Subject: RISKS DIGEST 13.62 REPLY-TO: risks@csl.sri.com RISKS-LIST: RISKS-FORUM Digest Saturday 4 July 1992 Volume 13 : Issue 62 FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator Contents: Emergency system fails -- Risks of firing employees? (Jim Griffith) Nutrasweet Telephone Sweepstakes (Ranjit Bhatnagar) Risk of Assuming an Int will do (Russell Aminzade) Students cheated BT to win computerised phone contest (Philip Hazel) Computer-literate children find porn (Andrew Shapiro) UK ATMs - legal challenge (Antony Upward) CPSR Challenges Virginia SSN Practice (David Sobel) Are Humans Always Responsible for Computer Errors? (Peter Danielson) Fokker F.100 incident (Robert Dorsett) Another Fokker F.100 incident (Olivier Plaut) The RISKS Forum is moderated. Contributions should be relevant, sound, in good taste, objective, coherent, concise, and nonrepetitious. Diversity is welcome. CONTRIBUTIONS to RISKS@CSL.SRI.COM, with relevant, substantive "Subject:" line. Others may be ignored! Contributions will not be ACKed. The load is too great. **PLEASE** INCLUDE YOUR NAME & INTERNET FROM: ADDRESS, especially .UUCP folks. REQUESTS please to RISKS-Request@CSL.SRI.COM. Vol i issue j, type "FTP CRVAX.SRI.COMlogin anonymousAnyNonNullPW CD RISKS:GET RISKS-i.j" (where i=1 to 13, j always TWO digits). Vol i summaries in j=00; "dir risks-*.*" gives directory; "bye" logs out. The COLON in "CD RISKS:" is essential. "CRVAX.SRI.COM" = "128.18.10.1". =CarriageReturn; FTPs may differ; UNIX prompts for username, password. If you cannot read RISKS on-line, try FAX! For info, phone 310-455-9300 (or send FAX to RISKS at 310-455-2364, or EMail to risks-fax@cv.vortex.com). ALL CONTRIBUTIONS CONSIDERED AS PERSONAL COMMENTS; USUAL DISCLAIMERS APPLY. Relevant contributions may appear in the RISKS section of regular issues of ACM SIGSOFT's SOFTWARE ENGINEERING NOTES, unless you state otherwise. ---------------------------------------------------------------------- Date: Wed, 1 Jul 92 23:10:30 PDT From: griffith@dweeb.fx.com (Jim Griffith) Subject: Emergency system fails -- Risks of firing employees? Oakland station KTVU news reported that a Richmond refinery's emergency notification system was sabotaged by a disgruntled ex-employee, and the damage wasn't discovered until a leak caused the refinery officials to attempt to use it. Unfortunately, I didn't catch any names, but the gist of the story is that this refinery has a system in place which automatically dials nearby residents when accidents occur and informs them of emergency procedures that should be followed. Specifically, a recent leak caused them to activate the system in an attempt to warn residents to remain indoors for the duration. However, the system failed to operate. A subsequent investigation discovered that a former programmer who had been fired had sabotaged the system in revenge prior to leaving. Authorities are reportedly planning on filing charges against the former employee once they figure out what charges are appropriate. "Reckless endangerment" springs to mind. Hope they nail the guy to the wall. Jim [An item by Erin Hallissy in the San Francisco Chronicle, 2 July 1992, p.A19 had some details. The emergency alert network is run by the Community Alert Network. An EX-employee of their New York office (who has confessed to the malicious hacking) modified software ("reconfigured some things that caused it to crash") in their computer systems in both New York and San Jose. In this case, the incident occurred at the Chevron refinery. The network had been used four times previously (since last October) in Contra Costa County, twice for incidents at Chevron, once at Pacific Refinery in Hercules, and once for a fire at Rhone-Poulenc in Martinez. As a sidelight, the previously fired perpetrator broke into the NY office two days after the latest Chevron emergency, "maybe just to gloat". The system was down for 10 hours, during which time the only emergency was the one at Chevron. [Note that the system cannot call unlisted numbers or numbers listed without street addresses. PGN] ------------------------------ Date: Sun, 28 Jun 92 17:56:59 EDT From: ranjit@unagi.cis.upenn.edu (Ranjit Bhatnagar) Subject: Nutrasweet Telephone Sweepstakes Among the advertisements in this Sunday's (28 June) Philadelphia Inquirer, and probably most every other newspaper in the United States, was an announcement for the NutraSweet Summer Sweepstakes. It works as follows: call the free 800 number they provide, then punch in your phone number and the UPC code from any product containing NutraSweet, a sugar substitute. You are immediately told whether you won one of a few thousand prizes ranging from a tote bag to ten thousand dollars. In the fine print, it says that the sweepstakes