Please post this message widely

I am writing to let interested parties know about the imminent release of the NRC's study of national cryptography policy. If all goes well, we hope to release it on May 30, 1996. However, prior to that time, we won't be able to comment on its contents.

For current information on release, visit the web site
http://www2.nas.edu/cstbweb/220a.html
When you visit that site, you'll have the opportunity to be put onto a mailing list so that we can inform you by e-mail when the report is available in print and/or electronically, as well as any public events associated with the report (e.g., public briefings).

Herb Lin
Cryptography Policy Study Director
Computer Science and Telecommunications Board
National Academy of Sciences/National Research Council
202-334-2605
Approximately 800 customers of the First National Bank of Chicago were surprised to see that their balances were $924 million more than they expected last week. The cause was the traditional ``change in a computer program''. According to The American Bankers Association, the total of $763.9 billion was the largest such error in US banking history. Do the RISKS Archives agree?

[Source: an AP story in *The Boston Globe*, 19 May 1996.]

Dave Tarabar, SystemSoft Corp., 2 Vision Drive, Natick, MA 01760
firstname.lastname@example.org  508 647-2952

[Yes. PGN]
When Jeff Ferrera and Cindy Broadwater checked their checking balance at the First National Bank of Chicago, the automated voice gave it as $924,844,208.32. More than 800 other folks had similar stories to tell. The sum total for all accounts was $763.9 billion, more than six times the total assets of First Chicago NBD Corp. The problem was attributed to a ``computer glitch''.

[Source: AP US & World, 18 May 1996, By MARIO FOX, Courtesy of Associated Press News via CompuServe's Executive News Service. PGN Abstracting]
I'm not sure how widely this was reported, but the head office of the Credit Lyonnais (a bank) in Paris (8e, rue du Quatre Septembre) had a major fire a few weeks ago. I forget the date, but it was a Saturday and the fire burned for quite a while. The investigation is proceeding, but my source of information has some things to say that may be interesting to RISKS readers:

1. The VMS machines in the building were part of a cluster that was replicated remotely. So far so good.

2. There appears to have been no sprinkler system or fire doors in the building. I've seen it, from the outside, and it's more or less gutted. Asking for trouble?

3. The UNIX machines were backed up daily, except for Fridays, which was done on Sunday. These machines were backed up to tape and it appears that the tapes stay in the machines until just before the next backup is done. Remember, the fire was on Saturday. 24 hour operations are not that expensive. Courier the tapes offsite, after they've been written. Offsite parallel operations?

4. On the Saturday the UNIX machines had the tapes for Thursday night still loaded. They had not yet been put in the fireproof safe and the backup of Friday's data had not commenced. Backup your data ASAP, preferably to a remote site across a network. If the tapes have to stay on site, put them in the safe.

5. In the middle of the _fire_ someone realised this small problem and _while the fire was still burning_ the tapes were rescued from the UNIX machines and from the fireproof safe. I wonder who volunteered?

6. Apparently the fireproof safe was not deemed to be waterproof, or taking the tapes _during_ the fire was deemed a better choice than maybe getting them later. Water follows fire.

7. From the news reports it appeared that there was also some concern over whether safe deposit boxes (in the basement?) were waterproof.

All of this is unconfirmed, but I think my source is ok. BTW: I bank with the Societe Generale.

Boyd Roberts  email@example.com
Courtesy of Australian Associated Press via CompuServe's Executive News Service:

QLD: THIEVES RAID GOVERNMENT BUILDING
Australian Associated Press 5/18/96 6:21 AM
Copyright 1996 The Australian Associated Press.

<> BRISBANE, May 18 AAP - Computer thieves raided one of the
<> Queensland government's most sensitive buildings today,
<> ransacking three floors and dismantling around 55 computers,
<> police said.
<> A spokesman for Premier Rob Borbidge said the
<> break-in at the executive building annexe in George Street had
<> prompted a review of security at all government buildings.

o About 55 computers were taken apart and the HD and memory removed.

<> The spokesman for Mr Borbidge said the break-in in the
<> sensitive treasury area did not appear to be politically motivated.

[DMK: "Appear?" Kinda depends on what data "appears" on those Hard Drives, doesn't it?]

[DMK#2: Murphy's Laws of Combat #14: When you secure the area be sure to let the enemy know.]

Dave Kennedy [CISSP]
Information Security Analyst, National Computer Security Assoc.
I saw a demonstration of modern computer-voice-recognition s/w tied to modern ideographic text-processing software. It appeared to me to work pretty well (given that I didn't understand the language involved).

Even a few years ago, it appeared that the "information age" was generating forces which would push people away from ideographic writing systems. Most intellectual work would be supported by computerized systems running on alphabetic text; ideographic processing when available was costly, awkward, and slow. Furthermore, hardly anyone could program his computer (in the general sense) using ideograms. Though people using different alphabets could exchange information fairly easily, ideographic data was not very portable.

These forces seemed progressive. Alphabetic writing systems are much more convenient for most purposes than ideographic ones. Worse, cultures using ideographic systems force their young to spend tremendous amounts of time and effort memorizing ideograms--time which they could otherwise devote to productive or entertaining activities. Ideographic systems are bad for people with poor visual memories; though they may be capable of intellectual work, they find themselves crippled by their obdurate writing system.

But now computer advances (not unanticipated) will relieve some pressures which worked to push people away from ideographic systems. The tedium of penmanship will go away. Recognition of ideograms for programmatic purposes will become widely available. Most computer systems will become able to process and display ideographic text.

I fear that the usual forces of reaction and inertia which operate to maintain the cultural status quo may overpower the diminished forces of progress. Even though ideographic writing systems are demonstrably counter-productive, the slow-to-accrue benefits of abandoning them may never outweigh the instantaneous costs of doing so in the minds of adult (already ideographized) decision-makers.

Advances in computer systems will enable us to avoid advances in our "human systems." Heck, it's worse than "will enable us to avoid advances." It's more like "will actively retard us..."

Mark Seecof <firstname.lastname@example.org>
Courtesy of the Dow Jones News Service via CompuServe's Executive News Service

Princeton Team Finds Bug In Part Of Netscape Program
Dow Jones 5/20/96 6:02 AM
From The Wall Street Journal

<> MOUNTAIN VIEW, Calif. -- Netscape Communications Corp. said a
<> team of Princeton University computer sleuths found another bug
<> in the company's popular Internet browser, but said the flaw
<> has been corrected and no information was lost or damaged.
<> Jeff Trehaft, Netscape's director of security, said the bug was
<> buried "deep in the source code" of its Navigator browser, and
<> that it was so esoteric that only experts searching for months
<> could find it. The bug was found in Navigator versions that
<> support Sun Microsystems Inc.'s Java computer language.

o Third bug identified by the team. This one found by Thomas Cargill, a consultant.

o Netscape delivered a fixed version within 24 hours. Cargill still gets the $1000 reward.

<> Mr. Trehaft added that Navigator is safe. "This product has
<> been out almost a year and only a few bugs have been found, and
<> as far as we know there's been no damage," he said.

Dave Kennedy [CISSP]
Information Security Analyst, National Computer Security Assoc

[John Markoff had an article on this topic (See also RISKS-18.13) in *The New York Times*, Saturday 18 May 1996.]
The 17 May 96 FORWARD (an American Jewish interest weekly newspaper), page 5, has a brief article about a Jewish CD-ROM put out by the Jewish Publications Society that had a Christian gospel screensaver by mistake.

JPS is a large Jewish publisher. But they had never done a CD-ROM before, so they asked Logos Research Systems, a leader in Christian software products, to do the scutwork. Apparently the screensaver was added in at the last minute, and since there were no instructions regarding it, the generic Logos screensaver was packaged in, and presumably nobody beta (beth?) tested it.

JPS and Logos are now splitting the cost of replacing hundreds of CD-ROMs already sold, and are pulling off those on the shelves.

-Matthew P Wiener (email@example.com)
The Wistar Institute of Anatomy and Biology
Ah, the things we don't know about 800 service. Like: Call(er ID) Blocking doesn't work: the owner of the 800 number gets your number anyway. And now this:

>From: Abram the spammer
>Newsgroups: alt.books (no less!)
>Subject: HAIR LOSS?....MINOXIDIL USERS?
>
>Now available in the U.S. XXXXXXXXXX AND XX-XXX XXXX.
>Japan and West Germany's leading treatment for thinning hair.
>2.5X more effective than minoxidil. Featured on CNN, NEWSWEEK,
>NEW YORK TIMES. DOCTOR recommended. For FREE information,
>please call 1-800-555-XXXX

Ah, but here's the cute part:

>*PLEASE NOTE THAT ANY CALLS NOT PERTAINING TO INFORMATION REQUESTS
>WILL BE AUTO-BILLED TO ORIGINATING NUMBER UTILIZING
>LONG DISTANCE SURCHARGES.

In other words, he is quite willing to spam news, but he doesn't want anyone spamming his 800 number in retaliation. Of course, he could just be bluffing. Any telco people know if this is available?
There are compelling reasons to consider "12 am" to mean noon, as in the hour-by-hour sequence 10 am, 11 am, 12 am. But just as compelling is the minute-by-minute sequence 12:00 pm, 12:01 pm, 12:02 pm. People generally duck (actually clarify) the issue by saying "12 noon" and "12 midnight." Another dodge is to make rules and laws go into effect at such times as 12:01 am. But is there a more or less universally understood meaning of 'am' or 'pm' as applied to exactly 12? If there isn't, what should it be?

The truly logical answer to this, of course (try to get this one through Congress) is to replace 12 by 0: there's no confusion about what 0 am and 0 pm would mean. Not to me anyway.

Ken Knowlton

[Lots of folks around the world solve this by going from 00:00 through 12:00 to 23:59 each day. Who needs am, p, n, and m? So, perhaps a correct answer to the Subject line is *neither*. PGN]
The pound sign `#' is often used as shorthand for the word `fracture' by medical staff from the UK and other countries. For example, "Mrs Smith has a # radius and ulna".

Our hospital computer systems move data from one system to another. If Mrs Smith's diagnosis is entered as above on the administrative system and then her information is called up from the pathology system the diagnosis appears as "=A3 radius and ulna". Of course, the same problem may occur in transmission of this message. The pound or hash sign is replaced by the stylised L used to designate the pound sterling (currency).

RISK: the patient's arm may be more valuable to pathology than anyone else.

Donald Mackie FANZCA FRCA
Middlemore Hospital, Auckland, New Zealand
ph +64 9 276 0168  fax +64 21 785 378
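The two mangling steps in this post (a UK 7-bit national variant of ASCII that puts the pound sterling sign at the code point US-ASCII uses for `#`, and then quoted-printable encoding of the resulting 8-bit character on the way through mail) can be reproduced in a few lines. This is an added example, not from the original post or the hospital's systems; the function names and sample strings are constructed for illustration, and it assumes the pathology side read the bytes under ISO 646-GB (BS 4730) and the mail gateway treated the text as ISO-8859-1.

```python
# Added illustration of the RISKS post above; not the hospital's code.
# Step 1: ISO 646-GB (BS 4730) is identical to US-ASCII except that
#         code point 0x23 is the pound sterling sign, not '#'.  The bytes
#         never change; only the table they are read with does.
# Step 2: a mail gateway applies quoted-printable (RFC 2045) to 8-bit
#         ISO-8859-1 text, so 0xA3 becomes "=A3" and a trailing space "=20".
import quopri

POUND = "\u00a3"  # pound sterling sign, 0xA3 in ISO-8859-1


def to_iso646_gb(text: str) -> bytes:
    """Bytes as written by the admin system (7-bit, '#' is 0x23)."""
    return text.encode("ascii")


def from_iso646_gb(raw: bytes) -> str:
    """Same bytes, read under the UK national variant table (assumed)."""
    return raw.decode("ascii").replace("#", POUND)


def mangle_through_pathology(text: str) -> str:
    """Step 1 end to end: '#' written as US-ASCII, read back as pound."""
    return from_iso646_gb(to_iso646_gb(text))


def qp_encode_latin1(text: str) -> str:
    """Step 2: what a gateway does to 8-bit Latin-1 text."""
    return quopri.encodestring(text.encode("latin-1")).decode("ascii")


def qp_decode_latin1(wire: str) -> str:
    """Reverse of step 2, for a reader repairing '=A3' by hand."""
    return quopri.decodestring(wire.encode("ascii")).decode("latin-1")


def as_seen_in_the_mail(text: str) -> str:
    """Both steps: diagnosis typed on the admin system -> text in the post."""
    return qp_encode_latin1(mangle_through_pathology(text))


def flag_ambiguous_hashes(text: str) -> list:
    """Defensive check: offsets of '#' in free text, each of which will be
    misread as pound sterling by any consumer using ISO 646-GB."""
    return [i for i, ch in enumerate(text) if ch == "#"]


if __name__ == "__main__":
    diagnosis = "# radius and ulna"        # constructed sample
    print(as_seen_in_the_mail(diagnosis))  # =A3 radius and ulna
    print(flag_ambiguous_hashes("Mrs Smith has a " + diagnosis))
```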
Our local buses have electronic signs on the front, rather like those used for airport departure boards. The sign shows the destination of the bus and scrolls through stops it is yet to make. As the bus passes each stop it is removed from the list.

Yesterday I saw a bus apparently destined for

>:run64

I suspect the driver needed to hit <enter> just one more time.

Donald Mackie FANZCA FRCA
Middlemore Hospital, Auckland, New Zealand
ph +64 9 276 0168  fax +64 21 785 378
I'm watching CNN as background noise and they are touting the use of Astrology for investing. The problem is just another illustration of how difficult it is to get straight information to form one's own judgment. They noncritically report three successful predictions, including the Gulf war. There is not an iota of incredulousness -- not only does the reporter not do fact checking (what is a prediction?), there isn't even the idea of checking to see if there is any significance against the larger set of predictions.

Astrology is an obvious target but there is no reason to assume any of the other reports are any better researched. Reminds me of the great Dilbert strip where the Boss is determined to track down the miscreants since a full 40% of the sick days were on Monday or Friday.

But it's not just innumeracy. Lest we be smug (whoever "we" are), the same naivete appears in assuming that one can simply design a system and deploy it without a continual learning and refinement cycle (formerly known by its denigrated name of "maintenance").
I have the misfortune to have both an unusual first name (Scottish Gaelic) and a last name which passes muster as a first name in most, if not all, of the English-speaking parts of the world. Our Microsoft Exchange mail system stores names as
Number cruncher derides numbers

Bertrand Meyer <firstname.lastname@example.org>
Sat, 18 May 96 14:19:08 PDT

A story in the 29 Apr 1996 issue of Web Week, a magazine devoted to the World-Wide Web, describes new developments in the controversy between Nielsen Media Research and a group of academics from Vanderbilt and North Carolina, who criticized an earlier Nielsen study as overstating Internet usage in the US and Canada. The magazine quotes the following from David Harkness, senior VP of Nielsen Media Research: "What doesn't matter now, in my opinion, is how many users there were in August of last year, because the Internet is growing so fast. The Internet is not being served by this debate".

The last comment may cause anyone who has forked out $5,000 - what the magazine says it takes to buy a copy of the Nielsen report - to raise an eyebrow or two. Are we to understand that the purpose of such a study is to "serve the Internet", that is to say cheer up everyone in the Internet industry by reporting good news, rather than provide a snapshot of the reality?

But the most interesting part remains the first sentence in Mr. Harkness's comment. If I understand properly: let's not quibble about minor differences between the two studies (a mere 8 million people - or actually 20 million, making the result more than 100% off target, if you compare Nielsen's "Internet access" numbers with the academics' estimates of actual Internet use!); we all know the Internet is expanding by leaps and bounds. Which of course brings up the whole question of why we should trust Nielsen's numbers any more than Mr. Harkness seems to. For example, according to his study, 1.51 million people have used the Web to make a purchase. Even if you bought the report, better double-check before making a major policy decision based on such statistics.

-- Bertrand Meyer, ISE Inc., Santa Barbara, <email@example.com>
Posting applying the SELF-DISCIPLINE rules, see http://www.eiffel.com/discipline
Call for Participation - SEI Conference on Risk Management

Carol Biesecker <cb@SEI.CMU.EDU>
22 May 1996 18:43:34 GMT

Call for Participation
Software Engineering Institute (SEI) Conference on Risk Management:
acquisition, programs, projects, systems, and software
Managing Uncertainty in a Changing World
Hotel Cavalier, Virginia Beach, Virginia
April 7-9, 1997

In today's world of downsizing and reengineering, you're moving into uncharted territory. You've been asked to acquire and develop systems with less money, and said, "I can do that." You've been asked to succeed with shorter schedules, and said, "I can do that." You've been asked to use fewer people, and said, "I can do that." So, how can you do that?

You need to improve your ability to acquire systems, to proactively manage your resources, people, schedules, and budgets--to predict and avoid problems before they occur. You must rapidly integrate, under controlled conditions, the acquisition of complete systems providing end users with predictable system performance. You need to determine which risks are more critical to the success of your program to make effective use of scarce resources. You need proven methods and techniques as well as suggestions for advanced capabilities.

Acquisition practices and risk management are being implemented and improved throughout the government and industry. To maintain your competitive edge in this uncertain world, you need effective acquisition and risk management practices. This conference is a way to find out what's going on and what's applicable and useful to you.

The SEI Conference on Risk Management will provide a forum that brings together the government, industry, and academic managers, practitioners, change agents, and researchers using and exploring risk management and acquisition. The conference will provide a unique forum for exchanging ideas and experiences with experts and professionals who practice or study acquisition and risk management.

This is a tremendous opportunity to increase your awareness and to advance your knowledge and skills by being exposed to the latest methods, tools, and techniques, and some of the best practices in the field of system development and acquisitions. Managers will find the means to improve their ability to make informed decisions and to gain better control of their project's cost, schedule, and technical contents. Practitioners will find the ways to increase awareness of risks and their ability and skills to avoid or mitigate them. Both development and acquisition professionals will gain insight from the experiences of leading experts and professionals, learn about the latest developments and technological issues, and learn how to manage uncertainty in a changing world.

The SEI Conference on Risk Management will feature keynote speakers, distinguished presenters, selected presentations from invited speakers, panel discussions with experts and professionals, and exhibitors. It will also provide learning opportunities with hands-on tutorials and opportunities to accomplish work to advance the practices of acquisition and risk management through mini-workshops. The conference will further provide value for different audiences such as managers and practitioners, beginners and advanced professionals, or development and acquisition professionals through separate tracks for presentations and panels. Opportunities to mingle with people who have similar interests will be provided through birds-of-a-feather sessions.

The Hotel Cavalier in Virginia Beach provides beach-side accommodations. The Virginia Beach area is convenient to Washington, D.C. and offers golfing, deep-sea and freshwater fishing, tennis, hiking, historic dwellings, museums, shops, and restaurants. The Norfolk International Airport serves the Virginia Beach area with more than 200 flights daily to all major hubs and most major cities. The oceanfront is a 20-minute drive from the airport.

Important Dates
September 19, 1996: deadline for submitting papers and workshop proposals
October 17, 1996: deadline for mailing acceptance notification to participants
January 24, 1997: deadline for submitting camera-ready materials

For more information about the conference, contact--
SEI Customer Relations
Software Engineering Institute
Carnegie Mellon University
Pittsburgh, PA 15213-3890
Phone 412 / 268-5800
FAX 412 / 268-5758
Email firstname.lastname@example.org
World Wide Web http://www.sei.cmu.edu

For more information about vendor exhibits, contact--
Heather Stupak, as above, with Phone 412 / 268-1587, FAX 412 / 268-5758
Email email@example.com

[Truncated for RISKS. PGN]