The RISKS Digest
Volume 18 Issue 50

Thursday, 3rd October 1996

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator



E-mail scam from "Global Communications"
Vanity E-Mail Bugs College Administrators
Edupage via Dave Farber
Rhode Island "Disgruntled employee" arrested for "e-mail virus"
Lee Rudolph
ACLU Files Suit Against Georgia Internet Law
Clinton Okays Encryption Plan with Key Recovery System
Bellcore Warns Smart Cards Are Vulnerable
More side-effects from the Palo Alto power outage
The new UK air traffic control system
Brian Randell
Re: RISKS of temporary change-of-addresses
William K McFadden
Two recent occurrences: ATM, change of postal address
Philip H. Smith
Re: Postal change-of-address on-line
Watch your return address
Erann Gat
Queensland Police put Wanted Poster on the Web
Boyd Roberts
Getting scarier all the time
Erann Gat
Heart monitoring software
Bill Ragland
Tim Pietzcker
Steve Kilbane
More on Java security: see JavaSoft Forum
Marianne Mueller
Computerization and Controversy: Value Conflicts and Social Choices
Spring Forward, Fall Back — but not just yet
Martin Minow
Airliner interference from a COMPAQ mouse, revisited
Paul Oldham
Advance Bank offers Internet Banking
Boyd Roberts
CFP Workshop on Formal Methods for Industrial Critical Systems
Diego Latella
Info on RISKS (comp.risks)

E-mail scam from "Global Communications"

"Peter G. Neumann" <>
Thu, 3 Oct 96 9:00:34 PDT
Another e-mail scam has appeared, informing you as a would-be victim that
you have "only 24 hours to settle your outstanding account" and suggesting
that you can call an 809 number to avoid subsequent court action.  The call
goes to a Caribbean telephone company (apparently in Tortola in the British
Virgin Islands) and costs you $3 to $5 (and presumably more if you are dumb
enough to hang around for their strategy of putting you on hold with a
sequence of creative recorded messages).  The FROM: address "Global
Communications" is BOGUS.  This is a cheaper variant on a recent
809-900 pager scam, which costs you $25 if you return the call.  [Source:
*San Francisco Chronicle*, 3 Oct 1996, A2.]

Vanity E-Mail Bugs College Administrators

Dave Farber <>
Tue, 24 Sep 1996 21:34:23 -0400
A new e-mail service offered by New Century Technologies gives customers an
e-mail address sporting a prestigious university domain name for $25 a year.
The customer, who must have a valid e-mail address somewhere else, then
receives mail addressed to, or whatever school is chosen. The
vanity address closely resembles the real thing, except it ends in .com
instead of .edu.  The universities aren't happy about the impersonation:
"You can't assume people understand that the address isn't affiliated with
the university somehow," says Florida State's director of Web development. A
member of Georgia Tech's licensing committee is even more adamant: "They
can't do that.  People can't sell anything over the Internet and use our
name without paying us royalties.  We will fight this."  (*Chronicle of
Higher Education Academe Today*, 19 Sep 1996) [This evidently came from
Edupage.  PGN]

Rhode Island "Disgruntled employee" arrested for "e-mail virus"

Lee Rudolph <>
Wed, 2 Oct 1996 06:55:00 -0400 (EDT)
Denise M. Johnson works for Aerotek (under subcontract from EDS) as a PC
help-desk troubleshooter for Textron Corp.  Textron is accusing her of
planting a virus that caused them to lose all computer data for 15 hours
beginning at 11 p.m. on 16 Sep 1996 and shutting down their system.  She
says she is innocent of the charge and attributes the allegation to ``office
politics.''  She also noted that Textron's computers had been struggling
with computer viruses for months and that the system crashed the same week
she was accused of the crime.  An investigation is in progress.  ``The virus
was already in the system,'' she said.  [Source: Jonathan Saltzman,
Computer Expert Faces Charge of Putting Virus in Textron's System,
*Providence (R.I.) Journal-Bulletin*, 1 Oct 1996, page 1, PGN Abstracting]

ACLU Files Suit Against Georgia Internet Law (Edupage, 26 Sep 1996)

