Please try the URL privacy information feature enabled by clicking the flashlight icon above. This will reveal two icons after each link the body of the digest. The shield takes you to a breakdown of Terms of Service for the site - however only a small number of sites are covered at the moment. The flashlight take you to an analysis of the various trackers etc. that the linked site delivers. Please let the website maintainer know if you find this useful or not. As a RISKS reader, you will probably not be surprised by what is revealed…
Fort Worth, Texas (AP) 24 May 1988 A 39-year-old computer progammer is being prosecuted on felony charges of infecting his ex-employer's computers with an electronic "virus", and faces up to 10 years in prison if convicted. Donald Gene Burleson faces a charge of "harmful access to a computer," and is free on a $3,000 bond pending his July 11 trial. Police described the electronic interference as a "massive deletion" of more than 168,000 records of sales commissions for employees. Burleson is thought to be the first person charged under the state law prohibiting computer sabotage, which took effect Sept. 1, 1985, about three weeks before the alleged incident, said Davis McCown, chief of the Tarrant County district attorney's economic crimes division. [From Steve Smaha, Austin, TX]
Abstracted from a notice that I received yesterday. "Volvo has determined that a defect which relates to motor vehicle safety exists in Volvo installed cruise control systems of 1986 and 1987 Volvo automobiles. "In laboratory tests, we have been able to induce a malfunction in the microprocessor of the cruise control unit. We have found that if the cruise control switch is left in the "on" position and the car's electrical system experiences a voltage drop, the cruise control may unexpectedly engage. We have also found that the application of the brake pedal and the movement of the switch to the "off" position cancels the malfunction. This cannot occur if the cruise control is in the "off" position. "We know of know cases where this has happened in normal driving, but we do not want a malfunction of the cruise control to contribute to an accident. Accordingly, we will replace the microprocessor of your cruise control at no charge to you...." A few observations: -- I'd really like to know how they discovered this — was it by some programmer staring at the source code, or by testing in a design verification test chamber? The problem itself might make an interesting case study for a "software safety" seminar (assuming you can pry the details out of the manufacturer). -- A law (The National Traffic and Motor Vehicle Safety Act) does wonders for improving the quality of manufacturered goods. Would the problem have been discovered (and the roms replaced) if it weren't for this act? (Note: this is a voluntary recall from a manufacturer who advertises the quality of its cars.) -- "Microprocessor" is now a common English word. Martin Minow
We had what is, in retrospect, a fairly humorous occurrence here
last Friday 13th.
As most readers are no doubt aware by now, there was a rumor
to the effect that a disgruntled employee of Sun Microsystems had
planted a "logic bomb" (nature unspecified) in Sun's operating system,
set to "detonate" on Friday 13th. [RISKS-6.83-84]
This rumor hit our site only sometime on Thursday the 12th.
As a precaution, and after some considerable thought, one of our
chief systems team members decided to set all the clocks back so that
the Suns in our network would think that Friday was Thursday.
Imagine the surprise some of us got when we arrived at work
on Friday morning to discover that the screens on our Suns were blank,
dead, kaput, no response, zippola. This made us really wonder if perhaps
there were some truth to the rumor.
Well, no. Those of us with dead screens were the ones who run
a Sun-supplied program called "screenblank" which turns off the video
signal to the Sun screen after a certain period of inactivity. This
program, after blanking the tube, goes into a sleep loop, waking every
1/4 second by default to check for keyboard and/or mouse activity.
What had happened, of course, was that our screenblank programs
were asleep when the date was set back by 24 hours. Since in UNIX,
time is kept as an absolute quantity, the programs were now waiting
for 24 hours plus 1/4 second before checking for activity. They
had to be killed off and the video restored manually (running another
"screenblank" did the trick).
As I say, this is amusing in retrospect: in defending against
a non-existent RISK, we created a real one, though minor. Risks don't
even have to exist to cause real damage.
Mike O'Brien, The Aerospace Corporation
>From Betty_Smith@UK.AC.NEWCASTLE Tue May 24 14:39:41 1988
DAEDALUS
David Jones
For years now, we have been told that the cashless society is
just around the corner. Every shop will have a computer terminal;
simply enter the transaction, validate it with your personal card, and
the central computer will transfer the sum specified from your bank
account to that of the shop. Wonderful! The reason why it doesn't
happen is that fraud would be so easy. Card fraud is so widespread
already that the banks daren't risk anything worse. But Daedalus has
the answer. His new cash-card is unstealable: the user's own
thumbnail.
A nail has a smooth and uniform surface, and is transparent
enough to let through the light from a laser. A small laser could
bring a brief light pulse to a focus in the body of the nail, burning
a tiny white mark that could easily be read, but would be protected
from chance abrasion. A dot-matrix pattern of such marks could easily
encode a financial transaction. A nail has no nerves so the process
would be quite painless. Accordingly, the new Dreadco financial
terminal has, besides a keyboard for entering the transaction, a
thumb-port to admit the user's thumb.
Every day a nail grows about a tenth of a millimetre. With laser
dots about the size of those on a compact disc , this would give space
for about ten new transactions. Over time the user will accumulate on
his thumbnail a running financial statement showing all his
transactions for the past few months. Each time he inserts his thumb
into a terminal, the sytem will check that statement against its file.
If everything matches, his identification is secure; the terminal
accepts the new transaction and prints it below the previous ones.
But if there is a discrepancy, it sounds an alarm and clamps down on
the suspect thumb, trapping the fraudster until the police arrive!
But suppose a bent manicurist manages to photograph a client's
thumbnail, and uses it to construct a forged thumb? Even then, the
fraud is risky. By the time the forged thumb is ready, the victim
will probably have used the system again. The forgery will not carry
this latest transaction: it will be detected and trapped by the
terminal, for the police to study later as evidence.
