The RISKS Digest
Volume 9 Issue 78

Thursday, 5th April 1990

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Please try the URL privacy information feature enabled by clicking the flashlight icon above. This will reveal two icons after each link the body of the digest. The shield takes you to a breakdown of Terms of Service for the site - however only a small number of sites are covered at the moment. The flashlight take you to an analysis of the various trackers etc. that the linked site delivers. Please let the website maintainer know if you find this useful or not. As a RISKS reader, you will probably not be surprised by what is revealed…


RAF Tornado collision
Dorothy R. Graham via PGN
New Georgia Automobile Tags
Warren Tucker
British tax tales
Bob Gray via Mark Brader
Oslo Day in Norway? No way!
Paul Dorey
Computer backorder on cover letters
Yuri Rubinsky
London Underground driver's action
Martyn Ould
Hi-Tech Loo
Wayne W. Lui via Brian Randell
Proposed UK Authority for Risk Management
Brian Randell
More on Prodigy's Updating of a User's Disks
Eric Roskos
Paul Eggert
April Fools Day on the net
D. Waitzman via Martin Minow
Automated Fast Food
Dave Curry
Paul Eggert
Re: PSU Hackers thwarted
Pete Mellor
Three Australians indicted for computer tampering
Info on RISKS (comp.risks)

RAF Tornado collision (sent by Dorothy R. Graham)

"Peter G. Neumann" <>
Thu, 5 Apr 1990 9:40:14 PDT
In August 1988 two RAF Tornado fighters collided over the village of Millburn
in Cumbria, UK, killing the four crewman.  Originating from different
airfields, each plane was using the SAME preprogrammed cassette to control its
on-board computer in low-altitude flight, which resulted in their both coming
together at the same height at the same location at the same time.  The MoD
report identified an "extraordinary" series of coincidences, and put the blame
on insufficient coordination among different RAF bases.  New rules have been

Source: The (London) Sunday Times, 11 March 1990, excerpting a Ministry of
Defence report.  Thanks to Dorothy R. Graham for clipping it.

New Georgia Automobile Tags

Warren Tucker <>
Thu, 29 Mar 90 00:01:31 EST
I heard on a local radio station this afternoon that many Georgia Citizens are
being erroneously arrested out of state for possession of stolen vehicles.  It
seems that numbers in the new series license tags (issued since January)
sometimes :-) match numbers from the previous series.  Unfortunately for many
people, some match numbers belonging to vehicles stolen as long ago as 1983.
One elderly gentleman was arrested for riding his own motorcycle.  A couple
spent the night in an Indiana jail for driving their own car.  The state motor
vehicle people say they'll get NCIC information updated by September.  Adds new
meaning to the slogan "Stay and See Georgia," doesn't it?

Warren Tucker, TuckerWare

                       [Ray Houghton of Augusta GA sent me a clipping
                       from the Augusta Chronicle, 27 March 1990.  PGN]

British tax tales

Mark Brader <>
Fri, 30 Mar 90 05:17:01 EST
The following items were forwarded to Usenet's soc.culture.britsh
by Bob Gray (, having originally appeared on Oracle.
For those who don't know, the term "poll tax" is used in Britain for
a new, flat "per head" tax, replacing what we call property taxes;
it has nothing to do with voting.


  Student Andrew Mursell, 19, of Ryde, Isle of Wight, expected to
  pay 70 pounds in poll tax but has just received a bill for nearly
  4,000,000 pounds.  Medina Council said it was a computing error.

  A man waiting for a bus at Maidstone, Kent, was stunned when
  a postman tried to force him to take a poll tax demand.
  The letter was addressed to The Occupier, Bus Stop, High Street.
  "The postman said he tried to give it to the man at the front of the
  bus queue, but he refused to take it, and I can't blame him," said a
  council official.  "It was all down to a computer error."''

      [The second case was also noted by Dave Horsfall <>
      in Australia! Small world. PGN]

Oslo Day in Norway? No way!

