Subject: RISKS DIGEST 15.70
REPLY-TO: risks@csl.sri.com

RISKS-LIST: RISKS-FORUM Digest  Monday 28 March 1994  Volume 15 : Issue 70

   FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS
   ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

***** See last item for information on RISKS (comp.risks) *****

  Contents:
April Fools on the Senate (John Dvorak and Chris Casey via Arthur R. McGee)
Risks to government (Robert Davis)
IRS persistence (Dave Methvin)
BT Billing computers innocent (Marcus Marr)
Insurance claims ignore patients name (David Bazell)
The RISKs of Canadian Poodles using 911 (John Oram)
Ottawa, Canada, Radio contest overloads phone system (Henry Troup)
911 as wrong number - they don't seem to care anymore (Jeff Hibbard)
Re: Denver Baggage Handling (Jan Vorbrueggen)
Re: The RISKS of whale removal (David G. Novick)
Re: Banknotes and photocopiers (Tom Standage, Padgett Peterson)
Info on RISKS (comp.risks), contributions, subscriptions, FTP, etc.

----------------------------------------------------------------------

Date: Fri, 25 Mar 1994 19:50:47 -0800 (PST)
From: "Arthur R. McGee"
Subject: April Fools on the Senate (fwd)

   [PLEASE SEE MODERATOR'S NOTE BEFORE THE INCLUDED MESSAGE BELOW.  THIS
   EXPLICITLY MARKED APRIL FOOL'S PIECE IS INCLUDED NOT FOR ITS SURPRISE
   VALUE, BUT IN THE PUBLIC INTEREST.  PGN]

---------- Forwarded message ----------
Date: Fri, 25 Mar 94 12:16:58 EST
From: Chris_Casey@kennedy.senate.gov
To: ace-mg@esusda.gov
Subject: April Fools on the Senate

Hello ACE,

In the April issue of PC Computing, John Dvorak's column describes a Senate Bill, supposedly introduced by Senator Leahy and co-sponsored by Sen. Kennedy, to keep people from being intoxicated on the information highway. The column is an April Fools hoax and I'm sure plenty of people will find it amusing (see below). Unfortunately there are also people that are actually believing it to be true.
Our office has received several calls from outraged constituents and I understand Leahy's staff has as well. I originally received the article via e-mail, and I understand that the on-line rumors are flying, leading some people to learn about it without the benefit of the actual article (which, when read closely, reveals the hoax).

Congress has taken some great forward steps recently, particularly through the availability of the Senate and House gophers (gopher.senate.gov, gopher.house.gov) and it would be unfortunate if people weren't aware of them.

I share this with ACE in hopes that you can help quash any of these on-line rumors if you see them. Feel free to put people in touch with me if they'd like to hear more about what's happening in the cyber-Capitol :-)

Thanks for any help. I enjoy April Fools gags, but a lot of folks just aren't getting this one!

Regards,
Chris

############################################################################
Chris Casey                          chris_casey@kennedy.senate.gov
Office of Senator Kennedy            202/224-3570
Washington, DC 20510
############################################################################

   [RISKS MODERATOR'S NOTE: THE FOLLOWING ITEM IS REPRODUCED IN THE RISKS
   FORUM WITH THE KIND PERMISSION OF THE AUTHOR, WHO HAS HIMSELF RECEIVED
   SEVERAL CALLS FROM PEOPLE WHO MISSED THE SPOOFINESS.  John is quite well
   known for his annual spoofs.  He noted to me that there are (at least)
   four clues herein.  (See if you can find them, but don't bother informing
   RISKS.)  As we approach the big day, I note that this piece is akin to
   the 1984 Chernenko spoof (due to Piet Beertema) and the "Spafford" spoof
   (due to Chuck von Rospach), the latter (see RISKS-6.52, 1 April 1988)
   fully laden with self-referential clues.  PGN]