will end after two million calls are received, or at a certain date in July, whichever comes first. It also says that the odds of winning depend on the number of calls received. First point: the odds seems odd to me. Unlike a paper sweepstakes, where all the entries are received before the prizes are drawn, in this sweepstakes the winners are chosen immediately. The random selection process must have fixed odds built-in, probably based on a projection of exactly two million calls. Even if they have to cut off the contest before two million calls are received, the odds for a particular call would still be the same, and some fraction of the prizes would not be awarded. Second point: the drawbacks of a sweepstakes where the entries are free data calls are obvious. People with access to smart modems or autodialing machinery and the ability to program them have a significant advantage over those without. Many telephones nowadays have programmable dialers built in, but they're usually not as useful as the following command string for a Hayes-compatible modem: ATDT 18002351000,,,,,,1,,2100012868 I used this command to enter the sweepstakes approximately 40 times while eating a carrot cake. When I heard the "you lose" message over the modem's speaker, I hung up and used the repeat command "A/" to call again. It took about 30 seconds per call. I imagine more dedicated redialers than myself have already made thousands of calls since the official opening of the contest at 3:01 AM. By the way, after you enter the UPC code (21000 12868 in this example), the system takes about 6 seconds and then mentions the product by name. I was surprised that it took even that long. Third point: the Official Rules are NOT included in the advertisement. (I'm a bit surprised that that's legal.) You have to send a stamped, self-addressed envelope to get them. I'd bet a phenylalanine tote bag that less than 1% of the entrants will actually request and read the rules, though the phone message exhorts you to be familiar with them. Assuming a very optimistic one week turnaround time to get the rules, you could miss a substantial portion of the contest by waiting for them. If the rules explicitly forbid machine-assisted entries, how will they enforce this? Will they disqualify people for using the autodialers built into their phones? Fourth point: what are they going to do when they know the phone numbers and something of the eating habits of hundreds of thousands of Americans? I can't believe they don't have some use in mind for the information. If you enter a false phone number at this point, it may disqualify you for a prize, and they can get your real number from billing records anyway. From the phone number, name and address are a simple database lookup. By the way, I never eat NutraSweet if I can help it. I don't like the taste. Ranjit Bhatnagar ------------------------------ Date: Mon, 22 Jun 1992 12:08 EST From: "Russell Aminzade: Trinity College of VT" Subject: Risk of Assuming an Int will do In the current (6/92) BYTE, Jerry Pournelle discusses his difficulties with using the word-count feature in Microsoft Word For Windows. ...when I would read in the file, Word For Windows told me there were 767,356 characters and 135,000 words; the word count was in gray, indicating that it was an estimate...clicking on [the 'update' button] caused the program to trundle for a while and then proudly announce a total of 60,273; which, of course was absurd...I've since learned, though, that all I needed to do was add 65,535 to the total shown... Sounds like one of the wizards at Microsoft determined that an int rather than a longint was plenty big for the kind of documents people would be editing. ------------------------------ Date: Wed, 1 Jul 92 11:06:36 BST From: Philip Hazel Subject: Students cheated BT to win computerised phone contest >From the "Cambridge Evening News", June 30 1992: [HEADLINE] Students cheated BT to win phone contest Two students swindled BT [British Telecom] out of 68,000 pounds [sterling] in a "lucrative scam" to constantly win on a telephone quiz game, a court heard. The two men hired four phone lines between them under false names and left the receivers off the hook for hours on end at a Cambridge flat to win thousands of pounds. On one occasion, said a BT official outside court, a receiver was left off the hook for almost 24 hours. Eight or nine hours was the average, with peak rate calls at 48 pence a minute. >From his winnings, Shaun Middleton bought an XR3i high-performance car and a computer, while his confederate, Tristan Abbott-Coates, also bought a computer. The pair were "determined to beat the system", Cambridge Crown Court heard, and hatched a scheme to constantly win on the "Wheel of