

"Peter G. Neumann" <>
Wed, 11 Sep 96 14:38:49 PDT
The White House maintains a database of some 20,000 people, which is used for
sending greeting cards at Thanksgiving and Christmas, invitations to WH
events, and other purposes.  The GAO has criticized this database for its
inadequate safeguards relating to access controls and lack of audit trails
-- making usage monitoring very difficult.  Apparently 150 White House
employees have authorized access, although only 25 are regular users.
[Source: *San Francisco Chronicle*, p.A2, 11 Sep 1996]

  [I presume the White House staff puts in a few bogus addresses
  so that they can tell when and how it is being used.  I suppose
  they now also need to worry about a Dick Morris Worm attack.  PGN]

Galileo Glitch

Peter Ladkin <ladkin@TechFak.Uni-Bielefeld.DE>
Thu, 12 Sep 1996 16:27:31 +0200
In `Galileo team Wrestles To Keep Second Flyby', Aviation Week and Space
Technology, 2 Sep 1996, p56, Michael A. Dornheim reports that `The Galileo
orbiter went into "safe" mode on 24 Aug because of a computer error [..]
Controllers began sending commands [to restore full operation] on 28 Aug,
and the spacecraft and its computer were operating normally again on 29 Aug.
[..] The error occurred in a CDS-A processor [..] some [..] data compression
software had taken too long to execute, which shut all of CDS-A down.  [..]
Galileo then automatically entered the safe mode, which put CDS-B in charge
and suspended all but basic engineering activities.  [..] The cause of the
error was not clear [at the time of reporting] [..] Galileo was resending a
[Ganymede] image when the problem occurred [..] There are several pieces of
data on the [..] recorder that have not been sent yet, and they will be
overwritten by the second flyby.'

Peter Ladkin

Recent KAL 007 discussion (Re: RISKS-18.42)

Peter Ladkin <ladkin@TechFak.Uni-Bielefeld.DE>
Thu, 12 Sep 1996 16:24:11 +0200
Prompted by a query from a colleague, I searched for "KAL 007" on Altavista
to see what recent information had appeared on this major world incident.
In this note, I report sources and views of others and add some comments of
my own.  I am not specifically endorsing any view or assertion here of *what
happened* during the incident or its aftermath.

Lt. Col. (retd.) Lester W. Grau, of the Foreign Military Studies
Office, Ft. Leavenworth, KN, reviews a book on US-USSR relations
from 1983-1990 by Don Oberndorfer, a diplomatic correspondent for the
WP from 1976, at
Grau says that `Izvestia conducted a further investigation
of the KAL 007 aircraft downing [..] Mr. Oberndorfer apparently has not
read it since his book continues the Soviet myth about warning shots
being fired in front of the passenger plane.'

The Izvestia article has been translated by Roy F. Cochrun and is
available as a zip file at
The translation as well as the Izvestia original is contained in a
number of files.  (I got this URL from the last line of
of which the main contents are a couple of messages from rec.aviation.military
that do not seem to contain definitive information.)

A short summary and endorsement of R.W.Johnson, Shootdown: Flight 007 and
the American Connection, Penguin, 1987, is at
Johnson was a young politics Don at Magdalen College, Oxford (where I was in
the early 70's).  He basically read all the NYT and WP reports concerning the
incident and aftermath to piece together a coherent story of who knew what
and when in the US executive after the shootdown.  The references alone form
an essential bibliography for political scholars.  I was impressed ten years
ago both by his method, and that there was a newspaper which really did
contain so much useful information on a regular basis.  But I was so much
younger then.....
is a review by Jacob Levich of Incident at Sakhalin: The True Mission of KAL
Flight 007, a recent book by Michel Brun (Four Walls Eight Windows press).
Levich says Brun claims that KAL 007 was still airborne 46 minutes after the
`officially accepted' shootdown time, and crashed several hundred miles to
the south of Sakhalin, not where it was reported to have crashed.  `[..] its
destruction was not the result of a single botched encounter with Soviet
fighters, but part of a two-hour air battle in which at least nine U.S.
military planes were shot down; the subsequent cover-up required the covert
collaboration of at least four national governments.'  Levich thinks this is
`firmly grounded in reality' and `accounts for more of the known facts than
any "simple" explanation offered so far'.  Based only on the above quote,
one could really doubt it.

However, a much more sober and thorough review of Brun's book appears at
Edward R. Chase is former Editor-in-Chief of NYT Books and senior editor at
Scribner, and was approached by Brun initially to see if there was interest.
Chase introduced Brun to Richard Witkin, former NYT aviation editor, and
David Pearson, author of KAL 007: The Cover-up.  Chase, via Pearson, put
Brun in touch with John Keppel, a retired Foreign Service officer, who
collaborated with Brun.  According to Chase, Brun's thesis was that KAL007
was a decoy posing as an innocent off-course flight, but was intending to
cause the Soviet radars to light up.  Such a thesis, I seem to remember, was
proposed also by Pearson in a series of articles in The Nation and in his
book.  Brun's assertion of an air battle is new.  Chase says: `Brun's book
largely demolishes the U.S. propaganda line.  Yet it is impossible for me to
agree with all its conclusions.  Although I respect his and John Keppel's
intent, admire their industry, their skills, and their tenacity, I feel that
their work could mislead the public by positing a conspiracy theory that is
not credible in key particulars.'

Chase continues: `Brun's book makes very onerous reading for the layman.  To
follow his meticulous analysis of navigational and minute time discrepancies
among the various transcripts and reports is a daunting task, rivaling in
difficulty interpretations of texts by Kant or Derrida.  However, his
argument does demolish the official single-intrusion, single-deception,
single-shootdown theory.  [..] The two black boxes Yeltsin submitted as from
KAL 007 in late 1992 and early 1993 are passing strange, apparently phonies,
says Brun [..]  Brun's proof of the falsity of these black boxes is one of
the compelling sections of his argument.  [...]  the evidence Brun uses to
demonstrate that [the] air battle occurred is all circumstantial,
painstakingly argued, but, for me and for experts I have queried,
unconvincing to say the least.  Nor do Brun and Keppel ever clarify the
connection between the KAL 007 flight and the intrusion of U.S. military
planes around the same time and place.

One wishes Brun and Keppel had confined their charge to the persuasive facts
they elicit that there was a deliberate intrusion of breathtaking
recklessness and stupidity that has been lied about ever since, and that the
episode demands full, truthful disclosure.'

Chase also reviews: `Another recent book, Warriors of Disinformation by
Alvin A. Snyder, an excellent work highly praised by Mike Wallace and Marvin
Kalb among others, powerfully supports Brun's charge of government lying in
the KAL 007 disaster.  [..] Snyder is the official who organised and
presented the T.V. account of the shootdown of KAL 007 at the United Nations
and then the world, using tape recordings of the Soviet fighter pilot's
radio transmissions [..] What Snyder reveals is that the tapes were
doctored.  [..] Snyder reports that the full transcripts of the tapes show
that, contrary to the U.S. allegations at the U.N., the Soviet pilot did
fire warning shots, did circle 007 to get its attention, and tilted its
wings to force the plane down, after being asked repeatedly by his ground
controllers to do so.  The Soviets never realised that the airliner was a
commercial plane.  [..] He also labels as a whopper the lie by U.N.
Ambassador Jeanne Kirkpatrick that at no point did the [Soviet] pilots raise
the question of the identity of the target aircraft.  Snyder's whole book is
first-rate, and his integrity comes across as unquestioned.'

Chase hopes that Brun's book will trigger Congressional hearings, else we'll
have to wait until 2008, when the classified documents will be disclosed.

I object to Chase lumping Derrida with Kant.  But that of course has nothing
to do with KAL 007.

In summary, Pearson and Brun seem to agree on the agent provocateur
interpretation.  Seymour Hersh's idea was an innocent INS missetting in
Alaska (plus a lot of consequent coincidences), but I recall he also
documented that parts of the USAF knew it had been an accident when it
happened, contrasting unfavorably with what Kirkpatrick asserted at the UN.
Johnson agrees with this, as far as I remember, and assembles circumstantial
evidence that this was known at higher levels.  Snyder confirms this
interpretation. (I have not read the ICAO report, nor did I find WWW info on
it.)  Roll on 2008.  Or write to your Congressperson.  And let us all hope
that nothing like this incident ever happens again.

Peter Ladkin

Keeping Your Mouth Open: re: F-15 shootdown (Mills, RISKS-18.42)

Peter Ladkin <ladkin@TechFak.Uni-Bielefeld.DE>
Thu, 12 Sep 1996 16:26:42 +0200
I sympathise with Dick Mills's (RISKS-18.42) desire to try to keep
inaccurate information on airplane crashes out of the public domain.  Robert
Dorsett (RISKS-18.43) notes that public discussion is a given, and that even
inaccurate discussion can be beneficial.  To control disinformation, Mills
proposes that people should keep silent until the final accident report is
published.  I don't see how that could help, and I do think it would hinder.

First, the NTSB itself does not follow that procedure.  It issues documents
at regular intervals.  There are frequent press releases, and various
information such as CVR transcripts is available before the docket is
released.  When the docket is complete, it is generally released to the
public.  This is usually many months before the final report appears.  For
example, the public docket for the AA965 accident near Buga, Colombia on 20
Dec 1995 was released on 16 Apr 1996.  I quote: `The enclosed material
contains: factual reports only; no conclusions; no determinations of
probable cause.  Analysis of the accident will occur at a later date.'
(Punctuation mine).

Second, any NTSB information may be considered definitive, as may
information from many other accident investigation boards.  Such authorities
do not `speculate'.  Valid conclusions may be drawn from this definitive
information.  A *valid* conclusion cannot be negated by further information,
so there is little chance that this will contribute to spreading

Third, the most common source of invalid conclusions is some sort of
`closed-world assumption' (as the logic programmers would call it).  That
is, assuming that the information one has is *all* the relevant information.
For instance, knowing the AA965 pilots didn't know where they were and
drawing the conclusion that that was the sole cause of the accident.  That
is, of course, mistaken reasoning.  Better reasoning is to accept that this
is one of probably many causal factors and expect others to be discovered.
Discussion of the accident on that basis is not inappropriate.

At some point, a closed-world assumption must be made (we usually don't
consider gremlins hammering bits off the wing as potential causes, pace The
Twilight Zone).  Such assumptions can be made explicit in any reasoning, as
they should be in final accident reports.  One should also not forget that
much `far-out' speculation bases itself on *not making* the closed-world
assumption that others have made (most conspiracy theories, for example).

Fourth, `peer review', that is, earnest discussion amongst interested
people with various sorts of competence, including dissident opinions,
is an accepted method of improving knowledge, both in academia and outside,
in many societies.  Consider it a psychological or social fact if you will,
but it's a fact nonetheless.

Fifth, accident investigation boards are necessarily composed of a small
number of the available experts in the field.  I don't see any reason why
other competents should be enjoined to keep quiet if there are things to
say.  In particular, journalists are in general not technical experts and
newspaper reports *will* appear that require discussion - and all too often,
it seems, refutation.  I don't see why, for example, a timely comment which
includes such a refutation should wait until after an accident report.

Sixth, there are various interested parties (airplane manufacturers,
airlines, pilot associations, air traffic control authorities, other
government authorities) who have sensitivities that may conflict with a
dispassionate explanation of the accident.  Airlines must keep public
confidence to continue in business.  Pilots and air traffic controllers are
sensitive to their statutory responsibility, and pilot unions may feel that
they are thereby subject to disproportionate blame.  Regulatory agencies may be
pressured by executive and regulatory branches of government, who can react
precipitously to the public's precipitous reaction.  Manufacturers are keen
that the design and construction of their airplanes cannot be faulted.
These alternative goals may skew views of accident causes.  I should have
thought that careful public discussion should be welcomed from those with
some competence and no other goal than to try to clarify what happened.

Peter Ladkin

Removal from Lexis' Ptrax database (Re: RISKS-18.43)

Wed, 11 Sep 1996 16:28:42 -0400 (EDT)
Spurred by RISKS-18.43, I called Lexis's 800 number to request removal from
the Ptrax database.  I had to spend about 15 minutes on hold to do so; while
I was on hold, a sweet-voiced recording assured me [PGN has inserted here the
direct quote, provided by mwexler@Adobe.COM (Mike Wexler):]

    The Ptrax database contains publicly available information.
    It does not contain any private institution information such as
    credit card numbers, bank account information or mother's maiden
    names of individuals.  You can not view social security numbers.

When I reached a human being and explained that I wanted to be removed,
guess what was the only information he requested?

All those who said "Your Social Security number" get a prize.  Whether or
not the SSN is hidden, it seems to be a primary key as far as Lexis is
concerned.  The SSN is both necessary and sufficient; Lexis makes no attempt
to verify that the person calling actually owns the Social Security number.
The RISKS, alas, are obvious to everybody except our friends in the database

  [REMARK: The SSN information is actually in the database; a given SSN
  can be used in queries, but SSNs allegedly cannot be retrieved.  PGN]

  [The 800-number message was reported and commented on variously by
    mwexler@Adobe.COM (Mike Wexler), (Art Delano)
      (although Art was asked for his name, but not his full name!),
    Jim Babka <>.

Encryption's debate-chilling effect on universities?

"Lance J. Hoffman" <>
Tue, 10 Sep 1996 20:06:58 -0400
  [Lance sent me a long copyrighted article that could be of
  possible interest to some of you.  I omit all of the article.  PGN]

    Copyright (c) 1996 by The Chronicle of Higher Education, Inc.
    Title: Internet Users Irked by U.S. Restrictions on Encryption:
      They think the rules compromise academic freedom
      and hinder efforts to combat on-line forgery
    Author: David L. Wilson
    Publication date: 13 Sep 1996
    Source: The Chronicle of Higher Education
    Section: Information Technology
    Page: A27

Re: Hidden file info that you do not know about (McElhearn, R 18-41)

Edward Reid <>
Thu, 12 Sep 96 11:24:40 -0400
> ... you can save a document under Word which includes previous versions.
>        [I think this problem has appeared previously in RISKS.  PGN]

Several times I think ... but the misunderstanding persists.

When Word does a "normal" save with minor changes, it does not rewrite the
entire document.  Instead, it simply appends the changes and whatever
information it requires to place them in the document.  When working with
large documents, especially on slower computers and disks, this makes an
enormous difference in the time required to save a file -- a couple of
seconds vs half a minute, for example.  And since these same small computers
adhere to the "save often or lose it" user-hostile paradigm, a faster save
means fewer unhappy users.

The result is that interpreting a raw dump of a Word file can be quite
difficult, and that many third-party programs that read other word processor
files cannot read Word files unless you first do a "slow save".  Also,
deleted text may at times appear in the raw dump.  This is mostly
unpredictable, and does not consist of a "previous version" being included
in the file.

Edward Reid
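
The append-on-save behaviour described in the message above, as an added example that is not part of the original post. It is a simplified piece-table model (an assumption of this example, not Word's actual file format); the class name, the `#PIECES` trailer and the sample text are constructed for illustration.

```python
import json


class PieceDoc:
    """Toy document: an append-only byte store plus a table of live pieces."""

    def __init__(self, text=""):
        self.store = bytearray(text.encode("ascii"))
        self.pieces = [(0, len(self.store))] if text else []

    def _split(self, pos):
        """Make a piece boundary at visible offset pos; return its index."""
        seen = 0
        for i, (off, length) in enumerate(self.pieces):
            if pos == seen:
                return i
            if pos < seen + length:
                cut = pos - seen
                self.pieces[i:i + 1] = [(off, cut), (off + cut, length - cut)]
                return i + 1
            seen += length
        if pos == seen:
            return len(self.pieces)
        raise IndexError(pos)

    def insert(self, pos, text):
        data = text.encode("ascii")
        i = self._split(pos)
        # New text is appended to the store; only the table is rearranged.
        self.pieces.insert(i, (len(self.store), len(data)))
        self.store += data

    def delete(self, pos, length):
        start = self._split(pos)
        end = self._split(pos + length)
        # The deleted bytes are dropped from the table but stay in the store.
        del self.pieces[start:end]

    def text(self):
        return b"".join(bytes(self.store[o:o + n])
                        for o, n in self.pieces).decode("ascii")

    def fast_save(self):
        """Incremental save: whole store (dead bytes included) plus table."""
        return bytes(self.store) + b"\n#PIECES " + json.dumps(self.pieces).encode()

    def full_save(self):
        """'Slow save': rewrite only the live text as a single piece."""
        live = self.text().encode("ascii")
        return live + b"\n#PIECES " + json.dumps([[0, len(live)]]).encode()


def demo():
    """Edit a constructed sample and report what each save format exposes."""
    doc = PieceDoc("Offer: 50000 USD. Regards, A.")
    doc.delete(7, 5)            # remove "50000"
    doc.insert(7, "42000")      # type the replacement
    removed = b"50000"
    return doc.text(), removed in doc.fast_save(), removed in doc.full_save()


if __name__ == "__main__":
    print(demo())
```

A raw dump of the incremental save still contains the removed figure even though the visible text does not; the full rewrite does not.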

Fax machines that tell too much

"Christopher J. Bell" <>
Thu, 12 Sep 1996 11:26:32 -0400 (EDT)
I was recently the recipient of a large number of faxes from potential job
applicants.  Many of the applicants were students and as such used
university department fax machines where, presumably, they were required to
use their own calling cards to make the long distance call.

In a number of cases, the originating fax machine had an automatic field
displayed at the top of each page showing the number called.  Presented to
me quite clearly was a large number of calling card numbers with each user's
PIN.  Not only is this information displayed to the recipient, but the
sender likely has no idea it's being made available.

Christopher J. Bell  Pivot Computing

Unsolicited e-mail == Unsolicited faxes ?

Edward N Kittlitz <>
Thu, 12 Sep 1996 11:50:29 -0400 (EDT)
According to my rusty memory and 2 minutes of Altavista searching, there is
a U.S. Telephone Consumer Protection Act of 1991 which requires: 1)
identification of the sender at the top or bottom of the first transmitted
page; 2) that unsolicited advertisements shall not be sent without
invitation (which can implicitly be based upon the existence of a business

If this Act is not unconstitutional, then it seems that the same type of law
can be written regarding e-mail.  The motivation is the same: 1) senders
should be identified, not allowed to roam ISPs anonymously; 2) the receiver
is paying for the cost of the advertisement, both in real terms (paper or
message charges) and lost opportunity to receive desired items
(out-of-paper, busy phone, mailbox size limits, time required to download
junk e-mail which could have been spent looking for online smut or even
online shopping at a competitor's web page).

"Free Speech" == "Free Speech" ? (Herr, RISKS-18.43)

"Barry Jaspan" <bjaspan@MIT.EDU>
Wed, 11 Sep 1996 18:08:58 -0400
After reading Fred Herr's statement,

> The judge's injunction ... seemed to rest on a comparison of free speech
> expressed via the USPS as against free speech expressed via on line
> message services, with the assumption, ... that there is no essential
> difference.

I had an interesting thought.  Won't it be interesting if the US government
(via its combined legislative and judicial authority) declares that
"guarantee of free speech" applies to commercial advertisements at the cost
of the unwilling recipient but does not apply to non-commercial but
"indecent" communications among consenting adults?

Somehow, such an outcome does not seem even the slightest bit improbable to
me; "inevitable" seems more like it.  How depressing.

Barry Jaspan

Re: AOL curbs incoming spams (Giles, RISKS 18.42)

Stanton McCandlish <>
Wed, 11 Sep 1996 13:03:41 -0700 (PDT)
None of that may ever come up. There is already a large pile of case law
destroying the notion that First Amendment rights can be cost-shifted.  No
one owes you a printing press, you cannot send junkmail and expect it to be
delivered postage due, and you can't junkfax people.  Spamming cost-shifts
most or all of the expense of advertising on the receiver.  There's no First
Amendment issue (other than AOL's right to exercise editorial control over a
private service, something the TRO rather runs counter to.)  I may not be an
attorney, but AOL's case seems very strong.  The First Amendment protects
expression from interference by government, almost exclusively (there are
exceptions, such as private schools having some limits on the censorship
they may do of student publications, but these exceptions are very narrow,
and are few and far between).  AOL isn't the government, and their system is
not a public space in the legal sense.

The philosophical question of whether AOL ought to have anything to do
with restricting email in any way, even on their own service, is an
important one - even AOL's internal forums have something of the
character of a public, rather than a private, space - but such questions
should probably be consciously and clearly separated from discussion of the
legalities involved, which don't map very well to the theoretics.

Lastly, I think one should applaud AOL for shifting gears toward an
individually-customizable filtration model.  It's far better to have the
choices in the hands of the end user, than in the hands of some
intermediary, even if AOL offers some overridable defaults to filter out,
like Cyber Promotions.

Stanton McCandlish, Electronic Frontier Foundation, Online Activist,

Re: AOL curbs incoming spams (Herr, RISKS-18.43)

David Allen <>
Thu, 12 Sep 1996 06:53:32 -0400 (EDT)
Fred Herr makes some very good points about the negligible costs of spam
versus conventional junk mail, but I think the court erred in its comparison
in a critical way when it cited First Amendment protection for spam.  While
advertisers (and common citizens) have a right to speak, *nobody* can compel
us to PAY to listen.  While the court would certainly find that corporations
have a right to send junk mail or engage in telephone solicitation, they
would rule quite differently if the corporations sent mail postage due, or
tried to call us collect.  The court would rule that we have every right to
refuse to pay.  Since on-line time costs money to the recipient (no matter
how little), the comparison to regular junk mail is not appropriate.  More
appropriate is the FAX, where the owner of the FAX pays for the paper.
Anti-Junk Fax laws were passed to stop "FAX-spamming" if you will, and so
far have been found constitutional.

I think that legislation along the same lines would be appropriate and
constitutional.  Personally, I have a *major* problem with corporations
being afforded constitutional protections as if they were people, but that
is another debate entirely.

David Allen, Contributing Editor, Internet Underground.
Columnist, Plan 9 from Cyberspace.  See PCNet/MacNet,

Re: AOL curbs incoming spams (RISKS-18.41 et al.)

dave porter <>
Thu, 12 Sep 1996 13:18:43 -0400
This is a mind-numbingly trivial point, but I haven't actually seen it
mentioned anywhere in print: if the spammers are so keen on their "right" to
freedom of communication, why is it that the spam I receive seldom has a
valid return address?

Maybe AOL should reject mail not "because it is spam" but "because it does
not contain a valid return address" ?

   [You should note that rejecting mail just because its return address is
   bad will lose some mail you really wanted.  If RISKS rejected every piece
   of mail whose FROM: address is not a valid address, I would have fewer
   legitimate contributions to choose from.  But many would-be subscribers
   get bounced immediately, because I remove their new-subscription address
   as soon as the acknowledgment bounces.  As noted in RISKS-18.39, I am
   looking forward to the new version of Brent Chapman's majordomo, which
   will do that automatically.  PGN]

Re: RISK: Dangerous core dumps (Bonfield, RISKS-18.43)

Matthew Hunt <>
12 Sep 1996 07:35:49 -0400
> I don't know of any systems that will do this without also changing umask
> for all your other files.

Linux does:

mph124:~$ uname -a
Linux mph124 2.0.18 #6 Sat Sep 7 12:49:09 EDT 1996 i486
mph124:~$ umask
mph124:~$ sleep 10 &
[1] 9679
mph124:~$ kill -11 9679
[1]+  Segmentation fault      (core dumped) sleep 10
mph124:~$ ls -l core
-rw-------   1 hunt     users      278528 Sep 12 07:34 core
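
A check a defender can run for the exposure discussed in this thread, as an added example that is not part of the original post: it finds ELF core files under a directory that group or others can access, and sets the process core limit to zero. The function names and the sample header bytes are constructed for this example; core files are recognised by the ELF `e_type` field (ET_CORE = 4), which assumes ELF cores.

```python
import os
import resource
import stat
import struct

ELF_MAGIC = b"\x7fELF"
ET_CORE = 4  # e_type value that marks an ELF core file


def is_elf_core(path):
    """True if the file starts with an ELF header whose e_type is ET_CORE."""
    try:
        with open(path, "rb") as fh:
            header = fh.read(18)
    except OSError:
        return False
    if len(header) < 18 or header[:4] != ELF_MAGIC:
        return False
    # e_ident[5] (EI_DATA) gives byte order: 1 little-endian, 2 big-endian.
    fmt = {1: "<H", 2: ">H"}.get(header[5])
    if fmt is None:
        return False
    return struct.unpack(fmt, header[16:18])[0] == ET_CORE


def find_exposed_cores(root):
    """Return sorted (path, mode) for core files with any group/other bits."""
    exposed = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue
            if not stat.S_ISREG(st.st_mode):
                continue
            mode = stat.S_IMODE(st.st_mode)
            if mode & 0o077 and is_elf_core(path):
                exposed.append((path, mode))
    return sorted(exposed)


def disable_core_dumps():
    """Set soft and hard RLIMIT_CORE to 0 for this process and its children."""
    resource.setrlimit(resource.RLIMIT_CORE, (0, 0))
    return resource.getrlimit(resource.RLIMIT_CORE)


def write_sample(path, mode, core=True):
    """Write a constructed sample file: a minimal ELF core header or text."""
    if core:
        data = ELF_MAGIC + bytes([2, 1, 1]) + bytes(9) + struct.pack("<H", ET_CORE)
    else:
        data = b"plain text, not a core file\n"
    with open(path, "wb") as fh:
        fh.write(data)
    os.chmod(path, mode)  # explicit mode, independent of the caller's umask


if __name__ == "__main__":
    import tempfile
    with tempfile.TemporaryDirectory() as d:
        write_sample(os.path.join(d, "core"), 0o600)
        write_sample(os.path.join(d, "core.1234"), 0o644)
        for path, mode in find_exposed_cores(d):
            print(f"{path}: mode {mode:04o} is accessible beyond the owner")
    print("RLIMIT_CORE now", disable_core_dumps())
```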

Update 3 on GPS Battery Explosion

David Kennedy <76702.3557@CompuServe.COM>
12 Sep 96 02:35:59 EDT
>Extracted by Dave Kennedy [CISSP] National Computer Security Assoc from
>C4I-Pro-Digest       Tuesday, September 10 1996       Volume 02 : Number 463
>Date: Tue, 10 Sep 96 09:39:00 +6
>From: Potter B MSgt ACC/SCXX <>
>Subject: c4i-pro Update to PLGR Battery Venting Event (Update #3)

>  Please pass to portable lightweight GPS receiver (PLGR) users.  Bottom
>line: Shorted diode (or NO diode due to wrong battery), external power, and
>lithium battery can be a DEADLY combination.  Short-circuit is usual diode
>failure mode.
>  Stay tuned.  I'll pass-on updates as I receive them.  Please direct
>queries to Maj Lockhart, below.  [MSgt Bob Potter]
> - - - - - -
>From:     Lockhart, David E., Maj  CZU[]
>Sent:     Monday, September 09, 1996 6:37 PM
>                              9 September, 1996
> [...]
>When operating PLGRs on external power do not use lithium batteries in the
>prime power battery compartment.
>Develop a process that allows operators to use lithium batteries when
>operating in the stand-alone or internal power mode, but ensures the removal
>of lithium batteries prior to connecting to external power.
