The RISKS Digest
Volume 18 Issue 22

Tuesday, 18th June 1996

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator



Minor real-world spelling-checker story
Mark Seecof
About the American Hyphen Society
Bob Masson via others
Mike's TV is kind of funny...
Michael F. O'Connor via Richard Cook
Click *here* to lower the fuel rods
Chris Rebholz via others
More AOL censorship ["And it reaches new lows..."]
Barry Shein via K.Bostic
Software products certification
Stephane Geyres
Warning!!! Cellular Cloning
Re: Magellan 2000/3000 GPS nightmare
Boyd Roberts
"Piece of Plastic" Used to Detect Drugs
Jerry Marco
Re: "Child Molester Database" on the Web
Bear Giles
Thomas Insel
Re: Physical barriers in the cockpit
Chiaki Ishikawa
Some Info on Space Flight
Derek Lyons
Re: Ariane 5
Erling Kristiansen
Re: The European Space Agency's little problem
Prevelakis Vassilis
Info on RISKS (comp.risks)

Minor real-world spelling-checker story

Mark Seecof <>
Thu, 13 Jun 1996 13:07:14 -0700
The *Los Angeles Times* recently completed a project to improve automatic
spelling-checking and hyphenation for news copy (work made necessary when
the paper dispensed, several years ago, with proofreaders).  The automatic
spelling checker previously used both a dictionary and an algorithm that
tested words against a root and a (fairly) arbitrary arrangement of common
prefix and suffix strings.  The algorithmic check passed many invalid words.
Now it has been eliminated and only the dictionary--much expanded--is used.
It took more than a month of concentrated effort to expand the dictionary to
include common words previously covered by the algorithmic check.  To
improve dictionary-based hyphenation (the algorithmic hyphenator has also
been disabled) two people spent much time over months re-hyphenating 135,000
dictionary entries.  The system still makes no effort to detect words that
are in the dictionary but that do not belong in context.

Mark Seecof

About the American Hyphen Society

"Peter G. Neumann" <>
Mon, 17 Jun 96 11:58:59 PDT
Date: Mon, 2 Oct 1995 08:35:04 -0400
>From: (Keith Bostic)
To: /dev/

  [>FROM: Yucks Digest Wed, 12 Jun 96 Volume 6 : Issue 6] (Gene "Chief Yuckster" Spafford), to whom it was
  Forwarded-by: (John P. Kole)

>From: (Bob Masson)

About the American Hyphen Society

The American Hyphen Society is a community-based, not-for-profit,
grass-roots consciousness-raising/education-research alliance that
seeks to help effectuate the across-the-board self-empowerment of
wide-ranging culture-, nationality-, ethnicity-, creed-, gender-,
and sexual-orientation defined identity groups by excising all
multiculturally-less-than-sensitive terminology from the English
language, and replacing it with counter-hegemonic, cruelty-, gender-,
bias-, and, if necessary, content-free speech.  The society's motto
is "It became necessary to destroy the language in order to save it".
Its headquarters are in Wilkes-Barre, Pennsylvania.

  [Walla-Walla would do nicely for a west-coast mail-drop.
  Readers who recall my 1 April 1996 excerpt from my Hyphenater's
  Handbook (RISKS-17.95) may find this old item interesting.  PGN]

Mike's TV is kind of funny....

