Subject: RISKS DIGEST 12.56
REPLY-TO: risks@csl.sri.com

RISKS-LIST: RISKS-FORUM Digest  Friday 25 October 1991  Volume 12 : Issue 56

        FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS
   ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Contents:
More O'Hare-raising experiences
Swedish election results were delayed (Martin Minow)
Campaign against telco info services (Mark Seecof)
The computer is always right. (E. Kristiansen)
1-900 scam (Torsten Lif)
RISKS of Electronic Credit Card Authorization (Derek Atkins)
Australian Software Quality Management Standard (Douglas Thomson)
AT&T/ATC outage revisited (Alfred H. Scholldorf via PGN)
Re: Single Point of Failure in L-1011 Intercom (Brinton Cooper)
Re: Law requiring bug fixes (Geoffrey H. Cooper)
Re: Prodigy (Jamie Saker, Fred Gilham, Ronald Hale-Evans, Greg Brail)

  The RISKS Forum is moderated.  Contributions should be relevant, sound, in
  good taste, objective, coherent, concise, and nonrepetitious.  Diversity is
  welcome.  CONTRIBUTIONS to RISKS@CSL.SRI.COM, with relevant, substantive
  "Subject:" line.  Others may be ignored!  Contributions will not be ACKed.
  The load is too great.  REQUESTS please to RISKS-Request@CSL.SRI.COM.
  For vol i issue j, type "FTP CRVAX.SRI.COM<CR>login anonymous<CR>AnyNonNullPW<CR>
  CD RISKS:<CR>GET RISKS-i.j<CR>" (where i=1 to 12, j always TWO digits).
  Vol i summaries in j=00; "dir risks-*.*" gives directory; "bye" logs out.
  The COLON in "CD RISKS:" is essential.  "CRVAX.SRI.COM" = "128.18.10.1".
  <CR>=CarriageReturn; FTPs may differ; UNIX prompts for username, password.
  ALL CONTRIBUTIONS CONSIDERED AS PERSONAL COMMENTS; USUAL DISCLAIMERS APPLY.
  Relevant contributions may appear in the RISKS section of regular issues of
  ACM SIGSOFT's SOFTWARE ENGINEERING NOTES, unless you state otherwise.

----------------------------------------------------------------------

Date: Thu, 24 Oct 91 13:15:02 PDT
From: "Peter G. Neumann"
Subject: More O'Hare-raising experiences

Radar equipment at O'Hare International Airport in Chicago has been
malfunctioning for months, losing track of planes, and giving images of ghost
planes in empty airspace.  FAA's Jim Dermody said radar images appear and
disappear for 15 to 20 seconds.  Controllers have also reported seeing double
images of airplanes.  [Summary of an AP item, greatly foreshortened in the
San Francisco Chronicle, 25Oct91]

Dermody said the FAA suspects T-CAS may be emitting too many electronic
signals, causing the radars to malfunction, although the problems seem
confined to the Chicago area.  In previous incidents, an American Airlines jet
came within 50 feet of a smaller plane Saturday in the Chicago area, the FAA
reported.  Three passenger planes nearly collided near Chicago's Midway
Airport on Oct. 3 in an incident the FAA blamed on an error by air-traffic
controllers.  On Sept. 26, a Southwest Airlines jet was forced to veer sharply
as it approached Midway to avoid a smaller plane.  [From the full AP report]

  [The short version was also noted by Rodney Hoffman.]

------------------------------

Date: Wed, 23 Oct 91 20:35:48 PDT
From: Martin Minow
Subject: Swedish election results were delayed

The following is a sidebar -- in its entirety -- from the Stockholm newspaper
Expressen, Monday, September 16: the day after the Swedish national election.
Expressen is an afternoon paper that would have gone to press sometime Monday
morning: it includes photos taken early Monday morning.  (My translation, with
apologies for inaccuracies.)

  Miscalculation last night

  Riksskatteverket [RSV, the national tax authority] could not successfully
  count the parliamentary election because of computer error.  At this
  edition's press-time, there is conflicting information about the exact
  parliament seat distribution.  However, the difference is on the order of a
  few tenths of a percent and the balance [of seats between parties] will not
  be affected.

The rest of the page is taken up by a large table showing vote percentages and
seat distribution among the eight parties and 28 electoral districts.  A
two-page article inside the paper has the title "Gigantic Foul-up by
Riksskatteverket."  Some quotes follow:

  All night, 120 people from RSV and the newspapers' telegram bureau [the
  Swedish equivalent to AP] worked to get out the Stockholm election results.
  The work was often chaotic, and early this morning it became clear that RSV
  couldn't determine all the results.  Thus, the following tables are missing
  ... [local and province results by electoral district].

  The reason for the mess-up was that RSV used a new computer system for the
  first time this year.

  "The idea behind the new system is that we will be able to serve all
  mass-media by the network.  So it will be easier for mass-media to process
  the data themselves," says election chief Lennart Berg.

  According to Bo Beergrehn, computer chief for the tax authority in
  Stockholm, priority was given to results in electoral districts that were
  meaningful for mandate allocation.  Those results were delivered
  successfully.

  In the future, the new computer system will require fewer personnel and get
  the results out quicker.

Martin Minow  minow@ranger.enet.dec.com

------------------------------

Date: Thu, 24 Oct 91 10:20:39 -0700
From: Mark Seecof
Subject: campaign against telco info services

The American Newspaper Publisher's Association, Consumer Federation of
America, Dialog Information Services, Graphic Communications Int'l Union,
National Newspaper Association, and Weatherline, Inc. have published a full
page ad in the L.A. Times (and, I presume, in other pubs) inviting people to
support a bill called HR 3515 which would restrict the LOC's entry into the
"information services" arena.  The ad appeals to people's interest in their
own privacy.

The number to call to support HR 3515 is 800-54-PRIVACY and the ad (after
drawing a scary picture of what the telcos will do if unleashed) says "We need
to stop this potential invasion of privacy.  We need to keep the already
thriving information services industry competitive and independent of the
Bell monopoly.  You can help by urging your U.S. Representative to support HR
3515.  And by calling 1-800-54-PRIVACY.  Because if you remain silent now,
everything you say later can, and just might, be used against you."

Mark Seecof

In this case, I think what I've reported really does represent the opinion of
my employers, at least in part.

  [Wow!  A nondisclaimer!!!  PGN]

------------------------------

Date: Thu, 24 Oct 91 11:32:46 CET
From: "E. Kristiansen - WMS"
Subject: The computer is always right.

"Flying Dutchman", KLM Royal Dutch Airline's magazine for frequent travellers,
October/November 1991, has an article on Eurocontrol, the pan-European
organization coordinating air traffic control of some European countries.
The article is written by Hans Bouman.  I quote without permission.
Translation from Dutch is mine.

After quite an interesting presentation of Eurocontrol, the author pays a
visit to the Maastricht ATC centre.  This visit is reported mainly as a dialog
between the author and Operations Officer Willy Withofs.  In a presentation of
"Conflict Alert Messages" and proposed recovery actions displayed on a VDU,
Withofs is quoted to say:

> Now, we only have to follow the advice of the computer.  Because it is
> always right.  The system is one hundred percent waterproof.

I sincerely hope this quote was invented/enhanced/embellished/distorted (pick
your choice) by the author, not a verbatim of what the Operations Officer
said!

Erling Kristiansen - ESTEC, Noordwijk, The Netherlands.
------------------------------

Date: Thu, 24 Oct 91 09:38:59 +0100
From: Torsten.Lif@eos.ericsson.se
Subject: 1-900 scam

A brief note in a local newspaper the other day told the story of a simple but
effective scam to draw money out of public institutions.

A couple in southern Sweden set up a "singles hot-line" service using a
071x-number (our equiv. of the 1-900-numbers in the US where the Telco and the
called party split the charges paid by the caller).  [note to moderator: feel
free to correct if I'm mistaken about the number]

Apparently, the income from this hot-line was not enough to satisfy them so
they decided to increase revenue in a simple but effective fashion.  They went
all around town to libraries and other public buildings, looking for phone
extensions that were not too closely guarded.  They'd then pick up the
receiver, call the hot-line number and leave the phone with the receiver
off-hook.  One extension in a library was reported as having been connected to
the hot-line for over a week!  At a cost of over $0.50/minute, this came as
quite a shock to the people in charge of economy at the library when the bills
arrived, some months later.

The RISK of this is the old one of not letting a stranger use your phone but
with a new twist.  Normally you'd be worried about him actually USING your
phone to call long-distance.  In this case, it was enough for him to merely
initiate a call and then go away.  How many employees in a large office will
think twice about a phone being off-hook?  Most people will simply assume
somebody else is using it and has gone away temporarily.  As long as the phone
in question is not on your own desk, you're not likely to replace the
receiver.

Many modern phone systems offer their subscribers blocks against calls to
certain numbers or area codes, forcing users to either "unlock" the phone with
a certain code sequence or to order e.g. international calls through the
switchboard operator.  This opens up a new can-o'worms in the matter of
personal integrity and your boss knowing who you call, but it prevents the
kind of abuse described here.  However, it requires somebody to explicitly
request this locking service for an office/PABX/whatever.  The default, as
that library found out the hard way, is to have all calls enabled.

+46 8 719 4881  Torsten Lif, Ericsson Telecom AB, EO/ETX/TX/ZD,
S-126 25 STOCKHOLM, SWEDEN

------------------------------

Date: Thu, 24 Oct 91 13:43:15 EDT
From: Derek Atkins
Subject: RISKS of Electronic Credit Card Authorization

I was at a store buying something with a credit card the other day, and when
the clerk ran my card through, found that the printer was out of paper.  (It
was one of those machines where you run the card through, it calls up the card
agency for an Authorization, and then prints the receipt on a thermal two-copy
printer)...  Well, after he figured out that there wasn't a receipt, and found
more paper to fill the printer, he punched a few numbers and it printed out a
WHOLE NEW receipt!  (Receipts are the equivalent to the old carbon receipts,
except you don't need to physically imprint it with the card -- the card
information is printed on the receipt for you)....

He printed this receipt WITHOUT the use of the card!  Now, what's to stop him
from printing a second copy, etc...  It seems like a risk to let that
information be that easily obtained.

-derek  --warlord@mit.edu

  [Nothing TECHNOLOGICAL stops him, although there are other considerations
  such as good business practice, hiring of honest employees, and fraud laws.
  This is a classical RESIDUE problem of an incomplete deallocation.  The
  notion of TRUSTED SYSTEMS in this notion usually means that the customer
  must blindly trust the system and the system people, not that the system is
  trustworthy.  PGN]

------------------------------

Date: Fri, 25 Oct 91 13:43:01 est
From: doug@giaea.oz.au (Douglas Thomson, ...!munnari!goanna!giaea!doug)
Subject: Australian Software Quality Management Standard

I thought the following might be of interest (our news feed is a bit slow, so
this may well be old news by now...).  I am pleased to find the state of the
art is sufficiently mature to warrant such a standard; I had formed a
different impression from reading RISKS :-)

Excerpted from an advertising blurb (without permission):

> * Software Quality Management System
>
> AS 3563-91 is a major two-part Australian standard which establishes
> the key elements required to operate an effective quality management
> system during the development of computer software.
>
> * Indispensable wherever software is developed
>
> AS 3563 encourages a controlled approach to all stages of software
> development and can be used as the basis for a cost-effective in-house
> quality assurance program.  It is also specifically designed to be
> called up as a contractual requirement in agreements for the
> development of software.  By adopting the quality practices defined in
> AS 3563, both the developer and the customer can agree on a set of
> quality assurance procedures designed to ensure the finished
> software achieves its specifications.  [...]
>
> * International acceptance
>
> The prestigious US-based Institute of Electrical and Electronic
> Engineers (IEEE) is currently adopting this Australian-prepared
> document as the US standard for quality management in software
> development.  [...]
>
> * How to Order
>
> AS 3563 Part 1-91 (Requirements)           AU$18.50
> AS 3563 Part 2-91 (Implementation guide)   AU$42.00
> [plus P&P - no idea of rates outside Australia]  [...]
>
> Mail: Standards Australia, National Sales Centre, PO Box 1055,
> Strathfield, NSW 2135, AUSTRALIA    FAX: +612 746 3333
> VISA, MASTERCARD, or cheque drawn on Australian bank

------------------------------

Date: Fri, 25 Oct 91 14:42:51 PDT
From: "Peter G. Neumann"
Subject: AT&T/ATC outage revisited

Alfred H. Scholldorf, Manager of Info Services, Reuters Information Services,
Inc., sent me two clippings on the aftermath of the AT&T outage, from the
30Sep91 issue of Network World.  An article by Ellen Messmer is mostly
familiar stuff to RISKSers.  An editorial considers the increased awareness of
reliability problems that this outage has brought about, and "the need for
the federal government to step up efforts to guarantee the reliability of the
public network."  [No GUARANTEES are possible, of course.]  "Rep. Robert Wise
[D.-W.Va] was right when he said, ``The nation must have some assurance that
the FCC is providing the proper oversight to ensure that carriers fulfill
their responsibilities to provide reliable service to the public.'' ...  The
government needs to act now, before a network crisis cripples the U.S."

As an aside, I reflect on the unintended irony of the word `oversight' in
such a context.  Government (FCC, Congress, etc.) is supposedly dedicated to
oversight [overseeing], but is often guilty of oversight [overlooking].
Something about being Over The Hill?  PGN

------------------------------

Date: Thu, 24 Oct 91 13:21:41 PDT
From: geof@aurora.com (Geoffrey H. Cooper)
Subject: Re: Law requiring bug fixes (Mark Seecof, RISKS-12.54)

Certainly such laws are already on the books for hardware products.  My
understanding of this is that a vendor must be willing to repair (stock spare
parts, maintain expertise) a computer hardware product for up to 5 years after
the product ceases to be sold by the vendor.  This costs a vendor a lot, but it
does provide a basic protection for the consumer.

One technique used by vendors is to buy their way out of the problem.  I can
recall several dead end product situations, where a vendor simply gave all
users free upgrades to a better product, to avoid having to maintain the old
product anymore.  This technique is likely even more applicable to software
than hardware.

Regarding Brooks' problem of fixes causing new bugs, the vendor might not be
required to fix ALL the bugs for everyone.  After all, if you didn't report
other bugs, you might not care (e.g., color display problem but you have only
a B&W).  Or you might even like the product better with some of the bugs in
it!  If a bug requires a simple patch, the patch itself might be sent out and
registered as a delta from the released sources (or, all too often, the
released binaries...).  By tracking many different deltas but not allowing the
original QA'd product to evolve, the few users who are "bitten" by a
particular bug may be satisfied.  Clearly this doesn't get around Brooks' "two
steps back" problem, but it does prevent the problem from compounding over
time.

Geof

------------------------------

Date: Fri, 25 Oct 91 17:45:43 EDT
From: Brinton Cooper
Subject: Re: Single Point of Failure in L-1011 Intercom (Seidel, RISKS-12.55)

Craig Seidel (seidel@puma.sri.com) writes that the intercom harness in the TWL
L-1011 is "wired like christmas tree lights where any failure in the chain
causes a complete failure and requires a check of each component."  He then
goes on to wonder if a redundant (parallel?) system wouldn't be better because
it would prevent total system disability if one component were to be broken in
an emergency.

On the other hand, it seems that this risk must be balanced against the risk
of the redundancy masking the loss of one part of the intercom (probably
because of imperfect status checking or poor system design/installation).  At
least, in a total series configuration, you *know* that every part of the
system is working, and you know when even one goes down.  I suppose a
quantitative "risk assessment" (oh, no, not *that* again) should compare these
(and other) alternatives.

_Brint

------------------------------

Date: Thu, 24 Oct 91 15:26:40 -0500
From: jsaker@unomaha.edu (Jamie Saker)
Subject: Re: Risks of double standards (on PRODIGY)?

There was an excellent write-up in the Wall Street Journal (cover of second
section) yesterday about this situation - apparently some reports indicate
that while the Prodigy censor staff allowed anti-semitic comments past their
review, they were not allowing others who opposed such views to reply and were
censoring such messages.  According to the Prodigy representative cited in the
article, they were censoring them since they were argumentative in nature.

I certainly would look for this to become an excellent test case in terms of
liability issues.  Since Prodigy did act as a guarantor of the information
presented in their forums (remember their claim that they were following the
"newspaper" analogy instead of the "telephone" analogy?), they quite possibly
accepted liability for any information that is slanderous, defamatory, etc.
Now all it takes is for some "harmed" party (possibly the ADL???) to take
Prodigy to court.

Jamie Saker, The Penny Network Foundation, P.O. Box 138, Blair, NE 68008-0138

------------------------------

Date: Thu, 24 Oct 91 13:43:59 PDT
From: quail!fred (Fred Gilham)
Subject: Prodigy (RISKS-12.55)

Someone has posted a message explaining the situation; apparently Prodigy will
not post attacks on individual subscribers.  Thus a subscriber can say, ``Jews
deserved Hitler's treatment,'' and that's OK because Prodigy doesn't censor
ideas, but if someone says, ``That was an anti-semitic sentiment,'' that's not
OK because it is an attack on a subscriber.
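------------------------------

[Added example, not from the original digest or any contributor: a worked
illustration of the off-hook premium-rate abuse in Torsten Lif's "1-900 scam"
item above, written from the defender's side.  It shows the two controls the
item implies: a dial-plan block on premium prefixes (contrasted with the
"all calls enabled" default the library was running), and a scan of the PBX's
call-detail records for premium-rate calls far longer than any deliberate call,
which is what a receiver left off-hook looks like, so the bill months later is
not the first warning.  The CDR layout, the prefix list (071 for the Swedish
071x series, 1900 for the US 1-900 series) and the sample records are all
assumptions constructed for this example.]

```python
"""Screening PBX call-detail records for premium-rate "off-hook" abuse.

Constructed example for the Lif item: a small PBX writes one call-detail
record (CDR) per completed call.  Two defensive checks are shown:
  1. a dial-plan decision, contrasting the library's default (every call
     allowed) with a block on premium-rate prefixes, and
  2. a retrospective scan of the CDR for premium-rate calls that ran far
     longer than any deliberate call would.
The CDR layout, prefixes and sample records are all assumptions.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime

# Premium-rate prefixes as dialled from this hypothetical PBX: the Swedish
# 071x series and the US 1-900 series named in the item (assumed dial strings).
PREMIUM_PREFIXES = ("071", "1900")


@dataclass(frozen=True)
class CallRecord:
    extension: str
    started: datetime
    dialled: str      # digits only, as dialled
    minutes: int
    cost: float


def parse_cdr_line(line: str) -> CallRecord:
    """Parse one 'extension;YYYY-MM-DD HH:MM;number;minutes;cost' record."""
    ext, started, number, minutes, cost = line.strip().split(";")
    digits = number.replace("-", "").replace(" ", "")
    return CallRecord(ext, datetime.strptime(started, "%Y-%m-%d %H:%M"),
                      digits, int(minutes), float(cost))


def is_premium(dialled: str) -> bool:
    return dialled.startswith(PREMIUM_PREFIXES)


def call_permitted(dialled: str, blocked_prefixes=(), default_allow=True) -> bool:
    """Dial-plan decision for a call placed from an unattended extension.

    With blocked_prefixes empty and default_allow=True, the default the
    library found itself with, every number goes through.  Blocking the
    premium prefixes stops this abuse without touching ordinary calls;
    default_allow=False is the stricter plan the item mentions, where other
    calls go via the operator or an unlock code (not modelled here)."""
    if blocked_prefixes and dialled.startswith(tuple(blocked_prefixes)):
        return False
    return default_allow


def flag_off_hook_calls(records, max_premium_minutes=30):
    """Premium-rate calls longer than max_premium_minutes.  A handset left
    off-hook shows up as a single very long call, not as many short ones."""
    return [r for r in records
            if is_premium(r.dialled) and r.minutes > max_premium_minutes]


def premium_cost_by_extension(records):
    """Total premium-rate charges per extension, for the monthly review."""
    totals = defaultdict(float)
    for r in records:
        if is_premium(r.dialled):
            totals[r.extension] += r.cost
    return dict(totals)


# Constructed CDR export; extension 2107 plays the library handset from the
# item, left connected to a 071 number for more than a week.
SAMPLE_CDR = """\
2043;1991-10-07 11:02;08-123 45 67;3;0.40
2107;1991-10-08 16:40;071-123456;10200;5100.00
2043;1991-10-09 09:15;071-987654;4;2.00
2110;1991-10-10 13:00;1-900-555-1234;95;47.50
2110;1991-10-10 15:20;08-765 43 21;12;1.60
"""


def load_sample():
    return [parse_cdr_line(l) for l in SAMPLE_CDR.splitlines() if l.strip()]


if __name__ == "__main__":
    calls = load_sample()
    for r in flag_off_hook_calls(calls):
        print(f"ext {r.extension}: {r.minutes} min to {r.dialled} "
              f"from {r.started:%Y-%m-%d %H:%M}, cost {r.cost:.2f}")
    print("premium charges by extension:", premium_cost_by_extension(calls))
    print("071 call allowed by default plan:", call_permitted("071123456"))
    print("071 call allowed with block list: ",
          call_permitted("071123456", blocked_prefixes=PREMIUM_PREFIXES))
```

Run as a script it lists the two calls that deserve a phone call to the
department before the invoice does (the week-long 071 connection and a
95-minute 1-900 call), and shows that the same 071 number is permitted under
the default plan and refused once the premium prefixes are on the block list.
The duration threshold is deliberately coarse: legitimate premium calls (a
weather or information line) are minutes long, an abandoned handset is hours
or days.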
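------------------------------

[Added example, not from the original digest or any contributor: the
quantitative comparison Brinton Cooper's L-1011 intercom item above asks for,
as a small model.  Time is divided into check intervals (say, one flight) and
each of n stations fails during an interval with probability p.  In the series
("christmas tree lights") wiring any failure kills the whole intercom, so, as
the item argues, it is noticed at once and every interval starts with a fully
working system.  In the parallel wiring a dead station leaves the others
talking, so it is found only with probability c (status-check coverage) at the
end of an interval and may carry over, silently, into the next one.  Both
designs are scored on two risks: total loss (nobody can talk), which is
Seidel's concern, and any-station-dead (at least one crew position unusable),
which is the masking risk the reply raises.  The formulas, the figures p, n
and c, and the 1.1x tolerance are assumptions of this example, not data from
any aircraft.]

```python
"""Series vs. parallel intercom wiring with imperfect status checking.

Constructed model; all parameters are assumptions.  One interval = one
check period.  p = per-station failure probability per interval,
n = number of stations, c = probability a masked (parallel) failure is
found at the end of an interval.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class IntercomRisk:
    total_loss: float        # P(no station can talk during the interval)
    any_station_dead: float  # P(at least one station unusable during the interval)


def chain_failure_prob(p: float, n: int) -> float:
    """P(at least one of n stations fails during one interval)."""
    return 1.0 - (1.0 - p) ** n


def series_risk(p: float, n: int) -> IntercomRisk:
    # One station down is the whole intercom down, and (the item's claim) it
    # is visible, so the system never starts an interval already degraded.
    q = chain_failure_prob(p, n)
    return IntercomRisk(total_loss=q, any_station_dead=q)


def latent_dead_fraction(p: float, c: float) -> float:
    """Stationary P(a parallel station starts an interval already dead).

    Per interval: a live station dies with probability p, then any dead
    station is found and repaired with probability c.  The recurrence
    d_next = (d + (1 - d) * p) * (1 - c) has the fixed point below.
    c = 1 gives 0 (every failure caught); c = 0 gives 1 (never repaired)."""
    if p == 0.0:
        return 0.0
    return p * (1.0 - c) / (1.0 - (1.0 - c) * (1.0 - p))


def parallel_risk(p: float, n: int, c: float) -> IntercomRisk:
    d = latent_dead_fraction(p, c)
    s = d + (1.0 - d) * p   # P(a given station is dead during the interval)
    return IntercomRisk(total_loss=s ** n,
                        any_station_dead=1.0 - (1.0 - s) ** n)


def minimum_coverage(p: float, n: int, ratio: float, tol: float = 1e-9) -> float:
    """Smallest status-check coverage c at which the parallel design's
    any-station-dead risk is at most `ratio` times the series figure.
    That risk falls monotonically as c rises, so bisection suffices."""
    target = ratio * series_risk(p, n).any_station_dead
    lo, hi = 0.0, 1.0   # lo always violates the target, hi always meets it
    while hi - lo > tol:
        mid = (lo + hi) / 2.0
        if parallel_risk(p, n, mid).any_station_dead > target:
            lo = mid
        else:
            hi = mid
    return hi


if __name__ == "__main__":
    p, n = 0.001, 10   # assumed per-station failure probability and station count
    s = series_risk(p, n)
    print(f"series        : total loss {s.total_loss:.2e}  any dead {s.any_station_dead:.2e}")
    for c in (1.0, 0.5, 0.1):
        r = parallel_risk(p, n, c)
        print(f"parallel c={c:<3}: total loss {r.total_loss:.2e}  any dead {r.any_station_dead:.2e}")
    print(f"coverage needed to stay within 1.1x series on any-dead: "
          f"{minimum_coverage(p, n, 1.1):.3f}")
```

With the assumed figures the parallel harness all but eliminates total loss
(a 10-station system needs every station dead at once) but, unless status
checking is nearly perfect, roughly doubles the chance at c = 0.5 that some
crew position is silently unusable when an emergency arrives; at c = 1 the two
designs are identical on that measure, and minimum_coverage reports how close
to 1 the checking must be for the parallel design to stay within a chosen
margin of the series one.  Which risk matters more is the judgement the item
leaves open; the model only makes the trade explicit.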
------------------------------

Date: Thu, 24 Oct 1991 15:08 EDT
From: Ronald Hale-Evans
Subject: An inside look at Prodigy's `double standard' (Spector, RISKS-12.55)

My wife is a Prodigy editor (probably known to you as a "censor"), and she
gives me the following information.

The incident in question happened about a year ago.  First, the bulletin in
question was not posted; it was private email.  The receiver of the bulletin
tried to post the email in full some fifteen times in order to open discussion
and it was rejected as inappropriate by the editors every time.  I suggest you
read more recent news releases.

>Some of the messages _advocate_ "another holocaust", etc, etc...

My wife says messages advocating "another holocaust" are not posted.  Perhaps
you are again confusing email and bulletin board messages.

>The ADL (Anti-Defamation League) has protested to the PRODIGY management who
>responded that they "oppose anti-semitism", but they "encourage the free
>expression of ideas".

This is in keeping with Prodigy practice; controversial ideas may be posted to
the boards, but not personal insults.  My wife tells me that what happened in
this case was that some Holocaust Revisionists (people who believe the
Holocaust never happened) were posting to the bulletin boards.  Many people
were angered and tried to reply, but their responses were usually rejected
because they called the Holocaust Revisionists "Nazi *ssh*l*s" and so on (I
don't know the exact language, but the Prodigy editors understood it to be
personally insulting).

>Is this the same PRODIGY that makes decisions about what
>acceptable "free expression" is when it comes to use of electronic mail, and
>what are "acceptable" topics in their Health forums?  Hmmm..  seems like a pretty
>scary double standard to me....

Prodigy editors do not and cannot read private email between members.  If a
member complains that another member is harassing them through email, Prodigy
will often warn the harasser and sometimes remove them from the service.

By the way, Prodigy no longer has a Health forum.

As for the "double standard", the editors find it both disturbing and amusing
that they are usually criticised for censorship, and now they are criticised
for lack of it.  If Prodigy had caved to the demands of the ADL in the first
place, none of this would have happened, and the ACLU would not have to step
forward and speak for Prodigy, as they now are doing.

Ron Hale-Evans, Brandeis University, evans@binah.cc.brandeis.edu

------------------------------

Date: Thu, 24 Oct 91 23:04:08 EDT
From: ibism!raven!gjb@uunet.UU.NET (Greg Brail)
Subject: Anti-semitism controversy on Prodigy

The Wednesday, 10/23 issue of New York Newsday features on the front cover a
large color photo of a Macintosh II with the headline "High-Tech Hate:
Computer Network Used for Anti-Semitic Venom."  The article reads that Prodigy
was taken to task by the Anti-Defamation League for allegedly allowing
anti-Semitic messages to appear.

The second two paragraphs of the article, which appear as if they might have
been pasted in at the last minute, say Prodigy reviewed its records and found
the messages were sent in private e-mail.  Geoffrey Moore, a company
spokesman, told the Associated Press that Prodigy was "100 percent sure" the
messages were not in a public bulletin board.  The ADL, however, said some
anti-semitic messages could be seen by the public.  Rich Klein, an ADL
spokesman, told Newsday he was concerned about Prodigy's guidelines, which
call for censorship of other types of messages, but not anti-Semitic ones.

Newsday quotes from some of the messages in question, and even blows four of
them up in the left-hand two columns of page five.  "The holocaust itself is
really an edifice, a monument so to speak, to the naive gullibility of the
world," reads one.  The ADL said this particular message appeared in a public
forum.

The article goes on to quote Gerard Van der Leun of the Electronic Frontier
Foundation, plus others, in a discussion of free speech on computer networks.
It does not mention the call for "another holocaust" that another poster
mentioned.  The quotes I read don't sound too much different from the calls
for people to "prove the holocaust really happened" and other such talk that
goes on regularly in Usenet groups like alt.conspiracy and soc.history.

It appears there is some confusion over whether these messages appeared in
public bboards, in private e-mail, or somewhere else.  (I am not a Prodigy
user.)  If they were in private e-mail, then how did this become a
controversy, and why do other Prodigy users and/or administrators read e-mail?

The local New York TV news was sure to mention this incident, basically taking
the tone that computer people were out to spread hate electronically.  It
seems there is some risk in this sort of thing.  I don't see a risk of a
Fourth Reich forming on Prodigy, but of society placing restrictions and
expectations on electronic speech that it claims not to place on other forms
of expression.

Greg Brail, Citibank  ibism!gjb@uunet.uu.net  uunet!ibism!gjb

------------------------------

End of RISKS-FORUM Digest 12.56
************************