Subject: RISKS DIGEST 17.20
REPLY-TO: risks@csl.sri.com

RISKS-LIST: Risks-Forum Digest Weds 26 July 1995 Volume 17 : Issue 20

FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

***** See last item for further information, disclaimers, etc. *****

Contents: [finally back in gear; remember 1 August anniversary issue(s)]
 Woman electrocuted using hotel card-key (Karl W. Reinsch)
 My Grammar is a Dame? (PGN from The New Yorker)
 Pushbutton ignition code blamed for NY City bus theft (George Mannes)
 New Pittsburgh Jail (Alan Tignanelli)
 Bell Atlantic Goofs (Mich Kabay)
 Risks of misreporting risks? (Jeremy Epstein)
 No laughing matter: hospital database misuse (Jan Joris Vereijken)
 Automated performance reviews (Geoff Kuenning)
 Runaway E-Mail (Mich Kabay)
 Two Short-Courses on Software Engineering (Dave Parnas)
 ISOC Symposium on Network and Distributed System Security (Clifford Neuman)
 Info on RISKS (comp.risks), contributions, subscriptions, FTP, etc.

----------------------------------------------------------------------

Date: Sat, 8 Jul 1995 00:25:34 -0400 (EDT)
From: "Karl W. Reinsch"
Subject: Woman electrocuted using hotel card-key

The Washington Post on Tuesday, 27 June 1995, tells of an 18-year-old
Cincinnati woman who was electrocuted Friday at a New Carrollton hotel.
Police said that she was barefoot, wet, and standing on wet concrete. The
door was apparently charged with electricity from a faulty air-conditioning
unit in the wall near the door.

An electrical engineer inspected the room. Police spokesman Sgt. Rick Morris
said, ``They found a faulty air conditioner emitting some sort of electric
charge, and the charge was transcending to the door."

Steiner Oftgard, vice president of VingGuard, the manufacturer of the door
lock, says the system uses only 9 volts, which is supplied by six 1 1/2-volt
batteries. Anthony G.
Marshall, who writes the ``At Your Risk" column for Hotel and Motel
Management magazine, said, ``This has to be right out of 'Believe It or
Not'." The hotel removed all guests from rooms that open directly outside,
pending further investigation.

I'm sure there are plenty of risks to discuss. I don't think this happened
with old-fashioned door locks. I also can't decide if Sgt. Morris really
said that, or if some "intelligent" software made a substitution.

Karl Reinsch, kreinsch@radix.net

------------------------------

Date: Tue, 25 Jul 95 8:28:57 PDT
From: "Peter G. Neumann"
Subject: My Grammar is a Dame?

_The New Yorker_ issue of 10 Jul 1995 has a cute squib on page 33, quoting
the output from the grammar checker in Microsoft Word for Windows in
response to the sentence, "I graduated from the University of Notre Dame."

   Sexist expression. Avoid using Dame except as a British title.

TNY's traditional retort was quite worthy:

   They don't call them P.C.s for nothing.

------------------------------

Date: 13 Jul 95 16:53:10 EDT
From: George Mannes <74170.152@compuserve.com>
Subject: Pushbutton ignition code blamed for NY City bus theft

According to an article by Garry Pierre-Pierre in the July 8, 1995, New York
Times (p.23), two unidentified youths stole a parked 38,000-pound, 40-foot
NYC bus and took it on a six-block joyride, colliding with seven cars and
smashing the bus into a subway station entrance. The bus, which cost the
city $235,000, suffered "extensive damages."

The bus was vulnerable, the article says, because it was parked on the
street in front of the depot in which it was supposed to be parked. In the
article, a Transit Authority spokesman theorizes that the thieves pried open
the bus door and pushed a sequence of buttons necessary to start the bus;
the vehicle needs no ignition key. "It's not top-secret information," the
spokesman is quoted saying about the ignition code.
"It's certainly information that can be obtained from watching operators
start the buses."

As a New York City taxpayer, resident and vulnerable pedestrian, I'm
somewhat concerned when a T.A. spokesman admits that the ignition code is an
open secret. Several questions come to mind. How many city buses use
pushbutton ignition and not a key? To make it easier on drivers, do all the
pushbutton buses use the same code? Are the codes changeable? How often, if
ever, does the T.A. change them? Who decided that buttons were better than
keys?