Richard Cook <>
Mon, 17 Jun 1996 15:28:39 -0600
>Mime-Version: 1.0
>Date: Mon, 17 Jun 1996 06:13:33 -0600
>Subject: Mike's TV is kind of funny....
>        Appreciating as I do, your preaching about the perils of automation
>- I thought I'd forward this piece to you.  Please understand that this is
>a more understandable portrayal of your concerns than any of your current
>examples.  It would also engender substantially more political support....
>>.c The Associated Press
>>CHICAGO - I'll take "embarrassing mix-ups" for $1,000, Alex.
>>Jeopardy viewers in 22 Chicago suburbs recently found themselves suddenly
>>watching cavorting, naked women rather than the usual three contestants
>>phrasing answers in the form of a question.
>>About 10 minutes of the Playboy Channel was inadvertently broadcast during
>>the time slot normally reserved for Alex Trebek's show.
>>"Some equipment we use to cablecast was having some problems," Continental
>>Cablevision spokeswoman Susan Bisno said.
>>She gave no details. "There's no defense," she said. "It was awful."
>>The mix-up affected scattered suburbs from Evanston just north of Chicago to
>>Burbank, to the southwest. Continental said it will apologize in writing to
>>customers who complain.
>Michael F. O'Connor, M.D. ph: (312) 702 - 6700  DACC Univ of Chicago

Click *here* to lower the fuel rods.

David C Lawrence <tale@UU.NET>
Mon, 17 Jun 1996 19:15:36 -0400 (EDT)
Forwarded-by: Keith Bostic <>
From: "Rebholz, Chris" <>

A true war story:

I used to work for the dearly departed Ingres, a relational database
company.  One day, the folks in Tech Support wandered up the stairs to
the floor I worked on.  They looked particularly ashen-faced.  Someone
finally asked them what the problem was.

Apparently, Edison Power and Light (the New Jersey equivalent of PG&E)
had called our East Coast support office in Saddlebrook, NJ, a half-hour
earlier.  They used Ingres to keep track of the rods moving around in the
nuclear cores on a DEC VAX.  Somehow, the database had become corrupted.
If it didn't get fixed in four hours, when the next core rotation began,
a meltdown was likely.

Fortunately, (1) our Saddlebrook office was a half-hour from their site,
and (2) all VAXes had the ability to have remote hardware diagnosis
performed by their world-wide support center in Colorado Springs, CO,
through a piece of firmware built into every VAX.  Not surprisingly, the
folks at DEC gave this problem a rather high priority.  After about an
hour and a half, it was determined that a disk sector was corrupted.  It
was repaired, and life as we continue to know it went on.

Welcome to Product Land, folks!  It's got a different set of problems than
Academia taught us all.

Remind me to tell you about answering questions about how we at Ingres
said we would provide support during nuclear wars at a sales call to the
Strategic Air Command some time...

More AOL censorship ["And it reaches new lows..."]

Keith Bostic <>
Fri, 13 Oct 1995 16:05:02 -0400
  [Appeared in Yucks Digest V6 #7,
  from (Gene "Chief Yuckster" Spafford)]

From: (Barry Shein)

So I just get a "spam" complaint from an AOL postmaster threatening:

>Subject: Fwd: cc:Mail UUCPLINK 2.0 Undeliverable Message
>Date: Thu, 12 Oct 1995 16:49:01 -0400

> Repeated offenses of this nature will result in AOL taking action to
> prevent further problems.


I look down at the message in question (they enclosed it) and it's just a
few mail bounces through a mailing list out of World to some customer (look
at the subject line above, some kind of cc:Mail lossage and unfortunately
cc:Mail bounces back to the From: address and ignores stuff like Errors-To:
and Replies-To:, constant nuisance), a list to which their customer is
explicitly subscribed and apparently has been for a while.

I guess the customer didn't like the bounce message, and I guess the AOL
postmaster has decided that bounce messages are "unsolicited mail". The
message from the postmaster also made the point that their customers have to
pay for all their e-mail so this is a problem (well, THEN *YOU* EDIT THEIR

This is why we also have to be careful with this anti-spam crap, there are
people out there, some of whom work as postmasters for the largest online
services on the planet, who, are, get my point, can't quite fog a
mirror, I guess is the expression.

I took the guy off the list and told the postmaster to tell him and tell him
that it's ok if he re-subscribes as far as I'm concerned but perhaps that
will remind him that HE SUBSCRIBED.

Morons. I may just mass unsub all AOL addresses from all lists here. I mean,
this is their postmaster threatening, not some random.

