Netcom, Inc; one of the largest retail ISPs [450,000 subscribers, 230 POPs] went down for 14+ hours this week. In what strikes me as "shades of Mariner II" Netcom President David Garrison, appearing on KGO Radio said it was an extra "&" in the "border gateway protocol code" in the MAE-East router in DC area that killed the system. They had to bring down all 100+ routers & flush each one to recover, he reported. The parallel to the Bell Atlantic STP bug of about five years back strikes me. The routing nut has gotten so tough that the tools used on it can be [VERY!] rapidly fatal.
An article by Peter H. Lewis in *The New York Times*, 24 Jun 1996, p. D1, noted the Netcom problem ("for 12 hours") noted in RISKS-18.23 by David Lesher. The article also noted these other problems:

* Microsoft shut down its nationwide network on Sunday (presumably 23 Jun 1996) for 10 hours as part of an intended backup power-supply upgrade, but the upgrade failed and they will have to try again.
* America Online was out of service for an hour on 19 June 1996, "when a planned system software upgrade backfired."
* AT&T will shut down its Internet access for up to 8 hours each week, for maintenance.
There was a nice article surveying the pachinko bogus-card fiasco noted in RISKS-18.15 and 16, and the risks of believing in technological solutions to not-just-technological problems.

Printed-version title: Counterfeiters of a New Stripe Give Japan One More Worry; Fake Cards Thwart Efforts to End Pinball Scams, By ANDREW POLLACK, *The New York Times*, 20 Jun 1996, D1
On-line-version title: A Case Study of the Hazards of Electronic Cash, By ANDREW POLLACK, c.1996 N.Y. Times News Service, 20 Jun 1996
[Text seemingly identical in both versions.]
Special note: I work for the IRS and have a work-related vested interest in _not_ having the Department of Defense involved in contracting for IRS software and systems. Therefore, despite any claims of non-bias below, I am clearly "interested" in the classical sense of the word.

That part out of the way, I'd like to say (as a private citizen, a tax-and-spend liberal, and an almost-always defender of free speech and the right of the citizen to privacy) that the present initiative by Congress to have DoD become the contracting agent for IRS system and software development is a clear and present danger to privacy in the Republic in which we stand. The initiative referred to above is in the "Subcommittee Mark" of the proposed next year's budget. It's just a House Subcommittee so it's not law, but it's a bad idea in my mind, even to consider it seriously. Is the Department of Star Wars and the $700 toilet seat really so excellent a contracting agency that they are the clear choice to handle IRS business?

Well, that's my biased opinion, and I'd like very much to hear from others who may have a more valid claim to disinterest!

Dick Wexelblat, Acting Lead Architect << asa APbA IRS
An entertaining part of Windows 95 is the time-zone chooser in its control panel. As well as being able to select time zones like (GMT+01:00), users who don't know or care about their meridian-relative time zone can just click on a map of the world. The appropriate time zone is then highlighted and (the cute bit) the whole world smooth scrolls round so that the user's country is in the centre of the map.

In the latest beta of Windows NT 4.0, the map is still there but is disabled: no mouse clicks are responded to and no highlights appear. The smooth scrolling still works, but with timezone selection via a list it is nowhere near as cute as it used to be.

What is interesting is the reason it doesn't work. It is not, as one would expect, a technical problem, but a political one, and thus a lot harder to fix:

From "Windows NT 4.0 Beta 2 Commonly Reported Problems", Version 3.0, June 15th, 1996:

> 3.7.1: Time zone map does not respond to mouse and display highlight
> Status: Due to international border disputes we have removed this
> functionality. There are numerous timezones that follow international
> borders that are not universally agreed upon. In order to satisfy all
> parties involved in these disputed areas we chose not to display any
> borders at all. We are aware it is a feature that many people miss.
Courtesy of Associated Press via CompuServe's Executive News Service, 19 Jun 1996

Espionage Suit, By ANTHONY JEWELL, Associated Press Writer

> INDIANAPOLIS (AP) — Johnson & Johnson's diabetes products subsidiary encouraged workers to illegally spy on rivals and gave "Inspector Clouseau" and "Columbo" awards for those who got the most information, a competitor charged Wednesday.
>
> Boehringer Mannheim Corp., a German-owned drug and medical device company, made the allegations in a federal court lawsuit against J&J and its LifeScan Inc. subsidiary. Boehringer has U.S. offices in Indianapolis.

[...]

o Suit asks for LifeScan to cease using Boehringer's trade secrets and seeks unspecified damages.
o J&J says both companies did it but its LifeScan received no competitive advantage from their activities.
o Suit alleges that LifeScan used third parties as well as their own employees to collect information about Boehringer. And that LifeScan "infiltrated" private meetings at Boehringer.
o A former LifeScan employee broke the news in May 94.

> Boehringer's lawsuit said two LifeScan employees "deliberately fostered an environment which made clandestine and illegal activities directed at competitors ... both routine and expected."
>
> Mannheim said David Van Avermaete and Daphne Flamer initiated the "Inspector Clouseau Award," the "Columbo Award," and the "Mrs. Fletcher Award," after the lead character in the TV series "Murder, She Wrote."
>
> The awards were allegedly "presented at meetings, with prizes, to members of the sales force who obtained the best information about competitors and their plans," the lawsuit said.

[...]

> The suit claims a LifeScan employee stole a prototype of a diabetes monitoring system known as Accutrend DM. Oldham said the prototype was stolen in Europe, taken to a LifeScan California lab and returned to Europe.

[...]

> Boehringer Mannheim, which had 1995 sales of more than $700 million, employs more than 3,500 people at facilities in Fremont and Concord, Calif., and Gaithersburg, Md.

Dave Kennedy [CISSP], InfoSec Recon Team Chief, National Computer Security Assoc
A colleague just got a handheld cellular telephone. The device asks the user to enter a 4-digit PIN before it will permit outbound calling. The vendor (local cell-phone duopoly carrier, not an independent) has set the PIN to the last four digits of the assigned telephone number, which the phone displays upon powerup BEFORE asking for the PIN. This helps people with poor memories and people with no authority equally. The vendor's service staff state that they have a fixed policy of configuring all 'phones this way. A longer (5 or 6 digit) "security code" enables users to change the PIN, but the vendor refuses to supply that code to my colleague (presumably to retard his ability to switch carriers for which that code is also needed). The vendor will allow my colleague to bring the 'phone to an inconvenient location during limited hours at his own expense to have the PIN changed; if he does this he must tell his PIN to the vendor's staff (they already have the "security code," but he would be revealing his PIN-choosing habits). My colleague wonders why the phone has a PIN if it offers zero security!
> Somehow, the database had become corrupted. If it didn't get fixed in
> four hours, when the next core rotation began, a meltdown was likely.

This didn't make any sense to me from what I know about nuclear power plants so I checked with a friend who is an engineer at one of the U.S. nuclear power plants. It's hard to reconstruct what really might have been the case. The computer could have been computing control rod movements and printing them out for an operator to use to manually control the rods (this is not done automatically) and there might have been no contingency plan or the operators might not have been able to do the computation manually in the time required. Could that have caused a meltdown? No. At worst, it might have required the operator to reduce power or to shut down the reactor.
> "A true war story:"

Just because someone says it, and others forward it does not make it true. This must be an attempt to establish a new urban legend. There are enough misconceptions about commercial nuclear power plants already, so we need to avoid creating fantasies that can be made into exciting movies.

First, there is no Edison Power and Light. The two utilities operating nuclear plants in New Jersey are Public Service Electric and Gas (PSE&G) and GPU Nuclear Corp., operating plants in Salem NJ and Forked River NJ, respectively. There is also Consolidated Edison of NY, which runs a nuclear plant in Buchanan, NY. Second, rods do not move around in a nuclear core and there is no next core rotation. Third, Ingres and DEC VAXes are not used in safety systems in nuclear power plants, so neither could have any impact on whether a meltdown was likely.

> Remind me to tell you about answering questions about how we at Ingres
> said we would provide support during nuclear wars at a sales call to
> the Strategic Air Command some time...

Another urban legend?... My best guess is one of two possibilities:

(1) One of these plants was shut down for refueling, during which time they remove spent fuel bundles and replace them with fresh fuel. During this process, they also move (rotate?) other bundles to new locations for the next year of operation. The offline computers are used to maintain records of the location of each bundle throughout its life in the core. If that database gets corrupted, the utility must revert to tracking everything by hand — a laborious and time-consuming process. The four-hour window could have been because the refueling is a critical-path item during an outage and delays can cost millions of dollars in lost revenue.

(2) One of these plants was planning a control rod sequence exchange to maintain a uniform fuel burnout throughout the core. These rod patterns are precalculated in DEC VAX computers and may involve an Ingres database. Sometimes these exchanges are done at reduced power, so the four hour time limit may have been the time at which they had to be back at full power or they might have to shut down, again an economic decision that involves millions of dollars.

In either case, there is no safety issue. In fact, there are very few commercial nuclear plants in the US that use computers or software in any safety system. Upgrades to safety systems that include digital technology are an ongoing area of development between the industry, research groups, and the regulatory agency (Nuclear Regulatory Commission). There are also safety-critical discussion groups on the Internet that exchange ideas. Because of misconceptions of how safety systems are defined and used in nuclear plants, I published a WEB page for the safety-critical group that may help understand the context of safety in nuclear power applications. Anyone who posts nuclear power plant examples should review that article at: http://www.netcom.com/~caprit/ctisafet.html. The risk of this article is the rapid spread of misinformation!
I love war stories, but alas, the story from "Rebholz, Chris" <email@example.com> is not true. As a resident of New Jersey, I am unaware of any Edison Power and Light. There are also four nuclear power plants in New Jersey, and I have worked at all four, in groups responsible for the process computers.

> A true war story:

As the former Principal Engineer for Digital Systems at PSE&G's (California's equivalent of PG&E) three nuclear plants, I assure you there are no computers moving control rods. There are computers used to compute rod worth for future fuel loads, but no nuclear plant in this country entrusts computers to move rods in such a way as to cause a meltdown. Most of the rod moving components and systems are old analog systems. The closest a computer comes to actual fuel movement is through a computer - a "rod-worth minimizer" - that will stop an operator from pulling control rods out of the prescribed, analyzed, approved "pull sheet."

The real problems with computers at nuclear plants are actually much more interesting. I'll submit an example I posted in another group a few months ago if I can find it on my archive tape. But for now, let's get real.

Charles Waite, Kemper-Masterson, Inc., c/o 38 Fox Run, Mount Laurel, NJ 08054, (609)235-4275
A lot of people beat up on AOL for good reasons. At least as many beat up on AOL without knowing what they are talking about. I have no love for AOL, but I see no reason to attack them for things they didn't do.

> From: Postmaster@aol.com

This is suspicious to start with. I've corresponded with AOL admins on numerous occasions, including David O'Donnell, who normally acts as AOL postmaster. I've never received a message indicating it was from firstname.lastname@example.org. The admins all use their individual e-mail addresses. In fact, AOL actively discourages e-mail to postmaster because it delays the response while someone sifts through the volume of e-mail to forward it to the responsible individual within AOL. They provide other addresses for reporting abuse, etc.

> message from the postmaster also made the point that their customers have to
> pay for all their e-mail so this is a problem (well, THEN *YOU* EDIT THEIR
> MAIL — YOU'RE GETTING THE @$%#^ MONEY, NOT ME!)

This clinches it. AOL customers do not pay to receive e-mail and never have. Many people make this mistake; it was Compuserve that once charged to receive e-mail. The AOL postmaster would of course know this, so the message is a clear and unmistakable forgery. I suggest that the original recipient examine the message headers more closely. Someone who can't even get the basic facts about AOL right probably didn't forge the headers very well either.

> This is why we also have to be careful with this anti-spam crap, there are
> people out there, some of whom work as postmasters for the largest online
> services on the planet, who, are, well...you get my point, can't quite fog a
> mirror, I guess is the expression.

Yes, world.std.com is a large online service and someone who works there can't detect an e-mail forgery ... well, you get my point.

> Morons. I may just mass unsub all AOL addresses from all lists here. I mean,
> this is their postmaster threatening, not some random.

On the contrary, it *is* some random. On the other hand, the posting to comp.risks didn't show the full headers of the message from email@example.com, so maybe that was a forgery too. Not to mention that I have no way of knowing whether bzs actually works for world.std.com. I hope not; this posting is so rude that I hate to attribute it to anyone working for any service provider.

Edward Reid <firstname.lastname@example.org>
This was posted on SPAM-L, a list devoted to ending spam, by an AOL Assistant Postmaster. He gave his permission for me to send it to you.

Date: Wed, 19 Jun 1996 23:12:09 -0400
From: Ray Everett-Church <IFRITRay@AOL.COM>
Subject: Re: Interesting AOL message

> From: email@example.com (Barry Shein)
> So I just get a "spam" complaint from an AOL postmaster threatening:
>> From: Postmaster@aol.com
>> To: firstname.lastname@example.org, email@example.com
>> Subject: Fwd: cc:Mail UUCPLINK 2.0 Undeliverable Message
>> Date: Thu, 12 Oct 1995 16:49:01 -0400
>> Repeated offenses of this nature will result in AOL taking action to
>> prevent further problems.

I'd be *most* interested in seeing the ENTIRE original message from AOL. I'm quite surprised to see mail bouncing off a server being called "SPAM"...unless it's a junk mail list (replies to the junk mailers usually bounce as a normal course of events).

In full disclosure, some time last month I had an e-mail conversation with Mr Shein that ultimately ended in a stream of obscenities from him. We were talking about the fact that "world.std.com" gives a home to DEMC, a major junk mail outfit. They spam from throw-away accounts at ISPs, but point replies back to their autoresponder firmly ensconced at DEMC.COM, which is served by world.std.com. I sought to explain that by providing a stable return address, he is aiding DEMC in its spamming activities.

[Strong response omitted. PGN]

Ray Everett-Church, Asst. Postmaster (firstname.lastname@example.org, IFRITRay@aol.com)
America Online's Internet Development Outreach and Technology Team
http://www.everett.org/~everett
AOLers misbehaving? mail: email@example.com
In RISKS-18.22, Mark Seecof notes that spelling checkers that use prefix and suffix tables can find nonwords. I saw a paper by Doug McIlroy a number of years ago that noted two such nonwords that have a good chance of appearing in actual documents: thier and presenation. After all, if you can derive flier from fly, you can derive thier from thy. And if you can derive relation from relate, you can derive senation from senate, hence presenation. Incidentally, Doug noted that the most frequently misspelled word in his sample was `accommodate,' which he found seven ways to misspell.

Andrew Koenig firstname.lastname@example.org
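As an added illustration, not part of Koenig's note or of McIlroy's paper, here is a toy affix-table checker in Python. The root lexicon, the two suffix rules (y -> ier, e -> ion) and the prefix list are constructed assumptions; the block shows how "thier" and "presenation" come to be accepted by derivation, and how to enumerate such false accepts against a reference word list.

```python
import re

# Constructed toy lexicon and affix tables (an assumption for illustration,
# not McIlroy's or any real checker's tables).
ROOTS = {"fly", "thy", "their", "relate", "senate", "send"}

# Suffix rules of the kind the note describes: (pattern on root, replacement).
# fly -> flier (y -> ier); relate -> relation (e -> ion)
SUFFIX_RULES = [
    (re.compile(r"y$"), "ier"),
    (re.compile(r"e$"), "ion"),
]
PREFIXES = ("pre", "re", "un")


def derivable_forms(roots):
    """Every string the affix tables accept: each root, each root with a
    matching suffix rule applied, and each of those with any prefix."""
    forms = set()
    for root in roots:
        stems = {root}
        for pattern, replacement in SUFFIX_RULES:
            if pattern.search(root):
                stems.add(pattern.sub(replacement, root))
        for stem in stems:
            forms.add(stem)
            for prefix in PREFIXES:
                forms.add(prefix + stem)
    return forms


def is_accepted(word, roots=ROOTS):
    """Affix-table spell check: True when the word derives from some root."""
    return word.lower() in derivable_forms(roots)


def false_accepts(roots, real_words):
    """Derived forms the tables accept that are not in a reference word list;
    this is the over-generation the note warns about."""
    return sorted(derivable_forms(roots) - set(real_words))


# Constructed reference list of the derived forms that really are words.
REAL_WORDS = ROOTS | {"flier", "relation", "resend", "unsend"}

if __name__ == "__main__":
    for word in ("flier", "relation", "thier", "presenation", "theri"):
        print(f"{word:12s} accepted={is_accepted(word)}")
    print("false accepts:", false_accepts(ROOTS, REAL_WORDS))
```

Note that a plain typo such as "theri" is still rejected; the checker only fails on misspellings that happen to match a root plus a rule.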
A few years ago, an author in the UK's PUNCH shared the most interesting phrases that made it past his spellchecker, but were caught by his editor. My personal favorite: a reference to the Prime Minister "Margret Hatchet".

- Kevin N. Haw email@example.com
Martin's posting reminded me of something I found while researching health risks associated with computers some time ago. Please bear with me: the original article was not a formal review of the study, and I haven't got a reference for it. Going strictly from memory, this involved an Australian company. The data entry/query clerks, almost universally, were suffering from facial skin rashes and attributed it to radiation from the monitors. A physician, consulted about the problem, prescribed a barrier cream, and the skin rashes disappeared. Someone knew enough about physics to note that 1) monitors don't produce that much radiation and 2) barrier creams wouldn't stop radiation anyway. An investigation was launched into the real cause. The work of the department involved looking up long columns of numbers. The workers were in the habit of running their fingers down the screen in order to pinpoint the item they needed. Static attracted dust, make-up, and other pollutants to the screen, and the fingers transferred these to the workers' faces. Hence the rash. The barrier cream provided some protection against the pollutants. More than that, however, it was greasy. Workers who ran their fingers down the screens found they were making streaks on the monitor. Therefore, they learned not to touch the screen--and no longer picked up pollutants.
I took part in this study, and got some interesting information from the guy from the Physics Department of Oslo University who did the field measurements on my machines: With modern low-emission crt displays, i.e. like the Nokia 21" MultiGraph 445X screens in my office, the keyboard can (and did, in my case) radiate more than the crt! The crt was the predominant source of static electricity, however. The computer enclosure as well as crt and keyboard was grounded, not the hard disk.

- <Terje.Mathisen@hda.hydro.com>
KCRG, a local TV station in Cedar Rapids, went into some detail on the story because the local school district almost bought the widget, and another local district did, and was satisfied with what they got. The Tracker had an empty plastic "electronics box" you wore over your shoulder, connected by a coiled telephone-style cord to a pistol grip. The antenna was hinged to the pistol grip so it could swing very freely from side to side, and the operating instructions were to hold the grip so that the axis of the hinge was exactly vertical. As a result, like a classic dowsing rod, very slight subconscious hand movements can cause wild changes in where the antenna points. The result, in the hands of a skilled practitioner, can be as gratifyingly accurate as a dowsing rod, but of course, what it's doing is uncovering subconscious guesses on the part of the practitioner, not pointing at water or drugs. Perhaps I should start selling forked birch sticks to police departments?

Doug Jones firstname.lastname@example.org