The Risks Digest

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Volume 19 Issue 29

Monday 11 August 1997


o Software error may have contributed to Guam crash
    Steve Bellovin
o Plane crashes into power lines near Los Angeles
o Explosion causes Internet blackout in New England
o Vonneguten Morgen, Mary Schmich! Internet hoax
o Bank robbery *wanted* poster based on image of wrong person
o No Surfing on the Senate Floor
    Edupage via R Spainhower
o Yet Another Java Flaw-this time with MSIE?
    Randy Holcomb
o System malfunction implicated in need for death-penalty review
    Webb Bryan
o German Telekom's latest phone feature
    Wilhelm Mueller
o GPS: Exactly - and I do mean EXACTLY! where were you?
    Sam Lepore
o Y2K lawsuits begin
    Jim Huggins
o Airline travelers with duplicate names
    Chuck Charlton
o Re: Clean Sweep wasn't quite soon enough
    Steve Branam
o More on license forgeries
    Mark Laubach via Dave Farber
o Re: What to do about software patents
    Dan Hicks
o Re: Ctrl+Alt+Del
    Dave Porter
    Jered J Floyd
    Bryan Costin
    Roland Giersig
o Info on RISKS (comp.risks)

Software error may have contributed to Guam crash

Steve Bellovin
Mon, 11 Aug 1997 19:53:19 +0200
National Transportation Safety Board investigators say that a software error
may have been a contributing factor in the crash of the Korean Air 747,
Flight 801, in Guam.  The bug didn't cause the crash; however, if it were
not for the bug, the crash might have been averted.

The airport at Guam has a system known as Radar Minimum Safe Altitude
Warning.  It notifies controllers if a plane is too low; they in turn can
notify the pilot.  It normally covers a circular area with a 63-mile radius.
Because of the bug, it was only covering a one-mile wide strip around the
circumference of the circular area.

An NTSB member said "This is not a cause -- it might have possibly been a

And why was the code changed?  Because the old version gave too many false
alarms.  [Source: An AP wire story]

  [225 of the 254 people on board were killed.  The bug in the upgraded
  software apparently existed in airports throughout the world, and was not
  detected until analysis after the crash.  Seeking to discover the exact
  point in time at which the altitude-warning system had failed,
  investigators discovered that the system had not issued any expected
  warnings and had failed completely.  PGN]

Plane crashes into power lines near Los Angeles

Peter G. Neumann
Sat, 9 Aug 97 16:08:23 PDT
A Piper aircraft crashed into a 500,000-volt power line near the Cajon
summit northeast of Los Angeles, causing widespread power interruptions
across LA, Orange, and San Bernardino Counties.  (The three people on board
were killed.)  More than 1000 traffic lights were either out or flashing,
and apparently had to be reset individually.  With record-high temperatures
already affecting people's nerves, the evening commute was described as
"chaotic".  (I thought it always is.)  [Source: *San Francisco Chronicle*, 6
Aug 1997, A18]

Computer-related?  Not necessarily (except maybe for the monitors that might
have gotten fried by surges), but just another reminder of how our lives are
dependent on our critical infrastructures, which in turn are dependent on
all sorts of events *not* happening.  Once again, recall that this is the
Forum on Risks to the Public in Computers and Related Technologies.
Electric power is clearly related!

Explosion causes Internet blackout in New England (Edupage)

Edupage Editors
Sun, 10 Aug 1997 11:19:05 -0400
More than 200 New England businesses experienced a four-hour Internet
blackout on 7 Aug 1997 after an explosion knocked out electrical power in
the Boston area.  One person was killed in the blast, which overloaded a
panel switch at MIT, causing a fire and cutting off Internet access to BBN
Planet customers.  Access resumed around 10:00 in the evening.  The speed
with which the incident happened made it impossible to reroute traffic, said
a BBN spokesman.  (*TechWire*, 8 Aug 1997; Edupage, 10 Aug 1997)