Edupage Editors <>
Thu, 26 Sep 1996 19:04:53 -0400 (EDT)
The American Civil Liberties Union has filed suit in federal district court
in Georgia, challenging a new law that makes it illegal for organizations to
"fraudulently misrepresent their Web site as that of another organization,"
says Representative Don Parsons, who sponsored the Georgia bill.  The law
also prohibits anonymously sending e-mail in some circumstances.  Parsons'
critic, Rep. Mitchell Kaye, says, "We've chosen to regulate free speech in
the same manner that communist China, North Korea, Cuba and Singapore have.
Legislators' lack of understanding has turned to fear.  It has given Georgia
a black eye and sent a message to the world — that we don't understand and
are inhospitable to technology."  (*Wall Street Journal*, 25 Sep 1996, B1)

Clinton Okays Encryption Plan with Key Recovery System (Edupage)

Edupage Editors <>
Tue, 1 Oct 1996 20:49:33 -0400 (EDT)
Attempting to compromise with critics of its "key escrow" approach to data
encryption, the Clinton Administration now plans to begin allowing U.S.
computer companies to export software using powerful encryption codes (or
"keys") up to 56 bits long.  However, the government will require those
companies to develop, within two years, a "key recovery" system allowing
U.S. law enforcement or anti-terrorist groups armed with a search warrant to
get the key from the several third-party companies, each of which would hold
one part of the key.  IBM and some other large companies are supporting the
plan, but other companies are expected to oppose it.  The system will be
successful only if the Administration can convince other countries to adopt
the same kind of system.  (*The New York Times*, 1 Oct 1996 C1; Edupage, 1 Oct

   [There is a huge amount of netspace devoted to this topic in the past
   two days.  It is likely to generate much discussion, although many of
   the basic arguments are made in earlier issues.  I include the Edupage
   item to remind us to dig for it.  PGN]

Bellcore Warns Smart Cards Are Vulnerable (Edupage, 1 Oct 1996)

Edupage Editors <>
Tue, 1 Oct 1996 20:49:33 -0400 (EDT)
Researchers at Bellcore have discovered that applying heat or radiation to a
smart card's embedded chip can make it vulnerable to reverse engineering,
allowing the data on the chips to be stolen.  Michael Smith, director of the
Smart Card Forum, discounts the researchers' findings, however.  He points
out that smart card transactions require security passes by several systems,
not just those on the card itself, and that exposing the card to heat or
radioactivity would not result in repeatable faults, which would be needed
for reverse engineering.  "If what Bellcore says is right, that would mean
you could bake 10 personal computers, turn them on, run a spreadsheet, and
each one would show two plus two equaling five," says Smith.  (*Investor's
Business Daily*, 1 Oct 1996, A8)

  [The researchers are Dan Boneh, Richard A. DeMillo, and Richard J. Lipton.
  Their work is fascinating, and provides another wonderful reminder of how
  difficult the security problem is.  An article by John Markoff in *The New
  York Times*, 26 Sep 1996, C1, seems more informative.  The Smith quotes
  are evidently inaccurate.  Repeatable faults are not required.  Baking
  computers is not required.  Stay tuned for the full article, which is due
  out imminently.  PGN]

More side-effects from the Palo Alto power outage

"Peter G. Neumann" <>
Mon, 30 Sep 96 15:09:33 PDT
One more effect of the 10 Aug 1996 west-coast power outage has come to light
in a letter from Sloane Citron of Menlo Park, published in the *Palo Alto
Weekly*, 18 Sep 1996.  When the lights went out, a standby generator kicked
in at the Cable Co-op transmitting point (the ``headend'').  Batteries kept
their phone service working, although their shared answering service was
seriously overloaded.  Finally, the batteries ran out on their phone switch.
When power was restored, the cable system had to be brought back on line,
although the knowledge of which customers were affected was not available
because the phones were out.  Meanwhile, back at the headend, the circuit
board that normally scrambles the Playboy Channel was fried — despite surge
protection.  Sloane Citron's letter on behalf of Cable Co-op apologized to
those cable viewers who were offended by having received the Playboy Channel

  [Also known as raw video.  I hope no lawyers tried on a surge suit.  PGN]

