The Risks Digest

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Volume 19 Issue 40

Weds 1 October 1997

Contents

o "Computer error" affects A-level results
Pete Mellor
o Microsoft: Redefining a problem out of existence
Pete Mellor
o AOL may introduce ads on private e-mail
Nick Rothwell
o Health Care System, Manitoba
Mike Jeays
o Re: EAGLE DEPART|ANDREWS
Daniel Lance Herrick
o ATM Withdrawal?
Colin Perkel
o Electronic Pearl Harbor: Risks of dubious infowar analogies
Eli Jackson
o Possible breakthrough in NP-completeness
Jonathan Seth Hayward
o No network, no demo
Martin Minow
o Internet sting identifies 1,500 suspected child pornographers
Neil Youngman
o 7-bit vs 8-bit incompatibilities
Martin Minow
o Data aggregation -- a Risk
David Parkinson
o Re: AT&T 800...
Peter Capek
o Mad Bus Disease
Geert Jan van Oldenborgh
o Re: FBI wants to ban the Bible ...
Daniel J. Theunissen
Paul Fenimore
o C's data types; was: Re: Y2K and C
Vivek Sadananda Pai
o Re: New --faster-- Macs broke old code
Randy Witlicki
o Info on RISKS (comp.risks)

"Computer error" affects A-level results

Pete Mellor <pm@csr.city.ac.uk>
Tue, 19 Aug 1997 20:09:52 +0100 (BST)
Hundreds of students celebrating their acceptance for university were told
that their places had been withdrawn because of an examination board mix-up.
The Universities and Colleges Admissions Service had passed incorrect
results for [at least?] 807 students' A-level exams to university and
college admissions officers -- because of computer errors.  Also, some
students who were not accepted on the basis of those results may have been
acceptable.

Peter Mellor, Centre for Software Reliability, City University, Northampton Sq
London EC1V 0HB, UK  +44 (171) 477-8422, p.mellor@csr.city.ac.uk

  [PGN Abstracting, from Computer error may mean college offers withdrawn,
  David Charter and Martin Fletcher, *The Times* (London), 18 Aug 1997]


Microsoft: Redefining a problem out of existence

Pete Mellor <pm@csr.city.ac.uk>
Tue, 1 Jul 1997 01:02:42 +0100 (BST)
>>>> Design side effect, n. euph., What Bill Gates' technogeeks at
>>>> Microsoft are allowed to call a defect in company products.
> Also officially tolerated are the euphemisms that describe system failures
> as issues, known issues or intermittent issues, and even as undocumented
> behaviour. Absolutely not permitted is the word ``bug'' -- a term a
> spokesman claims is too "complex" for the company's official language. The
> company's addiction to euphemism has created a new language called
> Microspeak, says the New York Times - which may bug a few people in
> Seattle.  [David Rowan, *Guardian* Weekend magazine, 28 Jun 1997, in the
> "Glossary for the 90s" column]

This reminds me of the old joke in ICL when I worked there in the 1970s:
"That's not a bug! That's a feature!"

Now I know why I spend so much time on IEC/TC56/WG1 "Terms and
Definitions". If someone doesn't take a stand, the powers of darkness will
define the whole concept of software dependability out of existence!

First there is "Software failure is systematic, therefore not time
dependent".  Corollary: There is no such thing as software reliability.
Answer: The failures due to a latent software fault may be systematic, but
the trigger conditions that activate it are encountered randomly over time.

Now we have "Software doesn't fail at all!  Why, it doesn't even contain
faults!".  Corollary: "Software crisis?  What software crisis?"

The Joker has been on screen long enough! Where's Batman?

Peter Mellor, Centre for Software Reliability, City University, Northampton Sq
London EC1V 0HB, UK  +44 (171) 477-8422, p.mellor@csr.city.ac.uk


AOL may introduce ads on private e-mail

Nick Rothwell <nick@cassiel.com>
30 Sep 1997 11:37:35 -0000
The electronic equivalent of having the Post Office open everyone's personal
mail to insert commercial advertising flyers could probably be construed as
an invasion of privacy, and I predict some RISKy scenarios if it goes ahead.

The German unit of AOL is planning to boost advertising revenues by
including ads on private electronic mail, and AOL itself is considering it.
AOL Germany spokesman Ingo Reese said that they expected ``robust growth''
from the new ad strategy, adding graphical advertisements in e-mail between
users.  He noted that the parent AOL gets 16% of its $2 billion in annual
turnover from ads.

Nick Rothwell, CASSIEL   http://www.cassiel.com

[PGN Stark Abstracting from a Reuter item (AOL may introduce ads on private
e-mail), 26 Sep 1997, http://biz.yahoo.com/finance/97/09/26/aol_x0001_1.html]


Health Care System, Manitoba

Mike Jeays <jeays@statcan.ca>
Wed, 24 Sep 1997 22:25:16 -0400 (EDT)
The CBC aired an article on improvements to the health care system in
Manitoba on 24 Sep 1997.  Viewers were assured that the security software
was ``the finest that money can buy.''  The technically literate might have
been discouraged by the use of a 3-character password in part of the
demonstration.

Mike Jeays, Statistics Canada, Ottawa, Ontario.


Re: EAGLE DEPART|ANDREWS (Re: RISKS-19.39)

daniel lance herrick <herrickd@odin.cle.ab.com>
Tue, 23 Sep 1997 09:54:42 -0400
We have the note:

> ... Strong encryption is the one technology that could have protected
> [the pager interceptions]...

Unfortunately, encryption is not enough.

EAGLE DEPART|ANDREWS appears 16 times near the beginning of the transcript,
separately paging each of the members of the presidential detail who need to
know POTUS[President of the United States]'s movements.

There are similar bursts when he arrives at an airport. When he departs that
airport. When he arrives at a meeting place. When he leaves for the
convention center. When he arrives at the convention center. When he leaves
for the airport. When he departs the airport for Andrews.

The United States Secret Service is criminally negligent of its sworn duties
to broadcast this critical data real time in clear for anyone who cares to
listen. But if it were encrypted, it would still be trivially easy for
malefactors who knew POTUS was in the convention center and had plans to
make his trip to his next location more exciting to listen to encrypted
alpha paging transmissions and know when the presidential detail leaves the
convention center. The traffic analysis is unmistakable. You don't even
need to know the addressees of the encrypted messages. A burst of more than
a dozen messages fast means that the next event of interest to the
presidential detail is happening.

A clear risk of inappropriate use of technology increasing the danger to the
target who is supposed to be being protected.

Or, as someone is said to have put it a long time ago, "The emperor has no
clothes."

dan dlh@dlh.com

  [To some extent, the unencrypted header problems and traffic inference
  problems can be addressed by multiple encryption and by uniformizing
  the traffic to hide the Pentagon Pizza effect.  In that analogy, it
  might cost a lot of extra pizzas and require a lot of extra phone
  bills...  POTUS OPERANDI?  PGN]


ATM Withdrawal?

Colin Perkel <sysop@guildnet.org>
Tue, 16 Sep 1997 01:17:52 GMT
During a recent visit to South Africa, I tried to use my Royal Bank
ATM card at a Standard Bank machine in a mall in Johannesburg to take
out R200 (=CDN$61). After a short while, the machine spit out my card
along with a slip saying: "Your card issuer is unavailable." No money.

The following day, at a different mall, I tried to take out R500 (=CDN$152)
from another machine from the same bank. Same story.  However, at a nearby
CashPoint machine (NedBank), everything ticked along and I was given my
R500.

On my return to Toronto, I was somewhat bemused (but not entirely flummoxed)
to find my account debited for all three transactions, putting me out of
pocket by more than $200. So it was with some trepidation that I called the
Royal (because in the back of my mind was the yarn familiar to medium-term
RISK readers re: the old English gent who ended up getting convicted of
attempted fraud when he complained about an unauthorized withdrawal from his
account via an ATM).

The bank ("Muru") informed me that their records showed that I'd indeed
withdrawn the money, but that they'd investigate. About a week later, a
"Debbie" called my wife to say their investigation concluded the machine had
given me the dough. When my wife protested that I had the slips showing
"Your card issuer is not available," it was along the lines of "Oh, we'll
investigate some more," and a promise to get back to me. That was more than
a week ago and my heart is sinking. Of course, I haven't given up yet.

Most of the RISKS involved here are obvious. But I'd like to note the one of
relying on a bank to investigate anything. No one has yet even asked to see
the slips I got from the ATMs or actually asked me any detailed questions
about the machines I used or given me any indication that a real
investigation was done -- or is even possible.

How *do* you prove you didn't get money -- especially long-distance?  How do
you avoid the attitude that "computer records never lie" and that you must
either be mistaken -- or a crook?

The saga continues...

Colin Perkel       sysop@guildnet.org      (416) 269-2734
Sysop The GuildNet BBS               GuildNet-L Listowner


Electronic Pearl Harbor: Risks of dubious infowar analogies

"Eli Jackson (Volt Computer)" <a-elija@microsoft.com>
Mon, 22 Sep 1997 13:51:08 -0700
  re: http://www.soci.niu.edu/~crypt/other/harbor.htm

I find this fascinating.  Obviously (??) when the EPH is brought up the
example (/fear/fearmongering) is used to describe the danger of an
unannounced attack in which our vital resources are caught unaware and
severely crippled.

However, if one were to look at the events at Pearl Harbor (and I'm no
history buff here), it would seem that the EPH describes an entirely
different scenario (which is worth worrying about, perhaps):  what
happens when we are given ample warning and already possess knowledge of
an upcoming attack, will we recognize this...

Pearl Harbor wasn't just a surprise attack; it is one of the most
graphic examples of what miscommunications and inaction can accomplish.

Indeed it is very humorous to replace "electronic Pearl Harbor" with
"ignored imminent threat of information warfare attack".  Given that this phrase
has been most uttered by brass/military establishment types, it's ironic that
the true risk in the EPH scenario is the flailing of military leadership.

Eli O J


Possible breakthrough in NP-completeness

jonathan seth hayward <jhayward@students.uiuc.edu>
19 Sep 1997 08:13:58 GMT
I now have what I believe to be a polynomial time solution to an NP-complete
problem (specifically, satisfying a propositional formula expressed in terms
of parentheses, variables, negations, and conjunctions).  I am posting to
security and cryptography related newsgroups because my algorithm, if
correct, may have substantial implications for cryptography and consequently
security issues (so that, if correct, the algorithm is known to security
people as soon as everybody else).

This program produces correct output for small formulas that I am able to
manually verify, and its execution time on a formula of 100 variables was
less than a minute.  (Compare with brute force, which (on a supercomputer
capable of 1 billion elementary operations per second) would take longer
than the age of the universe.)

I will post a uuencoded compressed tar of a directory hierarchy with the
algorithm, implemented in C and supplemented by some bourne shell scripts,
as an immediate followup to this post.  Should the binary UseNet post be
cancelled by someone like Dick Depew, it is also available (same format) on
the web at:

        http://www.imsa.edu/~jhayward/npc.tar.Z.uu
        http://www.students.uiuc.edu/~jhayward/npc.tar.Z.uu

This release should be considered a beta release, i.e., while I am
reasonably sure that the algorithm is correct, the specific implementation
may have bugs.

Thanks to David Henderson (davidh@imsa.edu) and especially Ryan Pierce
(rpierce@imsa.edu) for an excellent parser function.

Jonathan Hayward jhayward@math.uiuc.edu jhayward@ncsa.uiuc.edu


No network, no demo

Martin Minow <minow@apple.com>
Thu, 25 Sep 1997 13:46:56 -0700
Larry Ellison, CEO of Oracle Inc, and a strong proponent of network
computers, was demo-ing his NC at the Oracle OpenWorld conference.
Unfortunately, the network crashed and the application hung "and Ellison was
left hanging on stage."  See
  <http://www.techweb.com/wire/news/1997/09/0924ellison.html>

Martin Minow  minow@apple.com

  [As I recall, a similar thing happened to Bill Gates at
  Networld+InterOp in Las Vegas in April 1996.  PGN]


Internet sting identifies 1,500 suspected child pornographers

Neil Youngman <n.youngman@videonetworks.com>
Tue, 30 Sep 1997 15:54:10 +0100
RISKS readers may be interested in the above article, which is available
at http://www.cnn.com/US/9709/30/cybersting/.

Neil Youngman

  [18-month ``Operation Rip Cord'' run by NY Attorney
  General's office and U.S. Customs employees.]


7-bit vs 8-bit incompatibilities

Martin Minow <minow@apple.com>
Fri, 26 Sep 1997 10:08:15 -0700
  [This note is in response to some out-of-band discussions on
  Swedish characters and the ISO eight-bit extended ASCII.  PGN]

The effect of the PDP-11 and Unix on internationalization.

I trace a lot of these problems back to the design of the DEC PDP-11 and
Unix, and some misplaced optimizations. On the PDP-11, byte values were
represented as *signed* integers. This was useful for some instruction
decoding, but probably a bad idea in the long run -- remember that the
PDP-11 was designed in the late 1960s to work within very limited target
configurations.

The Unix operating system, and many Unix programs, used this to provide
in-band signalling of non-character information.  For example, one release
of the C-language preprocessor used "negative" character values to
distinguish preprocessor macro arguments from ordinary text.  Thus, if a
program's source file contained any characters from the international range
(i.e., values from 0xA1 through 0xFF), the preprocessor would treat these as
macro parameters, with disastrous results (random memory accesses).

Although ISO/ANSI defined escape sequences that allow all characters, from
multiple character sets, to be expressed in a seven-bit data stream, few
programmers made use of these conventions.

Since then, we've seen a great number of re-mapping algorithms, including
MIME, a Unicode encoding used by Java, HTML, TeX, etc.  By now, "the tyranny
of small decisions" will probably require software workarounds for 7-bit
limitations for many more years.

Martin
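As an added illustration of the in-band signalling failure described above (constructed code, not Unix's or any real preprocessor's source): a macro body is kept as a byte buffer in which an argument slot is a "negative" byte, so the scheme works on 7-bit ASCII and breaks the moment a Latin-1 character such as 0xE9 appears; the out-of-band version keeps markers outside the 0..255 byte range.

```python
# Constructed illustration of the PDP-11-era scheme.  Argument slot n is
# stored in the same buffer as the text, as the byte 255 - n, which a
# PDP-11 signed char reads as the negative value -(n + 1).
LATIN1_BODY = b"caf\xe9 = " + bytes([255]) + b";"   # "café = ARG0;" in Latin-1


def arg_byte(n):
    """In-band marker for macro argument n (0 <= n < 128)."""
    return bytes([255 - n])


def expand_inband(body, args):
    """In-band scheme: any byte that sign-extends to a negative value is
    taken to be a macro argument, whatever the programmer meant by it."""
    out = bytearray()
    for b in body:
        signed = b - 256 if b >= 128 else b      # sign-extend like a PDP-11 char
        if signed < 0:
            out += args[-signed - 1]             # IndexError for 0xA1..0xFF text
        else:
            out.append(b)
    return bytes(out)


def inband_outcome(body, args):
    """Run the in-band expander and report either the text or the failure
    (the analogue of the preprocessor's random memory access)."""
    try:
        return expand_inband(body, args).decode("latin-1")
    except IndexError as e:
        return "error: " + str(e)


# Out-of-band alternative: the body is a list of integer tokens.  Values
# 0..255 are always literal bytes; argument markers start at 256, a value no
# byte in any character set can take.
ARG_BASE = 256


def arg_token(n):
    return ARG_BASE + n


OOB_BODY = list(b"caf\xe9 = ") + [arg_token(0)] + list(b";")


def expand_oob(tokens, args):
    out = bytearray()
    for t in tokens:
        if t >= ARG_BASE:
            out += args[t - ARG_BASE]
        else:
            out.append(t)
    return bytes(out)


if __name__ == "__main__":
    print(inband_outcome(b"x = " + arg_byte(0) + b";", [b"42"]))  # fine on ASCII
    print(inband_outcome(LATIN1_BODY, [b"42"]))                   # breaks on é
    print(expand_oob(OOB_BODY, [b"42"]).decode("latin-1"))        # fine on both
```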


Data aggregation -- a Risk

David Parkinson <dparkins@alien.bt.co.uk>
Tue, 30 Sep 1997 11:41:59 +0100
These days advertising is getting everywhere.  One of the many places is on
the receipts I get from the local supermarket.  The other day, having filled
up the car, the words "Win A Grand Move" caught my eye (This is a car from
Daihatsu). It turned out to be a free prize draw, all you do is fill in your
name, address, telephone number, a few details about your current car, and
then send the form off.  A (minuscule) chance of a free car for the price of
a stamp - probably worth doing for the potential return.  (I always live in
hope that one day it'll be me who wins!).

Turn over the entry form (a piece of paper 7" x 4") and you realise it's
your credit card receipt for the petrol (gas) you've just bought.  So, we have:
On side 1:
  Credit card type (eg VISA)
  Expiry Date
  Full Credit Card number
  Your signature
On side 2:
  Your Name and initials
  Your Address

For one who is not normally paranoid about his Credit Card details it made
me stop and think.

David  dparkins@alien.bt.co.uk


Re: AT&T 800... (Re: Perillo, RISKS-19.39)

Peter Capek
23 Sep 1997 14:16:51 EDT
Robert Perillo suggests that

> These tables should be tested off-line, and automatically checked ...

I infer that what happened in the AT&T case, as well as perhaps in the
similar recent case at Network Solutions involving the routing for .COM and
.NET, was that some process created a file which was used to generate a new
set of "live" tables, and that this file was in error, due to some upstream
problem.

I suggest that this is a case where a simple solution is best.  In this kind
of situation, almost always, the database changes very slowly -- a percent
or two of new, deleted, or changed entries per update cycle, at most; in
these two examples, probably far fewer than that.

An inexpensive technique I have used very effectively in similar (albeit
less visible) cases is to incorporate into the "installation" process for
the file a step which randomly chooses a few entries from the old (presently
"live") version of the file and makes sure that most -- say 98% -- of those
entries appear in the new version of the file identically.  Further, it
should confirm that the size of the old and new files is the same, within a
small margin.

The offered new file must be rejected if either of these checks is not met.
At that point a manual check can determine whether the rejection is valid or
spurious, although even if the rejection seems to be spurious, I have found
it to be better practice to re-run the check, perhaps with a small
adjustment to the thresholds, than simply to bypass it.  Checking that the
sampled records are EXACTLY the same will also provide a degree of
protection against any lack of robustness in the downstream processes.

The precise design of the checking process will depend on the specific
application, but the cost of this process and of retaining the most recent
input file from one cycle to the next is a small price to pay to avoid such
public faux pas.

Peter Capek, IBM Research
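The installation-time check described above, as an added example written here rather than taken from the post or from AT&T (the 800-number keys, trunk names and thresholds are constructed): a random sample of the live table must reappear identically in the offered file, and the entry counts must agree within a small margin, or the file is rejected for a manual look.

```python
import random


def check_new_table(old, new, sample_size=200, min_match=0.98,
                    size_margin=0.02, seed=None):
    """Decide whether an offered replacement table may go live.

    old, new: dicts mapping a key (here a constructed 800 number) to its
    routing entry.  Both checks must pass:
      1. the entry count of new is within size_margin of old's;
      2. of sample_size entries drawn at random from old, at least
         min_match of them appear in new byte-for-byte identical.
    Returns (accepted, reasons); reasons is empty when accepted.
    """
    reasons = []
    old_n, new_n = len(old), len(new)
    if old_n == 0:
        return False, ["no previous table retained; cannot validate"]
    if abs(new_n - old_n) > size_margin * old_n:
        reasons.append(f"size changed from {old_n} to {new_n} entries")
    rng = random.Random(seed)          # seed only to make a run reproducible
    keys = rng.sample(list(old), min(sample_size, old_n))
    matched = sum(1 for k in keys if new.get(k) == old[k])
    if matched / len(keys) < min_match:
        reasons.append(f"only {matched}/{len(keys)} sampled entries identical")
    return not reasons, reasons


def constructed_tables():
    """Constructed sample data, not the AT&T tables: a 5,000-entry live
    table and three candidate replacements."""
    old = {f"800{i:07d}": f"trunk-{i % 40}" for i in range(5000)}
    good = dict(old)                   # normal update: about 0.5% churn
    for i in range(5):
        del good[f"800{i:07d}"]
    for i in range(5, 10):
        good[f"800{i:07d}"] = "trunk-99"
    for i in range(5000, 5015):
        good[f"800{i:07d}"] = "trunk-1"
    truncated = dict(list(old.items())[:3000])         # upstream cut-off
    garbled = {k: v.upper() for k, v in old.items()}   # same size, every entry wrong
    return old, good, truncated, garbled


if __name__ == "__main__":
    old, good, truncated, garbled = constructed_tables()
    for name, cand in (("good", good), ("truncated", truncated),
                       ("garbled", garbled)):
        ok, why = check_new_table(old, cand, seed=7)
        print(f"{name:10s} {'ACCEPT' if ok else 'REJECT'} {'; '.join(why)}")
```

With sample_size=200 and min_match=0.98 a file in which 1% of entries legitimately changed is rejected a few percent of the time, which is the spurious-rejection case the post says to handle by re-running with adjusted thresholds rather than bypassing the check.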


Mad Bus Disease

Geert Jan van Oldenborgh <gj@ganesha.xs4all.nl>
Sat, 27 Sep 97 10:20:43 +0200
Nine people were injured, one of them seriously, when a Dutch long-distance
bus suddenly accelerated from the bus terminal behind Eindhoven Central
Station and ran into the station restaurant.  The builder acknowledged that
these sudden accelerations were a known problem; he suspected that it had
something to do with interference on the electronic accelerator pedal by the
communications equipment, the 2-way radio, the mobile telephone and/or the
little box which operates traffic lights.  No technical shortcomings had
been found in previous inspections, but the busses still career out of
control every now and then...  The worst-affected 22 out of 178 have now
been taken out of service.  [source: NRC Handelsblad, 25 and 26 Sep 1997].

Two out-of-band comments: in case you wondered, a long-distance bus is
defined locally as one that goes more than 50km.  The linear dimensions of
our country are about 200km...  Secondly, with regard to the
computer-operated storm-surge barrier I reported on earlier, a week later it
transpired that the software was not yet ready in fact, and would become
operational this autumn.  Until then a human would decide when to close off
Rotterdam harbour.  Fairly typical I assume...  GJ

Geert Jan van Oldenborgh  oldenbor@knmi.nl   http://www.xs4all.nl/~gjvo


Re: FBI wants to ban the Bible ... (Millar, RISKS-19.37)

"Daniel J. Theunissen" <dtheunis@erols.com>
Mon, 22 Sep 1997 20:57:15 -0700
Spread that net further, FBI.  Any picture, even one posted on a public
internet site, can be used to carry hidden messages.  A fairly simple
program could modify colors of individual pixels in a picture file so that
the picture looks the same to the human eye, but conveys one or more
messages.  This creates a nice two part code without need for encryption.

So, when the picture of the cat Mr. Big at Al's Kitty-Cat Page gets replaced
on a specific date and changed back the next day, nobody notices ... except
the three regular net-surfing operatives who receive three different
messages.  It's the ultimate drop-box, available world-wide.

As an alternative scenario, Al e-mails Mr. Big's picture to three "friends"
who have the original picture and the correct software to de-code it.

I know of no such encoding product, but if it doesn't already exist, I would
be surprised.  Unfortunately, codes are insufficient for electronic trade.

Encryption is not needed for covert, secure communications between
individuals with simple technology available today.  Codes work well enough
to discount the anti-terrorism argument.

So why the stonewalling on encryption?  I suspect the heads of government
agencies just fail to grasp the underlying technology completely.
(Refer to: Eagle (the President) and the Eagle Beagle (Wagner, RISKS-19.39)).
Which brings up the RISK of the software industry changing so fast that
non-technical people (like managers and government executives) are left behind.

- Daniel J. Theunissen <dtheunis@erols.com.nospam>

  [Yes, such tools do exist on the Net.  And don't forget Peter Wayner's
  book on steganography, which I noted in RISKS-18.17:
    Peter Wayner, Disappearing Cryptography: Being and Nothingness on the Net,
    AP Professional (Academic Press), Chestnut Hill, Massachusetts, 1996.
  PGN]
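The post's point is that changes to individual pixels are invisible to the eye; the question a defender asks is whether they are also invisible to statistics. The following added example (written here, not taken from the post or any product) applies the pairs-of-values chi-square test to a constructed grey-scale image before and after its least-significant bits are overwritten with random bits, which is the statistical effect of filling every LSB with a compressed or encrypted payload.

```python
import random


def constructed_cover(n=8192, seed=1):
    """Constructed stand-in for a natural 8-bit grey image: a jagged
    histogram in which even values are far more common than odd ones
    (real histograms are uneven too, which is what the test relies on)."""
    rng = random.Random(seed)
    return [2 * rng.randrange(128) + (1 if rng.random() < 0.2 else 0)
            for _ in range(n)]


def randomize_lsbs(pixels, seed=2):
    """Overwrite every least-significant bit with an independent random bit.
    No pixel moves by more than one grey level, so the picture looks the same."""
    rng = random.Random(seed)
    return [(p & ~1) | rng.getrandbits(1) for p in pixels]


def pov_chi_square(pixels):
    """Pairs-of-values test: writing LSBs only moves pixels between the
    values 2k and 2k+1, so in an LSB-filled image the two counts of every
    pair converge.  Returns (chi-square statistic, degrees of freedom)."""
    hist = [0] * 256
    for p in pixels:
        hist[p] += 1
    chi, dof = 0.0, 0
    for k in range(128):
        a, b = hist[2 * k], hist[2 * k + 1]
        if a + b:
            chi += (a - b) ** 2 / (a + b)   # sum of (obs - exp)^2 / exp for the pair
            dof += 1
    return chi, dof


def lsb_suspicious(pixels, ratio_threshold=2.0):
    """Flag an image whose pair counts are 'too equal': chi/dof near 1 is
    what pure chance gives once every LSB is random, while untouched
    images with uneven histograms sit far above it."""
    chi, dof = pov_chi_square(pixels)
    return dof > 0 and chi / dof < ratio_threshold


if __name__ == "__main__":
    cover = constructed_cover()
    stego = randomize_lsbs(cover)
    for name, img in (("cover", cover), ("lsb-filled", stego)):
        chi, dof = pov_chi_square(img)
        print(f"{name:11s} chi2={chi:8.1f} dof={dof} suspicious={lsb_suspicious(img)}")
```

The test only sees full-capacity, sequential LSB replacement; sparse or matched embedding needs other estimators, so a clean result here is not a clean bill of health.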


Re: FBI wants to ban the Bible ... (Gleeson, RISKS-19.38)

Paul Fenimore <fenimore@roadrunner.com>
Mon, 22 Sep 1997 21:27:31 -0700
> It could be argued that languages are elaborate "substitution codes".

This is much more than just a theoretical argument; there is solid evidence!
The use of language as a substitution cypher is well-known in the case of
the World War II American Marine "Code Talkers."  The "Code Talker" scheme
primarily relied on the Japanese ignorance of indigenous American languages.
Additionally, the cypher substituted nonsense phrases within the language,
to prevent trivial decryption by captured Navajo soldiers.

Soviet physicist Lev Landau did not need to decipher the "encrypted" (i.e.
English) part of John Bardeen's superconductivity paper, because Bardeen was
good enough to include the plain text of the message in the article (i.e.,
the mathematics).

Does anyone know if the ancient "linear-B/C" scripts are still undecrypted?
So far as I know, they are unread in modern times.  Is this due to a lack of
text, or to the intrinsic difficulty of decryption?

It seems clear to me that natural languages are sufficiently flexible that
there is no fundamental difference between a "language" and a "cypher".

Paul Fenimore

  [Also noted by
     Dan Vogel <dmv@ravenstrum.transient.net>,
     Bill Hensley <Bill_Hensley@smtp.rc.trw.com>,
     "matthew.a.hertz" <matthew.a.hertz@ac.com>,
  and many others.  PGN]


C's data types; was: Re: Y2K and C (Sapovits, RISKS-19.38)

Vivek Sadananda Pai <vivek@cs.rice.edu>
Wed, 17 Sep 1997 16:26:48 -0500 (CDT)
I used to work at a company that had developed several internal applications
that required user-entered technical data.  When I was hired, the
applications wrote the binary contents of structures directly to disk - no
version numbers, etc., etc. Every new field added to a structure required a
new ad-hoc way of determining which "version" was in use.  I wanted to
convert to anything with a little more structure (no pun intended), and
would have liked structured text with identifiers - the input/output
overhead was insignificant and applications could have shared data without
too much hassle.

This proposal was viewed as too drastic, but they did start adding
version numbers and application identifiers to the beginning of data
files. I even got them to accept the idea of writing out the size of a
structure before writing the structure itself - it was a hack, but at
least it provided a way of expanding structures (by adding new fields
at the end). However, even that had its drawbacks - one of the group
members would add fields to the end of structures that were nested
_inside_ of other structures, with the outer structure being written
to disk. It took him a while to understand how the hack worked and why
his trick didn't.

In the end, I gave up trying to impose order universally, and as a result,
users would have to re-enter (or cut-and-paste) the same data into multiple
applications. The risks? It seemed that C's allowing you to write structures
to disk so easily invited abuse. Even a hack like the size field got abused
into the ground because some folks didn't take the time to understand why it
worked. Sometimes, it seems that making it harder to do these "dangerous"
things might be a good idea...

-Vivek

P.S. Incidentally, the productivity measurements used only took into account
that you were busy, not what you were really doing. So, fixing stupid errors
arising from poor data storage formats counted as real work - there was
effectively no incentive to do things right the first time, but that's
another story...
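As an added illustration (constructed record layouts, not the company's own formats) of why the size-prefix hack tolerates fields appended to the end of the outer structure but silently misreads fields appended inside a nested one: the old reader steps over trailing bytes it does not know, but it cannot know that the offsets of the fields it does know have moved.

```python
import struct

# Constructed layouts.  Each record on disk is a u32 body size followed by
# the body: an inner Point struct, then the outer struct's own fields,
# all little-endian.  A v1 reader knows only INNER_V1 and OUTER_V1.
INNER_V1 = "<hh"        # Point: x, y
INNER_V2_BAD = "<hhh"   # Point: x, y, z   (field appended inside the nested struct)
OUTER_V1 = "<I"         # id
OUTER_V2 = "<If"        # id, score       (field appended at the end of the outer struct)


def write_record(inner_fmt, inner, outer_fmt, outer):
    """Writer for any layout: size prefix, inner struct, outer fields."""
    body = struct.pack(inner_fmt, *inner) + struct.pack(outer_fmt, *outer)
    return struct.pack("<I", len(body)) + body


def read_record_v1(data, offset=0):
    """The old reader: parses the v1 fields it knows and uses the size
    prefix to step over whatever a newer writer appended after them.
    Returns (record, offset of the next record)."""
    if offset + 4 > len(data):
        raise ValueError("truncated size prefix")
    (size,) = struct.unpack_from("<I", data, offset)
    start, end = offset + 4, offset + 4 + size
    if end > len(data) or size < struct.calcsize(INNER_V1 + OUTER_V1[1:]):
        raise ValueError("truncated record")
    x, y = struct.unpack_from(INNER_V1, data, start)
    (rid,) = struct.unpack_from(OUTER_V1, data, start + struct.calcsize(INNER_V1))
    return {"x": x, "y": y, "id": rid}, end


def read_file_v1(data):
    """Read a whole file of size-prefixed records with the v1 reader."""
    records, offset = [], 0
    while offset < len(data):
        rec, offset = read_record_v1(data, offset)
        records.append(rec)
    return records


if __name__ == "__main__":
    # Field appended to the outer struct: v1 reader still sees x, y, id.
    good = write_record(INNER_V1, (3, 4), OUTER_V2, (42, 1.5))
    print(read_record_v1(good)[0])            # {'x': 3, 'y': 4, 'id': 42}
    # Field appended inside the nested Point: id is read from the wrong
    # offset and comes back as garbage, with no error to warn anyone.
    bad = write_record(INNER_V2_BAD, (3, 4, 5), OUTER_V1, (42,))
    print(read_record_v1(bad)[0])             # id is 0x002A0005, not 42
```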


Re: New --faster-- Macs broke old code

"Randy.Witlicki." <randy.witlicki@valley.net>
Wed, 17 Sep 1997 17:35:16 -0400
> I see what's going on. It's a bug directly tied to processor performance;
> there's never been a processor fast enough to cause this integer overflow
> before.

I think the most pervasive example of this assumption resulted in the
"Turbo" button on the front panel of PC computers so that a user could still
run MS-DOS games written with timing code based on CPU speed (the Turbo
button slowed the CPU to 8 MHz).

A more recent and more subtle example is the patch to add a call to the UNIX
sleep shell command in the install tests for the Tripwire security program.
The granularity of the system clock allowed a file create and subsequent
test to occur during the same clock tick on fast CPUs, causing the test to
fail.
