The Risks Digest

The RISKS Digest

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Volume 18 Issue 14

Weds 22 May 1996


o The National Research Council Study of National Cryptography Policy
Herb Lin
o Largest Computer Error in US Banking History: US$763.9 BILLION?
Dave Tarabar
David Kennedy
o Credit Lyonnais Fire
Boyd Roberts
o Gov't computer break-in in Australia
David Kennedy
o Computers facilitate foolishness
Mark Seecof
o Another Netscape Bug US$1K
David Kennedy
o Screensaviour?
Matthew P Wiener
o The risks of calling 800 numbers?
Rob Slade
o 12am: noon or midnight?
Ken Knowlton
o The `pound' sign
Donald Mackie
o Prompt bus sign
Donald Mackie
o Addendum to my tirade on bad numbers
Bob Frankston
o When your last name's also a first name ...
Scott Alastair
o Number cruncher derides numbers
Bertrand Meyer
o Call for Participation - SEI Conference on Risk Management
Carol Biesecker
o Info on RISKS (comp.risks)

The National Research Council Study of National Cryptography Policy

"Herb Lin" <>
Wed, 22 May 96 13:54:00 EST
  Please post this message widely

  I am writing to let interested parties know about the imminent release of
  the NRC's study of national cryptography policy.  If all goes well, we
  hope to release it on May 30, 1996.  However, prior to that time, we won't
  be able to comment on its contents.

  For current information on release, visit the web site

  When you visit that site, you'll have the opportunity to
  be put onto a mailing list so that we can inform you by e-mail
  when the report is available in print and/or electronically, as well
  as any public events associated with the report (e.g., public briefings).

  Herb Lin
  Cryptography Policy Study Director
  Computer Science and Telecommunications Board
  National Academy of Sciences/National Research Council

Largest Computer Error in US Banking History: US$763.9 BILLION?

Dave Tarabar <>
Mon, 20 May 1996 09:57:54 -0400
Approximately 800 customers of the First National Bank of Chicago were
surprised to see that their balances were $924 million more than they
expected last week. The cause was the traditional ``change in a computer

According to The American Bankers Association, the total of $763.9 billion
was the largest such error in US banking history. Do the RISKS Archives

[Source: an AP story in *The Boston Globe*, 19 May 1996.]

Dave Tarabar  SystemSoft Corp.  2 Vision Drive  Natick, MA  01760  508 647-2952

   [Yes.  PGN]

Largest Computer Error in US Banking History: US$763.9 BILLION?

David Kennedy <76702.3557@CompuServe.COM>
22 May 96 08:24:13 EDT
When Jeff Ferrera and Cindy Broadwater checked their checking balance at the
First National Bank of Chicago, the automated voice gave it as
$924,844,208.32.  More than 800 other folks had similar stories to tell.
The sum total for all accounts was $763.9 billion, more than six times the
total assets of First Chicago NBD Corp.  The problem was attributed to a
``computer glitch''.

[Source: AP US & World, 18 May 1996, By MARIO FOX, Courtesy of Associated
Press News via CompuServe's Executive News Service.  PGN Abstracting]

Credit Lyonnais Fire

Boyd Roberts <>
Wed, 22 May 96 15:13:13 PST
I'm not sure how widely this was reported, but the head office of the Credit
Lyonnais (a bank) in Paris (8e, rue du Quatre Septembre) had a major fire a
few weeks ago.  I forget the date, but it was a Saturday and the fire burned
for quite a while.  The investigation is proceeding, but my source of
information has some things to say that may be interesting to RISKS readers:

    1. The VMS machines in the building were part of a cluster that was
       replicated remotely.

       So far so good.

    2. There appears to have been no sprinkler system or fire doors
       in the building.  I've seen it, from the outside, and it's more
       or less gutted.

       Asking for trouble?

    3. The UNIX machines were backed up daily, except for Fridays which
       was done on Sunday.  These machines were backed up to tape and
       it appears that the tapes stay in the machines until just before
       the next backup is done.  Remember, the fire was on saturday.