>Trust Congress? Not With This Unbelievable Lair of Slop
>PC Computing, April 1994, page 88.
>By John C. Dvorak
>
> When Vice President Gore began talking about the Information Highway,
> we all knew the bureaucrats would get involved more than we might
> like. In fact, it may already be too late to stop a horrible Senate
> bill from becoming law.
>
> The moniker -- Information Highway -- itself seems to be responsible
> for SB #040194. Introduced by Senator Patrick Leahy, it's designed to
> prohibit anyone from using a public computer network (Information
> Highway) while the computer user is intoxicated. I know how silly this
> sounds, but Congress apparently thinks that being drunk on a highway
> is bad no matter what kind of highway it is. The bill is expected to
> pass this month.
>
> There already are rampant arguments as to how this proposed law can
> possibly be enforced. The FBI hopes to use it as an excuse to do
> routing wiretaps on any computer if there is any evidence that the
> owner "uses or abuses alcohol and has access to a modem." Note how it
> slips in the word 'uses'. This means if you've been seen drinking one
> lone beer, you can have your line tapped.
>
> Because this law would be so difficult to enforce, police officials
> are drooling over the prospect of easily obtaining permits to do
> wiretaps. Ask enforcement officials in Washington and they'll tell you
> the proposed law is idiotic, but none will oppose it. Check the
> classified ads in the "Washington Post" and you'll find the FBI,
> National Security Agency, and something called the Online Enforcement
> Agency (when did they set that up?) all soliciting experts in phone
> technology, specifically wiretapping.
>
> It gets worse.
> The Congressional Record of February 19, 1994, has a
> report that outlines the use of computerized BBSes, Internet,
> Inter-Relay Chat, and CompuServe CB as "propagating illicit sexual
> encounters and meetings between couples -- any of whom are
> underage...Even people purporting to routinely have sex with animals
> are present on these systems to foster their odd beliefs on the
> public-at-large." A rider on SB #040194 makes it a felony to discuss
> sexual matters on any public-access network, including the Internet,
> America Online, and CompuServe.
>
> I wondered how private companies such as America Online can be
> considered public-access networks, so I called Senator Barbara
> Boxer's office and talked to an aide, a woman named Felicia. She said
> the use of promotional cards that give away a free hour or two of
> service constitutes public access. You know, like the ones found in the
> back of books or in modem boxes. She also told me most BBS systems
> fall under this proposed statute. When asked how they propose to
> enforce this law, she said it's not Congress's problem. "Enforcement
> works itself out over time," she said.
>
> The group fighting this moronic law is led by Jerome Bernstein of the
> Washington law firm of Bernstein, Bernstein and Knowles (the firm that first
> took Ollie North as a client). I couldn't get in touch with any of the
> co-sponsors of the bill (including Senator Ted Kennedy, if you can believe
> it!), but Bernstein was glad to talk. "These people have no clue about the
> Information Highway or what it does. The whole thing got started last
> Christmas during an antidrinking campaign in the Washington D.C., metro
> area," Bernstein said, "I'm convinced someone jokingly told Leahy's office
> about drunk driving on the Information High and the idea snowballed. These
> senators actually think there is a physical highway.
> Seriously, Senator Pat
> Moynihan asked me if you needed a driving permit to 'drive' a modem on the
> Information Highway! He has no clue what a modem is, and neither does the
> rest of Congress."
>
> According to Bernstein, the antisexual wording in the bill was
> attributed to Kennedy's office. "Kennedy thought that technology was
> leaving him behind, and he wanted to be perceived as more up-to-date
> technologically. He also thought this would make amends for his alleged
> philandering."
>
> Unfortunately, the public is not much better informed than the
> Senate. The Gallup Organization, at the behest of Congress, is
> polling the public regarding intoxication while using a computer and
> online "hot chatting." The results are chilling. More than half of the
> public thinks that using a computer while intoxicated should be
> illegal! The results of the sexuality poll are not available. But one
> question, "Should a teenage boy be encouraged to pretend he is a girl
> while chatting with another person online?" has civil rights activists
> alarmed. According to Kevin Avril of the ACLU, "This activity doesn't
> even qualify as virtual cross-dressing. Who cares about this stuff?
> What are we going to do? Legislate an anti-boys-will-be-boys law? It
> sets a bad precedent."
>
> I could go on and on with quotes and complaints from people regarding
> this bill. But most of the complaints are getting nowhere. Pressure
> groups, such as one led by Baptist ministers from De Kalb County,
> Georgia, are supporting the law with such vehemence that they've
> managed to derail an effort by modem manufacturers (the biggest being
> Georgia-based Hayes) to lobby against the law. "Who wants to come out
> and support drunkenness and computer sex?" asked a congressman who
> requested anonymity.
>
> So, except for Bernstein, Bernstein, and Knowles, and a few members of
> the ACLU, there is nothing to stop this bill from becoming law.
> You
> can register your protests with your congressperson or Ms. Lirpa Sloof
> in the Senate Legislative Analysts Office. Her name spelled backward
> says it all.