Paul Dorey <pgd@cix.UUCP>
Tue Mar 27 21:45:28 1990
The 'Daily Telegraph' of Tuesday March 27th reports a Reuter news
agency story:

  " A Norwegian Bank was embarrassed yesterday after a cashpoint computer
  apparently applied its own form of 'fuzzy logic' and handed out thousands of
  pounds no one had asked for. A long queue formed at the Oslo cashpoint after
  news spread that customers were receiving 10 times what they requested. "

Paul Dorey    (pgd@cix.cix.ukc)

Computer backorder on cover letters

Yuri Rubinsky <>
Sat, 24 Mar 90 15:35:18 EST
  After I stopped by this company's booth at the recent CD-ROM conference,
  the following letter arrived here from a major CPU manufacturer...

Dear Mr. Rubinsky:

Thank you for your [company name] literature order.

We are very sorry, but the following items that you have requested are
currently on backorder:

        PRODUCT CODE    DESCRIPTION                             ARRIVAL DATE
        ------------    -----------                             ------------
        T217            DEAR CUSTOMER COVER LETTER              FOUR WEEKS

Your order will be filled at the earliest possible date.  In the
meantime, your patience in regard to this matter is greatly appreciated.

Please feel free to call our Literature Distribution Center at
[800-number].  Our operators will be happy to help you place an order
for any additional literature, or refer you to your nearest [company
name] sales office to help you with any technical questions regarding
our products.  If you call to check the status of your order, please
reference your order #[number].

Again, thank you for your order, and we hope to be of service to you
in the future.

                        [empty space here]

                        [company name]
                        Literature Distribution Center

  Curiously, one week earlier I received the literature I had requested --
  without a cover letter.

  Submitted to comp.risks and rec.humor.funny by Yuri Rubinsky, SoftQuad Inc.,
  720 Spadina Ave., Toronto, Ontario, Canada M5S 2T9

London Underground driver's action (RISKS-9.76)

Martyn Ould <mao@praxis.UUCP>
Mon, 26 Mar 90 12:05:45 BST
I heard an interview with the driver of the train shortly after he had averted
the accident.  As I remember it, he said that he had seen the train approaching
him at speed from behind and had taken the action he was trained to take,
namely to short circuit a particular circuit.  It sounded, the way he put it,
as though it was an instinctive action and his presence of mind was in the
response to his training.  I hope he got a bonus.

Another interesting feature of the accident which I didn't get to the bottom
of was that one of the passengers, also interviewed afterwards, seemed to
suggest that passengers in the last carriage (ie the one about to be crushed)
scrambled through the connecting door into the preceding carriage, in response
to hearing the driver shouting at the signalling staff over his comms -
presumably he had switched on the PA so that passengers could be warned at the
same time.  I hope he got two bonuses!

Martyn Ould, Praxis plc, 20 Manvers Street, BATH BA1 1PX, UK

Hi-Tech Loo

Brian Randell <>
Thu, 29 Mar 90 13:52:59 BST
I just saw this on soc.culture.japan, and couldn't resist reposting it
to RISKS just to see what sort of reactions it would arouse.  Brian Randell

>From: lui@cbnewsm.ATT.COM (wayne.w.lui)
>Newsgroups: soc.culture.japan
>Subject: A loo full of technology
>Date: 28 Mar 90 04:01:24 GMT        [edited by PGN]

    Japanese technology is plumbing new depths — it's created the intelligent
toilet.  Last october, Toto Ltd., Omron Corp. and Nippon Telegraph and
Telephone Corp. (NTT) jointly developed the ultimate in information technology:
the fancy flusher.  Makers say a trip to this toilet may save you a trip to the
doctor.   The intelligent diagnostic system packs the latest state-of-the-art
goodies.  The toilet bowl has a sensor to perform urine analyses and then zaps
the data onto a display screen that shows the concentration levels of sugar,
protein, urobilinogen, and blood in the urine for the occupant's viewing.
Users can chart their blood pressure by sticking their left index finger into a
sensor-sensitive unit on the toilet.  The information then can be viewed on the
second screen of the diagnostic system.
    What goes in also comes out.  The diagnostic system has a printer and an
integrated circuit (IC) memory disk card drive that can store up to 130
examinations.  The IC card can also be inserted into a compatible computer
system for simple record updates.  [...]  NTT officials see the diagnostic
system eventually having on-line communications capabilities enabling users to
send information directly to hospitals or clinics.

