Subject: RISKS DIGEST 14.45
REPLY-TO: risks@csl.sri.com

RISKS-LIST: RISKS-FORUM Digest  Thursday 1 April 1993  Volume 14 : Issue 45

   FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS
   ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Contents:
Formation of new society/discussion group (Pete Mellor)
Re: Turn of the century date problems (Steve Peterson)
Daylight Savings Time hampers police (Debora Weber-Wulff)
Computer does the right thing -- shuttle launch scrubbed (Pete Mellor)
More on Minnesota Legislature phone fraud (Steve Peterson)
Re: Call for the Class of '88 (Jonathan Rice)
Re: Correcting computer information ... (Pete Mellor)
Re: Dutch hacker in jail for another month (Ralph Moonen)
Credit and Avis rent a car re-visited (Boyd Roberts)
Little green sting (saucers) (Joseph T Chew)
Re: The FORTRAN-hating gateway (Phil Karn)

The RISKS Forum is a moderated digest discussing risks; comp.risks is its Usenet counterpart. Undigestifiers are available throughout the Internet, but not from RISKS. Contributions should be relevant, sound, in good taste, objective, cogent, coherent, concise, and nonrepetitious. Diversity is welcome. CONTRIBUTIONS to RISKS@CSL.SRI.COM, with appropriate, substantive "Subject:" line. Others may be ignored! Contributions will not be ACKed. The load is too great. **PLEASE** INCLUDE YOUR NAME & INTERNET FROM: ADDRESS, especially .UUCP folks. REQUESTS please to RISKS-Request@CSL.SRI.COM.

Vol i issue j, type "FTP CRVAX.SRI.COM<CR>login anonymous<CR>AnyNonNullPW<CR>CD RISKS:<CR>GET RISKS-i.j<CR>" (where i=1 to 14, j always TWO digits). Vol i summaries in j=00; "dir risks-*.*" gives directory; "bye" logs out. The COLON in "CD RISKS:" is essential. "CRVAX.SRI.COM" = "128.18.10.1". <CR>=CarriageReturn; FTPs may differ; UNIX prompts for username, password.

For information regarding delivery of RISKS by FAX, phone 310-455-9300 (or send FAX to RISKS at 310-455-2364, or EMail to risks-fax@cv.vortex.com).
ALL CONTRIBUTIONS CONSIDERED AS PERSONAL COMMENTS; USUAL DISCLAIMERS APPLY. Relevant contributions may appear in the RISKS section of regular issues of ACM SIGSOFT's SOFTWARE ENGINEERING NOTES, unless you state otherwise.

----------------------------------------------------------------------

Date: Thu, 1 Apr 93 11:10:10 BST
From: Pete Mellor
Subject: Formation of new society/discussion group

Society for the Promotion of Ergonomically Reasonable Measurement
Peter Mellor, 1st April 1993

This is to announce the formation of the above-named Society.

Aims:

1. To resist the use of meaningless scales of measurement.
2. To improve the friendliness of information systems.
3. To resist imposed uniformity.
4. To counteract official nonsense with unofficial nonsense.
5. To have a good piss-up at least once a year.
6. Err...that's it.

Discussion of Aims:

There is a regrettable tendency today to make everything more friendly to computers, and less friendly to people. Even some recent changes which were intended to make calculations easier for humans have had unfortunate effects. For example, when measuring the height and weight of people, is it more meaningful to say:

"Pete Mellor is 1.880 metres tall, and weighs 79.378 kilogrammes stripped."

or:

"Pete Mellor is 6' 2" tall, tips the scales at 12 and 1/2 stone, and looks quite striking in a pair of tight-fitting flared jeans."?

Supporters of the aims of the Society would all agree that the second of these descriptions is easier to grasp, and conveys far more information that is likely to be of interest than the first. The Society therefore supports the use of scales of measurement that are scaled to people. So, for instance, the inch (length of top joint of thumb) is more informative than the millimetre when doing anything on a small scale.
Going up one level of scale, the foot (distance from big toe to heel) and yard (distance from tip of nose to end of middle finger of outstretched arm) have served architects and furniture makers well for centuries. The metre, by comparison, is too large for small work, and too small for large. Nobody ever uses the decimetre or decametre anyway, so most of the metric system is immediately redundant. Similar remarks apply to grammes and kilogrammes versus ounces and pounds.

The scales of measurement that have evolved with us are the ones that we find most natural to use. This applies even when it comes to measuring new things, like software. The Society therefore promotes the measurement of source code in hands (applied vertically up the side of a pile of print-out, in the same way that the height of a horse is measured). The Biblically minded may use the cubit for medium-scale measurement, otherwise the use of the rod, pole or perch is recommended. The system of units that the Society favours will be known as the "ton, furlong, fortnight" system.

Political Allegiance:

In the UK, the society will seek the support of the Rainbow Alliance, and the personal patronage of Screaming Lord Sutch and Cynthia Paine. In Italy, it is hoped that La Cicciolina will be persuaded to sponsor us. In other countries, all suggestions welcome.

Diversity:

Any Eurocrap aimed at doing away with our essential differences is deprecated. For example, in the UK pillar boxes and telephones should be red, in Germany they should be yellow. The Society believes that books written in Britain should be spelt according to the Oxford Dictionary. Americans who do not wish to follow this standard are encouraged to use Mencken. The Society fully supports the Academie Francaise in its attempt to prevent its fine language from being corrupted by either American or English. In fact, it would like to see the Germans doing more, such as reintroducing Gothic script.
The same goes for the Welsh, Irish, Russians, etc. The intention is to cause a fragmentation of knowledge across language boundaries. Since there is already far too much information around for anyone to use sensibly, this would be entirely beneficial. Any academic who really wants to know what is going on in artificial intelligence at the University of Beijing should have the dedication to learn Mandarin Chinese!

Membership:

The fee is 17s. 6d. per annum, payable to: "P. Mellor Ethanol Supplies Ltd." Annual meetings will be held in the King's Head, Upper Street, Islington, London, where beer is still sold at 1 pound 16 shillings per pint. (Dates to be arranged to suit members.) Paid-up members may charge for consultations on any matter regarding measurement, provided fees are quoted in the appropriate national currency, e.g., a UK member should quote a consultancy rate in guineas per fortnight. (Any attempt to quote in ECUs will result in immediate expulsion.)

Other points:

The use of metric sizes of nuts and bolts in the UK should be discontinued in favour of Whitworth. Aeroplane prices should be quoted in the currency of the country of origin. For example, British aeroplanes should be sold at so many pounds sterling per hundredweight, like everything else of a comparable size. If this causes a problem in purchasing an A320, it is recommended that the individual bits be bought independently from the various members of the Airbus Industrie consortium in the appropriate national currencies and that these are assembled by the buyer, rather like the purchase of a motorcycle in "kit" form.

Since the Society opposes the use of acronyms, anything that you might have thought the initial letters of the Society's name might have spelt is irrelevant.
Peter Mellor, Centre for Software Reliability, City University, Northampton Sq., London EC1V 0HB, Tel: +44(0)71-477-8422, JANET: p.mellor@city.ac.uk

------------------------------

Date: Mon, 29 Mar 93 18:24:35 CST
From: Steve Peterson
Subject: Re: Turn of the century date problems (Ravin, RISKS-14.44)

In a humorous vein, I've regularly proposed a "programmer's cruise" that would depart on December 30, 1999. The cruise would be 30 days long and would come with the following guarantees:

* The ship would be controlled by mechanical or simple electric controls -- no computers in the loop.
* The crew would be tested on their ability to navigate via dead reckoning and celestial navigation.
* Its route would avoid going under established routes for airliners and would stay out of the normal shipping lanes.
* It would be impossible for anyone on-board to be contacted from the shore.
* Anything else that could be done to avoid date-related failures.

Given the spate of date-related failures, I'm starting to give it serious consideration.

Steve Peterson, FOURTH SHIFT Corporation, 7900 International Drive, Bloomington, MN 55425 USA  612 851 1523  peterson@fs.com

------------------------------

Date: Wed, 31 Mar 1993 08:55:52 GMT
From: dww@math.fu-berlin.de (Debora Weber-Wulff)
Subject: Daylight Savings Time hampers police

The "Tagespiegel", a Berlin daily, carried an article on Monday describing the problems encountered switching from Middle European Time to Middle European Summer Time on Sunday. It seems that the Bavarian Police Computer System was caught unawares, and responded by closing down. "Inpol", which stores all information about persons the police are looking for, as well as having connections to the car and stolen car registries and other databases, just stopped. From 3 a.m. on no checks could be made at the borders or for stopped cars, except for alcohol tests. A dragnet action, scheduled for 4 a.m.
was carried out despite the data loss, but only resulted in 16 arrests for DUI. The cause of the error was still being feverishly searched for as the paper went to press. [no update in Tuesday's papers, so they must have found it ;-)]

Debora Weber-Wulff, Professorin fuer Softwaretechnik, Technische Fachhochschule, FB Informatik, Luxemburgerstr. 10, 1000 Berlin 65 GERMANY

------------------------------

Date: Thu, 1 Apr 93 10:05:37 BST
From: Pete Mellor
Subject: Computer does the right thing -- shuttle launch scrubbed

An item on BBC news a few days ago described how the latest shuttle launch was aborted when the control computers closed down the main engines 3 seconds before lift-off. It was reported that the system had detected a stuck fuel valve. If so, this appears to be a case of a computer system doing the right thing for once, and probably saving the lives of the astronauts. Does anyone have any more information on the incident?

Peter Mellor, Centre for Software Reliability, City University, Northampton Sq., London EC1V 0HB, Tel: +44(0)71-477-8422, JANET: p.mellor@city.ac.uk

------------------------------

Date: Tue, 30 Mar 93 11:24:27 CST
From: Steve Peterson
Subject: More on Minnesota Legislature phone fraud

There was an item a couple issues ago about a phone fraud case in the Minnesota Legislature. Events since then may be of interest to RISKS readers.

As reported previously, the Majority Leader of the Minnesota House of Representatives (the second most powerful position in the House) hid an $85,000 phone fraud problem for several months. The fraud occurred because the Majority Leader's son revealed his father's access code to the state phone system to a few of his friends, who then told it to others, and so on. The system was set up to allow users to dial in on an 800 number, enter the code, then dial any number.
Once the fraud was publicly revealed the scandal has grown and the leadership of the DFL (the Minnesota Democratic party) has been working overtime on damage control. Already there are articles in the local press (normally supporters of the DFL) suggesting that it has become "too arrogant" in its power.

Since the discovery of the fraud the following has occurred:

* The Majority Leader was forced to resign from his post.
* There has been an effort by the Democrats to shift the blame to MCI, who is the Legislature's long distance provider. The Republicans, sensing a political opportunity, are battling efforts to shift the blame.
* The House suspended its rules to approve an amendment to Minnesota's Open Meeting act, which restricts what types of public business can be conducted in private. The amendment adds the Legislature to the list of public bodies which are affected by the law, which is a step that many have felt desirable for years.

The case has recently taken a turn into the realm of privacy law. The Ramsey County Attorney (the county in which the state Capitol is located) yesterday issued a grand jury subpoena for the detailed phone records of every member of the House. Many members are opposed to this on the grounds that communications between them and their constituents are privileged. State law is unclear on the issue and it is likely that the subpoena will be challenged in court. Separately, the House Speaker has asked the District Court to rule on whether she can release the records.

In addition to the investigation by the County Attorney, State Attorney General Hubert H. Humphrey III has opened a criminal investigation into the matter.
Steve Peterson, FOURTH SHIFT Corporation, 7900 International Drive, Bloomington, MN 55425 USA  612 851 1523  peterson@fs.com

------------------------------

Date: Wed, 31 Mar 93 14:02:13 CST
From: rice@tamarack.cray.com (Jonathan Rice)
Subject: Re: Call for the Class of '88 (Ravin, RISKS-14.44)

The local paper had a bit more information. I believe that the database in question was one maintained by the church that Mary Bandar belongs to, in which she is listed by consent. This does not seem to be the usual bugbear of huge and ill-controlled government databases.

More interesting to me from a RISKS perspective is that the clerk who generated the form letters to potential kindergarteners actually *typed* "1988" -- it was the program itself that accepted but discarded the leading digits, without notice. Sorry, no idea what software was in use.

Jonathan C. Rice | rice@zizania.cray.com | ...uunet!cray!rice

------------------------------

Date: Tue, 30 Mar 93 11:27:56 BST
From: Pete Mellor
Subject: Re: Correcting computer information ... (Debenham, RISKS-14.44)

Further to the mailing by Peter Debenham in RISKS-14.44:

> Recently a television advert has been running showing clips of actors
> mentioning problems that can happen with computer systems ...

It is interesting that the government is embarking on a publicity campaign now. I do not recall a comparable campaign when the act first came into force, though this may be due to erasable memory chips between the ears. DP professionals certainly had it drawn to their attention by poster campaigns and training sessions provided internally by large computer manufacturers, but I don't *think* there were any TV ads.

> Under the Data Protection Act (1986) in this country a Data Protection
> Registrar was set up to monitor uses of computers to store personal
> information and to be an independent source of help to get faulty data
> corrected.

This poses certain risks for computer users.
Suppose that I keep the following information on-line for my own reference:

a) Names and addresses of professional contacts.
b) Notes on their research interests.
c) Names and birthdays of members of their families. (It might be good for business if I sent their kids birthday cards! :-)
d) Comments such as: "This guy is an idiot. Don't get into any more projects with him!"

As I understand it, I am not required to register as a data holder if I merely keep type a) data. I am *probably* required to register if I keep b), and more so if I keep type c). In any case, it is extremely unlikely that I would be prosecuted for failing to register unless I were foolish enough to keep type d) data and also to supply a copy of my file to someone who passed it back to the person about whom I had written nasty comments.

The University keeps computer files with staff and student records. Naturally it is registered and every employee or student has the right to see the information held and demand that it be corrected if it is in error. (In fact, hard copies are posted to staff periodically to remind them to update their records, e.g., change of address.)

What about e-mail, though? Suppose I send a piece of vitriolic e-mail about a particular student to another member of staff (not that I would, of course! :-). Am I in breach of the Act by sending the e-mail? Am I in breach of the Act if I keep an on-line copy? Is the recipient in breach by filing an on-line copy, and if the recipient keeps one but I don't, am I still liable? Is the recipient in breach while it resides in the destination mail-box before it is read? Are we both covered by the fact that the University is registered? (In fact I *think* the Act requires registration of particular systems.) Regardless of whether we should register or not, does every student in the University have the right to read every e-mail memo about them sent between staff if these have been stored on-line?
If comments are felt to be unfair, should the student be able to demand that the record of past correspondence be toned down even though the vitriolic original was read and acted upon long ago, or would it suffice simply to print and file a hard copy of the memo and delete it from the on-line file, thereby removing it from the terms of the Act?

I am not thoroughly familiar with the wording of the Act, but I suspect the answers to some of the above questions are far from obvious. Does anyone know how successful the Act has been in terms of prosecutions for unregistered holding of data or justified demands for corrections? Have any test cases established precedents for the points I have raised? Perhaps a publicity campaign should be aimed at holders of data who might be unwittingly breaking the law (as was the earlier campaign at the time the Act came into force).

Peter Mellor, Centre for Software Reliability, City University, Northampton Sq., London EC1V 0HB, Tel: +44(0)71-477-8422, JANET: p.mellor@city.ac.uk

------------------------------

Date: Tue, 30 Mar 93 08:26 GMT
From: rmoonen@ihlpl.att.com
Subject: Re: Dutch hacker in jail for another month (from: Hans van Staveren)

->According to the papers, forged credit cards were found while searching his
->home, and that also will not help his case. He is supposedly unwilling to
->answer any questions at this point, but is charged with crimes that could
->send him to jail for a maximum of four years.

Don't forget that when he was arrested the previous time, he also was unwilling to answer any questions. This gives a good motive for 'nailing' this guy. The credit cards shouldn't be much of a problem for him, because possession of them is not as big an offense as actually using them, and that's hard to prove.

->Although I am definitely not suggesting he is a nice guy, somehow I have some
->difficulty connecting this nervous kid in our room with a sentence of four
->years.
->I hope that being the first to be caught under the new law, and in the
->act to boot, is not going to give him too much extra attention from law
->officers.

I'm afraid that being the first will only make for a harsh trial, to set an example. It's not only the first time a hacker will go to trial under the new law, it's also the first time one was caught red-handed. A sentence of four years will not only ruin those four years for him, but the rest of his career will also be in severe danger. I hope the judge has done his homework on computers though... (Trials in the Netherlands do not work with juries, which might be to his advantage, because in this case, the parties involved will at least know what they are talking about...)

--Ralph Moonen

------------------------------

Date: Tue, 30 Mar 1993 18:49:43 +0200
From: Boyd Roberts
Subject: Credit and Avis rent a car re-visited

On returning from my US vacation yesterday, I found a strange letter asking me to contact my old bank whose accounts I'd closed more than a year and a half ago. On calling the bank today, they tell me that an Avis car rental was billed to my old VISA card I had with them, although I'd charged it to another card when I made the rental. The a/c number they used was the one used on the application form. Must be yet another benefit of having an Avis ``Wizard Card''.

So, this begs the question: Will any random digit sequence work as long as the leading digits point to a real bank? [Not if they do a real-time check. PGN]

This is just another problem caused by renting from Avis. The last time I did it, their data on me was misused and cost me some US$2000 through fraudulent `telephone' transactions of which I've only recovered half, some 6 months later.

Boyd Roberts  boyd@prl.dec.com

------------------------------

Date: Tue, 30 Mar 93 13:54:21 PST
From: jtchew@Csa3.LBL.Gov (Joseph T Chew)
Subject: Little green sting (saucers, Cooper/Maeda, RISKS-14.44)

A reading from RISKS-14.44...
> [I have seen this on several groups. There is a question whether it
> is actually illegal if you are merely listening, as opposed to doing
> something about it. PGN]

Might as well indulge my sense of the obvious by inserting, "...under UK laws." I don't know if they subscribe to the idea, as we do in the US, that most things heard on the air may be listened to and even acted upon with impunity. (Newsies with a police/fire scanner take advantage of this, for instance.) According to my faulty memory of possibly obsolete US broadcast law, *disclosing* the contents of non-broadcast transmissions is the no-no.

--Joe

------------------------------

Date: Tue, 30 Mar 93 14:58:06 -0800
From: karn@qualcomm.com (Phil Karn)
Subject: Re: The FORTRAN-hating gateway

I had a very similar problem last year with the SLIP link to my house. Every time I tried to FTP the individual files making up the infamous PC game Wolfenstein 3D, the transfer hung at the same point in one particular file. A compressed archive of the same files went over fine.

Investigation showed that the offending data sequence was a long string of ascii '+' characters. This is the default "command escape" character on a modem with the Hayes command set. To escape from data mode to command mode, you send '+++' preceded and followed by at least a second of idle time.

But I *wasn't* triggering the command escape. The modem stayed in data mode. It just corrupted my packets.

The modems in question were Motorola/Codex 3260 FASTs, which support DTE speeds up to 115.2 kb/s. It seems that at such a high link speed, whatever special processing the modems do on the '+' character (e.g., restarting a timer) takes more than one character time. So if you send too many '+' characters in a row the modem's fifo eventually overflows.

The workaround was to change the command escape character to 128, which effectively disabled the in-band escape feature, and to use DTR to control the modem state.
Not only is this completely reliable, it's faster too. And it avoids Hayes' stupid patent on the "+++" sequence, a worthwhile goal in itself.

Phil

------------------------------

End of RISKS-FORUM Digest 14.45
************************
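Editor's added example, appended after the digest and not part of any contributor's post: a model of the "Class of '88" failure Jonathan Rice describes above, where a program accepted a typed "1988" but silently kept only the last two digits, so a search for children born in 1988 also matched a woman born in 1888. The legacy behaviour sits beside a parser that refuses to discard digits, expands two-digit years only through an explicit pivot, and applies an age plausibility bound. The record set, the pivot year (1950) and the enrolment year (1993) are constructed values assumed for this illustration; the software actually used is unknown, as Rice says.

```python
# Editor's added example (not from the digest): the two-digit year truncation
# behind the "Class of '88" letters, beside a parser that refuses to truncate.
# All records, the pivot year and the enrolment year are constructed values.

# Legacy table: birth years stored as two characters, so 1888 and 1988 collide.
LEGACY_RECORDS = [
    ("A. Kindergartener", "88"),   # constructed: born 1988
    ("M. Centenarian", "88"),      # constructed: born 1888
    ("B. Toddler", "90"),          # constructed: born 1990
]

# Repaired table: the same constructed people with full four-digit years.
FULL_RECORDS = [
    ("A. Kindergartener", 1988),
    ("M. Centenarian", 1888),
    ("B. Toddler", 1990),
]


def legacy_normalise_year(text: str) -> str:
    """The defect as described: input is accepted, then every digit except
    the last two is thrown away with no error and no warning."""
    digits = "".join(ch for ch in text if ch.isdigit())
    return digits[-2:].rjust(2, "0")


def legacy_matches(year_text: str) -> list:
    """Who gets a kindergarten letter when the clerk types `year_text`."""
    key = legacy_normalise_year(year_text)
    return [name for name, yy in LEGACY_RECORDS if yy == key]


class YearFormatError(ValueError):
    """Raised instead of silently reshaping a year."""


def parse_year(text: str, pivot: int = 1950) -> int:
    """Hardened parser: four digits are taken literally, two digits are
    expanded through an explicit, documented pivot (assumed 1950 here), and
    any other shape is rejected rather than truncated."""
    text = text.strip()
    if not text.isdigit():
        raise YearFormatError("year must be digits only: %r" % text)
    if len(text) == 4:
        return int(text)
    if len(text) == 2:
        yy = int(text)
        return 1900 + yy if 1900 + yy >= pivot else 2000 + yy
    raise YearFormatError("year must have 2 or 4 digits: %r" % text)


def kindergarten_cohort(year_text: str, enrol_year: int = 1993,
                        records=FULL_RECORDS) -> list:
    """Select children born in the typed year, with a plausibility bound:
    a kindergartener cannot be older than six, so an 1888 birth is refused
    even if a two-digit year slipped through somewhere upstream."""
    born = parse_year(year_text)
    if not (enrol_year - 6 <= born <= enrol_year):
        raise YearFormatError("birth year %d is not plausible for enrolment in %d"
                              % (born, enrol_year))
    return [name for name, year in records if year == born]


def is_rejected(fn, text: str) -> bool:
    """True when `fn` refuses the input (used to exercise the failure paths)."""
    try:
        fn(text)
    except YearFormatError:
        return True
    return False


if __name__ == "__main__":
    print("legacy:", legacy_matches("1988"))         # both the 1888 and 1988 births
    print("hardened:", kindergarten_cohort("1988"))  # only the 1988 birth
```

The point of the plausibility bound is defence in depth: even where a two-digit year cannot be avoided (an old schema, a fixed-width form), a check on the derived age catches the 1888/1988 collision before a letter goes out.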
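Editor's added example, appended after the digest and not part of Phil Karn's post or of any modem vendor's firmware: a toy model of the two mechanisms his post relies on. The first function implements the Hayes guard-time rule he states (a '+++' escapes only when surrounded by idle time), which is why a run of '+' inside a data stream never switched the modem to command mode. The second models the failure he hypothesises: if each escape character costs more than one character time to process, a long run of them lets a bounded receive FIFO overflow in data mode, and setting the escape character to 128 removes that data-dependent cost. The FIFO depth, the per-character costs and the sample byte streams are constructed numbers chosen to show the effect, not measurements of the Codex 3260.

```python
# Editor's added example (not from the digest, not the Codex 3260's firmware):
# a simplified model of Hayes guard-time escape detection and of a receive
# FIFO that overflows when escape characters cost extra processing time.
# FIFO depth, costs and sample streams are constructed for illustration.
from collections import deque

PLUS = ord("+")


def guarded_escape_seen(events, guard=1.0):
    """events: list of (timestamp_seconds, byte). True if a run of exactly
    three '+' bytes is bounded by at least `guard` seconds of silence on
    both sides, i.e. the Hayes escape condition as Karn states it."""
    run = 0                 # consecutive '+' bytes so far
    leading_gap_ok = False  # was there guard time before the run started?
    last_t = None
    for i, (t, b) in enumerate(events):
        gap_before = guard if last_t is None else t - last_t
        if b == PLUS:
            if run == 0:
                leading_gap_ok = gap_before >= guard
            run += 1
        else:
            run = 0
        if run == 3 and leading_gap_ok:
            # Trailing guard: nothing follows, or the next byte arrives late.
            if i + 1 == len(events) or events[i + 1][0] - t >= guard:
                return True
        last_t = t
    return False


def run_link(data, escape_char, fifo_size=16, escape_cost=3):
    """One byte per tick arrives from the DTE into a FIFO of `fifo_size`.
    The modem consumes one byte per tick, except that a byte equal to
    `escape_char` occupies it for `escape_cost` ticks (restarting a timer,
    say). Returns (bytes forwarded, bytes dropped by FIFO overflow)."""
    fifo = deque()
    busy = 0            # ticks the modem is still occupied with the last byte
    forwarded = bytearray()
    dropped = 0

    def modem_step():
        nonlocal busy
        if busy > 0:
            busy -= 1
        elif fifo:
            b = fifo.popleft()
            forwarded.append(b)
            busy = (escape_cost - 1) if b == escape_char else 0

    for b in data:
        if len(fifo) < fifo_size:
            fifo.append(b)
        else:
            dropped += 1    # overflow: the byte is lost, i.e. a corrupted packet
        modem_step()
    while fifo or busy:     # drain once the sender stops
        modem_step()
    return bytes(forwarded), dropped


# Constructed inputs: a '+++' packed inside data, and one isolated by idle time.
PACKED = [(0.000, ord("a")), (0.001, PLUS), (0.002, PLUS), (0.003, PLUS), (0.004, ord("b"))]
GUARDED = [(0.000, ord("a")), (2.000, PLUS), (2.001, PLUS), (2.002, PLUS), (4.000, ord("b"))]
LONG_RUN = b"+" * 100       # the kind of data sequence that hung the transfer

if __name__ == "__main__":
    print("packed +++ escapes:", guarded_escape_seen(PACKED))    # False
    print("guarded +++ escapes:", guarded_escape_seen(GUARDED))  # True
    print("escape='+':", run_link(LONG_RUN, PLUS)[1], "bytes dropped")
    print("escape=128:", run_link(LONG_RUN, 128)[1], "bytes dropped")
```

The model makes the general lesson visible: any control signal carried in the same channel as the data gives the data a way to change the channel's behaviour, even when, as here, the signal itself is never recognised. Moving the control function out of band (DTR in Karn's workaround) removes the dependency on payload content altogether.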