The Risks Digest

The RISKS Digest

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Volume 9 Issue 83

Wednesday 25 April 1990

Contents

o You think YOU have problems with your telephone company?
PGN
o Traffic light outages
King Ables
o Sabbath Goes High-Tech
David Dabney
o Computers and Hyphenated names
Allan Meers
o London tube train and the Boeing 747 ...
Clive Walmsley
o Risky McDonald's comrade...
David Gursky
o Risks of engine computers and EMP
Lynn R Grant
o Info on RISKS (comp.risks)

You think YOU have problems with your telephone company?

"Peter G. Neumann" <neumann@csl.sri.com>
Tue, 24 Apr 1990 15:45:46 PDT
A woman in Kissimmee, Florida, sent me a dossier that she has compiled over the
past few months, carefully documenting an alarming sequence of problems.  It is
one of the most bizarre cases I have ever seen.  The problems are still
continuing, unresolved.

She runs a business out of her home, and has an 800 number that rings onto one
of her two home phones -- although the problems began BEFORE the 800 line was
connected.  Her local phone company is United Telephone Company.  The list of
anomalous events is somewhat incredible, but is supported by many witnesses,
including law enforcement people.  It includes the following types of
incidents.

   Calls billed to her 800 number from parties that never called her (in one
   case from a phone in Chicago that was not equipped for outgoing calls!).

   Calls billed to one of the home phones when there was no phone activity,
   that is, for calls that were never made to people who never received them.

These troubles with the phone company have resulted in huge bills for calls
that apparently were never made.  Even more fascinating incidents were these:

   Frequent incoming calls that were wrong numbers -- usually in large batches
   on the same day -- to similar 800 numbers, originally THREE numbers in
   particular, and then suddenly TWO new numbers after some problem was
   allegedly fixed.

   With alarming frequency, apparently crossed lines resulting in two parties
   BOTH getting ringing tones, answering, and finding themselves talking to
   each other.

   Crossed lines such that multiple conversations could be heard clearly at the
   same time.

   Repeated calls to 911 attributed to her phone, even when no one was home.

The most interesting and best documented single incident was probably this:

   On 27 Feb 90, a local Kissimmee police officer was in the house trying to
   make sense out of what was going on.  ``He picked up the phone and dialed
   the police department, however he reached Yellow Cab.  He put down the phone
   ... not understanding how he reached the Yellow Cab company when [about
   three minutes later] the telephone rang and [the officer] answered the phone
   only to be connected to a Howie, a dispatcher at the police department,
   only neither of them had called one another...''

It's only a software problem?  With remotely reprogrammable call forwarding,
speed dial, redial, automatic dialing units, etc., in central offices, almost
anything seems possible these days, especially when you consider the possible
interactions among these features.  One could program up some of the above
incidents as combinations thereof.  However, she did not subscribe to any of
these features -- although the mechanism to turn them on is itself
programmable.

If these were the only problems, the logical choice would be a messed-up
central office and monumental incompetence on the part of the telephone company
in fixing the problems.  Apparently the telephone company has been baffled,
with even the trap-and-trace efforts seemly not having been consistent with
observed reality.  Some observed calls were not trapped, and some trapped calls
were never placed!  But compounding the situation have been a variety of
apparently genuine threatening and/or harassing phone calls.  From that we
consider the tentatative conclusion that there are either at least TWO
COMPLETELY INDEPENDENT PHENOMENA, telephone system problems plus malicious
human agents, or ONE SET OF INTERRELATED PHENOMENA caused by a malicious person
who has access to and knows the telephone hardware/software system, with any of
a variety of motives.  I have several (unpublished) reports about how easy it
is for outsiders to hack telephone switches, but it is obviously even easier
when an insider is involved.

The RISKS archives include quite a few cases of intentional hacking of
telephone systems, as well as numerous cases of accidental misbilling and other
screwups.  But above all, RISKS readers know how easy it is for things like
that to happen.