Source: Kyodo News.  Date: 24 March 1990

    [This opens up all sorts of privacy issues!  There is also a potential
    problem with a user being identified and trapped for capture.  PGN]

Proposed UK Authority for Risk Management

Brian Randell <>
Mon, 19 Mar 90 21:59:35 BST

 At a time of increasing concern over both public safety and `green issues',
 an Authority for Risk Management would have a vital role as Britain's main
 source for scientific assessment of risks. As an independent umbrella
 organisation, taking in such agencies as the Food Safety Directorate and the
 Chief Medical and Veterinary Officers, Richard North argues it would help to
 ensure more public confidence in official information.

The British democracy is the most mature in the world. Perhaps, accordingly, it
has problems responding to a new desire in its citizens to be better informed.

An older generation accepts that the Government knows best, but this
comfortable assumption has been eroded fast. Last week, a local government
report described Britain's proneness to disaster as being more appropriate to a
third world country.

There has been an embarrassing plethora of major disasters - Piper Alpha, the
Bradford football fire, the King's Cross tube fire, the Zeebrugge ferry
sinking and several others - which suggest a failure to develop a proper
safety culture.

There has also been a worrying series of insidious problems.

In 1988, South West Water allowed poison into the the drinking water at
Camelford; bovine spongiform encephalopathy, "mad cow disease", has invaded
domestic herds; eggs and poultry have been found to be pathogenic. Groups
have sprung up to complain about pesticide residues in food and veterinary
product residues in farm animals.

The Authority for Risk Management, ARM, would be the formal means by which such
risks - and those of nuclear power, public transport, environmental pollution,
food poisoning, even global warming - are scientifically assessed, brought to
public attention, rationally explained, and responses to them costed.

One of its jobs would be to develop a way of talking about the tolerability
of risks; almost all of us take huge risks every day with hardly a second
thought, yet get very nervous about much smaller - but involuntary - hazards.

ARM would be a creature of Parliament, and report to it. Its advice would be
given in public, and ministers would have to respond in public. ARM would not
be directly democratic, but would be required to hold open meetings, in the
way the BBC has done in recent years. Indeed, it could develop a "roadshow"
approach, taking key issues to the public, and inviting comment.

ARM's rigorously independent scientists will not be allowed to become
purists. Their advice would have to be accompanied with the cost
implications of new policy. The minister, public and Parliament need to know
how much they are going to spend to live in a safer environment, and decide
if they want to pay the price.   ....

ARM would develop a culture of its own - both stricly regulatory and alert to
costs. It would look a little like the Office of Technology Assessment in the
USA. But OTA advises Congress, and only on specific matters drawn to its
attention by elected representatives. ARM would have a stronger statutory,
and innovatory, role. The creation of ARM could make Britain a world leader
in the "greening" of government.

 BOX: Catalogue of UK disaster and disease

 The following is a list of recent key events which have encouraged discussion
 on whether Britain is adequately able to manage risk, whether in terms of
 disaster or disease.

 1984 - May: 16 die in Abbeystead pumping station in Lancashire. November:
 Hundreds flee as fire breaks out in Oxford Circus Tube.

 1985 - May: Legionnaire's disease in Staffordshire kills 30 in a month.  May:
 Bradford City football stadium fire; 56 killed.

 1986 - November: BSE identified for first time (confirming first outbreak was
 in 1985). November: North Sea helicopter crash; 45 dead.

 1987 - March: Herald of Free Enterprise capsizes; 193 dead. October: Gale
 force winds lash Britain after low-key warning. November: King's Cross Fire;
 31 dead.

