The RISKS Digest
Volume 18 Issue 53

Thursday, 17th October 1996

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Please try the URL privacy information feature enabled by clicking the flashlight icon above. This will reveal two icons after each link the body of the digest. The shield takes you to a breakdown of Terms of Service for the site - however only a small number of sites are covered at the moment. The flashlight take you to an analysis of the various trackers etc. that the linked site delivers. Please let the website maintainer know if you find this useful or not. As a RISKS reader, you will probably not be surprised by what is revealed…


Stolen computer contains ophthalmology certification exam
Computers miss $1.2M in ATM withdrawals
Jack Fenner
Microsoft AGAIN distributes Macro Virus
Klaus Brunnstein
Re: Rats take down Stanford and Silicon Valley Internet
Arthur P. Smith
Health Info Database Misused
Duane Fickeisen
Risks of not understanding the system
John Stewart
RISKS of just having a name!
Nick Brown
Telephone Switch Cutover Problem
Paul J. Mech
Re: Maybe your secure Mac isn't as secure ...
Jon Callas
Re: Another Mail-Forwarding
Tony Lima
Risks of not including manual overrides: not a computer risk!
Jerry Leichter
The Year-2000 Crisis
Announcement: Year-2000 Software Crisis Conference
Hawkins Dale
Info on RISKS (comp.risks)

Stolen computer contains ophthalmology certification exam

"Peter G. Neumann" <>
Wed, 16 Oct 1996 8:06:24 PDT
A laptop disappeared from a ``high-security'' suite in the San Francisco
Palace Hotel while board examiners were out of the room for an hour in the
morning of 15 Oct 1996.  The laptop contained the questions for one segment
of the national oral exam for doctors seeking ophthalmology certification.
The hotel suite was reportedly accessible only by using one of six access
mag-stripe cards, with the claim being made that hotel personnel could not
possibly have had any access to the rooms.  [Source: *San Francisco
Chronicle*, 16 Oct 1996, A15]

  [Now, why is it that cleaning personnel generally get in to hotel rooms
  for which you are told your unique registration-time-generated mag-stripe
  access code gives only you access?  Ah, yes, RISKS readers probably won't
  believe that there could not have been any master-key cards, or emergency
  overrides, or other access modes such as creating a new access card from
  the front desk, or somehow triggering the door release electronically
  with an out-of-band signal!  So, was this merely the theft of a $5000
  laptop?  Or an attempt to eye the exam?  (An-eye-for-an-eye-exam?)  PGN]

Computers miss $1.2M in ATM withdrawals

Jack Fenner <>
Mon, 14 Oct 1996 21:03:39 -0600
The local paper here in Colorado Springs has had a series of articles about
a "massive computer glitch" affecting 12,000 customers of a local credit
union.  Ent Federal Credit Union recently announced that it was about to
subtract a total of $1.2M from the accounts of its members because, for over
a year, multiple identical ATM withdrawals on the same day were incorrectly
processed.  Only the first withdrawal was charged to the account.  People
without enough money in their accounts to cover what Ent decides they owe
will be offered loans (at prevailing interest rates, of course).  Ent blamed
the problem on a "computer conversion" by the company that services its
automatic teller transactions.

Naturally, some people are upset and are moving money out of their accounts.
The NCUA, which insures credit unions, is investigating, and (before they
had a chance to actually investigate anything) gave Ent a clean bill of
health and said it was in no danger of being closed.  A variety of experts
have been interviewed by the newspaper, and all express astonishment that it
took so long to be discovered (but curiously are not surprised that it
happened in the first place).  Ent says it has no choice but to collect the
money because absorbing the loss "would wipe out nearly three months'
profit".  Ent is asking its internal auditor, Arthur Andersen, to "fully
investigate the incident."

Also, newspapers have reported that many people reported the problem to Ent
over the past months, and were ignored.

