The Risks Digest

The RISKS Digest

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Volume 18 Issue 19

Monday 10 June 1996


o Janet Reno Wants Protection from Cybercrime
o Martinair B767 Aircraft suffers EFIS failure
Peter Ladkin
o HTTP cookie privacy risk
Howard Goldstein
o Autodeletion
Bradley K. Sherman
o RISKs of dumb string searches
Gianfranco Boggio-Togna
o Matra made software for Ariane 5 AND Taipei subway system
Frank Rieger
o Re: The European Space Agency's little problem
James Brady
Marc Horowitz
o Re: L-Vis Lives
Matt Ackeret
o Virtual image tinkering, a positive side?
Mike Gardiner
o Digital unreality
Harold Asmis
o Re: College Paper Sued Over Quote
Nevin Liber
o Confusing cost with worth
Mike Albaugh
o 1-week course on Internet Security, 29 Jul-2 Aug, at Stanford
Arthur Keller
o Formal Methods Europe Conference: Call for Papers
Cliff B Jones
o Info on RISKS (comp.risks)

Janet Reno Wants Protection from Cybercrime (Edupage, 6 June 1996)

Edupage Editors <>
Thu, 6 Jun 1996 18:48:55 -0400 (EDT)
Attorney General Janet Reno has told the FBI, CIA, and Commerce, Defense,
Energy, Transportation and Treasury Departments that she wants to create a
federal computer security emergency response unit to counter physical or
network attacks against the federal computer infrastructure (*Computer
Industry Daily*, 6 Jun 1996).  And some U.S. senators want to allow the FBI
to combine forces with the CIA and other intelligence agencies to deal with
international criminal and terrorist activity conducted on the Net.  Senator
Sam Nunn (D-Ga.) says that "if we're going to live in this kind of world,
we're going to have to link the intelligence world with law enforcement."
Vanderbilt business professor Donna L. Hoffman, whose work is focused on the
Internet, says: ''There are not dead bodies in the street.  It just doesn't
make sense to rush into legislation.''  (San Jose Mercury News*, Center, 6
Jun 1996)

Martinair B767 Aircraft suffers EFIS failure

Peter Ladkin <ladkin@TechFak.Uni-Bielefeld.DE>
Fri, 7 Jun 1996 21:25:13 +0200
Flight International (5-11 June 1996, p8) reports that the crew of a
Martinair B767-300 registration PH-MCH `faced blank flight-instrument
displays' near the US coastline on a flight from Amsterdam to Orlando, FL on
28 May 1996. Apparently it had suffered an EFIS failure (EFIS is the
industry acronym for the system which displays the flight data on screens in
front of the pilots -- a feature of most modern transport aircraft.

The EFIS failure itself was not such a big issue. The plane continued on the
electro-mechanical standby instruments and diverted to Boston, where it
landed safely -- but very fast, with no flaps, spoilers, autobrake or
anti-skid. It burst 8 mainwheel tires and the brakes caught fire (neither
event unusual in a fast landing and heavy stop) and the fire was quickly
extinguished. Martinair said the crew employed `flaps one', which extends
leading-edge spoilers only, and that they had no reverse thrust.

Martinair said the aircraft had a partial DC-power failure, but an unnamed
767 captain apparently said that such an event would not cause an EFIS
failure.  Boeing said reports of a complete power failure are `not

Peter Ladkin

HTTP cookie privacy risk

Howard Goldstein <>
8 Jun 1996 01:38:13 GMT
I recently installed Netscape 3.0b4, a beta version, to try out the new
(compared to 1.1N) features and see how well FreeBSD runs foreign binaries.

One of the new features, a security feature strangely categorized as a
'network' feature, queries the user before allowing "cookies" to be set.
Out of curiousity I set it so as to find out how often this feature was
invoked.  Cookies (discussed in earlier RISKS volumes, I seem to recall)
[YES: RISKS-14.36, 17.89.  PGN] are documented at .

