The Risks Digest

The RISKS Digest

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Volume 7 Issue 63

day 1 October 1988


o Re: Killer terminals
Steve Wilson
o Can't Happen and Antilock Braking Systems
Marcus Barrow and Robert Allen
via Mark Brader
o ATM's credit check
Amos Shapir
o Dive Computers
Terry S. Arnold
Henry Spencer
o Emergency Access to Unlisted Telephone Numbers
Dave Wortman
o Re: Risks of Cellular Phones
Wes Plouff
Peter Robinson
Walter Doerr
o Computers, Copyright Law, and the Honor System (a talk)
Mark Mandel
o Info on RISKS (comp.risks)

Re: Killer terminals

Steve Wilson <hplabs!>
Wed, 5 Oct 88 12:42:58 PDT
After seeing all the articles about Killer terminals I thought I'd relate a
story about a killer card reader.  Many moons ago I was a computer operator at
the local community college.  The computer was a Nova 2/10 that spent most of
the day running a Basic interpreter talking to 4 ASR-33s.  Every afternoon we
would bring the Basic system down and run jobs for the Fortran class.  We
couldn't do this often because the card reader(this was ALONG time ago) would
work for about a week, then mysteriously die.  We must have had 20 service
calls on this card reader over 3-4 month period.  Everytime the technician
would come out with a new card reader and replace the old one.  Finally, the
technician who had to keep on making this weekly trip looked into what was
causing the problem.  (I'm not sure why he didn't do this the 2nd time the card
reader went out, but...)  His explanation was that the card reader was "too
fast" for the Nova and the real damage was being done by the interface card
from the Nova trying to slow the card reader down.  They repaired the problem
by "turning down" the card reader to a level the Nova could keep up with.

Steve Wilson, National Semiconductor 

Can't Happen and Antilock Braking Systems (from Usenet

<Mark Brader <> [SoftQuad Inc., Toronto]>
Thu, 6 Oct 88 05:54:10 EDT
From: (Marcus Barrow)
Subject: abs, just say no...
Date: 3 Oct 88 15:40:03 GMT
Organization: Bolt Beranek and Newman Inc., Cambridge MA

   I've been seeing this discussion of abs for awhile now, and i have a
small story to tell. A friend of mine runs a very modified '87 'vette in the
New England Hillclimb series. This car naturally enough has abs, along with
oversize rotors, suspension mods and a ~350 b.h.p. smallblock. Abs is
probably a "good thing" for many drivers.
   But for Mike, " I ain't 'fraid o' no ZR1", there is another story. It
seems at Burke Mt. he approached a corner, pushing 90 as he is wont to do.
The paved surface at these hills is less than ideal, and the situation is
agravated by tripling and quadrupling the speed limit. So the car hit a bump
or waver in the pavement and took a skip. Now what does the abs do once the
wheels are off the ground? It's not programmed to deal with wheel lockup.
It's supposed to prevent that. When four wheels lock up, the unit apparently
shuts down for .5 seconds. The pedal stays hard but nothing happens for a
terribly long moment...
   Mike's car is repairable, but now he's afraid of abs at least!
   p.s. please folks, don't try this at home...

    - = - =  - = - =  - = - =  - = - =  - = - =  - = - =  - = - =  - = - = 

From: robert@milk10.uucp (Robert Allen)
Subject: Re: abs, just say no...
Date: 3 Oct 88 21:43:03 GMT
Organization: SRI International, Menlo Park CA

    This isn't the first time this problem has been noted.  When abs
    first became popular some track racers tested it out.  Their
    universal complaint was that when they topped a certain bump
    in the track, the car lost traction as it became temporarily
    airborne, and abs interpreted that to mean that abs should be
    activated since traction was lost.

    Computer programs in big computers aren't yet smart enough to
    do the instant pattern recognition that the human mind can
    apparently make in such circumstances (ie "I haven't REALLY
    lost traction yet"), let alone some gimpy program in cars ROM.

                - abs.  Just say No.