The new UK air traffic control system

Brian Randell <>
Tue, 1 Oct 1996 23:14:56 +0100
The *Daily Telegraph* 1 Oct 1996 contains an article entitled:

  "When Failure is Out of the Question"  by Paul Forster

Quoting, admittedly *very* selectively, from the article (which is approx.
600 words long):

National Air Traffic Services Ltd., part of the Civil Aviation Authority, is
close to completing a new (pounds)300 million centre at Swanick . . .  "It's
all digital and probably the most advanced ATC setup anywhere," says Dr John
Barrett, the Swanick project director, almost nonchalantly. "It's so complex
I have difficulty in explaining it even to my board," he says.  Throughout,
safety is paramount. The whole system is made up of networked workstations
rather than a central mainframe, so there is no single point of failure. . .
The system totals roughly two million lines of software, but like most
software it is behind schedule and is still being debugged .  . . Operations
are not now due to begin until the winter of 1997 . . .  "With ATC it's
obvious that we simply have to remove all the faults in the code, and we are
now working 24 hours a day, seven days a week," says Barrett. "Our
over-arching requirement is that the system has to be completely safe."

How reassuring!

Brian Randell, Dept. of Computing Science, University of Newcastle,
Newcastle upon Tyne, NE1 7RU UK +44 191 222 7923

Re: RISKS of temporary change-of-addresses

William K McFadden <>
26 Sep 1996 16:17:37 GMT
Simson Garfinkel related the problem he experienced with a temporary change
of address.  I had a similar problem when my ex-wife moved out and filed
permanent change-of-address forms for herself and our two-year-old son, of
whom she had been awarded custody.  Unfortunately, my son's name differs
from mine only by middle initial.

For the last five years I have had nothing but trouble as a result,
including my and my father's mail being delivered to my ex-wife's address;
companies I do business with continually having the wrong address in their
records, in spite of numerous attempts to correct it; and my voter
registration being changed without my approval.

The risks of using change-of-address forms are many.  For example,
erroneous change-of-address data that continues to live on, long after it
has been purged from post office systems; the inability or unwillingness of
organizations to determine the age of change-of-address data, so that
erroneous data continually displaces newer, corrected information; and
governmental organizations changing registration records without direct,
written notification from the party(ies) involved.

Bill McFadden   Tektronix, Inc.  P.O. Box 500  MS 50-350  Beaverton, OR  97077     (503) 627-6920

Two recent occurrences: ATM, change of postal address

PHILS@RELAY.RELAY.COM (Philip H. Smith III, (703) 506-0500)
Thu, 03 Oct 96 09:12:15 EDT
A friend was at his grocery store, using his MOST card to buy about $150.xx
of groceries.  He wanted $30 cash, so he keyed in $180.xx.  When he ran the
card, it said "Daily limit exceeded".  Which was wrong, as he'd not used the
card at all that day.

He tried again without the extra $30, and it worked.

He then went over to the ATM to try to get the $30, and decided to get $100
instead.  It said "Daily limit exceeded".  He tried $30, and it said "Daily
limit exceeded."

The next day, he of course called his bank to find out what was up.  They
looked at it, and found that *every one of the transactions* was recorded as
having been successful — so they'd deducted several hundred dollars more
from his account than he'd received.

Not a friendly failure mode.  He's still working on getting it
straightened out.

The second item is from a web page, <>.

It *looks* as if you can now forward anyone else's mail without ever having
to set foot in a Post Office.  A friend found this while looking for online
forms, to save him time, as he *was* moving; he used this form, and it sent
back e-mail "to confirm".  This doesn't appear real secure, although not
having tried to use this facility fraudulently, I can't be sure that there
isn't some additional level of checking.  (And for those who say "Hey, don't
spread FUD if you're not sure" — well, the fact that I can't *tell* is a
problem in and of itself, eh?)