I was surprised to find that every night for the last two weeks after
enabling this I've been handed a "cookie" by a site I never knowingly
visited, at .

Upon visiting this site I discovered they engage in attempts to collect
various data about web users including their o/s.  Why they feel it
necessary to 'ping' me each night to set a cookie I do not know, but it
seems they are also collecting data about browser usage.  Such a statistic
regarding times online while in a browser would seem valuable from a
marketing standpoint.

While cookies may be useful when voluntary and insofar as they may be
helpful to the user (as I feel the cookie I'm handed that avoids an access
validator for a particular newspaper's site).  Cookies from marketing
companies benefit me not.

Categorize this as a risk to users of older netscapes lacking the
conditional-cookie setting?  Or to advertisers who will find their targets
are hidden behind "mini" HTTP firewalls that hide the users from cookies
along with advertisement filter such as the one being tested by a North
Carolina startup?

Howard Goldstein   <>

  [And you'd probably be surprised to know how many people are affected.
  But you *know* there has to be a gotcha with free web sites and free
  browsers, and lots of folks are selling lists.  Always look a gift
  Trojan horse in the mouth (and everywhere else too).  PGN


Bradley K. Sherman <>
Mon, 10 Jun 1996 15:36:15 GMT
[found at]


  Irvine, California-based DVD Software has a new product that
  automatically deletes games from networked computers, freeing
  up limited computing resources for students and business folks.
  Oregon State University's business school manager says, "I had
  a problem with games," noting that some students spent hours
  playing games while others were waiting their turn at the
  keyboard to complete assignments.  UnGame scans the hard drive
  for any of 4,600 games every time the computer is turned on or
  logged on to the network.  The list of games is updated every
  month.  More than 20 colleges and universities are using the
  software now.  (*Chronicle of Higher Education*, 7 Jun 1996, A24)


     [So, be careful how you name your programs.
     Here are 4,600 UnNames not to use!  PGN]

RISKs of dumb string searches

Sun, 9 Jun 96 20:50:20 GMT
The RISKs of relying on dumb string searches are not confined to the
mangling of respectable British town names ("AOL censors British town
names!", RISKS-18.07).  Today I accessed the FAQ archives at Imperial
College, London ( to check the date of the
alt.usage.english FAQ.  Looking at the directory listing I was astonished to
see that the 250K+ file had shrunk to 1K. I downloaded the alleged FAQ and
found that it contained an article posted to alt.usage.english. The author
suggested that, because of its size, the FAQ should no longer be posted to
the newsgroup, since "it is available on the WEB, by e-mail, and by ftp".
The message subject line was, not surprisingly, "alt.usage.english FAQ":
apparently it was enough to fool the archiving program into assuming that
the article *was* the FAQ.

This would seem to open up interesting possibilities for anyone objecting to
the contents of a FAQ and wishing to have it removed from the archive.

Gianfranco Boggio-Togna    Milano, Italy

Matra made software for Ariane5 AND Taipei subway system (R 18.17)

Frank Rieger <>
Fri, 7 Jun 1996 10:58:23 +0100
The German newspaper *Tageszeitung* reports in its issue from 6 June 1996
(6/6/6!) that the software for the engine-controlling in Ariane 5 was made
by the French company Matra Corp.  This is the same company that made the
software for the Taipei subway system that crashed on 3 June 1996

First statements from DASA, ESA and ArianeSpace say, that there were 37
seconds after the start an movement of all engines in one direction, causing
the Ariane 5 into an extreme flight position. This disrupted the main
structure of the vehicle and triggered an automated destruction mechanism.
Some seconds later the manual destruction from ground control was triggered
by the flight security officer for redundancy.  According to German press
agency Deutsche Presse Agentur, one manager of the French space agency CNES
stated that the computer has tried to compensate a nonexistent problem in
flight control by making this massive move.