Daedalus' new thumbcard will impose financial prudence on its
users. The spendthrift who fills his thumb up with wild transactions
will soon be choked off by sheer lack of space. On the other hand,
should he go down with mumps or measles (which arrests nail growth)
bankruptcy would rapidly threaten. And secrecy is not really assured.
Gigolos with magnifiers may shrewdly revive the old gallantry of
hand-kissing: gypsy palmists will read both sides with great care;
shady financial operators of both sexes may take to wearing opaque
nail varnish. And a death in the family will have the sorrowing
relatives hastily erasing the deceased's thumbs with a
laser-scrambler, before some unscrupuous undertaker or body-snatcher
can detach or copy them to filch their encoded legacy.
The Guardian
24 May l988
>RISKS DIGEST 6.85 includes a brief excerpt translated from the
>French-language "Sciences & Vie Micro" referring to chances of a crash
>due to a software error:
> "One chance in a million? Wrong! One chance in a billion and that
> for each hour of flight!"
The original was:
"Je prends l'avion, quelle probabilite ai-je de m'ecraser au sol pour
une erreur de logiciel? Une chance sur un million? Perdu! Une chance
sur un milliard et par heure."
So the translation was correct concerning the billion. I Looked in the
dictionary and found out that billion actually has two meanings in French: one
old and one new (talk about a RISK!). The old meaning is 10**9, and the new is
10**12, like you said. Anyway thank you for pointing out the possible
ambiguities.
Frank Anthes-Harper ....!ucbvax!decvax!uunet!mcvax!inria!geocub!anthes
Relying on alarms, even with humans in the loop is sometimes not
enough, it seems.
The following article is from the Philadelphia Inquirer, 23 May '88, pA10.
"Power Surge Knocks Out Telephone Service in N.C"
UPI, Charlotte N.C. — A mysterious power surge that went undetected
for six hours knocked out telephone service to about one-fifth of
North Carolina Saturday (May 21) night and early yesterday, forcing
hospitals and police to rely on radio communications. ...
The outage was caused by an apparent power surge of unknown origin that
struck the central office of Southern Bell in Charlotte at about 11:30
a.m. Saturday. A skeleton crew at the office failed to notice alarms
warning of the problem until the overloaded system failed about six
hours later.
-- Scott Schwartz schwartz@swarthmore.edu
In RISKS 6.89, ihuxz!mfe@moss.att.com (Mike Eastman) writes: >As of Jan 1, 1984 the Bell System was abolished when the Justice Dept had AT&T >officially divest itself of the local operating companies. ... It has been three and a half years since divestiture and a lot of operational changes have occurred in that time. However, that Ill. Bell cable vault has probably been around a long time. Was it put in place and operated by the "Bell System" BEFORE divestiture? Did the Bell System originally place the primary and backup trunks in the same building? These questions have significance to RISKS in that we should find the roots of our technical errors in their design process and not simply lay blame on government decisions that we don't like. Has divestiture increased risk, or is it beginning to serve as a convenient whipping boy when something goes wrong? It's easier to point fingers at the other guy than to accept responsibility. We see this all the time in multi-vendor computer systems. No one want to accept blame when they can say it's someone else's problem. Of course, the users just want the system fixed! (It's not a hardware problem — it's a wetware bug!) One more point on aircraft navigation systems: The concerns of depending on electrical power for navigation become insignificant for many new aircraft, as some cannot fly at all if there is total electrical system failure. In RISKS we've discussed the new Airbus jets. The opposite end of the spectrum is the new Mooney PFM. This single engine aircraft uses electronic ignition. It does have dual electrical systems and batteries, and a very low failure probability, but if total failure does occur, the pilot will be more concerned with landing his glider than navigating to a distant destination.
Last Friday, May 20, there was a Chicago Tonight (1/2 hour show on PBS channel) that described the Hinsdale fire. Apparently, the fire alarms go off whenever there is a power failure. Since there was an AC power alarm at the same time as the fire alarm, it was assumed to be the source of the fire alarm. I personally would not be surprised if that was actually the case, and that the AC power went off as a result a short, which caused the fire. The diesels started automatically, and then failed within 10 minutes, causing another power and fire alarm. At this time, when the alarms were released (a manual operation), they did not re-occur, indicating only a glitch in the alarm circuits. The alarms are detected by a contact closure on the switch itself, and passed to the SCCS (Switching Control Center System) via a data link. Since the alarms were being received, the switch was obviously working, the prime concern of SCC personnel. Since the fire, the other three hub switches in Chicago are being staffed 24 hours a day, because of the vulnerability caused by Hinsdale not being in full operation. I can understand some of the logic behind not staffing offices on off-hours, as there is a large expense involved, particularly if all offices are to be staffed. Even assuming a day shift at all offices, another 3 shifts are required to cover the remainder of the week. At a typical salary of a craft person, that would be ~$120,000 per year per office. To staff 100 offices, at $12,000,000 per year, it is easy to see the decision not to staff compared to the cost of a new switch. Before Hinsdale, public utilities commissions probably would be likely to disallow those charges, as unnecessary. I also suspect that Hinsdale grew more by accident than by design into such an important part of the Chicago network. There has been tremendous growth in development in the western suburbs, along with subsequent growth in telecommunications. I seriously doubt that anyone in Illinois Bell ever did a worst case catastrophe analysis of their network. After all, it could have been a tornado destroying the entire building, rather than a fire destroying merely the contents. I am positive that there has never been a study by Illinois Bell of the effects of two simultaneous failures. John Haller, AT&T Bell Laboratories
Please report problems with the web pages to the maintainer