Besides the obvious risks of potentially uncollectable losses, disgrunted
customers, and lost interest due to the time lag in charging accounts, there
are a variety of other risks.  Separate investigations by the NCUA and
Arthur Andersen must be time consuming and expensive.  Lawsuits are a
possibility (if the computer is wrong about deducting multiple charges, why
should we believe it about the charges in the first place?).  Then there is
the increased call for more federal oversight of credit unions in general
and Ent in particular.  Finally, there is the nightmare scenario: people
decide that Ent is not safe enough for their money, and start a run on the
credit union.  Ent claims that while some money has moved out since the
announcement, it is not a significant portion of their $1B in assets.  Even
assuming that's true, I'd say it leaves them with no margin of error for
future problems.

Jack Fenner,  Colorado Springs

Microsoft AGAIN distributes Macro Virus

Klaus Brunnstein <>
Mon, 14 Oct 1996 16:02:16 +0200
On ORBIT, a Swiss IT exhibition (held in Basel last week), Microsoft
distributed a CD-ROM with a document (including German hotline numbers)
infected with WAZZU.A Word Macro virus. Even when MS officials were made
aware of this virus, the CD-ROM was continued to be distributed. At the same
time, this infected document was also available for downloading from
Microsofts Swiss Internet site, for several (at least 5) days after MS was

MS experts at the exhibition said that this virus was "harmless". Indeed,
WAZZU.A just interchanges (with probability of 1/5th) 2 randomly selected
words in a document, and with a lesser probability, it inserts strings

Any Risk in Microsoft behaviour and attitude? "WAZZU" is a harmless string
(does not delete anything :-), and random interchange of 2 words may even
improve readability of texts :-). So, what risk?

Klaus Brunnstein (October 14,1996)

PS: For those with short memory: Microsoft was that company which released
the first non-theoretical Word Macro virus, when it distributed, in July
1995, several CD-ROMs (dedicated to Windows 95 proliferation) with documents
infected with Word.Macro.Concept (now .A). Until then, this was just a
theoretical threat discussed first by Prof. Harold Highland back in
1989/1990. Since Microsoft`s pioneering work, almost 70 Word Macro viruses
have been detected (plus one EXCEL and One AMIPRO Macro virus), some of
which are "in-the-wild" primarily in the Anglo-Saxon Word World, but with
fast development also in some non-Anglo-Saxon Word countries such as Taiwan
and Germany :-)

   [Check out the VIRUS-L Digest ( with the command
   "help virus-l"), which keeps up the WAZZU discussion (in 12 of the
   last 16 issues!).  PGN]

Re: Rats take down Stanford power and Silicon Valley Internet service

"Arthur P. Smith" <>
Sat, 12 Oct 1996 23:25:08 -0400 (EDT)
> But I'm surprised that power-system technology has not found a way to
> develop rodent-tolerant circuits.

I recently discussed this with a friend who is an engineer for LILCO (and
well paid and qualified, thanks to our 18 cent/kwh rates). He pointed out
that this was a very difficult problem due to the high voltages - you don't
want ANYTHING in the neighborhood that provides a possible electrical path
between the high voltage lines. The best thing to have as insulation is
plain old air, but that leaves lots of room for little creatures to get in
and mess things up.  People have come up with lots of ideas for fancy
enclosures, traps, noise-makers and the like to keep small animals out, and
none of them have yet worked reliably for long. Anybody who can figure this
one out will be saving the utility companies a lot of money (and their
customers a lot of hassle)!