    Robert Allen,, 415-859-2143 (work phone, days)

ATM's credit check

Amos Shapir <amos@taux02.UUCP>
8 Oct 88 21:33:29 GMT
The other night I tried to make a withdrawal of the maximum daily amount
allowed. The  ATM considered  my request, and  the said  something like:
"Service temporarily unavailable",  which usually means "I  have run out
of cash". Trying  again later, it insisted that I  was no longer allowed
to withdraw  anything on that business  day. As Murphy would  have it, I
was completely out of cash.

Since all major banks here are tied  on the same network, no ATM in town
would allow me any credit, and those that can show previous transactions
indicated that a withdrawal of the  requested amount has been made. This
transaction disappeared from the records the next day, and my credit was
restored automatically.

It's quite obvious  that to save network traffic, the  same message from
the ATM to  the central database which asks for  confirmation of credit,
also serves to inform it of a withdrawal; it seems that the ATM does not
report incomplete transactions. Such sloppiness in programming would not
be tolerated  in any business, but  frankly, my dear, I  don't think the
banks give a $%^&$@.

Amos Shapir, National Semiconductor (Israel) P.O.B. 3007, Herzlia 46104, Israel
Tel. +972 52 522261

Dive Computers (Re: RISKS-7.60, Brian Randell)

"Terry S. Arnold" <Arnold@DOCKMASTER.ARPA>
Tue, 4 Oct 88 21:07 EDT
The advent of dive computers has changed the way most serious divers go about
their sport.  Prior to the introduction of dive computers we had to rely on a
variety of dive tables based in most cases on originals published in 1959.  The
current generation of dive computers are based on more current research work on
Decompression Sickness and just how nitrogen (the cause of Decompression
Sickness) is exchanged during diving.  In the past we had to work with our own
fudge factors for the artificial dive profiles that the tables assumed.  Most
divers fudged on the "safe" side were successful in avoiding the bends.  The
modern dive computers use a more realistic model of how sport diving is really
done and eliminates the need for fudge factors.  Like any piece of modern
safety equipment dive computer can and are misused sometimes with ill effects.
Unlike the usual dive tables the dive computer come with a considerable amount
of literature including research references.  When I purchased my dive computer
I looked up the refrences and read the papers.  I found that the dive computers
were more conservative than the tables and provided guidance on how to take
age, sex, and physical activity into account in a much more realistic way than
the guidance published for the dive tables.

I use a dive computer for all of my diving (>200 dives in the last 18 months)
and will not dive any other way.  I have developed methods so that I can revert
back to the tables if a computer failure ever occurs.  Most of the reports that
I have read in the diving press including the professional association journals
indicates that dive computers lead to an overall improved level of safety.  The
reports that I have seen where divers have suffered from the bends while using
dive computers have been strongly correlated with using them to the limits
under extreme conditions.  In short they were being pushed to the region where
the theory was starting to get on thin ground and the tables were just as
questionable.  This is one case where computers are most likely reducing the
risk rather than increasing the risk.
                                                  Terry Arnold

Re: Diving Computers

Wed, 5 Oct 88 12:38:24 EDT
>... the computer software may be based on unsafe data, that it does not
>take into account such factors as age, fitness, sex and exertion, and therefore
>gives divers a false sense of security....

I am not a diver, but I am driven to wonder whether the old tables make any
real effort to take age, fitness, sex, and exertion into account.  It seems
much more likely to me that the *real* problem here is not that the software
is buggy or unsafe, but that divers are falling into the "computers are
always right" trap.  That is, everyone knew that the tables were only an
approximation to the truth, and used them cautiously, but the supposedly-
omniscient computer is not inspiring the same level of distrust.

Another consideration: the computers do (I'm told) take more variables into
account.  But this isn't necessarily a good thing:  since the tables could not
do so, they needed safety margins that would accommodate extremes of those
variables.  That meant that, most of the time, the tables had large safety
margins.  Divers may well have gotten used to that.  It's even possible that
those big safety margins were hiding some over-optimistic assumptions, which
the software writers have copied.