So, for me there are two possible reasons for the crash:

* there was an sensor failure, transmitting false data about the external
  conditions (wind, flight position) to the control system, or

* there was an real Software "glitch" causing the critical failure.

On the base of the information available now, I ask myself, why was there no
mechanism to avoid the control computers' attempt to go into this extreme
flight position?

Frank Rieger

   Added note, Date: Fri, 7 Jun 1996 17:39:19 +0100
   As I have read now, the leading European TV-Satellite corporation ASTRA
   has chosen Matra Corp. as hardware/software supplier for their next
   generation of digital broadcast satellites...  (Source: Deutsche Presse
   Agentur).  I think we will have a lot of fun watching TV in the next
   years...  Frank

      [They seem to be developing a real Matra-archy!
      Next they might do a Matra Metro.  PGN]

Re: The European Space Agency's little problem (Wood, RISKS-18.18)

"James Brady" <>
10 Jun 1996 11:17:05 -0400
David Wood suggested some form of parachute ejection and recovery system for
payloads.  The usual problems with this scheme are weight, cost, and
complexity.  Mercury and Apollo had launch escape systems to pull the
capsule off the top of the launch vehicle either on the pad or during early
flight.  These systems were jettisoned on the way up to improve flight
performance (get rid of the weight penalty.)

The Challenger disaster reminded us all of how useful such systems are for
saving crew.  Launch escape mechanisms to get the shuttle away from the
external tanks and solid boosters on the pad and in flight were scrapped
early due to the weight and complexity penalties, not to mention some valid
safety concerns.  (The Space Shuttle can actually abort during launch under
specific conditions and return to the landing strip at Kennedy, or go on to
a down-range site, or ditch in the ocean.  Had sensors been available to
tell the crew or ground controllers of the burn-through problem, one of
these abort modes might have been employed with the chance of saving the
crew if not the vehicle.)

To my knowledge, no launch vehicle intended to orbit an unmanned payload has
carried a launch-phase recovery system.  Ariane 5 is a heavy lift vehicle,
making a structure to hold the payload through a separation event, thrusting
away from the vehicle, chute deployment, and splashdown in the
Caribbean/Atlantic would be a marvel of a vehicle itself.  I am not
convinced parachutes could even be made to handle the weight of an Ariane 5
payload.  And individual recovery systems for the "n" individual satellite
payloads just multiplies the complexity by "n."

Adding launch-phase recovery systems to expendable launch vehicles would
further increase launch costs not only for the mechanisms but for the
down-range recovery personell and facilities that would be required for each
flight, just in case.  Launch costs are already so high as to stifle
commercial development of space.  Re-usable, robust launch vehicles like the
DC-X, X-33, etc. promise to reduce launch costs and offer some advantages in
these areas....  Witness the successful landing of the DC-X after an engine
explosion (my memory fails me as to when in the flight test program this

Launch vehicle failures will occur, as do failures in any complex system.
Until someone finds a way to get into space other than by riding atop a
controlled explosion, there is only so much risk avoidance you can do.  And
from then on it's risk management. Taking a "free" ride on a new launch
vehicle is a higher risk than buying a ride on a "proven" launch vehicle.
But if you can't afford the ticket, you must decide if the risk of failure
is worth the scientific/commercial/political rewards of success.

On the other extreme, I remember NASA taking heat in the Apollo days for the
fact that the first Saturn launch carried a few tons of sand into orbit
rather than risk any useful payload on an unproven vehicle.

Jim Brady  Raytheon E-Systems

Re: The European Space Agency's little problem (Wood, RISKS-18.18)

Marc Horowitz <marc@MIT.EDU>
Sat, 08 Jun 1996 21:31:59 EDT
I'm not sure if they had a parachute did or not, but there was planning and
engineering work done to try to rescue the crew under certain failure modes,
although this did not help the Apollo 1 astronauts.