Vonneguten Morgen, Mary Schmich! Internet hoax

Peter G. Neumann
Fri, 8 Aug 97 17:12:23 PDT
A column by Mary Schmich in the *Chicago Tribune* has been freely adapted
(with only minor alterations) and has appeared widely on the Internet as the
seemingly legitimate transcript of an MIT commencement speech supposedly
given by noted author Kurt Vonnegut.  Of course, Vonnegut never gave a
commencement speech at MIT.  But the transcript was sufficiently ironic and
witty enough to be mistaken for his style, and generated all sorts of
interesting responses.  Schmich even had callers accusing her of stealing
Vonnegut's speech!  Other *Tribune* readers recognized the hoax, as did
those MIT folks who knew that the commencement address had really been given
by U.N. Secretary General Kofi Annan.  But on the Internet, no one knows
you are a hoaxter unless they happen to open their eyes once in a while to
other inputs, so the hoax spread apace.

Bank robbery *wanted* poster based on image of wrong person

Peter G. Neumann
Sat, 9 Aug 97 15:52:39 PDT
Edward Sanders happened to visit his regular Bank of America branch at 5th
and Brannan in San Francisco after someone else had managed to rob the bank
-- without any alarms being activated (and therefore without being
photographed).  Unfortunately, the FBI thought that Sanders' face -- which
had been routinely recorded -- was close enough to eye-witness reports of
the robber, after which it appeared on *wanted* posters around town.
Sanders wonders why the FBI never bothered to ask the tellers if the
selected image was indeed that of the robber.  Sanders has filed a $250,000
lawsuit against BoA, with potential triple damages.  [Source: *San Francisco
Chronicle*, 2 Aug 1997, A1]

No Surfing on the Senate Floor (Edupage)

R Spainhower
Sun, 10 Aug 1997 22:26:55 -0400
The 10 Aug 1997 issue of Edupage contained the following awful, scary,
horrible thing demonstrating just how behind the times at least three of our
Senators are.  The most far-reaching RISK: that our legislators are
completely incompetent to pass judgement on any technology-related legal
issues.  But we already knew that, didn't we?

Senator Michael B. Enzi (R., Wyoming) wants to use his laptop on the floor
of the U.S. Senate, but many of his colleagues are opposed to the idea.
Senator Dianne Feinstein (D., California) says: "I'm not against computers,
but I think they have their place and it's not everywhere.  When you're
speaking on the Senate floor, you should be speaking from a lifetime of
experience, not from what you punch up on a computer."  Senator Robert G.
Torricelli (D., New Jersey) agrees: "The entry of an electronic notebook on
the floor of the United States Senate will inevitably lead to staff
instructions on voting and the scripting of all remarks."  And the idea
makes Senator Robert C. Byrd (D., Virginia) positively cranky: "What will be
the next step if we take this?  I would be a bit irritable, I think, if I
looked around and saw someone sitting beside me, typing on this thing."
(*The New York Times*, 10 Aug 1997; Edupage, 10 August 1997)

Yet Another Java Flaw-this time with MSIE?

Randy Holcomb
Sat, 9 Aug 1997 19:19:11 -0500
C-Net News is reporting that a flaw in Microsoft's Internet Explorer 3.x and
4.0 allows a network connection to be opened to a foreign machine in alleged
violation of the Java Security Model.  The article can be found at,4,13226,00.html.

Randy Holcomb

System malfunction implicated in need for death-penalty review

Webb Bryan
Fri, 8 Aug 1997 15:50:37 -0700
In California last week, death row inmate Thomas Martin Thompson was within
hours of his execution when the 9th Circuit Court of Appeals intervened and
granted a stay of execution because of a previous error the court had made
in not considering an "en banc" review of this case earlier.  In Judge
Kozinski's dissent within the published opinion _Thompson v. Calderon_, he
supplies a brief description of the court's processes that were implicated
in the court's previous error to schedule the "en banc" review in the normal
timely manner.