       24 hour operations are not that expensive.  Courier the tapes
       offsite, after they've been written.  Offsite parallel operations?

    4. On the Saturday the UNIX machines had the tapes for Thursday night
       still loaded.  They had not yet been put in the fireproof safe and
       the backup of Friday's data had not commenced.

       Backup your data ASAP, preferably to a remote site across a
       network.  If the tapes have to stay on site, put them in the safe.

    5. In the middle of the _fire_ someone realised this small problem and
       _while the fire was still burning_ the tapes were rescued from the
       UNIX machines and from the fireproof safe.

       I wonder who volunteered?

    6. Apparently the fireproof safe was not deemed to be waterproof or
       taking the tapes _during_ the fire was deemed a better choice than
       maybe getting them later.

       Water follows fire.

    7. From the news reports it appeared that there was also some concern
       over whether safe deposit boxes (in the basement?) were waterproof.

All of this is unconfirmed, but I think my source is ok.

BTW: I bank with the Societe Generale.

Boyd Roberts                              

Gov't computer break-in in Australia

David Kennedy <76702.3557@CompuServe.COM>
22 May 96 08:24:11 EDT
Courtesy of Australian Associated Press via CompuServe's Executive News

Australian Associated Press  5/18/96  6:21 AM

Copyright 1996 The Australian Associated Press.

<>   BRISBANE, May 18 AAP - Computer thieves raided one the
<>Queensland government's most sensitive buildings today,
<>ransacking  three floors and dismantling around 55 computers,
<>police said.
<>  A spokesman for Premier Rob Borbidge said the
<>break-in at the  executive building annexe in George Street had
<>prompted a review of  security at all government buildings.

o   About 55 computers were taken apart and the HD and memory removed.

<>   The spokesman for Mr Borbidge said the break-in in the
<>sensitive  treasury area did not appear to be politically motivated.

[DMK:  "Appear?"  Kinda depends on what data "appears" on those Hard Drives
doesn't it?]

[DMK#2:  Murphy's Laws of Combat #14:  When you secure the area be sure to let
the enemy know.]

Dave Kennedy [CISSP] Information Security Analyst, National Computer Security

Computers facilitate foolishness

Mark Seecof <>
Sun, 19 May 1996 13:44:01 -0700
I saw a demonstration of modern computer-voice-recognition s/w tied to modern
ideographic text-processing software.  It appeared to me to work pretty well
(given that I didn't understand the language involved).

Even a few years ago, it appeared that the "information age" was generating
forces which would push people away from ideographic writing systems.  Most
intellectual work would be supported by computerized systems running on
alphabetic text; ideographic processing when available was costly, awkward,
and slow.  Furthermore, hardly anyone could program his computer (in the
general sense) using ideograms.  Though people using different alphabets
could exchange information fairly easily, ideographic data was not very

These forces seemed progressive.  Alphabetic writing systems are much more
convenient for most purposes than ideographic ones.  Worse, cultures using
ideographic systems force their young to spend tremendous amounts of time and
effort memorizing ideograms--time which they could otherwise devote to
productive or entertaining activities.  Ideographic systems are bad for people
with poor visual memories; though they may be capable of intellectual work,
they find themselves crippled by their obdurate writing system.

But now computer advances (not unanticipated) will relieve some pressures
which worked to push people away from ideographic systems.  The tedium of
penmanship will go away.  Recognition of ideograms for programmatic purposes
will become widely available.  Most computer systems will become able to
process and display ideographic text.

I fear that the usual forces of reaction and inertia which operate to maintain
the cultural status quo may overpower the diminished forces of progress.
Even though ideographic writing systems are demonstrably counter-productive,
the slow-to-accrue benefits of abandoning them may never outweigh the
instantaneous costs of doing so in the minds of adult (already ideographized)

Advances in computer systems will enable us to avoid advances in our "human
systems."  Heck, it's worse than "will enable us to avoid advances."  It's
more like "will actively retard us..."

