The Risks Digest

The RISKS Digest

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Volume 6 Issue 90

Tuesday 24 May 1988


o "Man Charged with 'Infecting' Computers"
Steve Smaha
o Automobile recall notice
Martin Minow
o The Risks of Risks [Second-Order Friday the 13th Effects]
Mike O'Brien
o Cash on the Nail
Betty Smith via Brian Randell
o "Sciences & Vie Micro": BILLIONS
Franklin Anthes
o Who watches the watchers? -- Southern Bell outage
Scott Schwartz
o "The Bell System"; aircraft navigation systems
Steve Philipson
o Hinsdale File
John Haller
o Info on RISKS (comp.risks)


Tue, 24 May 88 09:23 EDT
Fort Worth, Texas (AP)  24 May 1988

A 39-year-old computer progammer is being prosecuted on felony charges of
infecting his ex-employer's computers with an electronic "virus", and faces up
to 10 years in prison if convicted.

Donald Gene Burleson faces a charge of "harmful access to a
computer," and is free on a $3,000 bond pending his July 11 trial.

Police described the electronic interference as a "massive deletion"
of more than 168,000 records of sales commissions for employees.

Burleson is thought to be the first person charged under the state law
prohibiting computer sabotage, which took effect Sept. 1, 1985, about three
weeks before the alleged incident, said Davis McCown, chief of the Tarrant
County district attorney's economic crimes division.

[From Steve Smaha, Austin, TX]

Automobile recall notice

Martin Minow THUNDR::MINOW ML3-5/U26 223-9922 <>
24 May 88 19:36
Abstracted from a notice that I received yesterday.

"Volvo has determined that a defect which relates to motor vehicle safety
exists in Volvo installed cruise control systems of 1986 and 1987 Volvo

"In laboratory tests, we have been able to induce a malfunction in the
microprocessor of the cruise control unit.  We have found that if the cruise
control switch is left in the "on" position and the car's electrical system
experiences a voltage drop, the cruise control may unexpectedly engage.  We
have also found that the application of the brake pedal and the movement of the
switch to the "off" position cancels the malfunction.  This cannot occur if the
cruise control is in the "off" position.

"We know of know cases where this has happened in normal driving, but we do not
want a malfunction of the cruise control to contribute to an accident.
Accordingly, we will replace the microprocessor of your cruise control at no
charge to you...."

A few observations:

-- I'd really like to know how they discovered this -- was it by some
   programmer staring at the source code, or by testing in a design
   verification test chamber?  The problem itself might make an interesting
   case study for a "software safety" seminar (assuming you can pry the
   details out of the manufacturer).

-- A law (The National Traffic and Motor Vehicle Safety Act) does wonders
   for improving the quality of manufacturered goods.  Would the problem
   have been discovered (and the roms replaced) if it weren't for this act?
   (Note: this is a voluntary recall from a manufacturer who advertises the
   quality of its cars.)

-- "Microprocessor" is now a common English word.

Martin Minow   

The Risks of Risks [Second-Order Friday the 13th Effects]

Mon, 23 May 88 09:57:23 -0700
    We had what is, in retrospect, a fairly humorous occurrence here
last Friday 13th.

    As most readers are no doubt aware by now, there was a rumor
to the effect that a disgruntled employee of Sun Microsystems had
planted a "logic bomb" (nature unspecified) in Sun's operating system,
set to "detonate" on Friday 13th.   [RISKS-6.83-84]

    This rumor hit our site only sometime on Thursday the 12th.
As a precaution, and after some considerable thought, one of our
chief systems team members decided to set all the clocks back so that
the Suns in our network would think that Friday was Thursday.

    Imagine the surprise some of us got when we arrived at work
on Friday morning to discover that the screens on our Suns were blank,
dead, kaput, no response, zippola.  This made us really wonder if perhaps
there were some truth to the rumor.

    Well, no.  Those of us with dead screens were the ones who run
a Sun-supplied program called "screenblank" which turns off the video
signal to the Sun screen after a certain period of inactivity.  This
program, after blanking the tube, goes into a sleep loop, waking every
1/4 second by default to check for keyboard and/or mouse activity.

    What had happened, of course, was that our screenblank programs
were asleep when the date was set back by 24 hours.  Since in UNIX,
time is kept as an absolute quantity, the programs were now waiting
for 24 hours plus 1/4 second before checking for activity.  They
had to be killed off and the video restored manually (running another
"screenblank" did the trick).