Fortune" game advertised in the national press. The game has a 10,000 pound jackpot. The pair rang the contest phone number, which was monitored by a computer. When the computer asked them questions, they made no response - and the computer was programmed to interpret silences as "no" answers. The correct "no" answers accumulated into winning cash combinations. A copy of the original advert, printed in The Sun newspaper, was presented as evidence. Judge Frederick Beezley asked if it was page three. [Page 3 of The Sun carries pin-up photographs.] When told it was not, he quipped, "Oh well, never mind, I'll suppose I'll look at it anyway." Middleton, 22, of St George's Road, Preston, admitted three charges of obtaining services by deception. He won a total of 10,709 pounds but ran up an unpaid BT bill of 51,469 pounds. Abbott-Coates, 24, of the same address, admitted one charge of obtaining services by deception. He won a total of 2,672 pounds - but ran up an unpaid bill of 16,601 pounds. The offences were committed while the two men each rented a room in Marshall Street, Cambridge, between March and September last year. They moved to Preston together to attend the polytechnic there. Francis Sheridan, prosecuting, said that Abbott-Coates first recognised the loophole in the telephone quiz, but Middleton was the most active in the swindle. He said the pair used false names to hire the lines "to avoid being cut off and thus ending a lucrative scam". Abbott-Coates chose the alias Murphy after an actor who played a famous screen policeman. Eventually, BT became suspicious and traced the pair to Preston. Both men were then arressted. Sentencing was adjourned until July 24 so that social enquiry reports could be made. Judge Beezley said he was considering a custodial sentence, and remanded both men in custody. Internet: P.Hazel@ucs.cam.ac.uk University Computing Service, JANET: P.Hazel@uk.ac.cam.ucs Computer Laboratory, Pembroke St, Phone: +44 223 334714 Cambridge CB2 3QG, England. ------------------------------ Date: Fri, 26 Jun 92 12:05:26 MDT From: andrew@gooter.metronet.org (Andrew Shapiro) Subject: computer-literate children find porn Rocky Mountain News Mon., June 22,1992 COMPUTER-LITERATE CHILDREN FIND PORN AVAILABLE ON THEIR SCREENS AT HOME By James Michels, Scripps Howard News Service Connie Lewis recently discovered one of the unpleasant shocks of patenting: pornographic pictures her 15-year-old son had collected. What surprised her more was where she found them: on the screen of the family's home computer. Her son had gotten them free from a local computer bulletin board. [..Deleted..] The pornographic pictures could have been posted on the computer bulletin board by anyone. Lewis' son had learned about them from a friend. The pictures were in an area of the board restricted to adults, but all the 15-tear-old had to do to get access was to type in false information about his name and age. He instantly gained access to dozens of pornographic pictures. [..Deleted..] The technology of putting pornographic pictures on computers and distributing them by telephone is so new it is unregulated. Public officials say current laws don't appear to apply to the bulletin boards. Indiana Bell can block access to sexually explicit 900 numbers, but not to local numbers, such as those used by the boards. The Federal Communication Commission, which regulates telephone lines, said the issue does not come under its jurisdiction. The FBI is investigating a case in which a national computer board was used to pass along child pornography. [..Deleted..] So What's a responsible system operator to do? He can threaten to close his board to those who misuse it, but that is often a hollow threat. "You have a apparently strong warning that you can be banned and so on if you mislead the system operator," said Michael Banks, a Cincinnati computer writer familiar with bulletin boards "The threat of being banned permanently is meaningless. If someone wants to get back on, they do it with a different name." - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Even though this is a sensationalistic article designed to invoke a shock response in 'decent americans' (a risk in and of itself) there are several good points. If it is deemed a crime to distribute, electronically, pornographic images to minors then what sort of validation is enough? Who is actually responsible? Can the owner of the bulletin board be charged? Should the original poster be charged? In this day and age of store-and-forward worldwide networks how are legal boundaries handled? Is the system operator responsible for all the data stored on his machine? -Andrew T. Shapiro, andrew@gooter.metronet.org ------------------------------ Date: 02 Jul 92 17:05 