  [I have a friend who went to work for AOL and she was wondering why
  people picked on AOL all the time.  Sigh.  --spaf]

    [Hugh Davies <> shared with me a marvelous
    list of innocent place names that would cause AOL great grief, along the
    lines discussed in RISKS-18.07 and 18.08.  But including the list here
    would probably cause all our AOL subscribers — and RISKS — to be
    blacklisted.  PGN]

Software products certification

Stephane Geyres <>
Tue, 18 Jun 1996 11:07:26 +0100 (WET DST)
>> A new marking for all software products <<

Software quality is a fundamental challenge in our ever changing society, in
particular in the perspective of the use of computers and networks by all of
us and within all sectors of social and professional life.

Fully aware of what is at stake, the AFNOR (Association Francaise de
NORmalisation) General Executive Officer has just approved - in early May -
the publication of the rules of a new marking called "NF Logiciel".
("Logiciel" is French for "software".)  NF Logiciel is designed to be
applicable to any software, whatever its application domain, its
functionalities or its origin.

This adaptation of the general - and well known - NF marking is meant to be
an official statement of the actual quality of those software products being
marked.  This marking is both an alternative and a complement to more usual
quality system certification approaches:

- an alternative because it is not necessary to be certified
  to get the NF Logiciel marking for one's products,

- a complement because the marking requirements are based on
  those of quality system certification, which allows certified
  companies to get rather easily the NF logo for their products.

Based on sound and recognized international standards (NF ISO/CEI 12119 &
ISO 9001), the NF Logiciel is an unprecedented opportunity for software
providers to turn their investments in software quality into visible
evidence to the end user.

Several softwares are already undergoing an evaluation and
first formal markings are expected during next fall.

For more information, please contact

Another simple way to know much more is to send an e-mail message to our
server as follows: (Sorry, the documents are only in French so far...)

 Subject: cd nf-logiciel

Warning!!! Cellular Cloning

Bartle X-terminals <>
Mon, 17 Jun 1996 15:47:17 -0400
A year ago, I bought a cellular phone in my name for a friend, due to
his lack of proper documents.  A month later, my first bill reflected an
amount of $1300, as a result of a fraud.  I panicked and cancelled my
service right away.  I had to pay $250 for early termination fee (under
the contract) and an additional $400 for my cellular phone (to keep.)
    AT&T Wireless told me that they had put the case under investigation.
To make the story short, I received a letter from them (six months
later,) saying that the case was not a fraud.
    In the statement, more than 950 calls were made to many areas in NYC,
Long Island and New Jersey.  There were calls billed twice within the
same time and date, made to the same number as well.  Calls were made up
to 14 hours in a row (which was IMPOSSIBLE to achieve without a car)
because we have a 2 hour battery.  Furthermore, on the night that I had
cancelled the service a year ago, my whole family, the co-user, family
friends all sat by me as I cancelled the service.  I was told to
document everything.  Well, according to the bill, my unused cellular
phone, that sat by my side, beeped a person 3 minutes before I got off
the phone with the cellular representative...3 MINUTES BEFORE MY SERVICE
WAS OFFICIALLY TERMINATED!!!  I know for a fact that NO ONE used the
phone.  So who did?
    This is the result of what is called cloning.  AT&T refused to take my
word for what happened.  At this point, my case is transferred to a
collective agency and it is terminated.  They sent me a letter saying
that there was no fraud.  No signature was on the letter and the only
reason given for their decision was that I had a co-user.
    The moral of the story is:
    1.  DO NOT buy anything for anyone else, for no matter what
becomes of this, I AM RESPONSIBLE for the "debt".
    2.  DO NOT trust cellular companies.  I was told many times that this
happens everyday.  I was unfortunate to get such a dramatic bill.
INVESTIGATION DOES NOT BRING JUSTICE.  I am now left with the option to
pay the money in full (with 20% off for God knows what reason,) or go to
court.  They warn me against it because it may cost me more...
    If you have any suggestions, comments, questions or advice, please
e-mail me, Veronica, at  I would appreciate it greatly.