 1988 - April: Independent committee set up to investigate BSE. July: Piper
 Alpha explosion; 167 dead. August: Department of Health issues press release
 suggesting advoidance of raw eggs. October: In the year so far, 46
 egg-associated outbreaks of food poisoning involving 1,000 people. December:
 Clapham rail disaster; 35 dead. December: Lockerbie air disaster; 270 dead.
 December: 26 people are reported to have died in salmonella-linked deaths in
 the year so far. December: Edwina Currie says most egg production is infected
 with salmonella. December: Government announces increased controls on egg

 1989 - January; M1 Boeing 737 air crash; 47 dead. February: Department of
 Health announces that 61 people died of listeriosis in previous year. April:
 Hillborough stadium crush: 95 dead. July: 2 die, 80 ill in salmonella
 outbreak. August: Marchioness river boat sinks; 51 dead. December: Royal
 Oldham Hospital salmonella outbreak; 3 dead.

 1990 -January: 29,998 cases of salmonella in humans in past year, up from
 27,478 in the previous year.

Brian Randell, Computing Laboratory, University of Newcastle upon Tyne, UK
PHONE = +44 91 222 7923    FAX = +44 91 222 8232

More on Prodigy's Updating of a User's Disks

Eric Roskos <>
Mon, 26 Mar 90 09:50:20
In a recent RISKS posting, I responded to Donald B. Weschler's
statement that Prodigy could update arbitrary files on the user's hard
disk by saying that it appeared that Prodigy only does cache management
of data in a single file, STAGE.DAT, via this method.

In response to my comment I received mail from Simson Garfinkel, who
wrote the recent Christian Science Monitor article on Prodigy.  He said
that Prodigy's manager of software services had told him that they could
indeed update other files, including .EXE files, thus avoiding the need
to send out update disks.

Seeking an explanation, I asked what could be updated by this method on
Prodigy's technical service bulletin board about a week ago, and also
wrote to one of their technical support people asking for clarification.
In response to this, Prodigy, who has always previously answered my
technical questions immediately, simply ignored the question altogether.
It has now been deleted from the bulletin board by Prodigy's automatic
article-expiration software.  Harold Goldes, the Prodigy representative
who I asked about the updating, likewise did not reply.

There were several messages by users who read my posting; they all said
the same thing — that Prodigy could update .EXE files.  One person said
that he had expressed concerned about the problem, but that Prodigy had
replied "trust us, no one has the access needed to cause an unauthorized
update." None of the posters said where they obtained their information,
but all postings are screened by Prodigy's staff before appearing on the
board, and Prodigy did nothing to correct these statements.  Thus, I
tend to believe them, since they support the statement made by the
Prodigy manager.

Needless to say, this is not encouraging.  I re-checked my files in the
Prodigy directory this evening, and found that no file but STAGE.DAT has
been updated since I installed the software nearly a year ago.  I
examined the contents of STAGE.DAT with a disassembler, and it does not
seem to be 8086 code.  It has always been my belief that STAGE.DAT
contains code interpreted by the main Prodigy program, since Prodigy
also runs on the Macintosh and since STAGE.DAT seems from Prodigy's
previous descriptions to contain definitions of graphics screens and
windows displayed while the system is operating.

If it is indeed an interpreted environment, it would be relatively easy
for Prodigy to prevent unauthorized updates of anything but STAGE.DAT.

If, however, the claims are correct, the Prodigy updating mechanism
would seem to be a considerable risk to Prodigy and its users, as in the
case of a disgruntled employee who arranged for an "update" to occur
after leaving the company, or of someone who discovered a way to
circumvent Prodigy's access controls.  Prodigy acknowledges the
possibility of such unauthorized access by outsiders in its membership
agreement: "Unauthorized access to the PRODIGY service or to restricted
portions of the service is a breach of this agreement and a violation of

This same agreement also tries (in capital letters) to limit Prodigy's
12 MONTHS." At current service fees, this would be a maximum of $120
liability on the part of Prodigy for damage to a user's data.

Risk-free PRODIGY

Paul Eggert <>
Wed, 28 Mar 90 13:48:37 PST
Here's what the PRODIGY folks say about risks in using their service.
In junk mail I just got from them, the front teaser says:

                A second chance to try the most exciting new
                       personal computer service ever.