                                 Henry Spencer at U of Toronto Zoology

Emergency Access to Unlisted Telephone Numbers

Dave Wortman <>
Wed, 5 Oct 88 12:35:37 EDT
The article below was originally posted to misc.consumers.  I thought it might
be of interest to RISKS readers as an example of a well-thought-out set of
administrative procedures designed to balance the needs of protection of
privacy and response to emergency situations.


All examples in this message pertain to Illinois Bell Telephone Company, which
covers the Chicago metropolitan area, and quite a bit of the rest of Illinois.

There are three types of phone numbers which do not appear in the printed and
publicly available directory: (1) Too new to list (2) Non-listed (3) Non-pub.
[discussion of types (1) and (2) deleted.]

The third category of numbers not in the phone book or available from the
Directory Assistance Bureau are non-published numbers. Non-pub numbers are NOT
available at the Directory Assistance level. Inquiries about same which are
input into a DA terminal simply come up with a message that 'at the customer's
request, the number is not listed in our records; the number is non-published.'

Well, who does keep non-pub records then? The Business Office has no handy way
to retrieve them, since they depend on an actual phone number when they pull up
a record to discuss an account. Once a service order is processed, the number
and associated name are no longer available to the average worker in the
central office.

There was for several years a small group known as the 'NonPub Number Bureau'
which at the time was located in Hinsdale, IL. Needless to say, the phone
number to the NonPub Number Bureau was itself non-published, and was only
available to specified employees at Bell who were deemed to have a 'need to
know'. Now I think with all the records being highly computerized, the keepers
of the non-pub phone numbers are themselves scattered around from one phone
office to another.

When there is some specific need for an employee at the phone company to
acquire the non-published number of a subscriber, then certain security
precautions kick into place. Only a tiny percentage of telephone company
employees are deemed to have a 'need to know' in the first place; among
these would be the GCO's (Group Chief Operators), certain management people
in the central offices, certain people in the Treasury/Accounting office,
and of course, security representatives both from Illinois Bell and the
various long distance carriers, such as AT&T/Sprint/MCI.

Let us have a hypothetical example for our Correspondent: Your mother has taken
seriously ill, and is on her deathbed. Your brother is unable to reach you to
notify you of this because you have a non-pub number. When his request for the
number has been turned down by Directory Assistance, simply because they do not
have it, he asks to speak with a supervisor, and he explains the problem. He
provides his own name and telephone number, and the supervisor states he will
be called back at a later time. The supervisor does not question if in fact an
emergency exists, which is the only valid reason for breaking security. The
supervisor may, if they are doing their job correctly, ask the inquirer point
blank, "Are you stating there is an emergency situation?".

Please bear in mind that the law in Illinois and in many other states says that
if a person claims that an emergency exists in order to influence the use (or
discontinuance of use) of the telephone when in fact there is no emergency is
guilty of a misdemeanor crime. You say yes this is an emergency and I need to
contact my brother/sister/etc right away. The supervisor will then talk to
his/her supervisor, who is generally of the rank of Chief Operator for that
particular facility.

The Chief Operator will call the NonPub people, will identify herself, and
*leave her own call back number*. The NonPub people will call back to verify
the origin of the call, and only then will there be information given out
regards your brother's telephone number. It helps if you know the *exact* way
the name appears in the records, and the *exact* address; if there is more than
one of that name with non-pub service, they may tell you they are unable to
figure out who it is you want.

The NonPub person will then call the subscriber with the non-published number
and explain to them what has occurred: So and so has contacted one of our
operators and asked for assistance in reaching you. The party states that it is
a family emergency which requires your immediate attention. Would it be alright
if we give him/her your number, *or would you prefer to call them back

Based on the answer given, the number is either relayed back to the Chief
Operator, or a message is relayed back saying the non-pub customer has been
notified. If the customer says it is okay to pass his number, then the Chief
Operator will call you back, ask who YOU are, rather than saying WHO she wants,
and satisfied with your identification will give you the number you are seeking
or will advise you that your brother has been given the message by someone from
our office, and has said he will contact you.