Arthur Smith (

  [I was actually thinking about rat-tolerant systems along the lines
  of double-error-correcting, triple-error-detecting coding systems,
  where a system could for example tolerate two rats and detect
  the simultaneous presence of a third by shutting down safely.  But I
  was raticent to suggest it.  PGN]

Health Info Database Misused

Duane Fickeisen <dfickeisen@Sunnyside.COM>
Thu, 10 Oct 1996 11:06:01 -0700
An AP story from Tampa Bay appearing in the Palo Alto Daily News asserts
that a public health worker took a laptop and disks with confidential lists
of people with AIDS and HIV home and to a gay bar to check out the HIV
status of potential dates and offered to look up names of people his
friends were interested in dating. One person asserted that he had warned
friends away from potential dates, telling them that their names were "on
the list." Another claimed that people interested in dating him backed away
after the health worker talked to them. The County Health Department has
fired him, although he claims he did nothing wrong. The former health
worker also owns and lives in a funeral home. The state had permitted such
databases to be removed from offices and taken home until they changed
their internal rules two weeks ago.

This raises anew questions about privacy and confidentiality of records,
security, and misuse/abuse of information for personal and private gain.
This ought to be raised up as an example of abuse in response to the
announced plans for a national health information database.

Duane H. Fickeisen, Interim Director
Computer Professionals for Social Responsibility

Risks of not understanding the system

John Stewart <>
Tue, 15 Oct 96 11:37:13 EDT
One day the accountants network printer failed. She needed some printouts
from the financial computer in England. We were in The Netherlands. The
"company" we worked for is based in Canada.

I called the maintainers of the financial system in London, and asked them
to re-route the account print queue to go to a different IP address. They
could not, as that was considered a security risk, and nobody in London had
the system privilege to make that change. Time zone differences meant that
the people who could change it (in Canada) were still asleep.

So, I changed an ethernet address in the bootp table, rebooted a printer,
and lo and behold, the accountants information came out on a printer in my
office. She was happy. The people in London and Canada were not - I had
broken their "security".

I also once made my manager the "head" of the organization, as she was
requested by him to send out an e-mail in his name. It took me all of about
20 seconds to copy the passwd file, change his password, have her log in,
etc, etc. She was amazed, and scared about the ease of such changes.

I could go on and on about the design issues of the network (and did, and
was listened to, by the maintainers of the system - nice people!).

The RISK? I think that the exponential growth of networking usage has
produced a whole range of uninformed "experts" who design systems and place
unreasonable bounds on them.

It is not the experts fault - it takes time to gain experience, and that
time is not available to them.

Needless to say, I no longer work for that organization.

John A. Stewart

RISKS of just having a name!

"Nick BROWN" <>
14 Oct 1996 18:20:28 +0200
Bill McFadden (Re: RISKS-18.50, RISKS of temporary change-of-addresses)
raises, perhaps inadvertently, an interesting point about people's names,
describing his problems with his son's name differing from his own by just
one initial.

Having been cursed at birth with three given names, I have become used over
the years to appearing in lists several times, as N.Brown, N.J.Brown,
N.J.L.Brown, etc etc.  My wife has two given names, but has always used her
second given name, perhaps fortunately for us because her first name (Nansi)
begins with N too.

When our children were born, we used unambiguity of initials as one
criterion for choosing their names (really !): manual systems have not
served us well up to now, and computer systems do not have a good record of
improving on the reliability of existing manual systems.  Thus, our children
both have exactly one given name (Alexander and Joanna respectively),
neither of which begins with the same letter as ours.

In fact even "Alexander" is turning out to be a mistake: he is only ever
called Alex, and I know he is in at least one (manual) database under both
Alex and Alexander.  This is partly because in France, most people only ever
use one given name, and also because nicknames are relatively rare.  (In the
Netherlands, by contrast, it is not uncommon to have four given names, and
be known (from birth) by a nickname which is unrelated to any of one's given

When I visit the US, I find both manual and automated systems quite unable
to cope with the idea of multiple "middle initials"; doubtless my children
will have plenty of crashes when "middle initial = <empty>".  Somebody told
me that some Americans have middle initials that don't stand for anything -
I wonder if their parents were anticipating software problems ?