Background: The court operates under a strict set of rules.  The rules
provide that notice be given to other judges so that they may request "en
banc" review (during a limited time period) of a panel's decision before it
is published.  After the time period expires, their request for "en banc"
review would have to follow different procedures (requiring more effort and

The judges appear to have a network of personal computers.  E-mail is used
to provide the notice of a pending decision, and also for interposing the
request for "en banc" review.  According to an unnamed "Judge Y" quoted in
the decision:

"I . . . attempted to determine why I had not become aware of your decision
earlier.  The answer appears to be that my chambers systems malfunctioned
and the opinion simply fell between the cracks.  A partial explanation, but
not excuse, is that the disposition was circulated shortly before a law
clerk transition and that the old and new law clerks assigned to the case
failed to communicate."

Another judge called "Judge X" also appeared to have problems with the
system.  From the somewhat fuzzy description, it looks like either (1) Judge
X did not receive an e-mail notice of the decision and yet the authoring
judge had confirmation of receipt, or (2) Judge X or a law clerk misplaced
or lost the e-mail.

As a result of Judge X's and Judge Y's problems with the system, they did
not timely request "en banc" review of the case; following the rule under
which they were requesting the review, the scheduling judge had no authority
to schedule the review.

Later, after losing his appeal to the U.S. Supreme Court and his request for
clemency from the governor, Thompson filed an emergency appeal again to the
Court of Appeals for an "en banc" review, which was denied.  Then the Court
of Appeals, on its own initiative, chose to review its panel's earlier
decision and reversed itself, rendering the decision discussed here.

(1) Inadequate training and system recovery procedures,
(2) Possible bugs in the e-mail system,
(3) Possible system design issues (is the e-mail system user friendly for
    the sorts of message sorting, flagging, and tickling that an appellate
    judge needs to do, is a higher level of redundancy appropriate, is a
    more proactive message tickler system appropriate where missed legal
    deadlines can forever cause litigants to lose full or further
    opportunity for legal review)
(4) The bare facts presented suggest possible employee sabotage, or what
    would possibly be negligence if done by other than government employees.

--Bryan Webb

German Telekom's latest phone feature

Wilhelm Mueller
Fri, 8 Aug 1997 15:42:15 +0200 (MET DST)
With my telephone bill for July, I received a flyer with a description of
the latest feature offered by the German Telekom: T-Net-Box, a kind of
answering-machine service.

To allow calls to reach that answering machine, you'll have to do two things:

 1. You have to enable the feature yourself.
 2. You have to activate forwarding of incoming calls to the answering
    machine for certain conditions (always, if busy, after third ring).

(Of course, I immediately tried step 2 before step 1, and it seemed to work.
But now calls which should have been forwarded were rejected with a message
that no T-Net-Box was enabled.  I would have liked a bit more of
documentation.  Oh, well...)

Step 1 consists of dialing a toll free number.  The call is answered by an
automatic responder which explains a few things and asks you to think of a
PIN (4 to 10 digits), enter it twice, and, unless you mistyped it the second
time, confirms that your T-Net-Box has been enabled.  What it does *not*
tell you, but that's printed in really *big* letters on the flyer, is that
you'll have to pay *only* DM 4,-- per month.

For all further operations besides turning forwarding on and off, you'll
have to enter the PIN, but you can do it from any touch tone phone.  Only
(de)activating forwarding (you don't need a PIN for that) and disabling the
box must be done from your own phone.

So: Somebody has access to my phone.  For several reasons I don't want the
T-Net-Box, but this person now just enables it when I don't notice and
doesn't tell me anything about it.  He/she may even at the same time
activate forwarding on busy and after third ring, and I would probably not
notice. (Immediate call forwarding would be noticeable because the dial tone

Only when I check my next phone bill thoroughly, I'll find out that there
are an extra DM 4,-- on it, and then I'll probably have quite a problem
getting rid of the unwanted T-Net-Box--German Telekom is known to be not
very customer friendly when you think you have paid too much.

When I asked at a Telekom shop, they couldn't tell me much about that
problem, or about any of the other questions I'd got.  (Actually, I hadn't
expected them to be able to help me.)  The toll free T-Net-Box help line
has been busy whenever I tried, so I finally called the regular customer
service who told me that someone would call me back--which even happened
today.  This person now was surprised about my concern.  His reaction was
essentially, ``But who would do such a thing?''