Apollo carried more valuable cargo than any commercial rocket.  Remember, it
was the apollo astronauts who forced NASA to design a window into the
capsule, at a very high cost.  The political and psychological costs of
losing anyone, especially highly, expensively trained astronaut-heroes, are
very high, and can therefore support safety features which would not make it
into an unmanned craft.

<> What a risk - millions of (pounds, dollars, whatever - big in anyone's
<> currency) and all that work.

Designing a "separate and chute" mechanism into the Ariane 5 would be a neat
engineering feat, but is it cost-effective?  All rocket cargo is insured
(and I'm sure the insurance is not cheap).  If there was an advantage to
this system, I expect either the insurance companies would fund it so they
would have to pay off less often, or the aerospace companies would fund it
to lower their premiums.  It all comes down to economics in situations like

It is, as they say, only money, even if its quite a lot of it.


Re: L-Vis Lives (RISKS-18.18)

Matt Ackeret <>
Sat, 8 Jun 1996 01:23:39 GMT
I'm not saying that they won't be able to perfect the system, but at the
moment, from the demo I saw on a news report about this system, it's _really
lame_.  The idea is fairly impressive -- presumably they're doing 3D
rotations and scaling of their advertizement in real time to then be shown
on the ad area.  The basic "how to get it on the screen" technology is
simply regular old green screen chroma key that has been around for a long
time.  The impressive part is, repeating myself, making sure the ad "looks
right" depending on the angle the camera is seeing it from.

Yet even with this, the ad placed in the green area was jittering all over
the place.  I was laughing at how cheezy it looked.  It just looked horribly
fake.  Technically, it was actually that the ad _wasn't_ jittering exactly
with the camera, so for example the logo wouldn't be completely centered (or
offset appropriately depending upon the angle) perfectly.  "Jittery" really
is the best word to describe it when you see the demo.  I could also see the
tell tale lines on the boundary showing it was chroma key. (They also showed
the wall without the ad.. definitely regular old green screen color.)

By the way, the idea that subliminal advertising actually works is a
pernicious urban legend.  Check out
  subliminal.advertising/subliminal_messages_sources.html for several
references to books that fail to find any evidence that subliminal
advertizing works.  You may want to peruse
itself for info on lots of other things you probably believed to be true but
aren't.  (alt.folklore.urban's another good place.)

Virtual image tinkering, a positive side? (Re: L-Vis, RISKS-18.18)

Mike Gardiner <>
Sun, 9 Jun 1996 20:13:42 -0400 (EDT)
With my mind always trying to find real uses for questionable technology, I
find myself wondering if a home version of this technology could be used in
reverse to delete those obnoxious logos that have done so much to cut down
on how much TV I watch.  Or better yet: Carl Sagan's AdNix chip could
finally exist.  Program it with every major corporate logo and most ads
could be blacked.  (Turnabout is fair play.)  It would make a mess of most
sporting events, though.

Mike Gardiner

Digital unreality (was L-vis Lives in Virtual TV, RISKS-18.18)

Harold Asmis <>
Mon, 10 Jun 1996 10:17:08 -0400
This is merely an extension of a recent trend in digital photography.
Articles in Scientific American, and others, have shown that still pictures
can no longer be believed, since they are so easily altered.  Computer
technology now extends this to video (and live video, at that).

Now with digital camcorders, who will believe the next "Rodney King" video
clip?  Not enough cops?  Add some more!  It will probably boil down to the
integrity of the picture-taker.  We shall soon see all those paragons of
virtue --tabloid TV&print, network television, etc-- swearing that their
images have not been digitally altered in any way, except when it brings in
more revenue.  :-)

Harold W. Asmis  416.592.7379  fax 416.592.5322

Re: College Paper Sued Over Quote (Wisneskey, RISKS-18.18)

Nevin ":-]" Liber <>
Sat, 08 Jun 1996 07:27:40 -0700
> The risks?  If you're going to have a generic template, make it generic.
> And if something bad happens once, it's going to happen again so fix it
> after the first occurrence.