  But you have just 7 days left to take advantage of this _risk-free_ offer.

Inside, there's more:

  Now you can use your computer in ways
    you never did (or could) before.

  But hurry, this RISK-FREE Offer expires in 7 days.   [...]
  And now you can try the PRODIGY service...RISK-FREE.
  There's absolutely no obligation.    [...]
  Risk-Free OFFER TERMS: If you are not completely satisified with the
  PRODIGY service during your first month, simply mark your first bill
  ``cancel'' when it comes, return it, and owe nothing.   [...]

April Fools Day on the net

"Martin Minow, ML3-5/U26 02-Apr-1990 0957" <>
Mon, 2 Apr 90 06:58:26 PDT
              [an explanation for Risks redistribution problems?]

(I removed some page separators).

Network Working Group                                        D. Waitzman
Request for Comments: 1149                                       BBN STC
                                                            1 April 1990

   A Standard for the Transmission of IP Datagrams on Avian Carriers

Status of this Memo

   This memo describes an experimental method for the encapsulation of
   IP datagrams in avian carriers.  This specification is primarily
   useful in Metropolitan Area Networks.  This is an experimental, not
   recommended standard.  Distribution of this memo is unlimited.

Overview and Rational

   Avian carriers can provide high delay, low throughput, and low
   altitude service.  The connection topology is limited to a single
   point-to-point path for each carrier, used with standard carriers,
   but many carriers can be used without significant interference with
   each other, outside of early spring.  This is because of the 3D ether
   space available to the carriers, in contrast to the 1D ether used by
   IEEE802.3.  The carriers have an intrinsic collision avoidance
   system, which increases availability.  Unlike some network
   technologies, such as packet radio, communication is not limited to
   line-of-sight distance.  Connection oriented service is available in
   some cities, usually based upon a central hub topology.

Frame Format

   The IP datagram is printed, on a small scroll of paper, in
   hexadecimal, with each octet separated by whitestuff and blackstuff.
   The scroll of paper is wrapped around one leg of the avian carrier.
   A band of duct tape is used to secure the datagram's edges.  The
   bandwidth is limited to the leg length.  The MTU is variable, and
   paradoxically, generally increases with increased carrier age.  A
   typical MTU is 256 milligrams.  Some datagram padding may be needed.

   Upon receipt, the duct tape is removed and the paper copy of the
   datagram is optically scanned into a electronically transmittable


   Multiple types of service can be provided with a prioritized pecking
   order.  An additional property is built-in worm detection and
   eradication.  Because IP only guarantees best effort delivery, loss
   of a carrier can be tolerated.  With time, the carriers are self-
   regenerating.  While broadcasting is not specified, storms can cause
   data loss.  There is persistent delivery retry, until the carrier
   drops.  Audit trails are automatically generated, and can often be
   found on logs and cable trays.

Security Considerations

   Security is not generally a problem in normal operation, but special
   measures must be taken (such as data encryption) when avian carriers
   are used in a tactical environment.

Author's Address

   David Waitzman, BBN Systems and Technologies Corporation,
   BBN Labs Division, 10 Moulton Street, Cambridge, MA 02238
   Phone: (617) 873-4323            EMail: dwaitzman@BBN.COM

Automated Fast Food

Mon, 02 Apr 90 13:41:01 PDT
Went to the local Arby's today...

They don't have cash registers anymore.  Instead, they've got touch-screens
in the counter, and the customer is expected to navigate through a series
of menus, touching the items he wants.

Some notes:

- The screens are IBM PS/2 color monitors, with a "micro-touch" label
  stuck on them

- The menus are reasonably well designed, with large squares to push,
  etc.  Unfortunately, the screens are positioned such that the glare
  makes them hard to read.  I expect people with bad eyesight, or who
  forgot their glasses, would also have problems.

- There is a "delete" option for when you screw up, or have fat fingers

- The manager thought the system was the best thing since sliced bread
  and pop-top beer cans.  I unfortunately was there during the lunch
  hour, so didn't have time to engage him in conversation to find out
  just why he liked it so much, even in face of the obvious problems
  the system has.