Re: Postal change-of-address on-line (Smith, RISKS-18.50)

"Peter G. Neumann" <>
Thu, 3 Oct 96 8:03:31 PDT
This is an old problem whose electronic reemergence represents a serious
potential escalation.  The U.S. Postal Service folks in charge of on-lining
the USPS have insisted that this problem would go away in the new system,
but evidently it may have worsened.  Perhaps we need to flood them with
requests to DISABLE ENTIRELY the ability to change our own addresses
electronically or by postcard, requiring in-person or electronically
certified requests (the USPS is now testing its entry into this business!),
but it is likely to take a lot of requests before anyone will listen.  By
the way, the web page Philip Smith cites indicates that signing the
change-of-address form certifies legitimacy of the request, and notes that
anyone submitting false or inaccurate information is subject to punishment
by fine or imprisonment.  Given the ease of spoofing e-mail addresses, that
is not likely to provide a sufficient disincentive.  There have already been
vastly too many scams (many untraceable) perpetrated using the old manual
approach.  Caveant omnes.

Watch your return address

Erann Gat <>
Fri, 27 Sep 1996 23:34:11 -0700 (PDT)
Today I got a message from David Jones (, names changed to
protect the guilty) with whom I correspond regularly.  David has a unique
writing style and signature that would be impossible to reproduce by
accident.  It was only after I sent him a response that I noticed that this
message was not from David after all, but from someone I'd never heard of,
John Smith (

Without thinking the situation through all the way I dashed off another
note to John Smith asking him essentially who the hell he was and what he
was doing impersonating my friend Dave.

Of course what happened was that Dave had been using a public Netscape
browser that John Smith had at some earlier time configured for himself.
David (who has a Ph.D. in nuclear physics, not a dumb guy) didn't know
that you could even do that.  He just assumed that the computer had some
way of figuring out who you were and that you couldn't change it.  The
computer on his desk always does the Right Thing automagically, why
wouldn't the one in the Library?

So John Smith, who has never heard of me or David Jones, now has two very
cryptic e-mail messages from me: my original reply to David, and my
subsequent inquiry into John's identity.  And David is wondering why I am
taking so long to reply to his e-mail.

What is astounding about this mess is not only the sheer number of errors
that had to be made in order to bring it about (four - John Smith not
removing his personal e-mail configuration from the public computer, David
Jones not reconfiguring the program before using it to send e-mail, my not
checking the From address in the message, and my not thinking the situation
through before sending my second reply) but also how utterly easy it was for
all those mistakes to be made.  In fact, for *all* these mistakes to occur
is the *natural* evolution of events in the presence of Netscape running on
a publicly accessible machine.  To eliminate *any* of these mistakes
requires considerable effort and knowledge.

The risk: when you reply to an e-mail message you are *not* necessarily
replying to the person who wrote it.  You could be sending mail to a
complete stranger through a completely innocent, and potentially very
common, set of circumstances.

Erann Gat

Queensland Police put Wanted Poster on the Web

Boyd Roberts <>
Thu, 3 Oct 1996 10:17:45 +0200
After reading an article in the Sydney Morning Herald regarding the
theft of a laptop from a shop and subsequent death of the shop's owner
[] I checked
out the Web page with the wanted poster for this crime, issued by the
Queensland Police [].

It's certainly an inspired way to catch this guy, but the thing that
strikes me is the RISK of the site being hacked [RISKS 18.49: CIA
disconnects home page after being hacked] or the DNS being spoofed and
some random person's picture replacing the bad guy's.  Not to mention
the ease with which copies of such 'wanted posters' could be made.

I'm sure someone will point out that this sort of thing would be
resolved when the bogus information was given to the Police.  I am
skeptical because it wouldn't be the first time that a wrong
person/address mix up has occurred, sometimes with dire consequences.

Getting scarier all the time

Erann Gat <>
Mon, 30 Sep 1996 16:10:47 -0700 (PDT)
Today my doctor sent me to the HMO's lab to have some blood drawn.  After
jumping through the usual hoops (put the form in the slot, hand over the ID
card, sign here, sign there) I was called in and seated in the little room
with racks of empty vials on the wall.  Twenty or so minutes passed, which
seemed a little unusual, so I got up to find out what was causing the delay.
I found the lab technician in another room looking at a computer screen.
When I asked him what was going on he responded that he was unfamiliar with
the procedure for one of the tests my doctor had ordered, and was having
some trouble getting the instructions from the computer.  No, there was no
one else around whom he could ask.