GMT From: UPWARD.A@applelink.apple.com (KPMG - Antony Upward,IVC) Subject: UK ATMs - legal challenge Banks face challenge over teller machines Reproduced without permission from the Financial Times Weekend June 27/June 28 1992 edition. Banks and building societies face their most serious legal challenge from customers over cash dispensing automated teller machines (ATMs), writes Barbara Ellis. This is in spite of words of comfort from the Building Society Ombudsmen this week. They welcomed the new (pounds) 50 limit introduced by the Code of Banking Practice, on losses from unauthorised use of machines unless the bank can prove fraud or gross negligence. Some 400 customers assembled into an action group by J. Keith Park, solicitors, of St Helens, Merseyside, are to seek a High Court ruling, within the next two to three weeks, that banks and building societies operating teller machines are in breach of contract beacuse the machines are suseptible to error and fraud. Each of the 400 will make detailed claims for losses through alleged unauthorised withdrawals ranging from (pounds) 90 to (pounds) 13,000 and totalling close to (pounds) 500,000. All the claims have been rejected by banks and building societies. For example, Barclays stated this week that out of its 15 million machine transactions each month, fewer than one in every 250,000 is disputed - which would imply 60 disputes a month. Dennis Whalley , of J.Keith Park, says he has deduced, from ATM dispute cases that disputes have been running close to 9,000 a month. Barclays says there is no correlation between the volume of teller machine disputes and the reference numbers which relate to computer files. (Strange I haven't seen a computer program yet that didn't start counting at one with increments of one!) For years banks and building societies have insisted that the ATM systems are completely secure and that money can only be withdrawn with the use of a card and personal identification number (PIN) [sic]. The obudsmen have almost inveriably backed the insitutions in rejecting claims from customers who detected "phantom" unauthorised withdrawals, saying that they must have unwittingly lost their cards, disclosed their PIN or been a victim of a dishonest family member. However, the 1989 Jack report on banking acknowledged that the PIN system was open to fraud and last year an engineer employed by the Clydesdale Bank confessed to removing (pounds) 17,000 from customers' accounts by arranging phantom withdrawals using a hand-held computer. ------------------------------ Date: Tue, 30 Jun 1992 19:45:42 -0400 From: sobel@washofc.cpsr.org Subject: CPSR Challenges Virginia SSN Practice PRESS RELEASE, June 30, 1992 CPSR Challenges Virginia SSN Practice WASHINGTON, DC -- A national public interest organization has filed a "friend of the court" brief in the federal court of appeals, calling into question the Commonwealth of Virginia's practice of requiring citizens to provide their Social Security numbers in order to vote. Computer Professionals for Social Responsibility (CPSR) alleges that Virginia is violating constitutional rights and creating an unnecessary privacy risk. The case arose when a Virginia resident refused to provide his Social Security number (SSN) to a county registrar and was denied the right to register to vote. Virginia is one of a handful of states that require voters to provide an SSN as a condition of registration. While most states that require the number impose some restrictions on its public dissemination, Virginia allows unrestricted public inspection of voter registration data -- including the SSN. Marc A. Greidinger, the plaintiff in the federal lawsuit, believes that the state's registration requirements violate his privacy and impose an unconstitutional burden on his exercise of the right to vote. The CPSR brief, filed in the Fourth Circuit Court of Appeals in Richmond, supports the claims made by Mr. Greidinger. CPSR notes the long-standing concern of the computing community to design safe information systems, and the particular effort of Congress to control the misuse of the SSN. The organization cites federal statistics showing that the widespread use of SSNs has led to a proliferation of fraud by criminals using the numbers to gain driver's licenses, credit and federal benefits. The CPSR brief further describes current efforts in other countries to control the misuse of national identifiers, like the Social Security number. Marc Rotenberg, the Director of the CPSR Washington Office said that "This is a privacy issue of constitutional dimension. The SSN requirement is not unlike the poll taxes that were struck down as unconstitutional in the 1960s. Instead of demanding the payment of money, Virginia is requiring