- There is *no* way to do a special order from the customer screen.
  When I complained about this to the manager (who was standing there
  making noises about how great this system was), he said "yes you
  can, we do it from back here".  When I asked him what the point of
  me doing my own order was if he had to come over and adjust it for
  the special-ness, he just didn't seem to see the problem.  Sigh.

- After you enter your stuff and press "finished order", then the person
  behind the counter comes up and takes your money, just like before, and
  they get your order for you.  The whole time we were ordering, these
  folks were just standing around watching us.  So I'm not sure how these
  devices are supposed to save any money/time/whatever.

- It took me about three times as long to place my order and get my
  food as it did before, when I'd just say "super, no sauce, fries,
  large coke".  And I had to fill my own soft drink, too.

Another example of adding technology "becuase it is there", and taking
a giant step backwards as a result.

Dave Curry, SRI International

Re: PSU Hackers thwarted (Angela Marie Thomas, RISKS-9.74)

Pete Mellor <>
Wed, 21 Mar 90 18:23:30 PST
David C. Lawrence (RISKS-9.75) questions the validity of assigning amounts of
cash to computer time and other services allegedly 'stolen' by hackers.
Obviously, the sums quoted depend on what the services *could have* been sold
for *if* the owner of the system had been running a bureau service.

Where the service is charged for only in "funny money" for departmental
accounting purposes, such figures should be regarded with suspicion.

Some years ago, I was working in a department which owned an ICL 1904S running
the GEORGE 3 operating system. This had an automatic accounting system which
calculated charges via a complex algorithm whose parameters were defined by
the system manager (so much per Kbyte of filestore space, so much per mill
second, etc.), and printed cash invoices to users every month.

Our system manager, a man not known for wasting resources, had been very
successfully augmenting the departmental budget by cross-charging for bureau
services provided to other departments.

One Friday afternoon, after the department had celebrated someone's imminent
departure in the traditional way at the pub, he noticed that the system was
clogged up by several very large core images whose size and mill consumption
could only indicate mass playing of Star-Trek. He therefore ran the accounting
package, traced the individuals by their account names, and duly presented
them with personal bills of several hundreds of pounds each for 'computing

Nobody paid up, but a few programmers got a nasty shock!

Peter Mellor, Centre for Software Reliability,
City University, Northampton Square, London EC1V 0HB


Paul Eggert <>
Mon, 2 Apr 90 13:09:51 PDT
The following note is taken in its entirety from page 1 of CommUNIXque 1:1
(Second Quarter 1990), a quarterly newsletter put out by ASCAR Business
Systems, Glendale, CA.

                                UNIX Trix

        For those of you in the reseller business, here is a helpful tip that
        will save your support staff a few hours of precious time.  Before you
        send your next machine out to an untrained client, change the
        permissions on /etc/passwd to 666 and make sure there is a copy
        somewhere on the disk.  Now when they forget the root password, you can
        easily login as an ordinary user and correct the damage.  Having a
        bootable tape (for larger machines) is not a bad idea either.  If you
        need some help, give us a call.

I wonder how many UNIX machines have their security turned off this way?

Three Australians indicted for computer tampering

Peter G. Neumann <>
4 Apr 90 08:37:00
John Markoff's article in the 4 April 1990 NY Times notes the indictment and
arrest of three Australians for breaking into and tampering with computers in
the U.S. and Australia, after a two-year investigation.  Computers included
Citicorp as well as many on the Internet — at Los Alamos National Laboratory,
Harvard University, Digital Equipment Corp., Lawrence Livermore National
Laboratories, Boston University, New York University, the University of Texas
and Bellcore.  The three were identified as Nanshon Even-Chaim, 18; Richard
Jones, 20, and David John Woodcock, 21. Jones and Even-Chaim are students and
Woodcock is a computer programmer.  (Handles are Phoenix, Electron and Nom.)
"Dave" had previously called the NY Times.

Please report problems with the web pages to the maintainer