Be afraid.  Be very afraid.  Erann Gat

Re: Heart monitoring software (Garrison, RISKS-18.49)

"Bill Ragland" <>
Thu, 26 Sep 96 11:53:35 CST
Jim Garrison's <> description of an incident with heart
monitor software in RISKS-18.49 omitted to say whether either the nurse or
doctor took a pulse before ordering a confirming ECG to determine if the
heart monitor was inaccurate.  If this was the case, it points out another
risk not confined to computers, that of immediately attempting a "high-tech"
solution to a problem when a "low tech" solution was at hand.  Often the
"low tech" solution offers results that are more intuitive and easier to

Bill Ragland

Re: Heart monitoring software (Garrison, RISKS-18.49)

Tim Pietzcker <>
Thu, 3 Oct 1996 08:31:39 +0200 (MET DST)
I'm referring to the recent posting about the safety of medical monitoring
devices. Or better, about the failure of people to read these properly.
First of all, as the poster said, they are no EKG (ECG if you're British)
replacement. They are only used to diagnose disturbances of the heart's
rhythm or frequency. Of course, if somebody switches the display to half
speed, the spikes will still appear at the same rate which really is obvious
(should be).  Second, during an exercise situation it may be very difficult
for the monitor to pick up the correct frequency because of all the
artifacts generated by movement of the electrodes.  On the other hand, the
monitors are smarter than you might think from watching Arnold's latest
movie "Eraser": No monitor I've seen would respond to disconnection of an
electrode by showing a flatline EKG, so this "risk" is fictitious. What's
more, no nurse or doctor would (should?) shock a patient who is moving about
and protesting, only because his EKG is flatline.  Moral: With all the
machines we doctors get, we still have to think.


Re: Heart monitoring software (Garrison, RISKS-18.49)

Thu, 26 Sep 1996 09:05:18 +0100
So it was the triggering condition that was wrong, not that the trigger
caused an audible alarm. Sigh.

> She immediately went into "emergency mode", ...

This sounds quite good to me, actually, although not necessarily for the
reasons implied. Ok, so it seems that a mistake was made, and was luckily
detected before damage occurred. On the other hand, the nurse was acting as
though a serious, time-critical problem existed, and moved to handle that
problem, rather than wasting time checking the equipment - how often does
RISKS carry tales of operators not believing that the situation was as bad
as indicators claimed? Also, a sanity check was applied, *after* events were
set in motion, but *before* damage was done.  Personally, I would have
thought a quick sanity-check with a stethoscope might have been appropriate,
but I'm not in the medical profession, and don't know how effective it would
have been.


More on Java security: see

Marianne Mueller <mrm@Eng.Sun.COM>
Sat, 28 Sep 1996 12:06:58 -0700
RISKS readers are well aware of the difficulties inherent in trying to
achieve strong security.  JavaSoft is trying to increase general awareness
of these problems relating to Java and related approaches, and has begun
a series of forums that should be of considerable interest to many of you.

The first forum was on the topic of ActiveX and Java.  The second forum is
on the topic of security, and started running last week.  You can find it at .  (Follow the link from the top level page.)

We're now hosting the second in the series of online Forums, and are
inviting experts to comment on an opening statement from JavaSoft.  We will
publish statement and comments on our web page, and invite comments from the
Internet community at large.

We are interested in feedback and comments.  One thing we're hoping to do is
to raise the level of commentary about security, because we feel that
security is really an architectural issue, not a black-and-white-checkbox
kind of issue.  We recognize there are things that need to be fixed and
we're working on that from an architectural or fundamental point of view.

Check out the Forum and send us your comments.  We can't personally answer
all the comments, but we plan to publish a subset of the feedback we get in
a follow-up Forum.