citizens to relinquish their privacy rights before being allowed in the voting booth." CPSR argues in its brief that the privacy risk created by Virginia's collection and disclosure of Social Security numbers is unnecessary. The largest states in the nation, such as California, New York and Texas, do not require SSNs for voter registration. CPSR points out that California, with 14 million registered voters, does not need to use the SSN to administer its registration system, while Virginia, with less than 3 million voters, insists on its need to demand the number. David Sobel, CPSR Legal Counsel, said "Federal courts have generally recognized that there is a substantial privacy interest involved when Social Security numbers are disclosed. We are optimistic that the court of appeals will require the state to develop a safer method of maintaining voting records." CPSR has led a national campaign to control the misuse of the Social Security Number. Earlier this year the organization testified at a hearing in Congress on the use of the SSN as a National Identifier. CPSR urged lawmakers to respect the restriction on the SSN and to restrict its use in the private sector. The group also participated in a federal court challenge to the Internal Revenue Service's practice of displaying taxpayers' SSNs on mailing labels. CPSR is also undertaking a campaign to advise individuals not to disclose their Social Security numbers unless provided with the legal reason for the request. CPSR is a national membership organization, with 2,500 members, based in Palo Alto, CA. For membership information contact CPSR, P.O. Box 717, Palo Alto, CA 94303, (415) 322-3778, cpsr@csli. stanford.edu. For more information contact: Marc Rotenberg, Director or David Sobel, Legal Counsel CPSR Washington Office, (202) 544-9240 rotenberg@washofc.cpsr.org or sobel@washofc.cpsr.org Paul Wolfson, attorney for Marc A. Greidinger Public Citizen Litigation Group (202) 833-3000 ------------------------------ Date: Wed, 24 Jun 92 11:30:08 PDT From: Peter Danielson Subject: Are Humans Always Responsible for Computer Errors? (Davis,RISKS-13.54) While I concur with Davis' criticism of the anthromorphic attribution of the mistake to the Endeavour's computer, I cannot accept the assumptions about responsibility that seem to stand behind this criticism. He seems to assume that whenever something goes wrong, some human did wrong. This is clearly too strong. Most technological causation works through groups (teams, firms). But even the weaker assumption that all wrong is attributable to humans -- let me call it Complete Human Responsibility, or CHR -- is problematic. My point is that CHR is not obviously true. It is trivial to note that some bad events *just happen*. I do not see why this is not the case with artifacts as well. People are not naturally responsible for everything that happens, just because people made the object(s) involved. I suggest that we see CHR as a value or standard, not a report of a fact about the world. But then CHR needs to be argued for. The risk? Taking a (controversial) matter of principle to be a simple fact. Peter Danielson, Centre for Applied Ethics, University of British Columbia ------------------------------ Date: Tue, 23 Jun 92 23:15:12 CDT From: Robert Dorsett Subject: Fokker F.100 incident An interesting little story from AIRLINE PILOT, May 1992 issue ("No Brakes, No Reversers!", by Joseph J. Poset, USAir). It deals with a Fokker F.100 which landed at Chicago O'Hare, on November 21, 1991, with thrust reversers and brakes inoperative. The F.100 is a higher-capacity, fundamentally redesigned version of the Dutch company's popular F.28. It is a twin-engine, T-tailed "commuter" jet, in the 100-120 seat capacity. It was certified in November 1987. It has a "glass cockpit," but is *not* an FBW airplane, at least as far as flight control is concerned. Essentially: the flight landed on Chicago's Runway 22L. Upon landing, the crew discovered their brakes and thrust reversers weren't working. They took the high-speed turnoff (a taxiway oriented about 30 degrees off the runway), shut down one engine, zipped down the parallel taxiway, turned left at the end of it (90-degree U-turn), went back up Runway 4R (reciprocal runway of the one they landed on), took the *opposite* high-speed taxiway, and headed onto Runway 27, which an American Airlines jet had just taken off from. Twice, the captain thought he would have had to turn off the pavement into the rough, to avoid a collision. After they finally came to a stop on Runway 27, the crew noticed that their flight computers thought they were still in the air. The stickshaker (stall warning) was also activated, and the "speed limit" flag on their flight display (indicating excursion outside the approved flight envelope) was on. After some investigation, it was discovered that both Air/Ground switches (located on the landing gear) were each "stuck," thus relaying improper data to the computers and devices which controlled the stickshaker, various annunciators, reversers, and ground braking. It was only after maintenance applied glycol that the computers indicated the proper modes. Now, there's nothing new about the use of Air/Ground switches--they're used, for instance, to prevent the inadvertent application of reverse thrust in flight, for most airliners. They're also used to deactivate stall-warning systems on the ground. But this is a pretty widespread set of high-level services that were affected by the switches being out of whack. I don't believe, for instance, that the A/G switch is used to establish whether wheel braking is available, on most airliners. It also has interesting ramifications to FBW aircraft, which might use an independent "ground control" mode to determine how everything from nosewheel steering to rudder control to wheel brakes work. In this case, if the airplane did not have nosewheel steering (for instance, if the design was highly compartmentalized into "ground" services and "air" services), it may have gone off the high-speed taxiway, into the rough, and ended up on yet another runway. This could have been a major accident... There is a "flight-test" article on the F.100 in the January 30, 1998, issue of FLIGHT INTERNATIONAL, by Harry Hopkins ("Fokker 100: protect by wire."). It's interesting reading. Robert Dorsett, Internet: rdd@rascal.ics.utexas.edu UUCP: ...cs.utexas.edu!rascal.ics.utexas.edu!rdd ------------------------------ Date: Wed, 24 Jun 92 15:50:21 CDT From: Robert Dorsett Subject: Re: Fokker F.100 More info on the Fokker incident. Note that it wasn't based on an ASRS report; I had confused it with another article. R. >I hate to say it, but I find that incident pretty unbelieveable. >Firstly, I can't imagine that, if the Fokker had enough momentum to >need to come back on runway 4, that it wouldn't have groundlooped >around the 180 (90?) degree turn. The article said they had a 25G38 kt headwind on roll-out. Around 40-50 kt at the first high-speed exit. But then again, if they hadn't stopped by the loop back up RWY 4, that headwind would have become a TAILWIND... The article indicates they started *accelerating* up RWY 4. They entered the other high-speed exit at 20-30 knots. >Also, F100's like F28's, don't >*have* thrust reversers, so the continual reference to them worries me. It was penned by the captain, based upon his ASRS report. He was much more inexperienced than his F/O, but surely not that much! :-) >Are you sure of the veracity of the publication? Absolutely not. It's garbage. But the occasional article catches my interest. >It wasn't dated April 1 or something? No. I went to the FLIGHT article cited, looking for more information. Generally, it played up Fokker's in-flight protections; it's quite interesting. Little on systems. On the last page: "Final roll-out to a standstill was made without reverse thrust, and with late minimum braking for test purposes. Rudder and pedal steering completed a halt within 2ft of the centerline. Reverse was restricted temporarily to idle anyway, because full reverse efflux can impinge on the tailplane, and a modification will set a gap between the two target doors to spill some flow centrally. The F.28 is not fitted with reversers. "Reverse opeation is shown by a green 'R' at the top of the primary engine instrument display, but I did not find it compelling. A brighter panel, nearer to peripheral vision, would be easier to take in." Perhaps reversers were INOP on early models, or are optional equipment. I don't imagine there's a compelling need for them on the lighter configurations, but this is probably a regulatory issue. Robert ------------------------------ Date: 29 Jun 92 12:29:04 +0200 From: plaut@sc2a.unige.ch (Olivier PLAUT) Subject: Another Fokker F.100 incident A Swissair pilot reported to me another incident he had with a F100 just a few days ago: they had no flaps for landing. The computer controls if flaps on both wings are extending together, and if not, it blocks to avoid an asymetrical configuration. The flaps were moving correctly, but the computer had a false indication and did not permit to extend them. The aircraft landed without problem at 160 KTS instead of 130. The passengers didn't even remark an abnormality. Olivier Plaut, Institute of Forensic Medicine, Toxicology Unit, University of Geneva, Av. de Champel 9, CH-1211 Geneve 4, Switzerland +41 (22) 702.56.12 ------------------------------ End of RISKS-FORUM Digest 13.62 ************************