The Risks Digest

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Volume 18 Issue 43

Weds 11 September 1996

Contents

o IRS drops Internet tax filing plan
PGN
o RISKS of newspaper publishing
Rachelle Heller via Lance Hoffman
John Schwartz
o Safety of real-time systems (PC versus SPS)
Andreas Huennebeck
o Re: Accidental shootdown of F15 plane revisited
Robert Dorsett
o Lexis-Nexis personal information database
Larry Hunter from Privacy Forum
o Nebraska Automobile Title/Registration Records
Paul W Schleck
o Re: RISK: Dangerous core dumps
James Bonfield
o Re: Locating the position of cellular phones
Peter Campbell Smith
o Re: AOL curbs incoming spams
Fred K Herr
o AOL spamming case and direct e-mail in general
Lance J. Hoffman
o Info on RISKS (comp.risks)

IRS drops Internet tax filing plan

"Peter G. Neumann" <neumann@chiron.csl.sri.com>
Wed, 11 Sep 1996 11:42:11 PDT
The IRS has apparently pulled the plug on its plans for Cyberfile, an
electronic system that would have enabled taxpayers to file their returns
directly without going through third-party service providers.  An earlier
launch of Cyberfile for April 1996 was put on hold when the Government
Accounting Office identified some security weaknesses.  The decision to
abandon the project was evidently made in July.  A GAO report just released
blamed mismanagement and shoddy contracting practices.  It also noted that
the central computer was located in a dusty subbasement of the Agriculture
Department subject to flooding, the computer-room doors had locks installed
backwards (to keep the bad guys in?), and sprinkler pipes were too low.  The
report also observed that use of the World Wide Web (rather than toll-free
direct dialups) represented security problems for taxpayers and for the IRS
alike.  At a 10 Sep 1996 hearing of the Senate Governmental Affairs
Committee considering the Tax Systems Modernization effort more broadly,
Senator Ted Stevens said, "It's an absolute fiasco."  [Source: a *Los
Angeles Times* article in the *San Francisco Chronicle*, 11 Sep 1996, p.A3]


RISKS of newspaper publishing

"Lance J. Hoffman" <hoffman@seas.gwu.edu>
Tue, 10 Sep 1996 19:20:36 -0400 (EDT)
> Date: Tue, 10 Sep 1996 17:14:19 -0400 (EDT)
> From: Rachelle Heller <sheller@seas.gwu.edu>
> Subject: What do you know about the WP Sunday break-in?
> To: hoffman@seas.gwu.edu (Lance J. Hoffman)
>
> Matt tells me that the Style section for Sunday's WP had a break-in and
> someone changed the masthead prior to publication and it was published
> without anyone's knowing it.  [...]

Yep, I have it in front of me, freshly rescued from the recycle bag.  The
Sunday Style Section of *The Washington Post* for 8 Sep 1996 has in its
masthead at the upper right corner of page F1:

  "Published for You by a Large, Uncaring, Conglomerate".

Lance Hoffman


RISKS of newspaper publishing

schwartj <schwartj@twp.com>
Tue, 10 Sep 1996 19:33:23 -0400 (EDT)
The Sunday Style editor, Gene Weingarten, does this every week. It is a
deeply subversive act, but it comes from within.

Weingarten is a deeply twisted man, and a treasure.

Sorry if this disappoints you.

A few favorite previous "ears," as they are called:

 * Mitnick was here
 * 25 Years of Error-Free Journalism
 * It's Not Very Good This Week
 * As Unbiased As the Next Pinko Rag
 * The Only Thing In This Newspaper That is On The Far Right
 * One was printed upside down and it said, "Hey, Why Am I on the Bottom?"
 * Another one printed upside down said, "Number One in Quality Control."
 * Another personal favorite: "Nice Bathrobe."

In fact, 90-95 percent of them are submitted by readers as part of the
ongoing Style Invitational, the *Post*'s weekly, off-color humor
competition.  The Ear author is thanked in the fine print. It's a great
thing -- a big corporation that (at least in one corner of one page one day
a week) laughs at itself.

John Schwartz, speaking only for myself here at *The Washington Post*.


Safety of real-time systems (PC versus SPS)

Andreas Huennebeck <ah@bruker.de>
Fri, 6 Sep 1996 14:12:48 +0200 (MESZ)
In the German newspaper "Elektronik" no. 18/1996 from 3 Sep 1996, intended
for professional electronics hardware and software developers, appeared an
article containing the views of several companies regarding the usage of PCs
(personal computers) running Windows NT versus SPS (Speicher-Programmierbare
Steuerung = programmable control unit) for real-time applications.  One of
the views from the CEO of a company selling PC-based systems said (I
translate and make shortcuts):

   "Regarding the poor safety of a system running under Windows,
    my point of view is that every system has limited safety.
    Even the praised SPS will eventually cease to work - maybe not as
    soon as a PC, but sometime or other there is an end.  But in most
    application cases the safety of a PC based system is high enough."

I think this is a strange kind of safety judgement.

Andreas Huennebeck  Bruker Analytische Messtechnik GmbH  ah@bruker.de


Re: Accidental shootdown of F15 plane revisited (Mills, RISKS-18.42)

Robert Dorsett <rdd@netcom.com>
Wed, 11 Sep 1996 14:04:06 GMT
 > There are several reasons why just airplane disasters are exceptional.

All good reasons.  However, one also has to deal with the political dynamics
of a crash, both good and bad.  The fact is, public safety can be affected
by the results of a crash investigation.  Therefore, to coin an old phrase,
"the public has a right to know."

Even premature information can be accurate, and even, if misleading or
wrong, can have unintended beneficial effects by putting pressure on both
manufacturers and investigators to address specific public concerns.

Examples:

- The early grounding and microscopic probing after the American Airlines
DC-10 crash at ORD in 1979 resulted in everyone in the industry becoming
very familiar with the technical issues at hand.  I doubt if anyone will
ever use a forklift to mount an engine ever again.

- The author of _Unheeded Warning_ notes his concerns (as a pilot) of the
safety of the ATR-72 in icing conditions long prior to the eventual October
1994 crash.  His book notes explicit steps taken to keep the issue alive in
the media and thereby bringing political pressure to bear on the NTSB and
FAA to maintain appropriate perspective in both the investigation and
regulation of the aircraft.  This pressure arguably resulted in FAA mandates
to adjust the design of the anti-ice system on the airplane.  Similar
pressure was absent after a similar crash in 1988 in the Italian Alps.

- Each A320 crash ignites intense discussions on software reliability.  No
A320 has crashed as a result of a flight control system failure, but even
incorrect speculation helps educate budding and practicing software
engineers and discussion of the pros and cons of this implementation, which
reflected the state of the art at the time, will hopefully help encourage a
sense of pragmatism when it comes to installing and developing
safety-critical systems.  In addition, since everyone has a personal
computer these days, and therefore considers themselves experts, USENET
discussions also have the effect of educating the lay public.  An educated
public is the enemy of political and corporate opportunists everywhere.

- I think we can all agree that the microscopic examination of ValuJet will
have the eventual effect of making it the safest airline in the air, even
though the scrutiny is politically motivated and arguably very unfair when
compared to the operational reality of other airlines.  That is, ValuJet
will be safe if the airline isn't driven out of business.

- The NTSB frequently holds open hearings on major crashes.  In at least one
situation recently (in regards to the UAL 737 crash at Colorado Springs)
they invited public comment.  It's difficult for even the technical public
(in this industry, several million people in and affiliated with the field)
to comment if they aren't provided with "premature" factual information.

Lastly, let's keep in mind that the TWA crash, which I suspect may have
helped shape your comments, is kind of exceptional.  It crashed over the
media capital of the United States, and likely of the world.  Individuals
coordinating the "victims' families" press conferences involved members
associated with "victims rights" movements in other contexts, thus imparting
some of their special skills and thus helping influence the political
dynamics of this crash (compare family coverage of this crash with any other
in recent memory).  This extraordinary combination actually resulted in
officials stating that the crash/crime investigation would be put on hold
until bodies were all recovered.  In the mean time, public safety was
potentially compromised as physical evidence was lost: nobody *knows*
whether a bomber might be running around.  In addition, since terrorism
seems very likely, the crash provides a longer-term interest than is typical
for our usual mass-media reporting, which is designed for a 45-second
attention span.

It's a political world, not a technical one.  Unfortunately, the real risk
comes from a cultural propensity to encourage the ignorant to speak loudly
and assertively. That does not mean basic data should be restricted, only
that those who glibly assert expertise from fluff seen on the nightly news
should be shushed.

Robert Dorsett rdd@netcom.com  Moderator, sci.aeronautics.simulation
aero-simulation@wilbur.pr.erau.edu  ftp://wilbur.pr.erau.edu/pub/av


Lexis-Nexis personal information database (PRIVACY Forum Digest 05 17)

PRIVACY Forum <privacy@vortex.com>
Tue, 3 Sep 96 12:01 PDT
 [PRIVACY Forum Digest   Tuesday, 3 September 1996   Volume 05 : Issue 17]

Date:    Tue, 3 Sep 1996 11:22:15 -0400 (EDT)
From:    Larry Hunter <hunter@intr.net>
Subject: Lexis-Nexis personal information database

Lexis-Nexis sells a commercial database called "Ptrax" which holds detailed
personal information on nearly all Americans (L-N claims it contains 300
million names).  This database includes name, current address, up to two
previous addresses, phone number, birth-date, social security number,
mother's maiden name and possible other personal information.  This database
is kept quite current.  Through the Nexis Express service, this information
could be available to any individual with a credit card.

As most readers are aware, such information could easily be used for
theft of identity and other frauds.  It is possible to have one's name
removed from this database by making a telephone request.  Call
(800)543-6862, select option 4 ("all other questions") and tell the
representative answering that you wish to remove your name from the Ptrax
database.  You may also send a fax to (513)865-7360, or physical mail to
LEXIS-NEXIS / P.O. Box 933 / Dayton, Ohio 45401-0933.  Sending physical mail
to confirm your name has been removed is always a good idea.

As word of the existence of this database has spread on the net, Lexis-Nexis
has been inundated with calls, and has set up a special set of operators to
handle the volume.  In addition, Andrew Bleh (rhymes with "Play") is a
manager responsible for this product, and is the person to whom complaints
about the service could be directed.  He can be reached at the above 800
number, selection option 4 and then ask for extension 3385.

The information in this note has been confirmed by me, and was
originally provided in forwarded messages from Russell Whitaker, Jason
Werner, Vern Winters, Katherine Florman and Reuben Snipper.

Larry Hunter  hunter@intr.net

   [For info on Lauren Weinstein's PRIVACY Forum Digest, see
   risks.info or risksinfo.html, or http://www.vortex.com .  PGN]


Nebraska Automobile Title/Registration Records

"Paul W Schleck KD3FU" <pschleck@oasis.novia.net>
Fri, 6 Sep 1996 15:09:57 -0500 (CDT)
Here in Nebraska, automobile titles and registrations are handled at the
county courthouse level by the county clerk's and treasurer's offices.
Residing in the city of Bellevue, I received a renewal notice for a car of
mine that I've owned for a number of years (I bought it for cash, so I've
always had clear title).  Strange thing was, the postcard had already been
returned by the post office as undeliverable, finally reaching me after
being resent.  The name and address on it was:

Sarpy County
(my address)

This was curious, but I didn't think much of it at the time.  Near the end
of the month, I went down to the Sarpy County courthouse in Papillion,
paperwork in hand, expecting this to be a routine renewal.  The clerk at the
renewal counter noted amusingly that my name had been changed to "Sarpy
County."  She apologized for this, saying that they had recently gone to a
statewide system and a lot of records were in error.  She then noticed that
the title number of my last year's registration card did not match the title
number on my renewal notice.  Attempting to look up my records on-line found
that I was not listed as the owner of this car, Sarpy County was.  The date
of the new title was February of 1993.  She called someone at the state and
after a brief phone conversation, turned to me and asked:

"Was this an abandoned vehicle?"

Uh-oh.  Everything suddenly clicked in my mind.  My car was never abandoned,
but I did leave it parked on a city street during snow removal in January of
1993.  Though the street was not a snow emergency route, there is apparently
a rarely-enforced ordinance that cars parked on public streets must be moved
every 24 hours.  Mine hadn't been moved in at least a week (it's an
operational vehicle, I just don't drive it every day), and the small
collection of snow around it made this obvious.  I realized it had been
towed after noticing it missing the same evening after I got home.  After
promptly retrieving the vehicle from the impound lot the next day, I
received a letter in the mail from the Sarpy County Sheriff's office
indicating that the car had been towed and that I had 5 days to claim the
vehicle before forfeiting it to the county.  Concerned, I called the
Sheriff's office and was assured that as long as I had reclaimed the vehicle
such that the county was not in possession of it anymore, I had nothing to
worry about (Physical possession of the vehicle struck me as an obvious
sanity check against incorrectly initiating title claim proceedings against
non-abandoned vehicles.  For some unexplained reason, this sanity check was
not performed).  Operating under this assurance, and easily able to
re-register and (re-insure) my car in 1993, 1994, and 1995, I was happily
oblivious to the fact that the county claimed my title in error almost 4
years ago.  I only became aware of this now, in August of 1996, at the
registration renewal counter after the state finally synchronized its
records.

Armed with this information, I was referred to the title counter, and then
the Sheriff's office, the upshot being that I had to ask the Sheriff's
office to title the vehicle back to me.  Fortunately, they were willing to
do so without any hassles or significant delays.  I signed their "Duplicate"
title as "purchaser" and the Sheriff's office wrote out a $10 check to the
county treasurer (avoiding the insult that would have been added to injury
if I had actually had to pay the title fee as a result of their mistake).  I
now hold an "Original" Nebraska title on my vehicle, once again.  With this
new title safe in my hands, and following good legal advice regarding the
risks of having duplicate, and contradictory, "original" legal documents
lying around, I turned my original "Original" title over to be destroyed.

Identifiable Risky Behaviors:

- There seems to be at least a partial lack of obvious human sanity checks
in the procedures for taking possession of abandoned vehicles.  One would be
whether or not the county is actually *in possession* of the vehicle.  A
corollary to this is, having decided they did own the vehicle, that the
county did not seem to do a reasonable amount of tracking (and auditing
after the fact) regarding the disposition of (alleged) county property,
leaving the status of this vehicle indeterminate for years.  One has to
wonder if the same oversight would have happened if the title said "1996
Mercedes."

- Keeping records in at least two different places, and subjecting them to
inconsistent, and rare updates, is just begging for trouble.  I'm not sure
how long the county and state records were out of whack, but I do know that
I was able to get registration renewals in 1993, 1994, and 1995, even though
the state records indicated that I was not the owner of the vehicle during
that time.  This suggests that at least part of the records have gone
unsynchronized for years.

- The implicit data flow in the old system was correct in principle
(propagate updates from the county level to a central clearinghouse, i.e.
the state, then propagating those changes back downward to the county), and
the move to a new, single, integrated statewide system was an appropriate
one.  However, the apparent inconsistency of, and long delays between,
record updates in the old system created the absurd situation where the
government agencies in buildings less than a few hundred feet apart (the
Sarpy County Sheriff's office, which took possession of the vehicle, and the
Sarpy County Courthouse, which tracked title and registration records) had
dramatically different versions of reality.

Risk Mitigations:

- Any sensible information system should save historical (i.e., "deleted")
records for auditing purposes.  Having historical title records on-line made
it very easy for the employees at the title counter to quickly track down my
old title and determine its disposition (issuance of a new title to Sarpy
County).  The date of the new title (early 1993) connected it in my mind to
the towing incident.

- The new system had an interesting (and perhaps unanticipated) soft failure
mode in that, even though the records showed that the car was not mine, I
still got a renewal notice which reminded me to go down to the courthouse.
I probably would have remembered anyway, but having a mismatch in title
number between my registration card and the renewal notice brought the error
to the attention of courthouse employees more quickly.

and, most importantly:

- Situations like these are often aggravated by customer service
representatives who do not understand that computer-generated data can ever
be in error, leaving the hapless customer to prove that it is incorrect.
Fortunately, the human employees at the Sarpy County Courthouse and
Sheriff's Office understood the limitations of their computer systems,
particularly in light of a move to a statewide system that introduced (or at
least brought to light) a lot of errors.  Sarpy County Clerk Debra
Houghtling, Captain Dan Jackson of the Sarpy County Sheriff's Office, and
many others got personally involved in working out this problem and reaching
a solution within an hour (The car was retitled back to me at no expense,
and minimal effort, within a few days).

Epilogue:

Later discussions with Sarpy County Treasurer Rich James (both by me and by
a friend of mine with courthouse contacts) indicated that this is a known
problem with the new statewide system.  Sometimes the error is with the
government (as in my case), sometimes the error is with the owner (as the
old system tracked driver's license, registration, and title information in
multiple places, and sometimes the motorist forgot to update all of them).
The new statewide system will at least catch these errors, and prevent new
ones from happening in the future.  Though he noted that mine was a rare
case, he did acknowledge that it is possible that similar ones are lying
around in the records and won't be discovered until the motorist tries to
re-register the vehicle.

Warning to Nebraska Residents:

The recent transition to a single, integrated statewide system for tracking
automobile title and registration information has either introduced errors,
or brought to light incorrect title actions and inconsistent updates that
have been lying undiscovered at the state level for as much as several
years.  If the ownership of your vehicle is in *any* doubt (such as if it
was towed like in my example), or you have changed your name or address and
failed to notify all appropriate government agencies, check with your county
courthouse.  Any errors won't be brought to your attention until you try to
renew your registration.  My experiences in Sarpy County seem to indicate
that they will acknowledge the error and promptly correct it with the
issuance of a new title, if necessary (If it was the county's or state's
fault, and you are politely assertive about it, it appears likely that the
agency responsible will pay any fees involved in correcting the records).
Your registration can't be renewed until this new title is received, so go
down early in your renewal month to avoid possible interruption in your
vehicle registration.

Paul W. Schleck  pschleck@novia.net  http://www.novia.net/~pschleck/
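The three failures the post identifies (no possession check before a title claim, two record stores updated inconsistently, and the renewal-notice mismatch that finally surfaced the error) can be replayed as a small model. This is an added example, not code from any Nebraska system; the registries, title numbers, VIN and dates are constructed, and the retained title history stands in for the "historical records on-line" the post credits with making the trace quick.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Title:
    title_no: str
    owner: str
    issued: str     # "YYYY-MM"
    reason: str     # why this title was issued: "purchase", "abandoned", ...

class Registry:
    """One record store (county or state). Title history is append-only:
    superseded titles are kept, so the disposition of any old title can be
    traced later (the 'historical records on-line' mitigation)."""

    def __init__(self, name: str) -> None:
        self.name = name
        self.history: dict[str, list[Title]] = {}   # vin -> titles, oldest first

    def issue(self, vin: str, title: Title) -> None:
        self.history.setdefault(vin, []).append(title)

    def current(self, vin: str) -> Title:
        return self.history[vin][-1]

    def superseded_by(self, vin: str, title_no: str) -> Optional[Title]:
        """Title that replaced title_no, or None if it is current or unknown."""
        titles = self.history.get(vin, [])
        for i, t in enumerate(titles):
            if t.title_no == title_no and i + 1 < len(titles):
                return titles[i + 1]
        return None

def claim_abandoned(registry: Registry, vin: str, county: str, impound_lot: set,
                    date: str, check_possession: bool = True) -> Title:
    """Retitle an impounded vehicle to the county. With check_possession the
    claim is refused unless the county still physically holds the vehicle;
    the procedure described in the post skipped that check."""
    if check_possession and vin not in impound_lot:
        raise ValueError(f"{vin}: not in county possession, title claim refused")
    new = Title(registry.current(vin).title_no + "-A", county, date, "abandoned")
    registry.issue(vin, new)
    return new

def reconcile(county: Registry, state: Registry, vin: str) -> Optional[str]:
    """Compare the current title in two stores. None means they agree; otherwise
    explain the mismatch from the state's retained history."""
    c, s = county.current(vin), state.current(vin)
    if (c.title_no, c.owner) == (s.title_no, s.owner):
        return None
    newer = state.superseded_by(vin, c.title_no)
    if newer is None:
        return (f"{vin}: {county.name} shows {c.title_no} ({c.owner}), "
                f"{state.name} shows {s.title_no} ({s.owner})")
    return (f"{vin}: {county.name} title {c.title_no} ({c.owner}) was superseded at "
            f"{state.name} by {newer.title_no} ({newer.owner}) in {newer.issued}, "
            f"reason: {newer.reason}")

def renewal_mismatch(registration_card: Title, renewal_notice: Title) -> bool:
    """The soft failure mode: the notice still arrives, and a title number that
    differs from last year's card surfaces the error at the counter."""
    return registration_card.title_no != renewal_notice.title_no

def demo() -> dict:
    """Replay the post's sequence of events on constructed data."""
    vin = "VIN-CONSTRUCTED-0001"
    county, state = Registry("Sarpy County"), Registry("Nebraska")
    original = Title("T-1001", "P. Schleck", "1990-05", "purchase")
    county.issue(vin, original)
    state.issue(vin, original)

    impound = {vin}        # towed in January 1993 ...
    impound.discard(vin)   # ... and reclaimed the next day
    try:                   # the missing sanity check, applied: claim refused
        claim_abandoned(state, vin, "Sarpy County", impound, "1993-02")
        refused = False
    except ValueError:
        refused = True
    # What actually happened: no check, and only the state store was updated.
    claim_abandoned(state, vin, "Sarpy County", impound, "1993-02", check_possession=False)
    return {
        "claim_refused_with_check": refused,
        "county_owner_1993_95": county.current(vin).owner,   # renewals still succeed
        "mismatch_at_1996_sync": reconcile(county, state, vin),
        "notice_flags_error": renewal_mismatch(original, state.current(vin)),
    }
```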


Re: RISK: Dangerous core dumps (Abigail, RISKS-18.42)

James Bonfield <jkb@mrc-lmb.cam.ac.uk>
Wed, 11 Sep 1996 09:53:08 +0100 (BST)
If the core file is in a user's own directory then it's almost certain that
telnet crashed, not the server (ftpd). As such a telnet core is likely to
contain buffers of recently typed actions including your password.

It is perhaps preferable for core files to be dumped with mode 600. I don't
know of any systems that will do this without also changing umask for all
your other files.

On a related topic, really crashing the ftpd can also be dangerous. On our
Solaris 2.5 box connecting via telnet and simply typing 'pasv' causes a core
dump to be dumped to the remote system's root directory. This has two effects -
it overwrites any existing core even on systems where you have no login (or
root) access. Secondly it uses more disk space which may have implications for
system logs if they're not on a separate file system.

James Bonfield, Medical Research Council - Laboratory of Molecular Biology,
Hills Road, Cambridge, CB2 2QH, England.  01223 402499  jkb@mrc-lmb.cam.ac.uk
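Since no system of the time would dump cores as mode 600 on its own, the practical check is to find cores that are readable by others and tighten them after the fact. This is an added example, not part of the post: it assumes cores are named "core" or "core.<pid>" (adjust for your system's naming) and builds a constructed home directory to run against.

```python
import stat
import tempfile
from pathlib import Path

def is_core_file(path: Path) -> bool:
    """Match 'core' and 'core.<pid>' (assumed naming; adjust for your system)."""
    name = path.name
    return name == "core" or (name.startswith("core.") and name[5:].isdigit())

def loose_core_files(root: Path) -> list[tuple[Path, int]]:
    """Core files under root that group or others can read, with their mode."""
    found = []
    for p in sorted(root.rglob("*")):
        if p.is_symlink() or not p.is_file() or not is_core_file(p):
            continue
        mode = stat.S_IMODE(p.stat().st_mode)
        if mode & (stat.S_IRGRP | stat.S_IROTH):
            found.append((p, mode))
    return found

def tighten_core_files(root: Path) -> list[Path]:
    """Set every loose core file to mode 0600 and return the paths changed.
    chmod sets the bits explicitly, so the user's umask does not matter."""
    fixed = []
    for p, _ in loose_core_files(root):
        p.chmod(0o600)
        fixed.append(p)
    return fixed

def audit_demo() -> dict:
    """Constructed home directory: two readable cores, one already private,
    and an unrelated file whose name merely starts with 'core'."""
    home = Path(tempfile.mkdtemp(prefix="corecheck-"))
    layout = {"core": 0o644, "core.4242": 0o664, "sub/core": 0o600, "core.txt": 0o644}
    for rel, mode in layout.items():
        f = home / rel
        f.parent.mkdir(parents=True, exist_ok=True)
        f.write_bytes(b"(constructed stand-in for a core image)")
        f.chmod(mode)
    before = [str(p.relative_to(home)) for p, _ in loose_core_files(home)]
    fixed = tighten_core_files(home)
    after = loose_core_files(home)
    return {"loose_before": before, "fixed": len(fixed), "loose_after": len(after)}
```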


Re: Locating the position of cellular phones (Stover, RISKS-18.41)

Peter Campbell Smith <campbellp@logica.com>
Mon, 09 Sep 96 17:41:31 GMT
There is an interesting article in Traffic Technology International, Aug/Sept
96 issue about a system called CAPITAL that uses cellular phone calls as a
probe to monitor road traffic around Washington DC.  It describes an
experiment which has been running for two years and which has demonstrated
that this is an extremely cost-effective alternative to conventional means of
traffic monitoring.

The system is independent of the cellular phone system per se, but has
antennae on the cellular phone masts which listen to the cellular frequencies.
Every time a call is initiated, CAPITAL locates the caller by a combination of
directional multi-element antennae and time-of-arrival analysis between
different masts.  The geographical accuracy is reported to be to about 115m,
and subsequent tracking allows the speed of the vehicle to be established
within 30 to 50sec to an accuracy of 5mi/h.

At any time less than 5% of vehicles are making calls, but this is a
sufficient sample for analysing the traffic speed (though not presumably the
traffic density).  Moreover, when the traffic slows down even more people make
calls, so there is a better density of data from the areas most interesting to
those monitoring traffic flows.

It is claimed that the boxes ignore the voice content of the call and that the
data they deliver has randomly assigned identifiers for each call, so that
nothing leaves the system which would allow calls to be associated with
specific phones.

Peter Campbell Smith, Logica, London, UK  campbellp@logica.com


Re: AOL curbs incoming spams (RISKS-18.41 et al.)

"Herr, Fred K TR" <FKH1@trpo6.tr.unisys.com>
Wed, 11 Sep 96 10:39:00 EDT
The judge's injunction to prevent AOL from interfering with the subject
spams seemed to rest on a comparison of free speech expressed via the USPS
as against free speech expressed via on line message services, with the
assumption, pending at least until the trial in November, that there is no
essential difference.

There is, of course, a significant economic difference - which may have
no relevance in discussing the constitutional issues - but which
highlights a risk of computer and network technology to itself and its
users.  The risk is that the rapid reduction in costs and rapid growth in
capability changes the economic balance so quickly that the system's
stability, even survival, is dependent on the good manners (or common
sense) of its user community until the entire system evolves to a new
state of economic equilibrium.

Free speech via the USPS is anything but free, in the financial sense.  The
junk mail that I so readily send to the trash-to-steam plant without opening
has at least four real financial costs associated with it.  A payment to the
postal service to deliver it.  Payment to a printer to produce it and
deliver it to the postal service.  Payment to a mailing list provider so it
can be sent to a real address.  And payment of the costs related to creating
the content (text and graphics).  Thus the sender spends a few dozen cents
to a few dollars to irritate me for a second and generate an ounce of steam.

The spam advertiser, on the other hand, may have to bear some creative
expense, but the other three costs are practically zero (divide a modest
network access fee by a few million messages).

The paper mailer has to carefully balance the costs of "free speech" against
the profit expected to result, and he is using a resource that is in
equilibrium, more or less balancing the postal rates against the people and
tools needed to handle a predictable volume of paper.  The spammer has no
concern for balancing cost against profit - the potential profit of each
additional message delivered is always greater than the minuscule
incremental cost of the additional message.  But the risk to the delivery
system becomes quite large as the load rapidly exceeds the service capacity
that assumed good manners would be the norm.

To restore equilibrium perhaps the delivery system could learn to recognize
spams.  When it does, it could credit the account of each receiving mailbox
with a few cents, and debit the sender's account a similar amount.  If
spammers can still figure out how to make a profit in this new environment,
well at least the rest of us will pay less for access, and we may even make
a profit if we receive enough junk mail.

Oops!  That will tip the equilibrium the other way as individuals start
getting multiple mailboxes in hopes of attracting lots of junk e-mail.

Fred Herr  fkh1@trpo6.tr.unisys.com


AOL spamming case and direct e-mail in general

"Lance J. Hoffman" <hoffman@seas.gwu.edu>
Wed, 11 Sep 1996 07:19:13 -0400 (EDT)
For those who wish to see some of the key players in action, a videotape of
the following event is available for $50 from GWTV (The George Washington
University TV station) (attn Paul Caffrey, GWTV, 801 22nd St NW, Washington
DC 20052, 202 994-8233).  While the discussion is now a year old, the
passion of the players is captioned on tape (or the non-passion in the case
of the computer-impaired lawyer from the DMA).  It might be of interest to
some RISKS readers.  Those in the Washington area might consider coming to
the seminar series this year (third Tuesdays of each month, info at
http://www.cpi.seas.gwu.edu/Activities/)

Lance Hoffman

       CONSUMER RIGHTS WITH DIRECT MARKETING ON AND OFF THE INTERNET:
       DOES JUNK (E-)MAIL REALLY BYTE?

       Panel Discussion, 21 Nov 1995
       Marc Rotenberg, Electronic Privacy Information Center
       Ram Avrahami, Concerned Consumer
       Sanford Wallace, Promo Enterprises
       Robert Sherman, Direct Marketing Association