The article notes that the bus was built in 1994 and is among the newest in
the city's fleet. So much for progress.

George Mannes 74170.152@compuserve.com

------------------------------

Date: 03 Jul 95 09:06:47 EDT
From: Alan Tignanelli <75453.2055@compuserve.com>
Subject: New Pittsburgh Jail

Summarized from the Pittsburgh Post-Gazette, July 2, 1995 (Direct quotes
from the article are in [ ]):

The new jail in Pittsburgh took 2 and a half years and $147 million to
build, and has been open since early May. But, there are apparently tons of
problems with the new facility, including:

1. Dozens of computer terminals that are unusable because, while the data
   jacks were connected and wired, nobody bothered to put electrical outlets
   in.

2. A computer system to track inmate information is still off-line for two
   reasons. One, the software is from a Canadian company and is not
   formatted to the American justice system (whatever that means - AT). Two,
   nobody has been trained on how to use the system.

3. Guards carry an electronic personal alarm. These alarms are supposed to
   send out signals when there is a security problem, but are prone to false
   alarms. [A few weeks ago, one of the personal alarms accidentally went
   off and almost every light and audio alarm on the nuclear sub-like
   control panel lit up, said Bruce Helt, a guard who is the union vice
   president.
   As a result, there was no way to locate where the crisis would have been
   if the alarm had been a real emergency, he said.] In another incident
   with these alarms, a female guard had to work an entire shift last week
   without an alarm because her battery went dead and there were no spares.

4. There was another electrical malfunction which left jail employees unable
   to unlock the doors to three pods, leaving one guard isolated with 56
   inmates in each pod. (According to a TV report, the malfunction not only
   locked the guards in, but the cells were left _unlocked_!) The president
   of the jail guards' union, John Pastor, said ["Fortunately, there was no
   type of altercation. But if there had been, we couldn't have gotten help
   to anybody."] The malfunction lasted about two hours and knocked out the
   air circulation system on half of the second floor.

5. [The ventilation system occasionally shuts off for no apparent reason.]

6. [The fire alarms go off at all hours for no apparent reason.] (I guess
   that means there's a faulty switch somewhere, but they haven't been able
   to figure out how to find it.)

7. The employee elevator in the high-rise jail only works sporadically.

8. [In an emergency, guards could use the pod phones to dial 911. But it
   wouldn't do them any good. The outside lines to each pod have been
   disconnected. In fact, jail officials mistakenly had the phone company
   block all but a few phones from being able to place or receive outside
   calls] said Allegheny county Director of Criminal Justice Bob Coll.

Perhaps the most incredible quote of the entire article was attributed to
James J. Gregg, Jr., the deputy warden for operations. He said ["Everything
is working as scheduled."] (Who the hell approved that schedule????- AT)

The guards' union president attributed some of the problems to political
maneuvering.
He charged that County Commissioners Tom Forester and Pete Flaherty rushed
the new facility into at least partial use two months early to show they
were tough on crime. Incidentally, they were both defeated in the Democratic
primary.

I don't think the risks need to be pointed out. I'm certainly glad I'm not a
guard in this place. Fortunately, I don't know of any friends or relatives
who are guards there either. It always makes me shake my head in wonderment
when I see a project finish up like this. Makes you wonder who supervises
this stuff.

Alan Tignanelli

------------------------------

Date: 25 Jul 95 05:50:56 EDT
From: "Mich Kabay [NCSA Sys_Op]" <75300.3232@compuserve.com>
Subject: Bell Atlantic Goofs

From the Washington Post news wire via CompuServe's Executive News Service,
25 July 1995:

   Three Little Digits, One Big Goof; Bell Atlantic Errs in Telling N.Va.
   Residents of New Area Code
   By Mike Mills
   Washington Post Staff Writer

   Sorry, wrong number.

   In a gaffe that would give any public relations manager intestinal
   trouble, Bell Atlantic Corp. late last week sent notices to 388,000
   Northern Virginia homes and businesses, telling them that their 703 area
   code would soon be changed to 540.

   "Welcome to 540 Country, from Bell Atlantic" read the cheerful notices,
   which included little stickers for people to place on their phones as a
   helpful reminder of the impending change.