------------------------------

Date: Mon, 28 Mar 94 16:20:48 GMT
From: rdavis@nyx10.cs.du.edu (Robert Davis)
Subject: Risks to government

My records show this happened on 22 February 1994.

The risks we take using computers are one thing, but the risks government officials take when talking about computers are extreme.

Here I am, at home watching CSPAN. The entire morning is devoted to the new regulations from the Federal Communications Commission concerning cable television. I find it quite interesting.

Then the chairman of the FCC shows up in a news conference. He answers questions about the new rules and regulations. The chairman of the FCC then opines that information about and from the FCC will appear on the "Information Superhighway". He says to connect to ftp.fcc.gov

What follows is as near a quote as I remember his words:

   "G O V stands for government. F C C stands for [long pause] F C C. I don't know what F T P stands for."

Remember, this is the chairman of the Federal Communications Commission speaking live on CSPAN.

===

Being a curious person, I made the connection to ftp.fcc.gov and as of that morning, no FCC files were available for FTP. However, one directory, bearing a name which may have been the initials of a system operator at the FTP site, had something in it. One file, a GIF picture of actress Erika Eleniak, wearing most of her clothing, was available for FTP. So I grabbed it.

As of today (28 March) that directory does not appear on the system, but there are directories containing FCC stuff.

rdavis@nyx.cs.du.edu  Robert Davis  Salina, KS

------------------------------

Date: Sun, 27 Mar 94 22:47 EST
From: Dave Methvin <0003122224@mcimail.com>
Subject: IRS persistence

Unlike [many others], I dutifully filed an IRS Form 942 for a nanny we employed in the first quarter of 1992.
Unfortunately, my calculations were too high by a dollar; I suspect human error. The ever-vigilant IRS computer found my mistake and issued a $1.01 refund check within a month, even adding that penny for interest.

Something about having a $1.01 government check really tickled me, so I decided to just keep it instead of cashing it. Since the check expires after a year, I figured I was doing my part to reduce the deficit.

This week, two years later, I get _another_ check for $1.01, with the same notation ("F-942 REF 03/92") as the previous check. I'm not cashing this one either; now I want to find out how badly they want to give me this money.

dwm

------------------------------

Date: Mon, 28 Mar 94 13:50:39 BST
From: Marcus Marr
Subject: BT Billing computers innocent

The current issue of New Scientist (26 March 1994, p. 19) includes an article following up from the one I quoted (RISKS-15.56, 17 February 1994: Telephone charges fail to fit the bill) regarding the overcharging on some telephone bills in multiples of \pounds 420.

``Human error, not computer failure, was to blame for British Telecom's recent overcharging of some subscribers. BT says that each case of incorrect billing was caused by ``an extremely unlikely combination of two human errors''. The findings exonerate the computers, but indicate that BT staff sometimes ignore odd discrepancies in bills.

The first error arose when an engineer working on a new digital exchange broke house rules and used a procedure borrowed from old analogue exchanges. He sent a handwritten note to BT's billing department, asking it to log the meter reading as zero on its computer. The computer's software registers the last four digits of the meter reading, and on being given a reading ending in a string of zeros it deduced that the meter reading must have risen past 9,999 to 10,000.
When the time came to prepare the bill, the computer then took the same logic a stage further and added together two spurious quantities: one from the last real reading up to 10,000, and one from zero to the new reading. Each unit costs 4.2p, leading to an overcharge of \pounds 420.

The second error came when BT's automatic verification system correctly highlighted these figures as inordinately high compared with past readings on the same line. But BT's staff ignored the warning and dispatched the bill, complete with errors.''

New Scientist made no reference to the last sentence of their original article: ``[Insiders] believe that BT has a bug in its accounting software and that the problem is thus much more widespread than has so far been recognised.''