I see the RISKs as more social than technical.  Will this kind of thing
happen in the future?  Of course.  Was it appropriate?  No.  Was the
response of an $850K lawsuit appropriate?  Absolutely not.  It reminds me a
lot of the Carl Sagan vs. Apple Computer lawsuit, and we all know how that
turned out (or, if you don't, check out

Nevin ":-)" Liber       nevin@CS.Arizona.EDU    (520) 293-2799

Confusing cost with worth (Re: Koenig, RISKS-18.18)

Mike Albaugh <>
Mon, 10 Jun 1996 10:01:00 -0700 (PDT)
In RISKS-18.18, Andrew Koenig <> writes:

> Occam's Razor suggests a more general explanation: Images contain much more
> information than text, regardless of content.

I wouldn't quibble with his point that images contain more _data_. I do have
a problem with the proliferation of a popular confusion that I am surprised
to find coming from ATT. Claude Shannon long ago gave an excellent
definition for "information" that relates it to "surprise" or perhaps
"useful news". I submit that the average picture, especially on the Web, has
a great deal _less_ information than the accompanying text, in the sense
that the picture rarely contains anything a) worth much to the viewer or b)
not deducible from the text. In the case mentioned, with 695K (400 pages?)
of "text" versus 306K of image data, I find it truly astonishing that the
_author_ would state:

> In this case, a picture is worth much more than a thousand words.

Does anybody really believe that someone would shell out the price of a very
nice dinner (assuming without real basis that this is a _technical_ book,
and thus priced in the neighborhood of 50 USD :-) for these two pictures?
"Worth" must be used in some sense with which I am unfamiliar. Although the
two pictures _cost_ as much about 51000 words, or about 25K words apiece,
they aren't _worth_ as much.

As for RISKs, when the technical community buys into popular misconceptions,
such as "data == information" or "No more could be done about the abysmal
reliability of commodity software", we are helping bring about the disasters
we read about. An informed populace will be vital in the shaping of
government response to the changes brought by computing. Repeating the
mistakes of the un-informed will not bring this about.

Mike Albaugh ( Atari Games (now owned by Williams)
675 Sycamore Dr. Milpitas, CA 95035     voice: (408)434-1709

1-week course on Internet Security, 29 Jul-2 Aug, at Stanford

Arthur Keller <ark@DB.Stanford.EDU>
10 Jun 1996 09:00:57 GMT
The Western Institute of Computer Science announces a week-long course on
INTERNET SECURITY to be taught at Stanford University 29 Jul to 2 Aug 1996,
headed by Arthur M. Keller (Stanford University), with 9 well-known folks.
Try URL or contact
ark@DB.Stanford.EDU (Arthur Keller) for details.

Formal Methods Europe Conference: Call for Papers

Cliff B Jones <>
Fri, 7 Jun 96 07:48:06 BST
           International Symposium and Tutorials

               15--19 September 1997
         The Technical University of Graz, Austria
      Sponsored by the Commission of the European Communities

               Call for Submissions

The Technical University of Graz will host the fourth FME Symposium from 15
to 19 September 1997. It is being organised by Formal Methods Europe which
is the advisory panel of the Commission of the European Communities. This
will be the successor of six previous VDM and FME symposia which have been
notably successful in bringing together users, researchers and developers of
precise mathematical methods for software development.

The theme of FME'97 is Formal Methods: Their Industrial Application and
Strengthened Foundations.

Symposium contributions will report advances in the field from developments
in applicable theory to experiences in commercial application. The
conference will also follow the previous successful pattern of offering
tutorials, tools demonstrations, reports of industry usage and research

Categories of Papers: three kinds of full-length paper are solicited:

  1.  reports on industrial usage;
  2.  research papers on existing methods (for instance: extensions,
     innovative case studies);
  3.  articles on stimulating theoretical research with clear
     potential applicability.