    As I say, this is amusing in retrospect: in defending against
a non-existent RISK, we created a real one, though minor.  Risks don't
even have to exist to cause real damage.

Mike O'Brien, The Aerospace Corporation

Cash on the Nail

Brian Randell <>
Tue, 24 May 88 21:42:26 +0100
>From Betty_Smith@UK.AC.NEWCASTLE Tue May 24 14:39:41 1988

 David Jones

      For  years  now,  we  have been told that the cashless society is
 just around the corner.  Every shop will  have  a  computer  terminal;
 simply enter the transaction, validate it with your personal card, and
 the central computer will transfer the sum specified  from  your  bank
 account  to  that  of the shop.  Wonderful!  The reason why it doesn't
 happen is that fraud would be so easy.  Card fraud  is  so  widespread
 already  that the banks daren't risk anything worse.  But Daedalus has
 the  answer.   His  new  cash-card  is  unstealable:  the  user's  own

      A  nail  has  a  smooth  and  uniform surface, and is transparent
 enough to let through the light from a laser.   A  small  laser  could
 bring  a brief light pulse to a focus in the body of the nail, burning
 a tiny white mark that could easily be read, but  would  be  protected
 from chance abrasion.  A dot-matrix pattern of such marks could easily
 encode a financial transaction.  A nail has no nerves so  the  process
 would  be  quite  painless.   Accordingly,  the  new Dreadco financial
 terminal has, besides a  keyboard  for  entering  the  transaction,  a
 thumb-port to admit the user's thumb.

      Every day a nail grows about a tenth of a millimetre.  With laser
 dots about the size of those on a compact disc , this would give space
 for about ten new transactions.  Over time the user will accumulate on
 his  thumbnail  a  running  financial  statement   showing   all   his
 transactions  for the past few months.  Each time he inserts his thumb
 into a terminal, the sytem will check that statement against its file.
 If  everything  matches,  his  identification  is secure; the terminal
 accepts the new transaction and prints it  below  the  previous  ones.
 But  if  there is a discrepancy, it sounds an alarm and clamps down on
 the suspect thumb, trapping the fraudster until the police arrive!

      But  suppose  a  bent manicurist manages to photograph a client's
 thumbnail, and uses it to construct a forged thumb?   Even  then,  the
 fraud  is  risky.   By  the time the forged thumb is ready, the victim
 will probably have used the system again.  The forgery will not  carry
 this  latest  transaction:  it  will  be  detected  and trapped by the
 terminal, for the police to study later as evidence.

      Daedalus'  new  thumbcard  will  impose financial prudence on its
 users.  The spendthrift who fills his thumb up with wild  transactions
 will  soon  be  choked off by sheer lack of space.  On the other hand,
 should he go down with mumps or measles (which  arrests  nail  growth)
 bankruptcy would rapidly threaten.  And secrecy is not really assured.
 Gigolos with magnifiers may  shrewdly  revive  the  old  gallantry  of
 hand-kissing:  gypsy  palmists  will  read both sides with great care;
 shady financial operators of both sexes may  take  to  wearing  opaque
 nail  varnish.   And  a  death  in  the family will have the sorrowing
 relatives   hastily   erasing   the   deceased's   thumbs    with    a
 laser-scrambler,  before  some unscrupuous undertaker or body-snatcher
 can detach or copy them to filch their encoded legacy.

The Guardian
24 May l988

"Sciences & Vie Micro": BILLIONS (Re: RISKS-6.86)

Franklin Anthes <mcvax!geocub!anthes@uunet.UU.NET>
Mon, 23 May 88 21:15:50 +0200
>RISKS DIGEST 6.85 includes a brief excerpt translated from the
>French-language "Sciences & Vie Micro" referring to chances of a crash
>due to a software error:
>  "One chance in a million?  Wrong!  One chance in a billion and that
>   for each hour of flight!"

 The original was:

   "Je prends l'avion, quelle probabilite ai-je de m'ecraser au sol pour
    une erreur de logiciel? Une chance sur un million? Perdu! Une chance
    sur un milliard et par heure."

So the translation was correct concerning the billion. I Looked in the
dictionary and found out that billion actually has two meanings in French: one
old and one new (talk about a RISK!). The old meaning is 10**9, and the new is
10**12, like you said. Anyway thank you for pointing out the possible

Frank Anthes-Harper   ....!ucbvax!decvax!uunet!mcvax!inria!geocub!anthes

who watches the watchers? -- Southern Bell outage

Scott Schwartz <>
Tue, 24 May 88 04:46:11 EDT
Relying on alarms, even with humans in the loop is sometimes not
enough, it seems.