From the article as I understand it, it seems that the computer software has difficulty in making the distinction between freshly reset meter readings and normal `clocked' meter readings. This could be explained cleanly if it was not possible (or unnecessary or difficult) to reset the meters of old analogue exchanges. The move to digital exchanges would therefore either need a change in the software or a change in the procedures. Ignoring my suppositions, though, the system (including personnel and computers) is designed correctly to cope with both analogue and digital exchanges.

------------------------------

Date: Mon, 28 Mar 1994 09:58:33 -0500
From: bazell@cuba.gsfc.nasa.gov (David Bazell)
Subject: Insurance claims ignore patients name

I just got off the phone with my prescription plan holder, trying to find out why my son Jason's deductible had not been fulfilled. I picked up a prescription for him last week and had to pay the full $43.95 cost of the medicine. My plan has a $50 deductible per family member, but I was sure that he had had several other prescriptions since the beginning of the plan year. I checked my records and, sure enough, the prescriptions totaled more than $50.
After checking back with the pharmacy, it was determined that although Jason's name was on the prescription, the prescription had gone toward fulfilling my other son Graham's deductible. The pharmacist had entered the wrong code (02 rather than 03). However, I was also sure that Graham had had several prescriptions filled, so his deductible should already have been fulfilled. Further checking showed that Graham's prescriptions had been charged toward my deductible (my code is 00).

Talking to the prescription plan representative on the phone, I declared that this was a stupid way to do things. The system ignored the name that was entered and keyed only on the family member's number. I was assured that this was the best way to reduce the RISK of a mistake (he used that word). I guess the person who set up the system must have had several siblings with the same name.

Fortunately, my wife keeps all our medical records in good order, so we were able to find documentation and figure out what had happened. The monetary cost to us would have been small if we had not sorted it out, but I can easily see this happening where the costs could be much higher.

Dave Bazell, General Sciences Corporation.

------------------------------

Date: Thu, 24 Mar 1994 22:44:12 -0800
From: oramy92@halcyon.com (John Oram)
Subject: The RISKs of Canadian Poodles using 911

VANCOUVER (Reuter) - A pesky pet played havoc with Canadian police who responded to an emergency call only to find they were barking up the wrong tree. A team of officers burst into a Vancouver home after receiving a 911 emergency phone call but found nothing more threatening than a poodle inside, police said Wednesday. The dog had knocked the phone off the hook and hit an automatic dial button that called police. Police feared the worst when all they heard on the line was the dog barking. ``We came screeching over. It was a bit silly,'' confessed police spokesman Joe Arduini.

They had 911 on speed dial?
Come on - that's inexcusable, given how easy it is to accidentally hit the wrong button on a phone. Do that many people die because they never finish dialing all three numbers? "Poor guy. Would have made it, but he was only able to hit 9-1."

I suppose the moral of this story is that the RISK isn't necessarily in the technology but rather in the people (mis)using it.

John Oram  oramy92@halcyon.com

------------------------------

Date: Mon, 28 Mar 1994 11:11:00 -0500
From: "henry (h.w.) troup"
Subject: Ottawa, Canada, Radio contest overloads phone system

Friday, March 25th, the Ottawa radio station CHEZ-FM offered 53 pairs of Pink Floyd concert tickets free to callers. The offer was open from 6 pm. The station is on a specially equipped exchange, but an estimated 300,000+ call attempts in an hour caused delayed dial tone and other problems from Cornwall, Ontario to Pembroke, Ontario (about 100+ miles). Ottawa is Canada's capital.

One story noted that some people (100 or so) called 911 to report telephone trouble, instead of 611. There were reports of actual outages, but it is not clear that people were waiting for dial tone and not hanging up and trying again.

Personal observation - I certainly had delayed dial tone, but only delayed 10 seconds or so. One person I spoke to said that he had had seven phone lines active trying to get the free tickets.

Very little is new here. I leave the obvious pun for the moderator.

------------------------------

Date: Mon, 28 Mar 1994 12:27:33 -0600
From: Jeff Hibbard
Subject: 911 as wrong number - they don't seem to care anymore

When 911 was first implemented (many years ago) here in Peoria IL, everyone with a phone number of the form x91-1xxx was forced to change their numbers. After a few years, though, the phone company started reassigning numbers of this form.