Is it possible that we might be able to provide some help for this person in
Kissimmee, who seems to be a victim of many problems -- including the "computer
is never wrong" syndrome on the part of the telephone company, whose employees
have had difficulty believing that any of these things could actually happen?
My main question to you all is this:

   Do you know of other cases of unintentional (or intentionally caused)
   rampant deviations from expected normal behavior that have been attributable
   to a telephone system and its operation, as a result of scrambled software,
   miswired switching gear, inept personnel, etc.?  Has anything like this
   happened to you?

Please try to provide as much detail as possible.  Also, avoid speculation on
this particular case unless it is VERY WELL INFORMED.  The dossier is very
thoughtfully constructed, and the complexity of the case suggests that an
adequate explanation may be nontrivial, although -- as we all know by now -- a
small software flaw can go a long way.  PGN

   [P.S.  I have omitted her name and phone numbers, because that might only
   tend to worsen the problem for her, and for you -- were you to call her.]


Traffic light outages

King Ables <ables@mcc.com>
Sat, 21 Apr 1990 12:40:46 CDT
Well, last month (Rich Neitzel, in RISKS-9.73) we read about Lakewood,
Colorado, where the computer controlling the town's traffic light system lost a
disk and all the traffic lights in town went to blink.

I said then I couldn't believe that not only did they not have a duplicate
machine they could quickly pull in for use, but that when the traffic signals
got confused, they didn't simply go to some "sane" cycle of green-yellow-red
even if it wasn't timed the way it should be for various intersections.

I spoke too soon.  On Good Friday (Friday the 13th, no less) we experienced the
same thing here in Austin.  Apparently some software was modified and the
changes were loaded without the proper testing.  The next day (Friday) at noon,
the system sent out incorrect information to about 60% of the traffic signals
in town (about 360 or so).  Apparently, when a traffic signal here get confused
(or receives bad information), it is supposed to go to a red/yellow blink (or
red/red depending on the intersection).  As long as only one signal gets bad
information from time to time, this works okay.  But when the bad information
originates at the controlling system, all hell breaks loose!  Of course,
traffic ground to a halt and there were accidents all over town (I never heard
a final count of accidents, but they were still counting the reports Saturday
afternoon).

I had the bad luck to have Friday off, so of course, I was out trying to run
errands and such.

City crews had to drive around town and manually reset the lights at the site.
It seems after a light gets bad information, it quites listening for any other
information and has to be manually reset!  Does this seem like a really BAD
idea to anybody else?

So I guess I should be more careful before I go pointing my finger and saying
"they" deserved what they got in Colorado!  Are all traffic signal systems
designed this poorly?  Maybe that's a good area to get into right now!

The official word was untested software.  It still seems REAL suspicious to me
that it happened almost exactly at noon on Friday the 13th.  I can't help but
wonder if there was a reason for that.

But my original point still stands.  We rely on computers too much to
simply "believe" that the answer they provide will always be right,
because just like anything else, computers fail.  The bigest danger we
face is people believing in them TOO MUCH.

King Ables, Micro Electronics and Computer Technology Corp.
3500 W. Balcones Center Drive, Austin, TX  78759      +1 512 338 3749


Sabbath Goes High-Tech

David Dabney <ddabney@hal.unm.edu>
Sat, 21 Apr 90 15:16:41 MDT
This is a summary of an AP story from Jerusalem, from the Albuquerque Journal
(`about 3 weeks old', says David.  Stark abstracting by PGN)

        ISRAELI RABBIS ADAPT STRICT SABBATH LAWS TO HIGH TECHNOLOGY

For modern convenience, there is now a "Sabbath timer" to control lights, hot
plates, hot water heaters, and other devices that under strict laws should not
be touched on the Sabbath.