   The problem is, they told the wrong people.

It seems the Bell Atlantic staff should have sent the notices to the more
westerly region of VA. A company spokesperson blamed a programming error for
the $100,000 blunder. The writer defines the correct area as follows:

   The real boundaries of the new 540 area code stretch from the
   southwestern tip of Virginia northeast along both sides of the Blue Ridge
   to the Potomac River and east to Fredericksburg. Prince William County --
   which is served by GTE Corp.
   and did not receive the mailing -- remains in 703, as do eastern Loudoun
   County and Leesburg; western Loudoun County and Stafford County join
   Fredericksburg in the new 540 area. Leesburg also had been originally
   included, but the map was modified to exclude the town after many
   residents complained that they wanted to remain in the 703 code.

The article mentions gleefully that Bell Atlantic could have done worse;
after all, AT&T recently used the number of a sex-line instead of its own
toll-free information line.

[Comment by MK: Another illustration of why quality assurance is needed in
everything. Also an example of the tendency to blame the I.T. staff:
"programming error" indeed! I wonder how many people approved this farce
before the mail got out the door?]

M.E.Kabay,Ph.D. / Dir. Education, Natl Computer Security Assn (Carlisle, PA)

------------------------------

Date: Tue, 27 Jun 1995 11:34:51 -0400
From: jepstein@inetml.cordant.com (Jeremy Epstein -C2 PROJECT)
Subject: Risks of misreporting risks?

The Washington Post Monday business section has a regular "shorts" called
"Digital Flubs", in which they report on interesting goofs. Many of them
appear to be culled (without attribution) from RISKS. The June 26 edition
reads as follows:

   A piece of security software widely used on computer networks has a hole
   in it. [CERT] said it has distributed instructions on how to correct the
   problem in FreeBSD, a program created by a software engineer in the
   Netherlands. In some circumstances, the hole lets people tapping into a
   computer see and alter information that should be off-limits to them.
   FreeBSD is an "enhancement" to S/Key, a program that controls password
   access to networked computers. S/Key itself does not have the problem.

I'm not sure what this is actually trying to say, but whatever it is, it's
wrong. FreeBSD is an operating system, not security software or an
enhancement to S/Key.
FreeBSD wasn't developed by an engineer in the Netherlands, although it's
possible that S/Key was ported to FreeBSD by some such person.

The risk is that someone might read this, think it actually describes a
weakness, and mistakenly take action (or not take action) without knowing
that the article is confused.

------------------------------

Date: Tue, 27 Jun 1995 11:28:47 +0200 (MET DST)
From: janjoris@win.tue.nl (Jan Joris Vereijken)
Subject: No laughing matter: hospital database misuse

The 13-year-old daughter of a hospital records clerk in Jacksonville, Fla.,
used her mother's computer during an office visit and printed out names and
numbers of patients previously treated in the hospital's emergency room.
According to police, she then telephoned seven people and falsely told them
that they were infected by the HIV virus. One person attempted suicide after
the call. Upon arrest, the girl told police the calls were just a prank.

Source: _Communications of the ACM_, Volume 38, Number 5, May 1995.

------------------------------

Date: Wed, 28 Jun 1995 10:10:25 -0700
From: Geoff Kuenning
Subject: Automated performance reviews

An article by Richard O'Reilly in the business section of the June 28, 1995,
Los Angeles Times describes and evaluates two products intended to help
managers write performance reviews of their employees, Performance Now! from
Knowledge-Point and Employee Appraiser from Austin-Hayne Corp. Given the
time spent on this task in the typical company, and its (non-)popularity
among managers, I am sure that both products will quickly find a marketplace
niche. But I am very concerned about the RISKS of hype and legal liability.

The article describes both products as being expert systems, but to me they
sound more like a collection of canned phrases and paragraphs with a little
bit of software to select them. Each product asks you to numerically rate
the employee in a number of different categories, then suggests an
evaluation paragraph.
Convenient menu buttons allow you to "tune" the paragraph by making it
slightly more negative or positive. Both products allow post-customization
of the text. Performance Now! will also combine some categories into a
single paragraph when they are related. It also warns you when you give a
negative review, so that you can add supporting material.