Nick Brown, Strasbourg, France (

Telephone Switch Cutover Problem

"Paul J. Mech" <>
Sun, 13 Oct 1996 03:28:23 -0400
I thought this experience might be of interest to other RISKS readers.  In
the wee hours of Saturday morning (12 Oct 1996), I was ftp-ing data from
around the world.  My network-inspired happiness was marred by my sudden
loss of the phone connection to my Internet provider.  No problem, these
things occasionally happen.  However, the situation went to annoying when my
modem announced "... your call could not be completed as dialed ...".

After this condition persisted for thirty minutes, I contacted Ameritech.
Residential Repair told me that they were told that this sort of behavior
occurs when they are disconnecting a customer and forwarded me to Business
Repair.  Business Repair said that they couldn't comment on the situation
because their computers were down.  They did, however take my name and
address and told me that they would call me back when they came back up.
I left a couple of concerned messages on my provider's voice mail and
decided to wait until morning.

By 10:00 AM Saturday, I had received no calls and the situation persisted.
I pursued the same route, starting with Ameritech Residential Repair, and
found things far less painful than the night shift had lead me to believe.
At the time that I had been cut off, Ameritech had cut our exchange over to
a brand spanking new switch.  Our line checked out all right.  Small
Business Repair placed a call to the number that I was trying to reach and
got through.  Large Business Repair filed a trouble report and a technician
called back shortly thereafter.  As RISKS readers have no doubt concluded,
the cutover apparently had a few unresolved bugs.

RISK 0 : Can you trust customer service?
    By what I was first told, it seemed that my Internet provider
    was going out of business ... a scary thought, as I am not only
    pleased with this particular service, but I had to search quite
    a bit to find one who spoke *NIX this fluently.

RISK 1 : Emergencies
    I am fairly savvy as to telephony problems, having spent several
    years programming for long distance resellers.  Yet in the fog
    of the early AM, I obviously wasn't being too bright.  What If
    someone had tried to place a call from our exchange to a doctor
    in my Internet provider's exchange?  Would they have gotten
    through?  Would they have though to call for operator assistance?
    How much time would they waste?

I'm not sure if there is any way I could have anticipated this, and I was no
more than inconvenienced and slightly annoyed.  But twenty four hours after
the problem started, I'm back on line.  Ftp is perking along happily in one
window, and life is good again.  I'm also glancing at a postcard that
arrived this afternoon.  It announces, in glowing terms, that Ameritech is
going to install a new switch for our exchange on 12 Oct.  It figures.

Paul J. Mech

Re: Maybe your secure Mac isn't as secure ... (Maniscalco, RISKS-18.52)

Jon Callas <>
Mon, 14 Oct 1996 14:06:55 -0700
The "problem" is not with PPP. PPP does not store e-mail account names in its
preferences file.

The problem almost certainly resides with something called "Internet
Config." Internet Config is a database and API for storing information that
Internet programs often need, oh, like your e-mail address. Your web browser
wants that when it mails a page (or a message), your ftp program wants that
to ease anonymous logins, and so on. Internet Config lets networking
programs have a common database of information. It also allows programs like
automatic shareware registration programs to know who you are, which is
precisely what you saw.

Jon Callas  Senior Scientist  Apple Computer, Inc.

  [Also noted by (Paul Robichaux) in a much longer message.  PGN]

Re: Another Mail-Forwarding (RISKS-18.52)

Tony Lima <>
Mon, 14 Oct 1996 09:45:00 -0700
  [Several RISKS readers reminded Tony that
     ``branches of the U.K. postal service don't.''
  should have read
     ``branches of the U.S. postal service don't.''
  I fixed it in the archive copy.  PGN]

Risks of not including manual overrides: not a computer risk!

Jerry Leichter <>
Wed, 16 Oct 96 22:19:01 EDT
In RISKS-18.47, William Hutchens reports his experiences at a hotel where an
electronic keycard lock failed.  Various "master keycards" also failed to
open the door; "During the times I was left waiting in the hallway, I was
half expecting the maintenance man to return with a sledgehammer".  The door
was eventually opened using a PC with a special interface.  Mr. Hutchens
says "I don't believe that it would be a problem to include a conventional
mechanical keyway in the lock."