Re: Magellan 2000/3000 GPS nightmare (RISKS-18.21)

Boyd Roberts <>
Tue, 18 Jun 1996 15:46:40 GMT
After my _brand new_ Magellan 3000 spent about 20 seconds submerged under
water, causing it to fail, I bought a Magellan 2000, because I felt the need
to navigate for the Housbot Escapade at the weekend.

However, the 2000 has an intermittent in it.  It's some sort of mechanical
problem with the receiver which causes it not to boot, switch off, reset and
generally annoy you — you have to nurse it like a baby.  Faced with this,
the level of confidence you place in it drops to zero — a bad thing for a
navigation instrument.

Just how easy is it to trigger this intermittent?  Well, any mild shock
will do; placing it on a hard surface, putting in the pocket of my CWU-36P
[Jacket, Flyer's, 100% Polyamide], handing it to someone.  All sorts of
high-G manoeuvers like that.  Fixing it requires another mild shock :-)
and some persistence with the on/off button.

You could say I'm less than happy.  Where is their Quality Control?

Boyd Roberts

"Piece of Plastic" Used to Detect Drugs

Mon Jun 17 11:13:27 1996
>From "News of the Weird," a syndicated column, published in the
Austin Chronicle on 14 June 1996:

In May, a federal judge in Beaumont, Texas, issued a permanent injunction
against the Quadro Corp. of Harleyville, S.C., which had been selling a
plastic box with an antenna on it to government agencies and schools for up
to $8,000 each as an illegal-drug finder.  FBI tests had found the device
merely a piece of plastic, utterly incapable of detecting drugs or anything
else.  However, several law enforcement officers and school principals swore
to the judge that the Quadro Tracker worked for them.

RISKS?  Where to begin?  Use of a device without any knowledge of its
workings.  Believing anything the sales guy tells you.  Failure to run
controlled tests on a device before placing it into service.  Believing that
a box with an antenna on it could possibly detect drugs in the first place.
Hiring credulous individuals as "police officers and school principals."
Placing near-dictatorial power in the hands of school principals.

Perhaps someone else has more detail.  I'm particularly interested in the
assertion that the Quadro Tracker "worked for them," and in the fate of
those whose supposed possession of illegal drugs was detected by the device.
Were the individuals searched?  Are those searches now deemed to have been
illegal?  Was action taken against anyone on the grounds of the Quadro
Tracker's results alone?  On what basis do the officials believe that the
Quadro Tracker worked?

  [PGN, I'll preemptively note that the judge made the "illegal-drug
  finder" an "illegal drug-finder."]

Jerry Marco  University of Texas General Libraries

Re: "Child Molester Database" on the Web (Brown, RISKS-18.21)

Bear Giles <>
Mon, 17 Jun 1996 22:05:48 -0600 (MDT)
The official registries maintained by states (which can hurt you in much
more serious ways than a web site) use information sources which are just as

As I recall, in Colorado therapists are required to report the name of any
patient reporting being a _victim_ of sexual child abuse, if the individual
is 27 or younger.  This stellar example of legislative reasoning was based
on the observation that many (most?) abusers were themselves abused.
Therefore "anyone who was a victim is likely to be an abuser and should be
tracked."  The cutoff age was apparently based on another statistic with
equally dubious pedigree.

This might not be so bad if the registry was well run, but it appears (from
the discussions in the local media) that once you're on the list there's no
distinction between people actually convicted of crimes and people who were
listed due to nasty divorce battles or therapy sessions.  Furthermore, it's
virtually impossible to remove your name from the list once it has been
added.  Cries of innocence are viewed with the same skepticism as we hear in
the cryptology debate — if you have nothing to hide, why are you so

Re: "Child Molester Database" on the Web (Brown, RISKS-18.21)

Thomas Insel <>
Tue, 18 Jun 1996 05:47:42 -0500
> ... In other words, they come right out and
> say that their information cannot be trusted.