This is bad enough, with its tendency to encourage lazy managers to give an
employee exactly the same review, word for word, in successive years. But
much more worrisome are the extended features offered by the two programs.
Performance Now! will combine all the numerical categories into an overall
1-through-5 rating of the employee, with no chance for the manager to
specify which categories are more important for that particular job. This is
a classic example of using computers to dehumanize underlings.

Employee Appraiser skips this feature, but instead invents evaluations out
of whole cloth. For example, according to O'Reilly:

   If you choose "generally understands job," the program proposes an
   evaluation that says, "You generally understand the duties and
   responsibilities of the job. As a result, you are often able to act on
   your own initiative."

As O'Reilly notes, the manager has not given the program any indication that
the employee has initiative, and the manager must remember to remove this
sentence if it is false. One can well imagine the glowing review that might
be given Beetle Bailey by this software!

To be fair to these programs, I am sure that many savvy managers already
have canned paragraphs stored in their word processors to ease the task of
writing reviews. In that sense, these programs are probably an advance,
because they can integrate multiple factors into their prepackaged writing.
(Besides, one can at least hope that they will use good English!)
But RISKS readers will be most unhappy about Performance Now!'s attempt to
squash all of this information into a 1-5 numerical rating, and about
Employee Appraiser's tendency to insert things that managers never intended
to say. Especially with the latter, I predict that a wrongful-discharge suit
a few years from now will be quoting a glowing automatically-written
performance review that a manager never intended to be so positive.

Geoff Kuenning g.kuenning@ieee.org geoff@ITcorp.com
http://www.cs.ucla.edu/ficus-members/geoff/

------------------------------

Date: 13 Jul 95 02:50:52 EDT
From: "Mich Kabay [NCSA Sys_Op]" <75300.3232@compuserve.com>
Subject: Runaway E-Mail

From the Associated Press news wire via CompuServe's Executive News Service:

   Pilot-Electronic Mail

   WASHINGTON (AP, 11 July 1195) -- To the embarrassment of the Pentagon, a
   detailed account of the June rescue of Capt. Scott O'Grady in Bosnia --
   sprinkled with salty language and a dig at the United Nations -- found
   its way onto the global Internet computer network.

   It was written by Air Force Capt. Scott Zobrist, an F-16 pilot based with
   O'Grady at Aviano, Italy, just hours after O'Grady's rescue by Marines.
   Zobrist was flying an F-16 on the periphery of the operation; he listened
   in on the rescue team's conversations and tape-recorded them.

The article explains that Zobrist sent his personal thoughts on the events
to friends, and ZOT! it ended up in wide distribution through AOL. DoD
officials were embarrassed by Zobrist's language and hostility to the
Bosnian Serb forces. However, there was apparently no classified information
at all in the document.

This incident _could_ have happened if Zobrist had sent printed messages to
his friends, but it might have taken longer to spread the photocopies of
photocopies of photocopies to an audience of millions.
Anyone sending any information that should remain moderately confidential
should include a warning in their message so that the author's intentions
can be clear to all; e.g., "Please do not copy this message to anyone else
and do not post it publicly." This, too, would not prevent the information
from going out of control, but it might slow down the explosion of copies.

The following section of the article was particularly interesting:

   A separate question for the Pentagon is whether it can control the spread
   of sensitive or embarrassing military information on the Internet
   computer network.

   "We need to either control it ourselves or figure out some way to control
   it," Brig. Gen. Ron Sconyers told the Detroit Free Press, which reported
   on the case in Tuesday's editions. "It's growing faster than we can keep
   up with."

The Internet originated in ARPANET, funded by the Defense Advanced Research
Projects Agency 30 years ago. Maybe the piper wants to start calling the
tune again.

M.E.Kabay,Ph.D. / Dir. Education, Natl Computer Security Assn (Carlisle, PA)

------------------------------

Date: Mon, 3 Jul 95 21:47:34 EDT
From: parnas@triose.crl.McMaster.CA (Dave Parnas)
Subject: Two Short-Courses on Software Engineering

McMaster University Faculty of Engineering presents
Two Short-Courses on Software Engineering

SOFTWARE DESIGN: AN ENGINEERING APPROACH
-----------------------------------------
August 8-12, 1995

INSPECTING CRITICAL SOFTWARE
----------------------------
August 15-17, 1995

instructed by Prof. David L. Parnas
Department of Electrical and Computer Engineering

McMaster University's Faculty of Engineering is pleased to present two
courses on Software Engineering. "Inspecting Critical Software" was
presented last summer and was well received by all who attended.
"Software Development: An Engineering Approach" a course previously taught
on-site at several development organizations, provides a broader, more
basic, introduction to software design principles and will be useful for
those developing software that does not require critical inspection. It is
aimed at engineers who want to know how to design software well.

