The Risks Digest

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Volume 18 Issue 31

Friday 9 August 1996

Contents

o "Buffer overload" crashes network bridge
Jeff Anderson-Lee
o Re: America Offline
David Kennedy
David Cassel
o Re: AOL outage: risks of scaling inappropriately
Jeff Hayward
o Re: Kirk Enterprises: What's in a name?
Jeffrey Mogul
o Novel: Slow River
Steve Kilbane
o Re: The increasing complexity of everyday life
Barry L. Brumitt
o Re: Department of Motor Vehicle records
Lauren Weinstein
Steven Bellovin
C. Titus Brown
A.E. Siegman
Kevin Johnsrude
o Info on RISKS (comp.risks)

"Buffer overload" crashes network bridge

Jeff Anderson-Lee <jonah@shiva.CS.Berkeley.EDU>
9 Aug 96 17:16:35 GMT
End of summer... time for the floors to be buffed before the students come
back.  So the custodians bring out their heavy duty floor buffers and plug
'em in.  Given the old, out-of-date wiring in this building they blow a
circuit.  Instead of resetting the breaker however they just try another
outlet and keep going.  The result: the network bridge on that circuit is
put out and half the net is cut off from the other half.

Of course we had trained the custodian NOT to do this in the past, but that
particular custodian is off on sick-leave, and their replacement had not
been so briefed.  Fortunately someone remembered the previous time this
happened and found the problem.  But what happens if they go away too?

Jeffrey Anderson-Lee

      [You shuffle off to buffer-low,
      without getting too big for your bridges.  PGN]


Re: America Offline (RISKS-18.30)

David Kennedy <76702.3557@CompuServe.COM>
09 Aug 96 12:56:47 EDT
Courtesy of the Dow Jones News Service via CompuServe's Executive News Service:

AOL's Blackout Eclipses Jump In Fourth-Quarter Profit
By Thomas E. Weber and Jared Sandberg, Staff Reporters of
The Wall Street Journal (Dow Jones, 9 August 1996)

<>  It wasn't until late yesterday that AOL provided a detailed
<>explanation for the outage to supplement Chairman Stephen M.
<>Case's on-line apology, which AOL posted late Wednesday night.
<>The company cited a "coincidental" series of events it said are
<>unlikely to recur. The problem centered on routers,
<>computerized switches that serve as traffic cops for
<>information on AOL's complex network.

<>  Computers at an AOL unit fed these switches with an erroneous
<>"roadmap" of the Internet just as engineers were upgrading
<>them. When problems cropped up, the engineers mistakenly
<>thought their upgrade was to blame -- not the roadmap. That
<>misunderstanding delayed discovery of the source of the
<>problem. Compounding the confusion, diagnostic software that
<>could have helped track down the problem had been turned off
<>during the upgrade, AOL said.

o     AOL is compensating customers with one free day's worth of connect time.

[DMK: I pay US$9.95/mo for AOL and get 300 min-->10min/day or US$0.33/day.
Give me a break!]

o   In a letter to subscribers, Mr. Case said:

<>I would like to be able to tell you that this sort of thing
<>will never happen again, but frankly, I can't make that
<>commitment, as we are building a new medium and breaking new ground.

and

<>This was a very unfortunate occurrence and I don't want to make
<>light of that.  But it did have an interesting side effect:  it
<>reminded all of us how important AOL is becoming in our
<>everyday lives.

and closes with

<>Today's outage reminds us that despite the recent progress
<>we've made in expanding our AOLnet network and enhancing the
<>responsiveness of our Member Services team, we still have a
<>long way to go to make AOL as reliable as must-have utilities
<>such as electricity and the telephone.  But that's what we
<>intend to do.

Dave Kennedy [CISSP] InfoSec Recon Team Chief, National Computer Security Assoc

  [MODERATOR'S CORRIGENDUM: Typo (should have been 6 million subscribers)
  in RISKS-18.30 fixed in archive copy.  Oddly, no one remarked on it,
  but I stumbled onto it myself!  PGN]


Re: America Offline (RISKS-18.30)

David Cassel <destiny@crl.com>
8 Aug 1996 15:27:28 -0700
AOL issued a statement early Wednesday saying service would be restored
Wednesday afternoon. In fact, it didn't go up until 11 pm.

Subscribers trying to log on received the following series of messages.

   "The system is temporarily unavailable. Please try again in 15 minutes."

   "The system is temporarily unavailable. Please try again in 30 minutes."

   "The system is temporarily unavailable. Please try again in an hour."

   "The system is temporarily unavailable. Please try again in 90 minutes."

This kind of thing is going to get AOL a reputation for dishonesty.  The
Wall Street Journal wrote, "AOL put out a puzzling press release claiming
that [newly-hired Chief Operating Officer] Razzouk had chosen to resign
largely because he didn't like 'the prospect of relocating his family to the
Washington, D.C. area.' Never mind," the Journal added, "that Mr. Razzouk
had, in truth, just sold his Memphis home -- and that he had already closed
on the purchase of a new $1.7 million showplace in McLean, Va."

But technical misstatements will always come back to haunt you.  Earlier
this week an AOL rep told the *San Francisco Chronicle* that AOL's computers
were "immune" to the kind of outage that occurred yesterday.  And days after
AOL told a content provider they'd fixed a security hole, hackers used it to
take the stage during an on-line celebrity appearance, taunting the regular
guest...

The day after they came back on-line, their system was automatically
displaying the worst possible messages. The mandatory-viewing ad pitching
more time on the system began, "We know that many of you have been reluctant
to fully explore the diverse offerings..."  The "Top News Story" in their
Reuters headline area turned out to be "AOL Apologizes for Massive Outage."
And the sign-off ad: "This week: 'Gravity Kills' ".

"We can't definitively state the root of the problem," AOL's Vice President
told Reuters that night.  The ultimate irony: just last month AOL took out
help-wanted classified ads saying "At America Online, we not only dominate
the programs we design...."

    David Cassel        http://www.crl.com/~destiny/time.htm

  [David, "dishonesty" sounds a little harsh.  How well can anyone
  predict how long it is going to take to fix a problem that has not
  yet been identified and understood?  PGN]


Re: AOL outage: risks of scaling inappropriately (Snyder, RISKS-18.30)

Jeff Hayward <J.Hayward@utexas.edu>
Fri, 9 Aug 96 12:08:29 CDT
Joel Snyder writes of the widespread effects of the AOL outage on mail
systems throughout the Internet.

While I agree that there are some interesting risks in putting so many
users' eggs in the "@aol.com" mail basket, the severe consequences of an AOL
outage on (other) mail systems can be looked at as a different sort of
inappropriate scaling risk - the inability of the majority of mail systems
in the net today to handle the large queues and outages that are the reality
of today's Internet.

The vast majority of mail systems in the Internet rely in one way or another
on mail transfer software that was never designed to scale well - often the
much maligned but mostly essential "sendmail" program.  Among sendmail's
well-known faults are its handling of the backlog queue as a single batch,
and its lack of ability to schedule retries for unreachable hosts on any but
the most simple-minded basis.  In the event of an outage creating a large
queue this can effectively block deliveries for everyone as the system tries
and tries to deliver undeliverable messages.

Fortunately for me, for the week prior to the AOL outage I had been running
the outbound mail from one of my mail servers through a system running
qmail, a mail transport system designed as a ground-up replacement for
sendmail. (See http://pobox.com/~djb/qmail.html for more information).  The
two features of qmail that kept the mail flowing for me during the AOL
outage are (1) delivery attempts are scheduled independently for each
message in the queue, and (2) delivery attempts are scheduled following a
backoff algorithm that prevents the retries from consuming the mail system
as the backlog grows.  So for my site, the AOL outage was a non-event.  The
backlog for AOL grew and grew but mail for other sites continued to flow
expeditiously and load on the server was nearly constant.  When AOL became
available again, there were no major load spikes delivering the backlog
because the delivery retries were well spread out in time.  I had to do
nothing extra to keep things going - a new experience for me!

So I don't see the risk(s) as necessarily one-sided.  AOL has some
whale-sized scaling problems to overcome to be sure, but sites that depend
on simple-minded mail delivery software should consider their own exposure,
and investigate software designed with modern conditions in mind if they
want to keep delivering the mail.  -- Jeff Hayward
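The scheduling difference described in the post above, as an added simulation that is not part of the original message and is not code from qmail or sendmail: a single-batch queue runner that retries every queued message on a fixed interval, beside a per-message scheduler that gives each message its own next-try time with exponential backoff. Every number in it (a 19-hour outage to one host, a 30-second connect timeout, a 30-minute queue-run interval, a 10-minute base retry delay capped at two hours, plus or minus 50% jitter, and the constructed workload) is an assumption chosen for the simulation, not a measured or documented value for either program.

```python
"""Added illustration of the two queue strategies compared above: it is not
code from qmail, sendmail or the original post.  Every timing below (outage
length, connect timeout, queue-run interval, backoff base and cap, jitter) is
an assumption chosen for the simulation, not a documented value of either MTA.
"""
import heapq
import random

DOWN_HOST = "aol.com"
OUTAGE = (0, 19 * 3600)      # assumed: destination unreachable for 19 hours
CONNECT_TIMEOUT = 30         # assumed: seconds a failed connection attempt costs
DELIVERY_COST = 1            # assumed: seconds a successful delivery costs
HORIZON = 24 * 3600          # length of the simulated day


def reachable(host, now):
    start, end = OUTAGE
    return not (host == DOWN_HOST and start <= now < end)


def make_workload():
    """Constructed workload: 1000 messages for the down host injected at t=0,
    plus one message to an unrelated healthy host every 10 minutes all day.
    Each entry is (inject_time, message_id, destination_host)."""
    msgs = [(0, i, DOWN_HOST) for i in range(1000)]
    msgs += [(t, 1000 + t // 600, "example.org") for t in range(0, HORIZON, 600)]
    return sorted(msgs)


def simulate_batch(workload, interval=1800):
    """Single-batch model (assumed sendmail-like behaviour): one sequential
    queue runner starts every `interval` seconds and tries every queued
    message in order.  Each unreachable message burns a connect timeout, so a
    big backlog stretches the run, and mail injected meanwhile waits for the
    next run.  Returns ({message_id: wait_seconds}, total_attempts)."""
    pending, queue = list(workload), []
    delivered, attempts = {}, 0
    run_start = 0
    while run_start < HORIZON and (pending or queue):
        now = run_start
        while pending and pending[0][0] <= now:        # admit new mail
            queue.append(pending.pop(0))
        remaining = []
        for inject, mid, host in queue:
            attempts += 1
            if reachable(host, now):
                now += DELIVERY_COST
                delivered[mid] = now - inject
            else:
                now += CONNECT_TIMEOUT
                remaining.append((inject, mid, host))
        queue = remaining
        # next run on schedule, or immediately if this one overran the interval
        run_start = max(run_start + interval, now)
    return delivered, attempts


def simulate_backoff(workload, base=600, cap=7200, seed=1):
    """Per-message model (assumed qmail-like behaviour): every message carries
    its own next-try time in a priority queue; a failure reschedules only that
    message, with exponential backoff capped at `cap` and +/-50% jitter so the
    retries do not re-synchronise.  Mail for other hosts is never held behind
    the backlog.  Returns ({message_id: wait_seconds}, total_attempts)."""
    rng = random.Random(seed)
    heap = [(inject, mid, host, inject, 0) for inject, mid, host in workload]
    heapq.heapify(heap)
    delivered, attempts = {}, 0
    while heap:
        now, mid, host, inject, tries = heapq.heappop(heap)
        if now >= HORIZON:
            break
        attempts += 1
        if reachable(host, now):
            delivered[mid] = now - inject
            continue
        delay = int(min(cap, base * 2 ** tries) * rng.uniform(0.5, 1.5))
        heapq.heappush(heap, (now + delay, mid, host, inject, tries + 1))
    return delivered, attempts


def summarize(delivered, attempts, workload):
    """Waits for unrelated mail, and how bunched the post-outage flood is
    (largest number of backlog deliveries landing in any 30-minute window)."""
    healthy = [delivered[m] for _, m, h in workload
               if h != DOWN_HOST and m in delivered]
    backlog = [delivered[m] for _, m, h in workload
               if h == DOWN_HOST and m in delivered]   # injected at 0: wait == time
    buckets = {}
    for t in backlog:
        buckets[t // 1800] = buckets.get(t // 1800, 0) + 1
    return {
        "attempts": attempts,
        "healthy_delivered": len(healthy),
        "healthy_max_wait": max(healthy, default=0),
        "backlog_delivered": len(backlog),
        "peak_backlog_per_30min": max(buckets.values(), default=0),
    }


if __name__ == "__main__":
    work = make_workload()
    for name, sim in (("single batch", simulate_batch),
                      ("per-message backoff", simulate_backoff)):
        print(name, summarize(*sim(work), work))
```

Run stand-alone it prints both summaries. With the assumed numbers, the batch runner delivers the unrelated message injected ten minutes into the outage 59402 seconds (about 16.5 hours) late, because every run first grinds through a thousand 30-second timeouts, and it discharges the entire backlog inside a single 30-minute window when the host returns. The per-message scheduler delivers unrelated mail with no queueing delay at all, spreads the backlog over several hours, and retries each backlogged message between roughly a dozen and two dozen times across the whole 19-hour outage. The batch runner's lower total attempt count is not a virtue: that runner is starved, spending its time in connect timeouts rather than delivering anything.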


Re: Kirk Enterprises: What's in a name? (Koenig, RISKS-18.30)

Jeffrey Mogul <mogul@pa.dec.com>
Thu, 08 Aug 96 17:50:23 MDT
Andy writes:
   I went to Lycos and did a search for `Kirk Enterprises.'  What
   came back was a flood of references to Star Trek.

Of course, the real "risk" here was that of using the wrong search engine.
I tried "Kirk Enterprises" (the '"'s are significant) in AltaVista, and
got exactly 20 responses, not one of which contained the word "trek".

-Jeff


Novel: Slow River

<Steve_Kilbane@cegelecproj.co.uk>
Fri, 9 Aug 1996 14:16:53 +0100
RISKS readers with a fondness for near-future sci-fi might like to check out
Nicola Griffith's novel "Slow River". Much of the plot is concerned with the
safe operation of a water purification plant, in the face of bad management
and staffing problems.

steve


Re: The increasing complexity of everyday life (Shekerjian, RISKS-18.30)

"Barry L. Brumitt" <belboz@FRC2.FRC.RI.CMU.EDU>
Fri, 9 Aug 96 11:56:40 EDT
Rshek@aol.com asks "What if the electricity and telephones go kablooie at
the SAME time??", and posits that there are a myriad of activities which
human beings can engage in which are independent of these pursuits. However,
it reminds me strongly of an episode of "Connections" by James Burke which I
believe was entitled "Technology Trap." In light of the famous east coast
power outage in the late 60's, he examines carefully what might really
happen if such a disaster occurred.

Comp.risks is for a discussion of the risks from computers and technology. I'd
encourage anyone who is interested in this field who has *not* seen this
episode to seek it out and view it. It's scary, enlightening, and perhaps the
best presentation of how Risky our dependence on technology can be...

Barry Brumitt  Robotics Institute, Carnegie Mellon University

ps. It was originally a BBC program. Videotapes are available. Check your
    local library.


Re: Department of Motor Vehicle records (Ellermeier, RISKS-18.30)

Lauren Weinstein <lauren@vortex.com>
Fri, 9 Aug 96 00:28 PDT
On the matter of Oregon DMV records being made available on the net, news
reports have indicated (I have not checked this personally) that the private
party who put them online has removed them, apparently after a very negative
reaction.

However, this of course does not prevent others from doing so, and the
information already out there on those CD-ROMs can never be recalled (though
the accuracy will of course fade over time).

Of more importance in the long run is the incredibly bad policy of making
that data easily available at all.  Now that use of SSNs for DMV records has
been mandated nationally, easy access to DMV information poses even more of
a risk.

Down here in California, access to DMV records is now severely limited,
prodded mainly by a number of celebrity stalking cases where DMV records
were involved.  Oregonians might consider looking to California for
leadership on this topic.

--Lauren--  Moderator, PRIVACY Forum  http://www.vortex.com


Re: Department of Motor Vehicle records (Ellermeier, RISKS-18.30)

Steven Bellovin <smb@research.att.com>
Fri, 09 Aug 1996 07:27:21 -0400
There has recently been a great deal of outrage about someone putting the
Oregon license plate database on the Internet.  That's not the problem --
the real problem is that the data is available at all.  Many states make
such data available, and there have long been people with complete files of
such things.  The only thing different here is that it was more easily
available to the general public, with a fee.

In fact, more comprehensive services are already on the Web.  It took about
10 minutes with AltaVista to find several similar services, though in some
cases it wasn't clear if they actually did business over the Net, or simply
used it for advertising.

The Web has become a microcosm of our society.  If it's out there, it's on
the Web -- and if it suddenly shows up on the Web, it's probably because it
was already out there, but you didn't know it.

--Steve Bellovin


Re: Department of Motor Vehicle records (Ellermeier, RISKS-18.30)

C. Titus Brown <brown@reed.edu>
Thu, 8 Aug 96 22:19 PDT
While it may be a valid point that the Internet/WWW has not come to terms
with the limits of the freedom, I don't believe that issue can be linked
with the issue of the DMV making records available.

Simply, the DMV _should not_ have made this information available.  Whether
or not "the Internet" should have taken this information and distributed it
in such a manner is beside the point.

It is virtually inevitable that all information not strictly kept under
wraps will make it onto the WWW.  Blaming the WWW (or the Internet) for this
is senseless.

ObRisk: This sort of thought process (blaming the accessibility of information
on the medium used to transport, not the provider) is what leads to things
like the CDA: censorship too late & targeted on the wrong thing.

--Titus


Re: Department of Motor Vehicle records (Ellermeier, RISKS-18.30)

AES <siegman@ee.stanford.edu>
Thu, 08 Aug 1996 17:29:39 -0700
Let me disagree:

1) There are important reasons (law enforcement, traffic accidents)
   for making this information rapidly available to police officers
   down to very low (small community) levels.  Once you do this, the
   information is so easily compromised (I can overhear this kind of
   information on a police scanner any evening) that it's better that
   it be just plain public, and let everyone know that it is.

2) If RISKS 2 and 3 above are the best that can be cited for not
   making such information available, they seem to me pretty negligible.
   When my car is at the airport, several other people and two large
   dogs are likely still at home -- if this thief drives the 30 minutes
   to my house, he'll be pretty disappointed.  "Road rage", especially
   in combination with CD-ROM ownership, I suspect is statistically
   insignificant, if not mostly an urban legend.

3) There are certainly other legitimate reasons for making this data
   available.  If some clever inventor comes up with an add-on that
   will lower the pollution and raise the mileage (currently 12 mpg)
   of my beloved classic '67 Mustang, for example, I'd love to have
   him scan the DMV database and send me a sales message.  One can
   think of many other health and safety as well as commercial reasons
   for being able to find the owner of a car rapidly.


Re: Department of Motor Vehicle records (Ellermeier, RISKS-18.30)

"Kevin Johnsrude" <kevinj@roguewave.com>
Fri, 9 Aug 1996 10:23:04 PST-8
With regard to informational privacy and the state of Oregon's
selling of DMV data, the Cyberspace-Law list indirectly makes a
number of interesting points:

      Consider 4 cases:

     (1) Your local supermarket offers a "No-coupon discount card" for
customers who fill out an application. On the application, you list your
name, your sex, your income, your employment, and the company gives you a
card. Using the card, you then make purchases for the next year.  The
supermarket then compiles the data about your purchases, and sells it to
marketers. You have not been notified that they intend to use the
information like this; nor have you explicitly consented to this use.

     (2) Your credit card company has the same information about you -- you
supplied it when you got your credit card. Imagine it now collects the data
about your purchases, and then sells it to marketers.

     (3) Your local video store keeps data about the videos you rent. It
then sells to marketers your name and address, along with list of films that
you have rented.

     (4) A credit card company enters into an agreement with the IRS, to
report to the IRS people whose spending habits change dramatically. The IRS
then uses that data to help it decide which returns will be subject to
audit.

All four cases raise the problem of *informational privacy* -- the question
of how much control, if any, the law gives you over the collection, and
dissemination, of information about you that you have willingly given over
to someone else. The answer in general is quite simple: Not much. American
law in the main gives individuals very little control over what others can
do with the information collected about them.

     This lack of protection distinguishes American law from most European
democracies.  "Data protection" is an important part of European human
rights law. But with slight exceptions, it is not an important part of our
tradition. The exception is case (3): Because of the outrage over the
publication of Judge Robert Bork's video rentals when he was nominated for a
seat on the Supreme Court, Congress passed the Video Privacy Protection Act
of 1988, which makes it a crime to release individualized data about the
videos any individual may rent or buy.

     At least that part of your "record" is protected: but not what books
you check out at the library, or what your purchases at the grocery store
are, or what movies you use your credit card to buy tickets for. These
remain unregulated by the law.

***
     Consider 4 more cases:

      (1) On a local university network, users can read USENET news stories
-- stories posted on the USENET bulletin boards by users from across the
world. The stories range from discussions of technical material about
computer operating systems, to highly controversial political discussions,
or to discussions about sexuality.  Imagine now that network users can use a
simple command to list all other users logged onto the system at that time,
as well as what those users are doing. If the users are reading news stories
from the USENET news server, then the command will report to the users what
news stories they are reading.

     (2) An activist group is angry about pornography on the net. It decides
to attack the problem in a somewhat unique way. It opens up an erotic web
site, and then as individuals access the web site, the group collects the
information about who accessed the site. On a separate web site the group
then publishes a list: "Known consumers of pornography" and then lists the
information it has about people who have accessed its site. Or imagine the
same case, with slightly different facts: Imagine the activist group is an
anti-gay activist group, and it puts up a web site on resources for gay and
lesbians, and then publishes the lists of who accesses the site. Or an
anti-abortion group, that publishes information about access to abortion
clinics.

     (3) Some World Wide Web browsers collect a list of the web sites that
you have accessed.  This list is kept on your machine. When you access a web
site, the software makes it possible for the web site to read the list of
web sites that you have previously accessed.  Imagine that a web site has
implemented a procedure to read your list of web sites, and then decides
whether to admit you based on what other places you've been. (In a sense,
the system is discriminating in granting access, but what is important for
our purposes is that it is making that discrimination by accessing "your"
information about where you have been.) For example, if it determines that
you don't frequent sufficiently "posh" places, it bumps you; or if it
surmises from your list that you are a Republican, it bumps you.

     (4) As we explained in case (1), USENET is a cooperative that
distributes messages in the form of discussion threads, on a wide range of
topics, to millions of people across the world. People can participate in
these discussions, simply by replying to a particular message. This reply
then gets published across the world, with the email address of the person
replying to the message attached to the reply. Ordinarily, these messages
disappear after a few weeks on the net.  [Not RISKS and many others...  PGN]
But imagine a company starts collecting these messages, and begins
organizing them in a data bank. This company then makes it possible for
anyone, through the Web, to search the database of USENET messages, for a
particular word, or phrase, or for the name of a particular user.  This
search then collects all messages that have that word, or phrase, or name,
and displays the list of messages, along with their senders. The user of
this service can then click on the name of the senders, and get a profile of
all the messages that person has sent. For example the user can discover
that the sender of a particular message has regularly contributed to a
discussion of leftist politics, or a pro-life discussion group, and then
access all of the messages this sender has sent to these groups.

All four of these cases raise no legal problem at all, given the present
state of United States law. Examples (1), (3) and (4) already exist.
(Netscape would support a function like example (3); for example (4), check
out http://www.dejanews.com); we don't know of an example of case (2), but
there is nothing in the law to stop it. Again, as we indicated in our last
message, the law does very little to protect individuals against the use of
data that they make available to others. Each of these 4 cases is just an
example of this same point.

     It is not hard to understand why the law has been so unprotective. For
the most part, historically, it has been relatively difficult to get access
to data like this.  Perhaps one could hire a spy to follow an individual
around and collect information about his habits, or purchases -- no doubt
some people did. But for the most part, people didn't pay much attention,
since it was very costly to pay attention. The dramatic change in data
technology has changed this. Now it is quite easy to collect a vast amount
of data about individuals. More importantly, now it is quite profitable to
collect such data. Cyberspace will only make this more so. We are living in
a time when the law has not caught up with the technology.  While the
inefficiency of technology provided some sort of protection before, now
nothing -- neither law nor inefficiency -- protects us today.

     Do we want protection? Not clear. There are interests that pull the
other way: Some have argued that there is a first amendment right to report
to others true facts they have found out about you. Others have argued that
this information would be a real gain to the efficiency of the market:
Imagine, for example, advertising that was perfectly targeted to those, and
only those, who would be likely to buy a particular product.

***
Cyberspace law WWW page:
             http://www.counsel.com/cyberspace
  --------------------------------------------------------------------
  To SUBSCRIBE to Cyberspace-Law, send a message to
         LISTPROC-REQUEST@COUNSEL.COM
  with the command
         SUBSCRIBE CYBERSPACE-LAW Firstname Lastname
  in the body of your e-mail, (replacing "Firstname" and
  "Lastname" with your first and last names -- or such
  pseudonyms as you prefer).

**** Back to Kevin Johnsrude: Clearly the OR DMV is not doing anything
illegal under the law.  Your phone company does the same thing: when you pay
your US$0.25/month not to get telephone solicitations, you are, among other
things, recompensing your phone company for not *selling on a list* your name, phone
number and address to telemarketers.  Your VISA company also does the same
thing and gives marketers your complete personal and financial profile.

We in the US desperately need better data privacy protection or we will
effectively not have any privacy at all.

--KevinJ

Kevin Johnsrude, Software Design Developer, Rogue Wave Software, 850 SW 35th
St., Corvallis, OR 97333 Email: kevinj@roguewave.com Voice: (541) 754-3010