Besides that immediate risk it seems that the new feature is not well
incorporated in what has already been there.  I thought about setting the
Box to take calls when the line is busy.  I've already got call waiting and
would have expected the Box to take over when I don't accept the second
call.  But according to the Telekom person who called me, the Box has
precedence; I'd never get call waiting.  The person in the shop, though,
told it the other way round, so it's probably just one thing I'll have to
experiment with.

Wilhelm Mueller, Der Senator fuer Bau, Verkehr und Stadtentwicklung, Referat
43, Ansgaritorstrasse 2, D-28195 Bremen, Germany   +49-421-361-10629

GPS: Exactly - and I do mean EXACTLY! where were you?

Sam Lepore
Sat, 09 Aug 1997 23:54:36 -0700
Recently I was amused by the story of a motorcycle riding friend who has a
GPS device on his bike. He started out to visit someone several hundred
miles away and saw his map with the destination details blow out of his
pocket and get mangled by traffic behind him. But no matter, before leaving
he had entered the precise coordinates of his destination in the GPS, so he
decided to follow the tracker/advisor and see how close he could get before
he had to call.

He took a few wrong turns because he wasn't paying attention to the route
advisor, and he took a couple of impulsive side trips, eventually getting
back 'on course'. Lo and behold, several hours later the unit starts
beeping to indicate he is within 30 yards of his destination ....  and there
he is in front of the proper house.

As he and his friend settle into conversation, one of the computer savvy
room mates takes the GPS off the bike and downloads the recorded trip
information to a mapping program. They all have a good laugh at his wrong

I, however, am concerned at the potential risks. GPS devices are nearly
foolproof already and will come to be trusted as infallible soon. Then when
the police demand (or subpoena) a GPS to see EXACTLY where you were at what
time (and, oh by the way ... seems you were speeding here, and here, and,
oops you were parked right behind The SmutShak for 23 minutes ...) we will
not only have to face serious privacy concerns, but be put in the position
of having to prove innocence in the face of 'incontrovertible' evidence.

Except that it is controvertible ... I've seen GPS devices lose contact
with satellites and fill in the missing route segment as it 'should have
been'. Despite the convenience GPS offers there is a tremendous risk to
privacy if your every move can be recorded.

Technology and privacy are antagonists. And I love them both.

Sam Lepore, San Francisco

Y2K lawsuits begin

Jim Huggins
Thu, 7 Aug 1997 11:43:09 -0400 (EDT)
Summarized from the *Detroit Free Press,* 7 August 1997, pp. 1A,11A:

Produce Palace International (a Warren, MI, fruit & vegetable store) has
filed suit against Tec-America Corporation and its local distributor,
All-American Cash Register (Inkster, MI), over Y2K problems.  The article
claims this is one of the first Y2K lawsuits ever filed.

In April 1995, the store spent about $100K for a computer system (including
10 registers) that handles purchases and inventory control.  Immediately
they noticed some problems in the system.

The problems escalated in 1996, when customers began using credit cards
with 2000 expiration dates.  When asked to process such a transaction, the
system crashes, requiring 4-5 hours to restart.  The system suffered 105
such crashes between 30 April 1996-6 May 1997.

Currently, the store is working around the problem by using the system to
confirm that customers have sufficient credit, but writing up the
transaction on paper.  Later, the transactions are manually entered into
the system using a 1999 expiration date.  The store estimates they have
lost over $50K in additional wages paid and hundreds of thousands of
dollars in lost business.

The article comments that the lawsuit may not help much; lawsuits can take
years to resolve, and in the meantime, they're still stuck with a
poorly-functioning system.

An aside: as bad as things may be in 2000 when all of these systems start
failing, I wonder how bad it will be in 1999, when workarounds like these
won't work anymore ...

--Jim Huggins, GMI Engineering & Management Institute

Airline travelers with duplicate names

Chuck Charlton
Fri, 8 Aug 1997 09:34:18 -0800
In RISKS-19.28, Jordin Kare described a problem with electronic airline
ticketing for people with similar names.  The problem is worse when you have
people with identical names, and affects all forms of airline reservations,
not just E-tickets.