Before the NonPub people will even talk to you, your 'call back number' has to
be on their list of approved numbers for that purpose. A clerk in the Business
Office cannot imitate a Chief Operator for example, simply because NonPub would
say that the number you are asking us to call back to is not on our list. "Tell
your supervisor what it is you are seeking and have them call us..."

Other emergency type requests for non-pub numbers would be a big fire at some
business place in the middle of the night, and the owners of the company must
be notified at their home; or a child is found wandering by the police and
the child is too young to know his parent's (non-pub) number.

They will also handle non-emergency requests, but only if they are of some
importance and not frivolous in nature. You have just come to our city to visit
and are seeking a long lost friend who has a non-pub number; you are compiling
the invitations to your high school class fiftieth re-union and find a class
member is non-pub. Within certain reasonable limits, they will pass along your
request to the desired party and let them make the choice of whether to return
the call or not. But always, you leave your phone number with them, and in due
time someone will call you back to report what has been said or done.

You would be surprised -- or maybe you wouldn't -- at the numerous scams and
[........] stories people tell the phone company to get the non-pub number of
someone else. Fortunately, Bell takes a great deal of pride in their efforts to
protect the privacy of their subscribers.

Patrick Townson, The Portal System(TM) 

Re: Risks of Cellular Phones

Wes Plouff <>
6 Oct 88 09:45
Recent writers to RISKS, starting with Chuck Weinstock in issue 7.57, have
focused on the risk of vehicle location by cellular telephone systems.  In my
opinion, they exaggerate this risk and underestimate another risk of mobile
phones, the complete lack of privacy in radio transmissions.

Roughly 10 years ago I designed vehicle location controller hardware and
firmware used in the Washington-Baltimore cellular demonstration system.
That system led directly to products sold at least through the first 
waves of cellular system construction a few years ago.

Since cellular base stations have intentionally limited geographic coverage,
vehicle location is a requirement. This limitation is used to conserve radio
channels; one cell's frequencies can be re-used by others far enough away in
the same metropolitan area.  The cell system must determine which cell a mobile
user is located in when he begins a call, and when during a conversation a
vehicle crosses from one cell into another.  Cells are set up perhaps 3 to 20
miles in diameter and range from circular to very irregular shapes.  Cellular
phone systems are designed with ample margins so that statistically very few
calls will be lost or have degraded voice quality.

Making this system work does not require anything so fancy as
triangulation.  Vehicle location needs to be only good enough to keep
signal quality acceptably high.  John Gilmore explained in RISKS 7.58
how this works while the mobile phone is on-hook.  During a
conversation, the base station periodically measures the signal strength
of an active mobile in its cell.  When the signal strength goes below a
threshold, adjacent cells measure the mobile's signal strength.  This
'handoff trial' procedure requires no interaction with the mobile.  If
the mobile was stronger by some margin in an adjacent cell, both the mobile
phone and the cellular exchange switch are ordered to switch to a channel and
corresponding phone line in the new cell.  Since base stations commonly use
directional antennas to cover a full circle, mobiles could be reliably located
in one third of the cell area at best.  Distance-measuring techniques advocated
by AT&T were not adopted because the added cost was too high for the modest
performance gain.

Certainly a cellular phone system can locate a mobile at any time, and always
locates a mobile during a conversation.  But the information is not
fine-grained enough to implement some of the schemes imagined by previous

A more important risk is the risk of conversations being intercepted.  The
public airwaves are simply that: public.  Scanner radios can easily be found or
modified to cover the cellular band, and listeners will tolerate lower signal
quality than cellular providers, hence one scanner can listen to cell base
stations over a wide area.  The communications privacy law is no shield because
listeners are undetectable.  To bring this back to risks of computers,
automated monitoring and recording of selected mobile phones is probably beyond
the reach of the average computer hobbyist, but easily feasible for a
commercial or government organization using no part of the infrastructure
whatever, just the control messages available on the air.

Wes Plouff, Digital Equipment Corp, Littleton, Mass.