Mark Seecof <>

Another Netscape Bug US$1K

David Kennedy <76702.3557@CompuServe.COM>
22 May 96 08:24:09 EDT
Courtesy of the Dow Jones News Service via CompuServe's Executive News Service

     Princeton Team Finds Bug In  Part Of Netscape Program
Dow Jones  5/20/96  6:02 AM

   From The Wall Street Journal
<>  MOUNTAIN VIEW, Calif. -- Netscape Communications Corp. said a
<>team of Princeton University computer sleuths found another bug
<>in the company's popular Internet browser, but said the flaw
<>has been corrected and no information was lost or damaged.
<>Jeff Trehaft, Netscape's director of security, said the bug was
<>buried "deep in the source code" of its Navigator browser, and
<>that it was so esoteric that only experts searching for months
<>could find it. The bug was found in Navigator versions that
<>support Sun Microsystems Inc.'s Java computer language.

o   Third bug identified by the team.  This one found by Thomas Cargill, a

o   Netscape delivered a fixed version within 24 hours.  Cargill still gets
the $1000 reward.

<>  Mr. Trehaft added that Navigator is safe. "This product has
<>been out almost a year and only a few bugs have been found, and
<>as far as we know there's been no damage," he said.

Dave Kennedy  [CISSP] Information Security Analyst, National Computer Security

   [John Markoff had an article on this topic (See also RISKS-18.13)
   in *The New York Times*, Saturday 18 May 1996.]


Matthew P Wiener <>
Sun, 19 May 96 19:11:19 EDT
The 17 May 96 FORWARD (an American Jewish interest weekly newspaper),
page 5, has a brief article about a Jewish CD-ROM put out by the
Jewish Publications Society that had a Christian gospel screensaver
by mistake.

JPS is a large Jewish publisher.  But they had never done a CD-ROM
before, so they asked Logos Research Systems, a leader in Christian
software products, to do the scutwork.  Apparently the screensaver
was added in at the last minute, and since there were no instructions
regarding it, the generic Logos screensaver was packaged in, and
presumably nobody beta (beth?) tested it.

JPS and Logos are now splitting the cost of replacing hundreds of
CD-ROMs already sold, and are pulling off those on the shelves.

-Matthew P Wiener (
The Wistar Institute of Anatomy and Biology

The risks of calling 800 numbers?

"Rob Slade" <>
Tue, 21 May 1996 18:10:14 EST
Ah, the things we don't know about 800 service.  Like: Call(er ID) Blocking
doesn't work: the owner of the 800 number gets your number anyway.

And now this:

>From: Abram the spammer
>Newsgroups: alt.books (no less!)
>Now available in the U.S.  XXXXXXXXXX AND XX-XXX XXXX.
>Japan and West Germany's leading treatment for thinning hair.
>2.5X more effective than minoxidil. Featured on CNN, NEWSWEEK,
>NEW YORK TIMES.  DOCTOR recommended.  For FREE information,
>please call 1-800-555-XXXX

Ah, but here's the cute part:


In other words, he is quite willing to spam news, but he doesn't want
anyone spamming his 800 number in retaliation.

Of course, he could just be bluffing.  Any telco people know if this
is available?

12am: noon or midnight?

Tue, 21 May 1996 22:02:15 -0400
There are compelling reasons to consider "12 am" to mean noon,
as in the hour-by-hour sequence 10 am, 11 am, 12 am.  But just
as compelling is the minute-by-minute sequence 12:00 pm,
12:01 pm, 12:02 pm.  People generally duck (actually clarify) the
issue by saying "12 noon" and "12 midnight."  Another dodge is to
make rules and laws go into effect at such times as 12:01 am.  But
is there a more or less universally understood meaning of 'am' or
'pm' as applied to exactly 12?  If there isn't, what should it be?
The truly logical answer to this, of course (try to get this one
through Congress) is to replace 12 by 0:  there's no confusion about
what 0 am and 0 pm would mean.  Not to me anyway.

Ken Knowlton

    [Lots of folks around the world solve this by going from
    00:00 through 12:00  to 23:59 each day.  Who needs am, p, n, and m?
    So, perhaps a correct answer to the Subject line is *neither*.  PGN]

The `pound' sign

Donald Mackie <>
Tue, 21 May 1996 22:22:53 +1200
The pound sign `#' is often used as shorthand for the word `fracture'  by
medical staff from the UK and other countries. For example, "Mrs Smith has
a # radius and ulna".

