precedence: bulk Subject: RISKS DIGEST 19.40 RISKS-LIST: Risks-Forum Digest Weds 1 October 1997 Volume 19 : Issue 40 FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks) ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator ***** See last item for further information, disclaimers, caveats, etc. ***** Contents: "Computer error" affects A-level results (Pete Mellor) Microsoft: Redefining a problem out of existence (Pete Mellor) AOL may introduce ads on private e-mail (Nick Rothwell) Health Care System, Manitoba (Mike Jeays) Re: EAGLE DEPART|ANDREWS (Daniel Lance Herrick) ATM Withdrawal? (Colin Perkel) Electronic Pearl Harbor: Risks of dubious infowar analogies (Eli Jackson) Possible breakthrough in NP-completeness (Jonathan Seth Hayward) No network, no demo (Martin Minow) Internet sting identifies 1,500 suspected child pornographers (Neil Youngman) 7-bit vs 8-bit incompatibilities (Martin Minow) Data aggregation -- a Risk (David Parkinson) Re: AT&T 800... (Peter Capek) Mad Bus Disease (Geert Jan van Oldenborgh) Re: FBI wants to ban the Bible ... (Daniel J. Theunissen, Paul Fenimore) C's data types; was: Re: Y2K and C (Vivek Sadananda Pai) Re: New --faster-- Macs broke old code (Randy Witlicki) Abridged info on RISKS (comp.risks) ---------------------------------------------------------------------- Date: Tue, 19 Aug 1997 20:09:52 +0100 (BST) From: Pete Mellor Subject: "Computer error" affects A-level results Hundreds of students celebrating their acceptance for university were told that their places had been withdrawn because of an examination board mix-up. The Universities and Colleges Admissions Service had passed incorrect results for [at least?] 807 students' A-level exams to university and college admissions officers -- because of computer errors. Also, some students who were not accepted on the basis of those results may have been acceptable. Peter Mellor, Centre for Software Reliability, City University, Northampton Sq London EC1V 0HB, UK +44 (171) 477-8422, p.mellor@csr.city.ac.uk [PGN Abstracting, from Computer error may mean college offers withdrawn, David Charter and Martin Fletcher, *The Times* (London), 18 Aug 1997] ------------------------------ Date: Tue, 1 Jul 1997 01:02:42 +0100 (BST) From: Pete Mellor Subject: Microsoft: Redefining a problem out of existence >>>> Design side effect, n. euph., What Bill Gates' technogeeks at >>>> Microsoft are allowed to call a defect in company products. > Also officially tolerated are the euphemisms that describe system failures > as issues, known issues or intermittent issues, and even as undocumented > behaviour. Absolutely not permitted is the word ``bug'' -- a term a > spokesman claims is too "complex" for the company's official language. The > company's addiction to euphemism has created a new language called > Microspeak, says the New York Times - which may bug a few people in > Seattle. [David Rowan, *Guardian* Weekend magazine, 28 Jun 1997, in the > "Glossary for the 90s" column] This reminds me of the old joke in ICL when I worked there in the 1970s: "That's not a bug! That's a feature!" Now I know why I spend so much time on IEC/TC56/WG1 "Terms and Definitions". If someone doesn't take a stand, the powers of darkness will define the whole concept of software dependability out of existence! First there is "Software failure is systematic, therefore not time dependent". Corollary: There is no such thing as software reliability. Answer: The failures due to a latent software fault may be systematic, but the trigger conditions that activate it are encountered randomly over time. Now we have "Software doesn't fail at all! Why, it doesn't even contain faults!". Corollary: "Software crisis? What software crisis?" The Joker has been on screen long enough! Where's Batman? Peter Mellor, Centre for Software Reliability, City University, Northampton Sq London EC1V 0HB, UK +44 (171) 477-8422, p.mellor@csr.city.ac.uk ------------------------------ Date: 30 Sep 1997 11:37:35 -0000 From: Nick Rothwell Subject: AOL may introduce ads on private e-mail The electronic equivalent of having the Post Office open everyone's personal mail to insert commercial advertising flyers could probably be construed as an invasion of privacy, and I predict some RISKy scenarios if it goes ahead. The German unit of AOL is planning to boost advertising revenues by including ads on private electronic mail, and AOL itself is considering it. AOL Germany spokesman Ingo Reese said that they expected ``robust growth'' from the new ad strategy, adding graphical advertisements in e-mail between users. He noted that the parent AOL gets 16% of its $2 billion in annual turnover from ads. Nick Rothwell, CASSIEL http://www.cassiel.com [PGN Stark Abstracting from a Reuter item (AOL may introduce ads on private e-mail), 26 Sep 1997] Originally http://biz.yahoo.com/finance/97/09/26/aol_x0001_1.html, Later http://www.yahoo.com/headlines/970926/entertainment/stories/online_notes_8.html [CHANGED IN ARCHIVE COPY] ------------------------------ Date: Wed, 24 Sep 1997 22:25:16 -0400 (EDT) From: Mike Jeays Subject: Health Care System, Manitoba The CBC aired an article on improvements to the health care system in Manitoba on 24 Sep 1997. Viewers were assured that the security software was ``the finest that money can buy.'' The technically literate might have been discouraged by the use of a 3-character password in part of the demonstration. Mike Jeays, Statistics Canada, Ottawa, Ontario. ------------------------------ Date: Tue, 23 Sep 1997 09:54:42 -0400 From: daniel lance herrick Subject: Re: EAGLE DEPART|ANDREWS (Re: RISKS-19.39) We have the note: > ... Strong encryption is the one technology that could have protected > [the pager interceptions]... Unfortunately, encryption is not enough. EAGLE DEPART|ANDREWS appears 16 times near the beginning of the transcript, separately paging each of the