Worse still, the author realizes the possibility that listed people
may be upset and reports recent experience with false listings.
Nevertheless, according to the dispute resolution procedures at
the only authentication required from an accuser is a valid e-mail address,
and if the poster claims to be a victim, relative of a victim, or friend of
a victim, a disputed listing will stand, even without a conviction.  He
claims that a posted rebuttal will provide "more than equal opportunity" for

I'm not a lawyer, but surely these policies leave the listings' proprietor
open to an incredible (and probably justified) libel suit, during which it
may be impossible to identify the original accuser.


Re: Physical barriers in the cockpit (Re: Reinsch, RISKS-18.21)

Chiaki Ishikawa <>
Tue, 18 Jun 1996 21:30:29 +0900 (JST)
I admit that placing plastic cap, or even a paper coffee cup(?)  is a great
way to remind pilots not to touch certain levers and/or buttons. I often do
something similar if I want nobody to touch certain computer keyboard while
some important tests are under way on the machine.

What bothered me in the shooting down of F-15 and its subsequent
investigation is that the investigation team didn't go down to the bottom of
the real cause of why the main firing system became active despite the main
switch being turned off. Static electricity was rumored to be the cause
initially, but in the final report, as far as I read in newspaper articles,
no clear culprit was mentioned.

This means that there might be, albeit with very small possibility given
that F-15s have been flying in the sky all over the world for so many years,
a rare bug such that the firing system may spontaneously fire missiles no
matter what the main switch position is and whether trigger button is
pressed or not.  (Am I getting paranoia these days?)

Placing a plastic cap may be useless if such rare (still possible) bug lurks
in the system, and I felt disappointed that the investigation team let the
bug go unnailed. It would indeed be comical if a poor pilot finds one day a
missile is launched while the plastic cap is firmly in place... Well, not so
comical, come to think of it.

BTW, I am eagerly waiting for the initial words regarding the cause of
shooting down of American plane by a Japanese navy boat.

Chiaki Ishikawa      Personal Media Corp.     Shinagawa, Tokyo, Japan 142

Some Info on Space Flight

Derek Lyons <>
Mon, 17 Jun 1996 12:59:27 -0700
Some serious misconceptions here, pardon me while I clear them up.

>From: (Frank Rieger, RISKS-18.19)
>Subject: Matra made software for Ariane5 AND Taipei subway system (R 18.17)

>On the base of the information available now, I ask myself, why was there no
>mechanism to avoid the control computers' attempt to go into this extreme
>flight position?

Why would you want to?  The Control Computers *job* is to control the
position of the engines.  Redundant hard/software to correct for possible
errors in the primary computers costs horribly in terms of weight and
reliability, as well as being difficult to engineer and test.  In addition
it is extremely unlikely that a redundant system would detect a software
glitch in time to prevent such a failure.

Study the STS/Orbiter flight control systems for an object lesson in this.

>Date: 10 Jun 1996 11:17:05 -0400
>From: "James Brady" <> (RISKS-18.19)
>Subject: Re: The European Space Agency's little problem (Wood, RISKS-18.18)
>(The Space Shuttle can actually abort during launch under ...)

No, the SRB's cannot be separated while burning.  The stresses would tear
the whole stack apart.  (Uncontrolled separation (the only kind available at
that point in flight) is what caused the Challenger to break up.)

All STS abort modes require that the SRB's be ridden to burnout, and
that the ET be nearly empty prior to jettisoning it.

>Date: Sat, 08 Jun 1996 21:31:59 EDT
>From: Marc Horowitz <marc@MIT.EDU> (RISKS-18.19)
>Subject: Re: The European Space Agency's little problem (Wood, RISKS-18.18)
>Apollo carried more valuable cargo than any commercial rocket.  Remember, it
>was the apollo astronauts who forced NASA to design a window into the
>capsule, at a very high cost.

This objection could only possibly be applied to the Mercury program, as a
window was required for the objectives of both the Gemini and Apollo programs.