Our hospital computer systems move data from one system to another.  If Mrs
Smith's diagnosis is entered as above on the administrative system and then
her information is called up from the pathology system the diagnosis appears
as "=A3 radius and ulna".

Of course, the same problem may occur in transmission of this message.  The
pound or hash sign is replaced by the stylised L used to designate the pound
sterling (currency).

RISK: the patient's arm may be more valuable to pathology than anyone else.

Donald Mackie FANZCA FRCA=20  Middlemore Hospital, Auckland, New Zealand
ph +64 9 276 0168       fax +64 21 785 378

Prompt bus sign

Donald Mackie <>
Tue, 21 May 1996 22:22:58 +1200
Our local buses have electronic signs on the front, rather like those used
for airport departure boards. The sign shows the destination of the bus and
scrolls through stops it is yet to make. As the bus passes each stop it is
removed from the list.

Yesterday I saw a bus apparently destined for


I suspect the driver needed to hit <enter> just one more time.

Donald Mackie FANZCA FRCA  Middlemore Hospital, Auckland, New Zealand
ph +64 9 276 0168       fax +64 21 785 378

Addendum to my tirade on bad numbers (... Births, RISKS-18.10)

Tue, 21 May 1996 12:58 -0400
I'm watching CNN as background noise and they are touting the use of
Astrology for investing. The problem is just another illustration of how
difficult it is to get straight information to form ones one judgment. They
noncritically report that three successful predictions including the Gulf
war. There is not an iota of incredulousness -- not only does the reporter
not do fact checking (what is a prediction?) there isn't even the idea of
checking to see if there is any significance against the larger set of
predictions. Astrology is an obvious target but there is no reason to assume
any of the other reports are any better researched. Reminds me of the great
Dilbert strip where the Boss is determined to track down the miscreants
since a full 40% of the sick days were on Monday or Friday. But it's not
just innumeracy.

Lest we be smug (whoever "we" are) the same naivete appears in assuming that
one can simply design a system and deploy it without a continual learning and
refinement cycle. (formerly known by its denigrated name of "maintenance").

When your last name's also a first name ...

"Scott Alastair (Exchange)" <>
Mon, 20 May 1996 09:07:24 +0100
I have the misfortune to have both an unusual first name (Scottish Gaelic)
and a last name which passes muster as a first name in most, if not all, of
the English-speaking parts of the world.

Our Microsoft Exchange mail system stores names as 

Number cruncher derides numbers

Bertrand Meyer <>
Sat, 18 May 96 14:19:08 PDT
A story in the 29 Apr 1996 issue of Web Week, a magazine devoted to the
World-Wide Web, describes new developments in the controversy between
Nielsen Media Research and a group of academics from Vanderbilt and North
Carolina, who criticized an earlier Nielsen study as overstating Internet
usage in the US and Canada.

The magazine quotes the following from David Harkness, senior VP of
Nielsen Media Research: "What doesn't matter now, in my opinion, is
how many users there were in August of last year, because the Internet
is growing so fast. The Internet is not being served by this debate".

The last comment may cause anyone who has forked out $5,000 - what the
magazine says it takes to buy a copy of the Nielsen report - to raise an
eyebrow or two. Are we to understand that the purpose of such a study is to
"serve the Internet", that is to say cheer up everyone in the Internet
industry by reporting good news, rather than provide a snapshot of the

But the most interesting part remains the first sentence in Mr. Harkness's
comment. If I understand properly: let's not quibble about minor differences
between the two studies (a mere 8 million people - or actually 20 million,
making the result more than 100% off target, if you compare Nielsen's
"Internet access" numbers with the academics' estimates of actual Internet
use!); we all know the Internet is expanding by leaps and bounds.

