Subject: RISKS DIGEST 13.48
REPLY-TO: risks@csl.sri.com

RISKS-LIST: RISKS-FORUM Digest  Sunday 10 May 1992  Volume 13 : Issue 48

   FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS
   ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Contents:
Farmer receives $4M US Government check by mistake (Fernando Pereira)
Daylight savings time started early this year (David J. Fiander)
C-17 software problems (Mark Seecof)
Composite Health Care System at Walter Reed Hospital (PGN)
Microsoft advocates killing of Jews (Aaron Dickey via Jim Horning)
DATATAG (Brian Randell)
Re: $70 million bank scam (Tom Perrine)
Re: April Fools' Meteorology (Bear Giles)
Re: Free TRW Credit Report (Mary Culnan)
Risk of direct deposit (Stuart Bell)

The RISKS Forum is moderated. Contributions should be relevant, sound, in good taste, objective, coherent, concise, and nonrepetitious. Diversity is welcome. CONTRIBUTIONS to RISKS@CSL.SRI.COM, with relevant, substantive "Subject:" line. Others may be ignored! Contributions will not be ACKed. The load is too great. **PLEASE** INCLUDE YOUR NAME & INTERNET FROM: ADDRESS, especially .UUCP folks. REQUESTS please to RISKS-Request@CSL.SRI.COM.

Vol i issue j, type "FTP CRVAX.SRI.COM<CR>login anonymous<CR>AnyNonNullPW<CR>CD RISKS:<CR>GET RISKS-i.j<CR>" (where i=1 to 13, j always TWO digits). Vol i summaries in j=00; "dir risks-*.*" gives directory; "bye" logs out. The COLON in "CD RISKS:" is essential. "CRVAX.SRI.COM" = "128.18.10.1". <CR>=CarriageReturn; FTPs may differ; UNIX prompts for username, password.

ALL CONTRIBUTIONS CONSIDERED AS PERSONAL COMMENTS; USUAL DISCLAIMERS APPLY. Relevant contributions may appear in the RISKS section of regular issues of ACM SIGSOFT's SOFTWARE ENGINEERING NOTES, unless you state otherwise.
----------------------------------------------------------------------

Date: Fri, 8 May 92 20:30:35 EDT
From: pereira@mbeya.research.att.com (Fernando Pereira)
Subject: Farmer receives $4M US Government check by mistake

The Associated Press reports today from Crosby, N.D., that farmer Harlan Johnson, who was expecting a $31 check from the U.S. Agricultural Stabilization and Conservation Service, received instead one for $4,038,277.04. Dale Ihry, head of the agency's office in North Dakota, said that their computer program occasionally picks that particular amount and prints it out on something, although this is the first time that it was printed on a check. The farmer returned the check the day after.

It's wonderful how the agency seems to accept the bug as an act of God. Looks to me instead like an act of off-by-one indexing into an inappropriate memory location...

Fernando Pereira, 2D-447, AT&T Bell Laboratories, 600 Mountain Ave, PO Box 636, Murray Hill, NJ 07974-0636, pereira@research.att.com

------------------------------

Date: Sat, 9 May 1992 08:50:58 -0400
From: "David J. Fiander"
Subject: Daylight savings time started even earlier this year

The following excerpt is taken from shortwave radio magazine _Monitoring Times_, May 1992 issue:

   Does anyone have the correct time?

   When subscriber Fred Latus ... came in at 5 a.m. to "open up" station WKTV-TV ... he felt something was amiss with the clock - an ESE NBS Master Clock receiver, locked to WWV's time signal. Not having time to check it, however, it wasn't until a second engineer arrived and asked why the digital clock was one hour fast, that it hit him. [...]

   "Having had problems with our receiver and antenna the past few months, we thought it could be our problem. By eight a.m. I had reset the system twice and it still was in error."

   "About 9:15 a.m. I finally got an engineer at WWV, just coming on duty at 7 a.m. MST." ...

   Keeping Fred on the phone while he checked the computer, he came back to report that, sure enough, a "3" had been entered instead of a "4" for the month starting Daylight Savings Time. ...

   The United States had been on Daylight Savings Time for about nine and a half hours a month early and only half a dozen people caught it!

Since the rule for determining the start of daylight savings time is so simple (in the US), why isn't there an easy way to describe the rule, rather than punching in a date every year (as would seem to be the case)?

   [... It is not trivial, however, because any program older than a few years will get the shift wrong! The switchover used to occur on the LAST Sunday in April, and now is on the FIRST Sunday. PGN]

------------------------------

Date: Fri, 8 May 92 15:34:32 -0700
From: Mark Seecof
Subject: C-17 software problems

In a story by Ralph Vartabedian on page D-12, Friday, 8 May '92, the Los Angeles Times reported [brutally condensed by M. Seecof]:

GAO Says C-17 is Riddled With Computer Problems

The McDonnell Douglas C-17 cargo jet is plagued with serious computer hardware and software problems, resulting in part from shortcuts taken by the company ... according to a General Accounting Office report obtained Thursday.

The GAO report is the first public finding that the C-17 has serious computerization problems, though Air Force documents have hinted before that the computer system lacks adequate capacity and that its development has fallen behind schedule.

The GAO report asserts that the software ... has been ``a major problem...'' It found that the Air Force wrongly assumed that the software portion of the program would be low-risk and ``did little to manage its development or oversee the contractor's performance.''

The C-17 is the most software-intensive transport aircraft ever developed. The report said the aircraft has 19 different on-board computers, using 80 microprocessors and functioning in six different computer languages.
The GAO found that the Air Force ``made a number of mistakes,'' including underestimating the size and complexity of the task, waiving many Pentagon standards for software development and awarding a contract to McDonnell that gave the firm control over software.

McDonnell officials declined to comment on the GAO report. But the report notes that both the Air Force and McDonnell concurred with its findings.

END OF STORY.

Mark Seecof asks: has anyone seen the report itself? I'd like to know in what way it was a mistake to give McDonnell-Douglas control over software development for a plane it was building?

------------------------------

Date: Sun, 10 May 92 14:07:57 PDT
From: "Peter G. Neumann"
Subject: Composite Health Care System at Walter Reed Hospital

Walter Reed Army Medical Center has a $1.6 billion computer system intended to streamline health care in the U.S. military. It has gotten low marks from WRAMC personnel, who attribute bungling of prescriptions, patient-care records, and doctors' orders to software glitches. One doctor said that use of the system increased his workload by up to two hours per day. The system had been used for two years for admissions and general record-keeping, but the problems began when laboratory and pharmacy orders were incorporated. One doctor stated that his name was linked with patients he had never seen. Another noted that access to narcotics was not secure. About half of the 625 doctors do not use the system for in-patient lab orders, although most do use it for radiology and pharmacy orders.

[Source: An article by Christine Spolar in the Washington Post, appearing in The Times-Picayune, New Orleans, 2 Feb 1992, p.A-22, and submitted (somewhat belatedly) to RISKS by Sevilla Finley.]

[I missed this one altogether at the time. A review was held later, in March. I hope a reader can provide an update -- including someone from SAIC in San Diego, which designed the system. PGN]

------------------------------

Date: Fri, 08 May 92 14:28:56 -0700
From: horning@src.dec.com
Subject: A Newspaper Risk?

------- Forwarded Message

From: axd7104@acfcluster.nyu.edu (Aaron Dickey)
Newsgroups: alt.folklore.computers,alt.folklore.urban
Subject: Microsoft advocates killing of Jews
Date: 29 Apr 92 23:24:20 GMT

Hey everyone!! Did you know that Microsoft is advocating the killing of Jews in New York City? I sure didn't! But it's true! I read it in the paper!

Get ready for a whopper. Once again the news media proves that it doesn't know the first thing about computers. The entire story, retransmitted without permission, is below, as it appeared in today's New York Post.

For those who don't know, the Post is a tabloid paper, where the entire front page is one huge headline. So, screaming out at millions of New Yorkers this morning was the headline, "PROGRAM OF HATE". Above the headline is a photo of one of those old PC green-screen displays, with "NYC" superimposed on the screen. Above that is a subheadline, "Millions of computers carry secret message that urges death to Jews in New York City..."

So, without further ado, here's the story:

ANTI-JEWISH CODE LURKS IN POPULAR SOFTWARE, by Don Broderick

One of the world's best-selling computer programs contains a secret anti-Semitic message apparently urging death to Jews in New York City.

A computer consultant discovered the diabolic message while installing Microsoft's new Windows 3.1 software for a client yesterday.

The consultant was testing a mailing-address use of the program when he noticed the letters "NYC" had been replaced by a hateful message - a skull and crossbones, the Star of David and an approving thumbs-up symbol.

Microsoft strongly denies any hidden message. Others disagree.

"There's no way it could be a random coincidence," said Brian Young, a friend of the consultant, who does not wish to be named. "It's pretty scary. I was pretty shocked by the whole thing."
Computer owners who use Microsoft Excel, Microsoft Word or any other Microsoft program containing a print font named "Wingdings" can duplicate the anti-Semitic message by typing the letters "NYC" on their screen.

Microsoft said "Wingdings" was designed by Bigelow and Holmes, an outside vendor, and denied that Microsoft intentionally designed the secret message.

Prof. Charles Bigelow confirmed that his company provided the symbols, but insisted that Microsoft made the final "mapping" decisions assigning his symbols to specific keys on the keyboard.

But a senior Microsoft spokesman said the charge that the fonts contain a hidden message is "outrageous."

"It's like saying that if you randomly type out characters on a keyboard to spell 'Satan', you can do that, but it's incredible to say that there's anti-Semitism in Microsoft or one of its vendors," said Charles Hemingway.

But Young, who discussed the matter with other computer consultants, isn't so sure it's just a coincidence.

The "Wingdings" font contains no letters - just 255 symbols. Young calculated the odds of three letters of the alphabet being combined with 255 symbols, and said he found that the odds of obtaining the message were less than one in a trillion.

"It's mind-blowing," said Young. "Somebody's responsible for this. This is very offensive."

"I found it hard to believe some of the stories about the resurgence of Nazi sympathizers - but this puts things back into perspective."

Microsoft, based in Seattle, is the world's biggest software publisher, with 100 million customers around the world and sales of more than $2.3 billion in 1991. When Windows 3.0 was introduced in 1990, customers were snapping it up at the rate of 30,000 a week.

-- end of article

Above the story is a line of some of the various symbols in the "Wingdings" font, with the caption: "LOADED: When a specific font is used in Microsoft's Windows, these symbols, which correspond to the alphabet, appear. Type the letters NYC, you get the death sign, the Star of David and the thumbs-up."

So what do you all think? Should we load up the buses and make a pilgrimage to Redmond to firebomb Bill Gates's mansion, or what?

Aaron Dickey, New York University
Bitnet: axd7104@nyuacf   Internet: axd7104@ACFcluster.nyu.edu

------- End of Forwarded Message

   [EVERY computer-mapped linguistic utterance will correspond to some sequence of symbols in this alphabet, so there are certainly many other combinations that will be offensive to someone. For example, the word CYNIC will begin with thumbs-up, Star of David, and skull and crossbones, and end with another thumbs-up. Two thumbs-up are not necessarily good. PGN]

------------------------------

Date: Fri, 8 May 1992 11:31:37 +0100
From: Brian.Randell@newcastle.ac.uk
Subject: DATATAG

The following article appeared in The Independent (do I have to keep on explaining to RISKS readers that this is one of the "quality" national newspapers here in the UK?) and is reprinted in its entirety without permission. Typically of such articles, there is only a discussion of the advantageous uses, rather than the possible risky misuses of the device described. I smiled wryly at the claim that "We haven't thought of a question yet which we could not answer in our favour" - perhaps they should have asked RISKS! :-)

Incidentally, I wonder how this device relates to the similar devices that are being advocated, and perhaps already used, for tagging pet dogs by implanting the device under the skin. (This idea was a hot topic a year or so ago here in Britain, after some horrific incidents involving pit bull terriers mauling and indeed killing children.)

Brian Randell

--------------

FIRM OFFERS "FOOLPROOF" CAR SECURITY SYSTEM, by John Arlidge

A "FOOLPROOF" car security system could be available this year. Datatag, which uses hidden microchips to identify vehicle owners, was launched for motor cycles yesterday and car owners could be using it this summer.
Police, ministers and insurers have praised the system, the first of its kind offered to road users.

Hugh Chamberlain, managing director of Chamberlain Engineering, who will head a company to be formed next week which will market Datatag for cars, said he thought the new system was foolproof. "It is a watershed. We haven't thought of a question yet which we could not answer in our favour."

Motorists would install microchips - about the size of a 5p coin - anywhere in their vehicles. Each chip would have a unique, pre-programmed code number which could be "read" using a special electro-magnetic "gun" which will be distributed to police forces around the country. The codes would be logged on a secure police computer with engine and chassis numbers and the owner's name.

Motorists could install as many microchips as they wanted. Five chips and registration would cost about (pounds) 40 - less than half the price of an alarm. Hologram stencils which could not be removed or window etchings would warn potential thieves that the vehicle had been tagged.

An estimated 2,500 motorcyclists are already using the system to prevent theft and the sale of bikes and bike parts. Two hundred motorcyclists a day are tagging their machines.

Commander George Ness, of the Metropolitan Police stolen vehicles squad, said the system was very good. "It will help police recover stolen property and will have a considerable deterrent effect on the thief." But he added: "It is early days. It is the front edge of technology."

The new system would not prevent joyriders stealing cars. Mr Chamberlain, who predicted do-it-yourself Datatag kits would be on sale by July, said microchips hidden in inaccessible places - inside seats or down tubes - would mean that even if they could locate the chips, thieves could not remove them without damaging the car, reducing its value. Thieves could never be sure that they had removed all the chips and if they tried to sell a car, prospective buyers could check if it was stolen.

Michael Jack, Minister of State at the Home Office, speaking at the launch of Datatag yesterday, praised it as "part of industry's efforts to find the solutions" to auto crime.

From this summer Norwich Union, which insures more of Britain's 22 million vehicles than any other company, will send leaflets to motorcycle policy holders informing them of the advantages of Datatag.

Vehicles are stolen at a higher rate in Britain than in any other European country. More than 580,000 vehicles were stolen in England and Wales last year and more than 913,000 thefts from vehicles were recorded. Auto crime accounts for almost a third of all recorded crime.

Experts believe Datatag could be used to "owner code" almost any item - from videos to antiques.

------------------------------

Date: Fri, 8 May 92 10:00:47 PDT
From: tep@tots.logicon.com
Subject: Re: $70 million bank scam (RISKS-13.47)

It appears that the attempted $70 million bank scam may be affecting bank customers. All of our employees received a phone mail message from our corporate payroll department warning us that "due to bank difficulties", our bank (First Interstate Bank of California) would be slow in processing automatic payroll deposits; we could expect that deposits which normally are made to accounts Thursday night (May 7) would not be made until Friday night at the earliest, but would not be made any later than Saturday night. No other reason was given.

Since this is the first delay in the nine years I have been here, I find it *interesting* that this coincides with FIBoC's other difficulties. (It could be due to difficulties in Los Angeles, but as the bank corporate offices are nowhere near the riot area, I consider that a remote possibility.)

Tom E. Perrine (tep), tep@Logicon.COM

------------------------------

Date: Fri, 8 May 1992 18:37:10 -0600
From: Bear Giles
Subject: Re: April Fools' Meteorology

I just wanted to let you know that I did _not_ know the report of hunters vandalizing a profile was bogus. The information posted on our bulletin board had no originating information on it, but _did_ have an "approved by" stamp in the corner indicating the office of the Director of the Boulder Labs had reviewed it. Furthermore, none of the people I discussed this with knew it was a joke either. At our site/floor it appeared a legitimate news report.

It didn't even seem unreasonable, knowing some of the situations others have reported. (The hippies who sued the National Park Service after being struck by lightning -- while holding a metal railing on a stony outcrop in a thunderstorm -- comes to mind).

I'll protest this on Monday. I have no problem with April Fool's jokes (as the original article was clearly intended) which can be identified as April Fool's jokes, but posting an April Fool's joke a month later with no indication of its nature is a different matter. At least the newspaper clippings on my door, e.g. "Mom carried 12 miles by Tornado!", are clearly from the _Weekly World News_!

Bear Giles  bear@fsl.noaa.gov

Apologies for any inconvenience my misinterpretation of the article may have caused.

------------------------------

Date: Fri, 8 May 1992 08:10 EDT
From: MCULNAN@guvax.georgetown.edu
Subject: Re: Free TRW Credit Report (Turner, RISKS-13.47)

Re Dave Turner's accurate assessment of the RISK of blindly mailing private information to an address posted in a computer bulletin board, you may verify the earlier posting from USA Today (Money section, P. 1B, April 27 1992, Final Edition).

Second, people have expressed concerns about TRW building a database from the information people supply when they request their credit report.
The research I have done on direct marketing over the past two years suggests that TRW won't learn *anything* new from us if people do supply all the info they ask for, because TRW already has this AND MORE. TRW maintains an extensive marketing database on individuals from which it sells mailing lists. The source of this information includes public records (drivers license, deeds, USPS change of address information), credit reports, and information it has purchased from mail order companies.

Names and addresses may be selected based on such factors as exact age, height, weight or whether or not you wear glasses (from drivers license records); information about a home mortgage (amount, type), recording date and whether or not the transaction was a purchase or a refinance (deed/tax assessor records); whether you are a "new mover," the distance of your move and whether it is local, regional or out-of-state as well as the date (USPS change of address information); whether you are a credit shopper, an active credit shopper, your purchasing power (credit report); and whether you shop by direct mail, are a multi-category buyer, recent purchase date, and category of purchases (e.g. collectors, crafts, high tech, sports, etc. etc.) (information purchased from unspecified third parties).

TRW is not the only company in this business. There are a number of large direct marketing firms which sell similar types of lists.

We would all be able to exert much more control over the secondary use of our personal information if public records came with a check-off box, allowing each person to decide whether or not he/she wanted to receive solicitations because they bought a house or car, moved and changed their address, or got a drivers license. Currently you can only ask these companies not to resell your name by writing to them directly or by signing up for the DMA's Mail Preference Service. This will keep your name off of mailing lists, but it's not clear if it stops your name from moving around for those who are concerned about this.

Mary Culnan, School of Business Administration, Georgetown University
MCULNAN @ GUVAX.GEORGETOWN.EDU

------------------------------

Date: Friday, 8 May 1992 09:23:17 EDT
From: stu@mwvm.mitre.org (Stuart Bell)
Subject: Risk of direct deposit

I, and my brother, use direct deposit to avoid the risk of lost, stolen or forgotten pay checks. Nice deal.

Last week, the company apparently decided he was paid a bonus check in error. Several days after the check had been electronically deposited to his account - and he had been notified of the amount - they reversed the deposit and withdrew the amount. He was not notified the bonus was withdrawn, nor was he notified (until the overdrafts arrived) that his account was reversed.

He is disputing the reversal of the decision to pay the bonus - and the company and bank are cooperating in notifying the folks who got the bounced checks and reversing the associated charges - but it seems quite a risk to know that if you authorize direct deposit, you are also authorizing an implicit direct withdrawal. Maybe I'll ask to be paid in cash!

The company is a large one and is in no financial difficulty, so the problem was human or computer-to-computer and just left the poor worker out of the loop.

/Stu Bell  MS=NASA  (713) 333-0906  STU@MWVM.MITRE.ORG

------------------------------

End of RISKS-FORUM Digest 13.48
************************
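The Daylight Savings Time item above (Fiander's excerpt and PGN's note) asks why the switchover is keyed in as a date each year rather than derived from the rule. The Python below is an added illustration, not part of this digest and not the code of the ESE clock in the story; the rule selectors, function names and the "old"/"new" labels are this example's own. It derives the switchover from a rule (first or last Sunday of a given month) and reproduces both failure modes the item describes for 1992: the month keyed as 3 instead of 4, which moves the switch to the first Sunday in March, and a program still applying the old last-Sunday-in-April rule, which moves it three weeks late.

```python
from datetime import date, timedelta

SUNDAY = 6  # date.weekday(): Monday == 0 ... Sunday == 6


def first_sunday(year: int, month: int) -> date:
    """First Sunday of the given month (the newer US DST-start rule uses month 4)."""
    first = date(year, month, 1)
    return first + timedelta(days=(SUNDAY - first.weekday()) % 7)


def last_sunday(year: int, month: int) -> date:
    """Last Sunday of the given month (the older US DST-start rule used month 4)."""
    # Step to the first day of the next month, then back to the last day of this one.
    next_month = date(year + (month == 12), month % 12 + 1, 1)
    last = next_month - timedelta(days=1)
    return last - timedelta(days=(last.weekday() - SUNDAY) % 7)


# A rule is (which, month) with which in {"first", "last"}.  Labels are this
# example's own; the dates follow PGN's note (old: last Sunday in April,
# new: first Sunday in April).  Storing a rule instead of a date means only
# the rule changes when the law does, and nothing is re-keyed every spring.
RULES = {
    "old": ("last", 4),
    "new": ("first", 4),
}


def dst_start(year: int, rule=("first", 4)) -> date:
    """Compute the DST switchover date for `year` from a (which, month) rule."""
    which, month = rule
    if which == "first":
        return first_sunday(year, month)
    if which == "last":
        return last_sunday(year, month)
    raise ValueError(f"unknown rule selector {which!r}")


def days_early(year: int, correct_rule, applied_rule) -> int:
    """Days between the correct switchover and the one a misconfigured system makes.

    Positive means the system switched early, negative means it switched late.
    """
    return (dst_start(year, correct_rule) - dst_start(year, applied_rule)).days


if __name__ == "__main__":
    # 1992, the year of the WKTV-TV incident in the story.
    print("correct 1992 switchover  :", dst_start(1992, RULES["new"]))    # 1992-04-05
    print("month keyed as 3         :", dst_start(1992, ("first", 3)))    # 1992-03-01
    print("program using old rule   :", dst_start(1992, RULES["old"]))    # 1992-04-26
    print("typo switched early by   :", days_early(1992, RULES["new"], ("first", 3)), "days")
    print("old rule switched late by:", -days_early(1992, RULES["new"], RULES["old"]), "days")
```

The single-digit typo in the story is the same class of error as the stale rule PGN warns about: in both cases the clock has no notion of the rule, only of a number someone typed, and nothing in the receiver can check that number against anything. Deriving the date from a rule removes the annual re-keying; it does not remove the need to update the rule when the law changes, which is the caveat in PGN's note.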