The following article is from the Philadelphia Inquirer, 23 May '88, pA10.

    "Power Surge Knocks Out Telephone Service in N.C"

    UPI, Charlotte N.C. --  A mysterious power surge that went undetected
    for six hours knocked out telephone service to about one-fifth of 
    North Carolina Saturday (May 21) night and early yesterday, forcing
    hospitals and police to rely on radio communications.   ...

    The outage was caused by an apparent power surge of unknown origin that
    struck the central office of Southern Bell in Charlotte at about 11:30
    a.m. Saturday.  A skeleton crew at the office failed to notice alarms
    warning of the problem until the overloaded system failed about six
    hours later.

-- Scott Schwartz

"The Bell System"; aircraft navigation systems

Steve Philipson <>
Mon, 23 May 88 11:44:02 PDT
In RISKS 6.89, ihuxz! (Mike Eastman) writes:

>As of Jan 1, 1984 the Bell System was abolished when the Justice Dept had AT&T
>officially divest itself of the local operating companies. ...

It has been three and a half years since divestiture and a lot of operational
changes have occurred in that time.  However, that Ill. Bell cable vault has
probably been around a long time.  Was it put in place and operated by the
"Bell System" BEFORE divestiture?  Did the Bell System originally place the
primary and backup trunks in the same building?  These questions have
significance to RISKS in that we should find the roots of our technical errors
in their design process and not simply lay blame on government decisions that
we don't like.  Has divestiture increased risk, or is it beginning to serve as
a convenient whipping boy when something goes wrong?

It's easier to point fingers at the other guy than to accept responsibility.
We see this all the time in multi-vendor computer systems.  No one want to 
accept blame when they can say it's someone else's problem.  Of course, the 
users just want the system fixed!  (It's not a hardware problem -- it's a
wetware bug!)

One more point on aircraft navigation systems:

The concerns of depending on electrical power for navigation become
insignificant for many new aircraft, as some cannot fly at all if there is
total electrical system failure.  In RISKS we've discussed the new Airbus jets.
The opposite end of the spectrum is the new Mooney PFM.  This single engine
aircraft uses electronic ignition.  It does have dual electrical systems and
batteries, and a very low failure probability, but if total failure does occur,
the pilot will be more concerned with landing his glider than navigating to a
distant destination.

Hinsdale File (Re: RISKS DIGEST 6.89)

Tue, 24 May 88 01:10:16 EDT
Last Friday, May 20, there was a Chicago Tonight (1/2 hour show on PBS channel)
that described the Hinsdale fire.  Apparently, the fire alarms go off whenever
there is a power failure.  Since there was an AC power alarm at the same time
as the fire alarm, it was assumed to be the source of the fire alarm.  I
personally would not be surprised if that was actually the case, and that the
AC power went off as a result a short, which caused the fire.  The diesels
started automatically, and then failed within 10 minutes, causing another power
and fire alarm.  At this time, when the alarms were released (a manual
operation), they did not re-occur, indicating only a glitch in the alarm

The alarms are detected by a contact closure on the switch itself,
and passed to the SCCS (Switching Control Center System) via a
data link.  Since the alarms were being received, the switch was
obviously working, the prime concern of SCC personnel.

Since the fire, the other three hub switches in Chicago are being
staffed 24 hours a day, because of the vulnerability caused by
Hinsdale not being in full operation.  I can understand some of the
logic behind not staffing offices on off-hours, as there is
a large expense involved, particularly if all offices are to be staffed.
Even assuming a day shift at all offices, another 3 shifts are required
to cover the remainder of the week.  At a typical salary of a
craft person, that would be ~$120,000 per year per office.  To
staff 100 offices, at $12,000,000 per year, it is easy to see
the decision not to staff compared to the cost of a new switch.
Before Hinsdale, public utilities commissions probably would be
likely to disallow those charges, as unnecessary.

I also suspect that Hinsdale grew more by accident than by design into such an
important part of the Chicago network.  There has been tremendous growth in
development in the western suburbs, along with subsequent growth in
telecommunications.  I seriously doubt that anyone in Illinois Bell ever did a
worst case catastrophe analysis of their network.  After all, it could have
been a tornado destroying the entire building, rather than a fire destroying
merely the contents.  I am positive that there has never been a study by
Illinois Bell of the effects of two simultaneous failures.

John Haller, AT&T Bell Laboratories

Please report problems with the web pages to the maintainer