Jeff Hibbard  jeff@bradley.bradley.edu

   [In various old small-town switching centers, one could dial just the last four digits, or in some cases five digits, for local calls.
   That led to similar problems when 911 was introduced, and has now disappeared almost everywhere in the U.S.A. (although for other reasons as well).  PGN]

------------------------------

Date: 25 Mar 94 12:41:34 GMT
From: jan@neuroinformatik.ruhr-uni-bochum.de (Jan Vorbrueggen)
Subject: Re: Denver Baggage Handling (Wexelblat, RISKS-15.68)

1. I would think Frankfurt/Main airport (FRA) was the first to have an integrated, computer-controlled baggage distribution system. For years I heard they were the only international airport able to guarantee 45 minute connections because of it.

2. When the system was installed (ca. '72), the contractor, AEG, required something like six months past the deadline to get it running. In that time, they reputedly paid a penalty (or whatever you call "Konventionalstrafe" in English) of DM 200K _per_day_. I don't think they made much profit on the contract...

Jan

------------------------------

Date: Mon, 28 Mar 94 10:02 PST
From: novick@cse.ogi.edu (David G. Novick)
Subject: Re: The RISKS of whale removal (Stalzer, RISKS-15.67)

I cannot explain why the Highway Dept. chose to blow up the deceased whale. I can, however, explain why this problem fell to the Highway Dept. Unlike most states, which allow private ownership of beaches, Oregon has kept all its beaches owned by the state. The mechanism for this, curiously, is that the beach is technically part of the state highway system--although you generally aren't allowed to drive on it. So the whale shows up on a state highway, and it's the Highway Dept.'s problem.

David G. Novick      | Department of Computer Science and Engineering
                     | Oregon Graduate Institute of Science & Technology
novick@cse.ogi.edu   | 20000 N.W. Walker Road
tel (503) 690-1156   | P.O. Box 91000
fax (503) 690-1548   | Portland, OR 97291-1000

------------------------------

Date: Mon, 28 Mar 94 13:49:47 -0800
From: Tom Standage
Subject: Are there really pictures of banknotes inside photocopiers?
Following the recent posting about how photocopiers prevent banknote forgery, I wonder how many other readers' jaws dropped open at the suggestion that there is a ROM inside a colour photocopier (such as the Canon CLC350/550) with images of common banknotes in it. This just wouldn't make sense, aside from the fact that it would rapidly go out of date - it would simply be too computationally expensive to compare every image placed on the copier with the images in ROM. The Canon machines in question can also be used as colour laser printers in conjunction with special interfaces, so presumably any anti-forgery computer inside the copier would also have to check that banknotes weren't being scanned into a personal computer and then printed out via the colour copier. This is absurd.

We have a CLC300 at work, and when an engineer came to fix it one day, he said that the problems we were having (with jammed paper) were a design fault that had been fixed on the CLC350. I asked what other features the 350 had, and he said it had anti-forgery features - and proceeded to tell me the same story about a chip with pictures of banknotes in it.

I found this so hard to believe that I asked around, and eventually someone gave me a more believable explanation. Apparently the security measures depend on special inks used when the banknotes are printed. These inks change colour when illuminated by the scanner in the copier, and produce copies of the banknote with an obvious colour shift. I don't know whether the 350 and 550 have a different kind of bulb in the scanner or are able to detect the special inks, but I have also heard of other documents that won't copy properly because the copier thinks they're banknotes. Rumour has it you can get round this by photocopying through very thin tracing paper - which presumably works with banknotes as well.

Anyhow, perhaps someone at Canon can give us a definitive answer.
On the other hand, I wouldn't be surprised if they wished the status quo to continue, where we all believe that copiers have chips with pictures of banknotes in them.

What makes me laugh is the message on the front panel of the CLC300, which warns you not to copy money or certain other documents: "you *may* be committing a criminal offense for which you *may* be prosecuted." Pretty strong language, huh?