Authors are requested to mention the category (1, 2, or 3) of their papers
when they submit.


The scope of the symposium includes, but is not limited to, the following

   *  Practical use, case studies
   *  Comparisons of existing formal methods, extensions, improvement
   *  Theoretical foundations
   *  Tool support
   *  Specification and refinement techniques
   *  Verification against specifications
   *  Development process
   *  Linking formal and informal methods
   *  Concurrency, real-time and reactive systems
   *  Secure or/and safety-critical systems
   *  Object orientation
   *  Education and technology transfer

Submissions are encouraged from the full range of application areas
including medical systems, aerospace and avionics, telecommunication,
traffic modelling and transportation systems, nuclear safety, process and
off-shore industries.


There will be eight Tutorials, each lasting a half-day. They will be
organised in two parallel tracks during 15 and 16 September.  Proposals for
tutorials are welcome.


Tool demonstrations will take place during the Symposium, with the
opportunity for presentations to be made about each tool (video
projectors will be available). Proposals for tool demonstrations are
welcome and should be made to the Organising Chair, with whom
provision of necessary computing facilities should be discussed.


Organising Chair: Peter Lucas, IST, Technical University of Graz, A-8010
Graz, Muenzgrabenstrasse 11/II, Fax: +43 316 841 7566, Tel: +43 316 873
5712, Email:

Programme Co-Chairs:
* Cliff Jones, Dept. of Computer Science, The University of Manchester, UK,
* John Fitzgerald, Centre for Software Reliability, The University of
Newcastle, Newcastle upon Tyne NE1 7RU, UK, Fax: +44 191 222 8788,
Tel: +44 191 222 7999, Email:

Programme Committee:

Manfred Broy            Technical University, Munich
George Cleland          Harlequin
John Fitzgerald (co-Chair)  CSR, Newcastle University
Peter Froome            Adelard
Chris George            United Nations University IIST
Shinichi Honiden        Toshiba
Daniel Jackson          Carnegie-Mellon University
Cliff Jones (co-Chair)      Manchester University
Carlos Jose Pereira de Lucena   Computer Science Department
                    PUC Rio de Janeiro
Doug McIlroy            Bell Laboratories
Brendan Mahony          Defence Science and Technology Organisation
Lynn Marshall           Northern Telecom (Nortel)
Dominique Mery          University Henri Poincare & IUF
Peter D. Mosses         BRICS, University of Aarhus
Jose Oliveira           University of Minho
Nico Plat           Cap Volmac
Andrzej Tarlecki        Warsaw University
Martyn Thomas           Praxis, Deloitte & Touche Consulting Group
Rob Witty           GEC
Joakim von Wright       Abo Akademi University

Organising Committee:

Andreas Bollin (Tools Exhibition), Brigitte Froelich, Gabriele Leitner,
Richard Messnarz, Gerhard Pail (Accounting), Petra Pichler

Local Organization: Graz Tourismus Ges.m.b.H


All papers and proposals for tutorials should be sent the Programme
Co-chair, John Fitzgerald, at the address given above.

Proposals for tool demonstrations should be sent to the organising chair.

Submissions by electronic mail are not accepted.

Format of submissions:

* Full, original papers mentioning one of the three above categories
  (5 copies, 20 pages max; following the LNCS format is mandatory; a
  description of the format and Latex style files are available
  by anonymous ftp at in directory
  /pub/tex/latex/llncs or via the world-wide web in

* Proposals for tutorials (1/2 day, maximum 50 pp of notes)

* Proposals for tool demonstrations (2 pages of presentation plus
  hardware and software requirements)

Important dates:

   * Deadline for submission: 17 January, 1997
   * Notification of acceptance sent to authors: 25 April, 1997
   * Camera-ready copy due to publisher: 20 June, 1997 (latest date of
    arrival in Newcastle)

Please report problems with the web pages to the maintainer