Marianne Mueller

Computerization and Controversy: Value Conflicts and Social Choices

"Peter G. Neumann" <>
Mon, 30 Sep 96 14:46:30 PDT
  Edited by Rob Kling
  Computerization and Controversy: Value Conflicts and Social Choices
  Second Edition
  Academic Press, San Diego CA, 1996

The second edition of Rob Kling's book contains 78 articles with a wide
variety of views representing a spectrum of authors, many of whom are
familiar to long-time RISKS readers.  The parts of the book are as follows:

  I.    Heads Up! Mental Models for Traveling Through the Computer World
  II.   The Dreams of Technological Utopianism
  III.  The Economic, Cultural, and Organizational Dimensions of
  IV.   Computerization and the Transformation of Work
  V.    Social Relationships in Electronic Forums
  VI.   Privacy and Social Control
  VII.  System Safety and Social Vulnerability
  VIII. Ethical Perspectives and Professional Responsibilities
        for Information and Computer Science Professionals

There is much provocative thought in this collection, with a lot
more than just a little something for everyone.

Spring Forward, Fall Back — but not just yet

Tue, 1 Oct 1996 12:02:10 +0200
The biannual daylight savings time confusion began this weekend in Sweden.
When Sweden joined the EU (Common Market), it changed the fall changeover
from the last weekend in September to the last weekend in October to conform
with the rest of Europe.

Unfortunately, a few hundred thousand Windows '95 machines were not
informed of the changeover and, following pre-programmed instructions,
switched on the old schedule.

This is, of course, one small example of a much more difficult problem:
there is no obvious way to pre-program daylight savings time changeover
in a way that is sufficiently robust to withstand government intervention.
(My favorite example is Arizona, where federal land changes, but state
land remains on mountain standard time year around.)

Martin Minow

Airliner interference from a COMPAQ mouse, revisited (revisited!)

Paul Oldham <>
Tue, 01 Oct 1996 09:57:32 GMT
In RISKS-18.45 Mark Brader forwarded an article originally posted by Dewayne
Matthews in sci.aeronautics.airliners. In it Dewayne, commenting on a
previous post that RFI interference with airliner systems is based on
unsubstantiated anecdotal evidence goes on to give exactly the same sort of

A valid reading of the episode is that the MD88's glass cockpit crashed for
some unspecified reason and started to quietly re-boot.  The pilot assumed
RFI interference from PCs (he'd heard those anecdotes too) and got the only
PC on board which was on turned off.  Meanwhile the cockpit had completed
its re-boot, entirely unrelated to the PC.

So yup, it's just another anecdote proving precisely nothing, except perhaps
that pilots listen to these stories too.

PS: meanwhile back in the real world of RFI interference I wonder if it's
occurred to the airlines that many PDAs are actually all the time in standby
mode and produce RFI. Just try putting an AM radio next to your PDA and

Paul Oldham  Milton, Cambridge

Advance Bank offers Internet Banking

Boyd Roberts <>
Thu, 3 Oct 1996 18:21:53 +0200
I'm not really sure if these guys really know what they're doing, but the
Advance Bank in Australia has offered Internet Banking:

It claims to use RSA and IDEA for encrypting the traffic between a
PC based client and the server.

The RISKS?  Where can I start?

They currently don't offer a Java version, but they say:

  Will a Java Version be released?

    Not for a while. While Advance Bank is often seen to be an "early
    leader" in new technology, Java is not yet a released product, nor are
    the security aspects finalised to our satisfaction. We'll keep a close
    eye on it, though.

"early leader?"  Ahh... bleeding edge?

CFP Workshop on Formal Methods for Industrial Critical Systems

Diego Latella <>
Wed, 2 Oct 1996 12:51:20 +0200 (MET DST)
The Second International Workshop on Formal Methods for Industrial Critical
Systems will take place in CESENA (Italy), 4-5 July 1997, close to Bologna
(Italy) as a Satellite Workshop to the 24th International Colloquium on
Automata, Languages, and Programming, sponsored by ERCIM Working Group on
Formal Methods for Industrial Critical Systems, University of Bologna, CNR /
Ist. CNUCE - Pisa, CNR / Ist. Elaborazione dell'Informazione, Pisa
Dependable Computing Center.

More information can be obtained from

S. Gnesi - CNR/IEI - Pisa (IT)
D. Latella - CNR/CNUCE - Pisa (IT)
L. Simoncini - Univ. of Pisa and CNR/CNUCE - Pisa (IT)