Just because a computer contributes to a problem, doesn't mean the computer
*is* the problem.  Just because there is no "mechanical override" doesn't
mean there *should* have been one.

I, too, once found myself locked out of a hotel room by a failed lock.
Repeated attempts to open the lock failed.  My wife and I waited around in
the hallway for quite some time as various attempts were made to get the
lock to open.  (The attempt that succeeded involved a ladder, a third floor
window, and a hotel employee with a good head for heights.)

The only difference between our experience and that of Mr. Hutchens is that
the lock in question was a traditional mechanical lock.  Part of the
mechanism broke, and literally fell off the door into the room.  Without it,
there was no way to open the door for the outside.

Should I complain about the lack of overrides for mechanical locks?

There would only be a valid complaint here if the electronic keycard locks
failed as badly as Mr. Hutchens describes significantly more often than
their mechanical brethren.  I know of no evidence that this is the case.  I
do know that, in addition to my hotel experience, in the last year I found
myself caught in a conference room at work when the (non-locking) door latch
broke (the locksmith arrived shortly after I'd managed to remove the door
from its hinges, a more elaborate job than it ought to have been); and I had
to replace a broken lock on an external door at home after it, too, failed
in a way that left the door "stuck shut".  In that case, I had to literally
smash the lock with a chisel in order to get the door open.  Finally, while
we were undergraduates (*so* many years ago, sigh), a friend got to call
security to tell them he was locked *into* his room.  Come again?  You mean
you lost your keys and are locked out, don't you?  Well, no, the lock broke
and I'm locked *in*.

Mechanical locks are not quite as reliable as Mr. Hutchens appears to
believe, and when they do fail, the failures very often do require
significant mechanical intervention - the guy with the sledgehammer - to get
them open.  That's essentially what the locksmith at the hotel I was staying
at had to use to get the old lock out of the door; it's what he would have
used to get in to the room if the third-floor-ladder trick hadn't worked.
If most failures of keycard systems - even if more common than failures of
mechanical systems - can be repaired by the simple use of a master card key,
I should think we're well ahead of the game.
                            — Jerry

The Year-2000 Crisis: a possible resource

"Peter G. Neumann" <>
Thu, 17 Oct 1996 17:15:24 PDT
I ran into Tom Reps this morning in San Francisco (where I had the pleasure
of introducing Henry Petroski's wonderful keynote address to the ACM SIGSOFT
Foundations of Software Engineering conference).  Tom has been chartered by
DARPA to make serious recommendations on the Year-2000 problem.  I noted to
him that a bunch of RISKS readers have offered me some possibly useful
approaches, but indicated that it would be appropriate for those of you who
believe you have something useful in this regard to contact Tom directly.  I
think he (and DARPA) would appreciate it.  He can be reached at the Computer
Sciences Department, University of Wisconsin-Madison, 1210 West Dayton
Street, Madison, WI 53706-1685 1-608-262-2091, fax 1-608-262-9777
<> <>.

Announcement: Year-2000 Software Crisis Conference

Hawkins Dale <>
Thu, 17 Oct 1996 15:58:18 -0700
The Education Foundation of the Data Processing Management Association
announces a conference on The Year 2000 Software Crisis

Information Systems professionals from the commercial, defense, and
governmental sectors will share strategies and techniques for handling the
coming potential disaster.

Date:     5--6 December 1996
Location: Alexandria, VA (the Radisson Plaza Hotel at Mark Center)

More information:

        online info:
        voice: Hawkins Dale (310) 534-4871

Hawkins Dale
Technology Training Corporation
3420 Kashiwa St.
Torrance, CA 90505
voice:   (310)-534-4871
fax:     (310)-534-8585
alt fax: (310)-534-0743

Please report problems with the web pages to the maintainer