Inquiries should be directed to
   Jan Arsenault
   McMaster University
   Phone: (905) 525-9140, ext. 24910
   Fax: (905) 577-9099
   e-mail: arsenau@mcmaster.ca

[Dave is one of the earliest contributors to RISKS, and internationally
known for his work in software engineering. He pioneered many concepts of
modularity, information hiding, object orientation, etc. This is a rare
opportunity for any of you seriously interested in software engineering,
system design, and critical software. The full course information is also
available for FTP in the UNIX.SRI.COM risks ftp directory, as
risks-17.parnas . PGN]

------------------------------

Date: Wed, 19 Jul 1995 07:05:37 -0700
From: Clifford Neuman
Subject: ISOC Symposium on Network and Distributed System Security--Second CFP

SECOND CALL FOR PAPERS
Submission deadline is 14 August

The Internet Society Symposium on Network and Distributed System Security
February 22-23, 1996
San Diego Princess Resort, San Diego, California

GOAL: The symposium will bring together people who are building hardware and
software to provide network and distributed system security services. The
symposium is intended for those interested in the practical aspects of
network and distributed system security, focusing on actual system design
and implementation, rather than theory. We hope to foster the exchange of
technical information that will encourage and enable the Internet community
to apply, deploy, and advance the state of available security technology.
Symposium proceedings will be published by the IEEE Computer Society Press.
Topics for the symposium include, but are not limited to, the following:

* Design and implementation of communication security services:
  authentication, integrity, confidentiality, authorization,
  non-repudiation, and availability.

* Design and implementation of security mechanisms, services, and APIs to
  support communication security services, key management and certification
  infrastructures, audit, and intrusion detection.

* Requirements and designs for securing network information resources and
  tools -- WorldWide Web (WWW), Gopher, archie, and WAIS.

* Requirements and designs for systems supporting electronic commerce --
  payment services, fee-for-access, EDI, notary -- endorsement, licensing,
  bonding, and other forms of assurance.

* Design and implementation of measures for controlling network
  communication -- firewalls, packet filters, application gateways, and
  user/host authentication schemes.

* Requirements and designs for telecommunications security especially for
  emerging technologies -- very large systems like the Internet, high-speed
  systems like the gigabit testbeds, wireless systems, and personal
  communication systems.

* Special issues and problems in security architecture, such as interplay
  between security goals and other goals -- efficiency, reliability,
  interoperability, resource sharing, and cost.

* Integration of security services with system and application security
  facilities, and application protocols -- including but not limited to
  message handling, file transport, remote file access, directories, time
  synchronization, data base management, routing, voice and video multicast,
  network management, boot services, and mobile computing.
GENERAL CHAIR:
   Jim Ellis, CERT Coordination Center

PROGRAM CHAIRS:
   David Balenson, Trusted Information Systems
   Clifford Neuman, USC Information Sciences Institute

LOCAL ARRANGEMENTS CHAIR:
   Thomas Hutton, San Diego Supercomputer Center

PUBLICATIONS CHAIR:
   Steve Welke, Institute for Defense Analyses

REGISTRATIONS CHAIR:
   Donna Leggett, Internet Society

PROGRAM COMMITTEE: [deleted for space]

SUBMISSIONS: The committee invites technical papers and panel proposals for
topics of technical and general interest. Technical papers should be 10-20
pages in length. Panel proposals should be two pages and should describe the
topic, identify the panel chair, explain the format of the panel, and list
three to four potential panelists. Technical papers will appear in the
proceedings. A description of each panel will appear in the proceedings, and
may at the discretion of the panel chair, include written position
statements from each panelist.