Which of course brings up the whole question of why we should trust
Nielsen's numbers any more than Mr. Harkness seems to. For example,
according to his study, 1.51 million people have used the Web to make
a purchase. Even if you bought the report, better double-check before
making a major policy decision based on such statistics.

-- Bertrand Meyer, ISE Inc., Santa Barbara, <>
Posting applying the SELF-DISPLINE rules, see

Call for Participation - SEI Conference on Risk Management

Carol Biesecker <cb@SEI.CMU.EDU>
22 May 1996 18:43:34 GMT
Call for Participation
Software Engineering Institute (SEI) Conference on Risk Management:
acquisition, programs, projects, systems, and software

Managing Uncertainty in a Changing World
Hotel Cavalier
Virginia Beach, Virginia
April 7-9, 1997

In today's world of downsizing and reengineering, you're moving into
uncharted territory. You've been asked to acquire and develop systems with
less money, and said, "I can do that."  You've been asked to succeed with
shorter schedules, and said, "I can do that."  You've been asked to use fewer
people, and said, "I can do that."

So, how can you do that?

You need to improve your ability to acquire systems, to proactively manage
your resources, people, schedules, and budgets--to predict and avoid
problems before they occur. You must rapidly integrate, under controlled
conditions, the acquisition of complete systems providing end users with
predictable system performance. You need to determine which risks are more
critical to the success of your program to make effective use of scarce
resources. You need proven methods and techniques as well as suggestions for
advanced capabilities.

Acquisition practices and risk management are being implemented and improved
throughout the government and industry. To maintain your competitive edge in
this uncertain world, you need effective acquisition and risk management
practices. This conference is a way to find out what's going on and what's
applicable and useful to you.

The SEI Conference on Risk Management will provide a forum that brings
together the government, industry, and academic managers, practitioners,
change agents, and researchers using and exploring risk management and
acquisition. The conference will provide a unique forum for exchanging ideas
and experiences with experts and professionals who practice or study
acquisition and risk management. This is a tremendous opportunity to
increase your awareness and to advance your knowledge and skills by being
exposed to the latest methods, tools, and techniques, and some of best
practices in the field of system development and acquisitions. Managers will
find the means to improve their ability to make informed decisions and to
gain better control of their project's cost, schedule, and technical
contents. Practitioners will find the ways to increase awareness of risks
and their ability and skills to avoid or mitigate them. Both development and
acquisition professionals will gain insight from the experiences of leading
experts and professionals, learn about the latest developments and
technological issues, and learn how to manage uncertainty in a changing

The SEI Conference on Risk Management will feature keynote speakers,
distinguished presenters, selected presentations from invited speakers,
panel discussions with experts and professionals, and exhibitors. It will
also provide learning opportunities with hands-on tutorials and
opportunities to accomplish work to advance the practices of acquisition and
risk management through mini-workshops. The conference will further provide
value for different audiences such as managers and practitioners, beginners
and advanced professionals, or development and acquisition professionals
through separate tracks for presentations and panels. Opportunities to
mingle with people who have similar interests will be provided through
birds-of-a-feather sessions.

The Hotel Cavalier in Virginia Beach provides beach-side accommodations. The
Virginia Beach area is convenient to Washington, D.C. and offers golfing,
deep-sea and freshwater fishing, tennis, hiking, historic dwellings, museums,
shops, and restaurants. The Norfolk International Airport serves the Virginia
Beach area with more than 200 flights daily to all major hubs and most major
cities. The oceanfront is a 20-minute drive from the airport.

Important Dates

September 19, 1996: deadline for submitting papers and workshop proposals
October 17, 1996:   deadline for mailing acceptance notification
                    to participants
January 24, 1997:   deadline for submitting camera-ready materials

For more information about the conference, contact--
SEI Customer Relations
Software Engineering Institute
Carnegie Mellon University
Pittsburgh, PA 15213-3890
Phone 412 / 268-5800
FAX 412 / 268-5758
World Wide Web

For more information about vendor exhibits, contact--
Heather Stupak, as above, with Phone 412 / 268-1587, FAX 412 / 268-5758

   [Truncated for RISKS.  PGN]

Please report problems with the web pages to the maintainer