My father and I have the same name on our driver licenses, except that he is
Jr. and I am III.  The airlines apparently do not or cannot capture the last
few bytes of this kind of common naming convention.  I was aware that this
could be a problem the last time we travelled together, so I told the travel
agent to make sure that she clearly identified that there were two of us,
and that we needed two tickets and two seats.  When we arrived to check in,
we found that the airline had, in its diligence to cope with people who make
multiple reservations for a single trip, indeed cancelled one of our tickets
and reservations.

The counter clerk at check-in was able to get us in ahead of the standby
travellers, otherwise we would have been out of luck.  We discussed strategy
with her, and she suggested that I simply use my middle name instead of my
first name whenever I travel with Dad again.

Re: Clean Sweep wasn't quite soon enough (Horning, RISKS-19.28)

Steve Branam
Mon, 11 Aug 1997 12:21:31 -0400
Jim Horning describes his problems and dismay with bank procedures when
his account was raided in an over-the-counter fraud scam, and brings up
several electronic banking issues.

I think a longer term risk of electronic banking fraud is that people may
revert wholesale to paper banking in reaction. That at least gives them the
feeling that they are in control of all the transactions, especially if they
have the ability to block all electronic access to their accounts. I often
worry about what would happen if an electronic transaction was fouled
up. There is even greater risk of the "computer is always right" syndrome,
already documented in RISKS. I get more and more worried as I think about
all the sources of electronic transactions destined for my account, growing
every day. It feels very out of control, and I am relying very heavily on a
lot of other people's information protection systems.

Steve Branam, Hub Products Engineering, 508-486-6043
Digital Equipment Corporation, DTN 226-6043

More on license forgeries (Re: Horning, RISKS-19.28)

Mark Laubach
Thu, 7 Aug 1997 16:53:43 -0700
  [via Dave Farber]

The forger's new techniques I suspect are in response to Wells Fargo's
recent use of requiring a fingerprint of the person trying to cash a check
if they themselves do not have an account at the bank.

I got hit last November in a check washing fraud case.  Postal mail was
stolen from my mailbox containing a handwritten check from me.  Since then,
I never leave mail for pickup in my mailbox on the street, it's too easy for
someone to drive by and steal the contents.

The amount was for about $75.00.  The thieves washed the check in solvent,
removing the ink, then rewrote the payee and the amount and duplicated my
signature.  The new amount was $990.00.  I found out about the problem via
my on-line banking, but I had to wait for the statement to get a hold of the
check.  The check was cashed in the branch in Palo Alto that is my account
home.  After providing some evidence and written description of events, the
bank eventually gave me $990 back.  This past spring, I saw the notes in the
bank about the finger printing requirements.  With this new scam that Jim
points out, the cashier appears to be the account owner and no fingerprint
would be required. Interesting way to get around and very difficult to catch.

I was put out for inconvenience of having to close and open a new account
and for getting a new set of laser checks.

Maybe I could put a restriction on my checking account that disallowed the
cashing of checks to myself or to "cash".  I always use my ATM card for
getting money.


Re: What to do about software patents (RISKS-19.27)

Dan Hicks
Thu, 07 Aug 97 22:35:13 CDT
Something I've discussed with some of my peers (several of whom are spending
most of their time engaged in advising lawyers who are defending us from
a meritless patent infringement suit) is some sort of peer review process
for patents.  It seems to me that it would be possible to set up a
reasonably reliable peer review process so that patent applications could be
reviewed for obviousness and prior art.

In addition to freeing patent attorneys from time-consuming prior-art
investigations, it would serve to fulfill the constitutional mandate for the
patent process -- to "promote the progress of science" -- by enhancing
inter-communications between technologists.

Dan Hicks

  [Actually not a bad idea.  Although this item is only marginally relevant
  to RISKS, it certainly addresses a serious problem in our technology.
  Please send any subsequent discussion to Dan, who -- if it has some
  RISKS relevance -- can perhaps provide a concise summary.  PGN]

Re: Ctrl+Alt+Del (VanDyke, RISKS-19.28)

Dave Porter
Thu, 7 Aug 1997 15:55:42 -0400
In RISKS-19.28, Paul VanDyke commented on the use of Ctrl+Alt+Del being used
as the secure-logon sequence on a Windows NT system (his point being the
potential confusion since Ctrl+Alt+Del is the reboot sequence when the PC is
running in real mode, and in some other protected mode OSes as well).