  ``Though most people use simple, inexpensive timers like those commonly
installed in video recorders, some Jerusalemites have now built elaborate,
computer-controlled timing systems into their homes.  In one luxury home built
by an American immigrant, the computer switches the hot-water supply from
electric-run boilers to solar heaters on Saturdays, thus avoiding trespassing
of custom.  Of course, there are those accused of abusing the system.  "I know
some guys who arrange for the TV to come on just in time for the ball game,"
said one American-born woman who restricts her timers to lights.''

The article also included some discussion on koshering a microwave, and on
interpreting old laws in terms of modern technology.


Computers and Hyphenated names

Allan "I like broccoli" Meers <allans@EBay.Sun.COM>
Sun, 22 Apr 90 23:10:03 PDT
Since your Social Security number is quickly becoming our National
Identification Number (IRS wants one for 2-year-olds and up), they might as
well get used to hyphenated names, really long names, multiple name changes, and
one-word names.

      [... not to mention intermediate upper-case letters that change the
      parse, Swedish vowels, and perhaps eventually further nonalphabetic
      characters such as in some of the net addresses I have to put up with
      (":", "#", "^"), etc.  PGN]

  Dear Abby,
    When my husband and I were married, I chose to retain my last
  name.  When our son was born, we decided to give him a hyphenated last name,
  using both our names.  Came time for our son to get a Social Security number,
  we learned that there was no hyphen in his last name.  I called the Social
  Security office and was told, "Our computers cannot put hyphens in names".

    This was very frustrating.  If two names are seperated by a space
  instead of a hyphen, the name is alphabetized incorrectly; if two names are
  joined together, everyone mispronounces the resulting name.  Wouldn't you
  think that in the day of technological mircales, someone could make it
  possible for hyphenated names to be recorded correctly on our official
  documents?
                Barbara - Oakhurst, California

    Dear Barbara:  Someone has.  The symbol for the hyphen was programmed
    into the Social Security computer in August 1988.  Contact your local
    Social Security office and request your son's hyphen.

      [Perhaps they thought she wanted a Haifan?  Or `Und der Hyphisch?'  PGN]


London tube train and the Boeing 747 ...

"Clive" <walmsley@ccint1.rsre.mod.uk>
23 Apr 90 10:01:00 WET DST
I could not help smile at the two unrelated articles in Risks 9.81. These
are of course the London Tube train incident and the software failures on the
Boeing 747-400.

One wonders how long it will be before we read of an incident where a
passenger carrying aircraft takes off leaving the pilot on the ground !!!

Clive Walmsley

    [I try not to edit contributions too much, but I could not help (but)
    smile at the notion of a passenger carrying more than one aircraft
    and thought that the passenger might deserve a hyphen.  But I resisted
    inserting it.  Sorry.  PGN]


Risky McDonald's comrade...

David Gursky <dmg@lid.mitre.org>
Tue, 17 Apr 90 07:54:47 EDT
The ironic portion of the story of McDonald's new store in the Soviet Union is
that the Russians are right.  The most efficient way to process the large
queue of people is with one queue and multiple servers, not the way McDonald's
traditionally does it with multiple queues and multiple servers.


Risks of engine computers and EMP

Lynn R Grant <Grant@DOCKMASTER.NCSC.MIL>
Sun, 22 Apr 90 20:34 EDT
I just got done pouring a bunch of money into my car because the engine
computer died, and it got me thinking about the vulnerability of modern
car engines.

In the event of a nuclear explosion, the resulting EMP (electromagnetic pulse)
would not only wipe out a lot of semiconductor-based communications gear, it
would also kill the engine computers in every late model car.  And what about
the Military?  I used to work for a big-3 truck manufacturer, and the trucks we
built for the Army looked pretty much like our regular trucks (except for the
cammo paint jobs) and were build on the same assembly lines.  I wonder if they
used the same computer-based engines?  If a tactical nuclear strike could wipe
out all the vehicles in the area, that's a rather scary thought, eh?

This is all speculation on my part.  If anyone out there knows how real
this vulnerability is, I would be interested in hearing it.

Please report problems with the web pages to the maintainer

Top