Re: Risks of cellular telephones

Peter Robinson <>
28 Sep 88 10:10:47 +0100 (Wednesday)
As a radio amateur, I have always been taught that using mobile transmitters
near petrol stations is bad form - the radiation from the transmitter can
induce currents in nearby metalwork and perhaps cause a spark.  The thought of
a cellular telephone being able to transmit without the operator's consent (in
response to a paging call) is, therefore, slightly RISKy.

This could even get worse as technology progesses.  As the sunspot cycle
advances, it seems plausible that transmissions will carry further and
interfere with those in nearby cells (not the adjacent ones, they usually have
distinct frequencies).  Before long the manufacturers will introduce adaptive
control where the transmitter power is adjusted dynamically to compensate for
variations in the signal path between the mobile and base stations.  So then
when you pull into a petrol station and receive a call, the system will notice
that all the surrounding metal is impairing your signal and will increase the
transmitter power accordingly...

Incidentally, I am not sure what power these radios use, but I would be
slightly nervous about using a hand-held telephone with the antenna anywhere
near my eyes if it is more than a few Watts.

Risks of cellular phones

"Walter Doerr" <wd@dg2kk.UUCP>
Sat, 8 Oct 88 15:59:56 MET
Chuck Weinstock <weinstoc@SEI.CMU.EDU> writes in RISKS 7.57:

> Subject: Risks of Cellular Phones?
> While discussing radio triangulation last night, the question came up:
> If I dial a phone number attached to a cellular phone, how does the
> cellular system know which cell should send the ring signal to the
> phone?  Is it a system wide broadcast, or does the cellular phone
> periodically broadcast a "here I am" signal?

In the 'C-Net' here in Germany, all mobile phones send a "here I am" signal
whenever they move to a new cell. This information (the cell where the phone
can be reached) is stored in the database of the phone's "home" base.  Calls to
mobile phones are routed to a computer in Frankfurt which contacts the home
base computer (based on the first few digits of the mobile phonenumber), which,
in turn, knows the cell the phone is currently in.

> If the latter, a less than benevolent government (or phone company for
> that matter) could use that information to track its citizens' cars'
> whereabouts.

According to an article in an electronics magazine, the German PTT was
approached by a police agency, who expressed interest in the data stored in the
networks computers.  The article quotes a Siemens mobile telephone specialist
as saying that it isn't possible to pinpoint the current location of a mobile
phone because:

    - the phone must be switched on for the network to recognize it
    - the cells use omnidirectional antennas, so it isn't possible
      to determine the direction from where the mobile phone's signal came.

While this is true, it is certainly possible to determine the location of a
phone with an accuracy of a few miles (the size of the cell the phone is in)
without using any additional direction finding methods (radio triangulation).

Walter Doerr

Computers, Copyright Law, and the Honor System (a talk)

Mon, 10 Oct 88 09:47 EDT
Computers, Copyright Law, and the Honor System
Mark A. Fischer, of counsel to the firm of Wolf, Greenfield & Sacks Boston

Easy access to information through computer databases has given tremendous
power to people once called readers -- now known as "end-users."  The change in
title is significant.  End-users have the power to reproduce, store, transmit,
and use information once reserved to publishers.  Are the legal obligations
coincident with the ethical?  Are the legal obligations enforceable?  Are we
all on the honor system?

Mr. Fischer represents publishers, software firms, musicians, authors,
performing artists, and theatrical and motion-picture producers.  He holds a
law degree from Boston College Law School and specializes in copyright,
publishing, entertainment, arts and computer law.  He has taught courses in
Copyright and Trademark Law and in Intellectual Property.  His writing has
is a member of the American Bar Association's Forum Committee on the
Entertainment and Sports Industries, and chairman of the Boston Patent Law
Association's Copyright Law Committee.

                               WEDNESDAY, 19 October 1988
                                          7:30 P.M.
              8th floor lounge, 545 Technology Square, Cambridge
              (Corner of Main & Vassar Streets, in Kendall Square)
                                 Free parking in front

    CPSR/Boston  *  P.O. Box 962  *  Cambridge, MA  02142  *  617-666-CPSR

Please report problems with the web pages to the maintainer