I understand that Microsoft's reason for choosing Ctrl+Alt+Del was that the
secure-logon sequence must not be capable of interception by any app, and
that it was hard to find a key combination which was not already used by
some dusty-deck (if I may mix metaphors) Windows app.

Which is not to say that Paul's point has no validity.  On NT I sometimes
type two Ctrl+Alt+Dels in my impatience to get to the security dialogue. On
Windows 95, that's instant death.


Re: Ctrl-Alt-Del (VanDyke, RISKS-19.28)

Jered J Floyd
Fri, 8 Aug 1997 15:48:09 -0400
> I used to think that it was neat to hit C-A-D and not have the computer
> reboot, but not anymore.  Bad programming Microsoft!

No, this was a good move on their part!  It was the only conceivable
equivalent to the old Secure Attention Key -- so the user can be sure whom
he is actually talking to! Nobody under WindowsNT but the operating system
can catch the Ctrl-Alt-Delete key combination, so you know that when you
press that and get a login window, you're actually getting a Windows NT
login window and not a window from a Trojan horse application.

  [Similar comment from Scott Andrew Borton.
  The DoD Orange Book will live forever on that one.  PGN]

Re: Ctrl-Alt-Del

Bryan Costin
Sat, 9 Aug 1997 23:59:45 -0400
Waitaminit. This person's friend carelessly hit C-A-D on the wrong keyboard,
and IBM OS/2 Warp Server reboots, apparently without demanding any kind of
confirmation, and it's _Microsoft's_ fault?  What about IBM? What about the
RISKS of LAN admins with the fast fingers and multiple unlabeled keyboards?
MS certainly deserves some criticism, but this is just silly.

Even leaving all this aside, the C-A-D combo hasn't defaulted to a
completely unconditional reboot under any MS OS since MS-DOS, including all
versions of Windows since 3.1 (the earliest version I had around to check.)
Nor does Novell NetWare or your average Unix box. I'm honestly stunned that
Warp Server is apparently lacking in this respect.


Re: Ctrl-Alt-Del (Duennebeil, RISKS-19.28)

Roland Giersig
Mon, 11 Aug 1997 10:25:06 +0200
Subtitled: Microsoft arrogance

> I used to think that it was neat to hit C-A-D and not have the computer
> reboot, but not anymore.  Bad programming Microsoft!

Yes, another two cases of blatant M$ arrogance (see also the posting in

In the first case, not only that but also of grave impoliteness.  I mean, in
real life it is customary for a newcomer or guest to (at least at first) ask
the owner if one may use certain facilities.  Or what would you think of a
party guest that uses your phone without asking or starts redecorating your

In the second case, I think Microsoft is the *only* company that has
the audacity to ignore the past and happily change the semantics
of Ctrl-Alt-Del by 180 degrees (`login' instead of `shutdown').

But it's not stupidity that is behind that, it's a way to control the
market. Just take the latest development with M$ mail: now they use WinWord
as the mail editor, so each and every mail is in reality empty with an
attached WinWord document. Doesn't matter when you have the same system, but
gets hellish complicated in a heterogeneous environment, effectively
"forcing" everybody to "upgrade" to the new Wintel system. And this scheme
works, given the usual decision-making structure:

Managers are the first to get the newest Wintel systems, because these
are perfect for them (easy to use, nice to look at, and WinWord doesn't
choke on the few-paged documents that managers normally write).

Then managers try to send mail to the technical workers and bingo, the
scheme works: due to intentionally ignored industry standards, the technical
people suddenly aren't able to read the bosses' mails (though it works
perfectly between them).

And now the Dilbert solution: managers (who have the power to make that
decision) force the technical people (who don't have any decision power, who
always complain but seldom get heard) to "upgrade" their perfectly working
old system to the non-standard, non-robust and inadequate new system.

Please, open your eyes, look around and tell me: is it that bad or am I just
too cynical?