------------------------------

Date: Fri, 25 Mar 94 19:58:12 -0500
From: padgett@tccslr.dnet.mmc.com (A. Padgett Peterson)
Subject: "Funny Money" and Smart Copiers

Once upon a time, long long ago in a galaxy far far away, an automobile manufacturer known to all of its employees as "Generous Mother" began using computers to control such things as mixture and spark advance and a host of other variables. The maps for these variables were carried in 1k x 8 PROMS.

Certain individuals who shall remain nameless acquired the maps of these programs for certain "performance" cars and designed their own maps. Unfortunately, these new maps, though amazing in improving performance and efficiency, were not what the manufacturer had certified.

So the aspiring young engineers replaced the 1k x 8 PROM with a 2k x 8 EEPROM and a switch concealed under the dashboard. The lower 1k contained the stock settings and the upper 1k, settings of a more "interesting" variety. For roadside tests the switch was turned "off" and for normal driving "on".

I suspect that copiers that rely on "firmware" to block copying of bills might soon acquire such switches.

Padgett

   [RISKS received lots of mail on this topic, most of which is NOT included, including bob@demosthenes.ilt.tc.columbia.edu (Bob Matsuoka), dgursky@nextsrv1.andi.org (David Gursky), jml4@cus.cam.ac.uk (John Line), hoover@cs.ualberta.ca (Jim Hoover). dylan@mundil.cs.mu.OZ.AU (Dylan John SHUTTLEWORTH) noted that Australian $5 and $10 notes are plastic with a transparent "hole" around a hologram.
   PGN]

------------------------------

Date: ongoing
From: RISKS-request@csl.sri.com
Subject: Info on RISKS (comp.risks), contributions, subscriptions, FTP, etc.

The RISKS Forum is a moderated digest. Its USENET equivalent is comp.risks. Undigestifiers are available throughout the Internet, but not from RISKS.

SUBSCRIPTIONS: PLEASE read RISKS as a newsgroup on your system, if possible and convenient for you. BITNET folks may use a LISTSERV (e.g., LISTSERV@UGA) with SUBSCRIBE RISKS or UNSUBSCRIBE RISKS as needed. Users on US Military and Government machines should contact (Dennis Rears). UK subscribers please contact . Local redistribution services are provided at many other sites as well. Check FIRST with your local system or netnews wizards. If that does not work, send requests to (not automated).

CONTRIBUTIONS: to risks@csl.sri.com, with appropriate, substantive Subject: line, otherwise they may be ignored. Must be relevant, sound, in good taste, objective, cogent, coherent, concise, and nonrepetitious. Diversity is welcome, but not personal attacks. PLEASE DO NOT INCLUDE ENTIRE PREVIOUS MESSAGES in responses to them. Contributions will not be ACKed; the load is too great. **PLEASE** include your name & legitimate Internet FROM: address, especially from .UUCP and .BITNET folks. Anonymized mail is not accepted. ALL CONTRIBUTIONS CONSIDERED AS PERSONAL COMMENTS; USUAL DISCLAIMERS APPLY. Relevant contributions may appear in the RISKS section of regular issues of ACM SIGSOFT's SOFTWARE ENGINEERING NOTES, unless you state otherwise.

ARCHIVES: "ftp crvax.sri.com<CR>login anonymous<CR>YourName<CR>cd risks:" Issue j of volume 15 is in that directory: "get risks-15.j". For issues of earlier volumes, "get [.i]risks-i.j" (where i=1 to 14, j always TWO digits) for Vol i Issue j. Vol i summaries in j=00. "dir" (or "dir [.i]") lists (sub)directory; "bye" logs out. CRVAX.SRI.COM = [128.18.30.65]; <CR>=CarriageReturn; FTPs may differ; UNIX prompts for username, password.
WAIS and bitftp@pucc.Princeton.EDU are alternative repositories.

FAX: ONLY IF YOU CANNOT GET RISKS ON-LINE, you may be interested in receiving it via fax; phone +1 (818) 225-2800, or fax +1 (818) 225-7203 for info regarding fax delivery. PLEASE DO NOT USE THOSE NUMBERS FOR GENERAL RISKS COMMUNICATIONS; as a last resort you may try phone PGN at +1 (415) 859-2375 if you cannot E-mail risks-request@CSL.SRI.COM .

------------------------------

End of RISKS-FORUM Digest 15.70
************************