Deadline for paper submission: August 14, 1995

Submissions must be received by 14 August 1995. Submissions should be made
via electronic mail. Submissions may be in either of two formats: PostScript
or ASCII. If the committee is unable to print a PostScript submission, it
will be returned and hardcopy requested. Therefore, PostScript submissions
should arrive well before 14 August. If electronic submission is difficult,
submissions should be sent via postal mail.

All submissions and program related correspondence (only) should be directed
to the program chair:

   Clifford Neuman
   University of Southern California
   Information Sciences Institute
   4676 Admiralty Way
   Marina del Rey, California 90292-6695
   Phone: +1 (310) 822-1511
   FAX: +1 (310) 823-6714
   Email: sndss96-submissions@isi.edu

Dates, final call for papers, advance program, and registration information
will be made available at the URL: http://nii.isi.edu/info/sndss

[Contact Clifford for further info. This is a shortened announcement.
PGN]

------------------------------

Date: 24 March 1995 (LAST-MODIFIED)
From: RISKS-request@csl.sri.com
Subject: Info on RISKS (comp.risks), contributions, subscriptions, FTP, etc.

The RISKS Forum is a moderated digest. Its USENET equivalent is comp.risks.
Undigestifiers are available throughout the Internet, but not from RISKS.

SUBSCRIPTIONS: PLEASE read RISKS as a newsgroup (comp.risks or equivalent)
on your system, if possible and convenient for you. BITNET folks may use a
LISTSERV (e.g., LISTSERV@UGA): SUBSCRIBE RISKS or UNSUBSCRIBE RISKS. U.S.
users on .mil or .gov domains should contact (Dennis Rears ). UK subscribers
please contact . Local redistribution services are provided at many other
sites as well. Check FIRST with your local system or netnews wizards. If
that does not work, THEN please send requests to (which is not yet
automated). SUBJECT: SUBSCRIBE or UNSUBSCRIBE; text line (UN)SUBscribe RISKS
[address to which RISKS is sent]

CONTRIBUTIONS: to risks@csl.sri.com, with appropriate, substantive Subject:
line, otherwise they may be ignored. Must be relevant, sound, in good taste,
objective, cogent, coherent, concise, and nonrepetitious. Diversity is
welcome, but not personal attacks. PLEASE DO NOT INCLUDE ENTIRE PREVIOUS
MESSAGES in responses to them. Contributions will not be ACKed; the load is
too great. **PLEASE** include your name & legitimate Internet FROM: address,
especially from .UUCP and .BITNET folks. Anonymized mail is not accepted.
ALL CONTRIBUTIONS CONSIDERED AS PERSONAL COMMENTS; USUAL DISCLAIMERS APPLY.
Relevant contributions may appear in the RISKS section of regular issues of
ACM SIGSOFT's SOFTWARE ENGINEERING NOTES, unless you state otherwise. All
other reuses of RISKS material should respect stated copyright notices, and
should cite the sources explicitly; as a courtesy, publications using RISKS
material should obtain permission from the contributors.
RISKS can also be read on the web at URL http://catless.ncl.ac.uk/Risks
Individual issues can be accessed using a URL of the form
http://catless.ncl.ac.uk/Risks/VL.IS.html
(Please report any format errors to Lindsay.Marshall@newcastle.ac.uk)

RISKS ARCHIVES: "ftp unix.sri.com<CR>login anonymous<CR>[YourNetAddress]
cd risks or cwd risks, depending on your particular FTP. Issue J of volume
17 is in that directory: "get risks-17.J". For issues of earlier volumes,
"get I/risks-I.J" (where I=1 to 16, J always TWO digits) for Vol I Issue j.
Vol I summaries in J=00, in both main directory and I subdirectory; "bye"
I and J are dummy variables here. REMEMBER, Unix is case sensitive; file
names are lower-case only. <CR>=CarriageReturn; UNIX.SRI.COM =
[128.18.30.66]; FTPs may differ; Unix prompts for username and password.
Also ftp bitftp@pucc.Princeton.EDU. WAIS repository exists at
server.wais.com [192.216.46.98], with DB=RISK (E-mail info@wais.com for
info) or visit the web wais URL http://www.wais.com/ . Management Analytics
Searcher Services (1st item) under http://all.net:8080/ also contains RISKS
search services, courtesy of Fred Cohen. Use wisely.

------------------------------

End of RISKS-FORUM Digest 17.20
************************