In addition, the window proved its worth again and again during the Mercury
program as any cursory study of the flights will show.

Re: Ariane 5

Erling Kristiansen <>
Tue, 18 Jun 1996 09:37:21 +0200 (MET DST)
Excerpt from ESA press release 22-96:


> Investigation of the flight 501 failure has been under way
> since 4 June.  In particular, a large part of the equipment
> contained in the vehicle equipment bay has been recovered
> and inspected.  This has revealed the existence of a malfunction
> relating to the inertial platforms in Ariane-5 operating mode.

Erling Kristiansen (
European Space Research and Technology Centre (ESTEC)

Re: The European Space Agency's little problem (Brady, RISKS-18.19)

Prevelakis Vassilis <>
Tue, 11 Jun 1996 12:59:41 +0200
> [...]  (The Space Shuttle can actually abort during launch under
> specific conditions and return to the landing strip at Kennedy, or go on to
> a down-range site, or ditch in the ocean.  Had sensors been available to
> tell the crew or ground controllers of the burn-through problem, one of
> these abort modes might have been employed with the chance of saving the
> crew if not the vehicle.)

There are two errors in the above paragraph. The first concerns the ditching
into the Atlantic. It has been said again and again that the Shuttle does
NOT have the ability to ditch into the ocean. The airframe is not sturdy
enough to withstand the impact and the external surface (mostly made of
fragile tiles) will disintegrate.

It is true that in the pre-Challenger era if the astronauts found themselves
in a position where ditching was the only alternative they were doomed.
Nowadays they will be able to bail out using the extensible pole and
parachutes while the Shuttle is kept on a level flight.

The second error concerns the survivability of the Challenger failure.
There was and there is no way to detach the Shuttle from the external tank
while the SRBs are firing. So abandoning the failing external tank was not
an option. What can be argued is that since the astronauts were not rendered
unconscious from the violent separation, if they were wearing pressure suits
instead of air packs they might be able to find their way out of the cabin
and bail out. While this cannot be ruled out it is unlikely because the
inside of the shuttle cabin is not exactly spacious and it must have been
tumbling. Next, at this stage we are not talking about the shuttle, but
about a part of the shuttle with bits hanging from it, no power and no way
to keep it stable. If the pilots had ejector seats (like they had for the
first test flights back in the early eighties) they could try ejecting, but
I just can imagine the Challenger crew finding their way out in time to
avoid the crash.


Now about the Ariane discussion. If the payload is irreplaceable, you don't
send it aboard the first test flight of a new rocket. You pay for a normal
flight which is also insurable (assuming the test flights are successful).
Insurance in the satellite business is a hedging of the risk.  If an
operational launcher blows up then the premiums paid for all subsequent
launches go up so that insurers can recoup their costs. So the launch
clients collectively pay for the failure anyway. Insuring is thus a way to
evenly spread the cost of failure.

Remember that the Ariane failure mode is not that common. In most cases it
is upper stages that fail, the satellites get placed in the wrong orbit or
simply disappear. Parachutes will not save them in these cases.  Also a
launch vehicle will either evolve to be unlikely to blow up during launch or
it will not be used. So putting parachutes will guard against an event that
will have a steadily decreasing probability of occurrence. So we have to
argue that we should put the ejection mechanism only on the first few
flights (the Shuttle approach). In this case we have to balance the cost of
developing the escape system against the cost of the cargo that will be
saved IF the launcher fails. To this we have to add the cost of the
replacement launcher and the cost of refurbishing the cargo after its
recovery and preparing it for the next launch. You don't just pick it up and
stick it back into the next Ariane.

Now the developers of the first Ariane 5 payload didn't have enough money
for buying space on a commercial launcher, so they wouldn't have money for
the escape system anyway. Maybe the fallacy of the whole situation is that
they were allowed to spend $500 million without budgeting the $65 million
launch costs.

Vassilis Prevelakis  CUI  University of Geneva