members of the presidential detail who need to know POTUS[President of the United States]'s movements. There are similar bursts when he arrives at an airport. When he departs that airport. When he arrives at a meeting place. When he leaves for the convention center. When he arrives at the convention center. When he leaves for the airport. When he departs the airport for Andrews. The United States Secret Service is criminally negligent of its sworn duties to broadcast this critical data real time in clear for anyone who cares to listen. But if it were encrypted, it would still be trivially easy for malefactors who knew POTUS was in the convention center and had plans to make his trip to his next location more exciting to listen to encrypted alpha paging transmissions and know when the presidential detail leaves the convention center. The traffic analysis is unmistakable. You don't even need to know the addressees of the encrypted messages. A burst of more than a dozen messages fast means that the next event of interest to the presidential detail is happening. A clear risk of inappropriate use of technology increasing the danger to the target who is supposed to be being protected. Or, as someone is said to have put it a long time ago, "The emperor has no clothes." dan dlh@dlh.com [To some extent, the unencrypted header problems and traffic inference problems can be addressed by multiple encryption and by uniformizing the traffic to hide the Pentagon Pizza effect. In that analogy, it might cost a lot of extra pizzas and require a lot of extra phone bills... POTUS OPERANDI? PGN] ------------------------------ Date: Tue, 16 Sep 1997 01:17:52 GMT From: sysop@guildnet.org (Colin Perkel) Subject: ATM Withdrawal? During a recent visit to South Africa, I tried to use my Royal Bank ATM card at a Standard Bank machine in a mall in Johannesburg to take out R200 (=CDN$61). After a short while, the machine spit out my card along with a slip saying: "Your card issuer is unavailable." No money. The following day, at a different mall, I tried to take out R500 (=CDN$152) from another machine from the same bank. Same story. However, at a nearby CashPoint machine (NedBank), everything ticked along and I was given my R500. On my return to Toronto, I was somewhat bemused (but not entirely flummoxed) to find my account debited for all three transactions, putting me out of pocket by more than $200. So it was with some trepidation that I called the Royal (because in the back of my mind was the yarn familiar to medium-term RISK readers re: the old English gent who ended up getting convicted of attempted fraud when he complained about an unauthorized withdrawal from his account via an ATM). The bank ("Muru") informed me that their records showed that I'd indeed withdrawn the money, but that they'd investigate. About a week later, a "Debbie" called my wife to say their investigation concluded the machine had given me the dough. When my wife protested that I had the slips showing "Your card issuer is not available," it was along the lines of "Oh, we'll investigate some more," and a promise to get back to me. That was more than a week ago and my heart is sinking. Of course, I haven't given up yet. Most of the RISKS involved here are obvious. But I'd like to note the one of relying on a bank to investigate anything. No one has yet even asked to see the slips I got from the ATMs or actually asked me any detailed questions about the machines I used or given me any indication that a real investigation was done -- or is even possible. How *do* you prove you didn't get money -- especially long-distance? How do you avoid the attitude that "computer records never lie" and that you must either be mistaken -- or a crook? The saga continues... Colin Perkel sysop@guildnet.org (416) 269-2734 Sysop The GuildNet BBS GuildNet-L Listowner ------------------------------ Date: Mon, 22 Sep 1997 13:51:08 -0700 From: "Eli Jackson (Volt Computer)" Subject: Electronic Pearl Harbor: Risks of dubious infowar analogies re: http://www.soci.niu.edu/~crypt/other/harbor.htm I find this fascinating. Obviously (??) when the EPH is brought up the example (/fear/fearmongering) is used to describe the danger of an unannounced attack in which our vital resources are caught unaware and severely crippled. However, if one were to look at the events at Pearl Harbor (and I'm no history buff here), it would seem that the EPH describes an entirely different scenario (which is worth worrying about, perhaps): what happens when we are given ample warning and already possess knowledge of an upcoming attack, will we recognize this... Pearl Harbor wasn't just a surprise attack, it is one of the most graphic examples of what miscommunications and inaction can accomplish. Indeed it is very humorous to replace "electronic Pearl Harbor" with "ignored imminent threat of information warfare attack". Given this phrase has been most uttered by brass/military establishment types, its ironic that the true risk in the EPH scenario is the flailing of military leadership. Eli O J ------------------------------ Date: 19 Sep 1997 08:13:58 GMT From: jhayward@students.uiuc.edu (jonathan seth hayward) Subject: Possible breakthrough in NP-completeness I now have what I believe to be a polynomial time solution to an NP-complete problem (specifically, satisfying a propositional formula expressed in terms of parentheses, variables, negations, and conjunctions). I am posting to security and cryptography related newsgroups because my algorithm, if correct, may have substantial implications for cryptography and consequently security issues (so that, if correct, the algorithm is known to security people as soon as everybody else). This program produces correct output for small formulas that I am able to manually verify, and it had an execution time on a formula of 100 variables was less than a minute. (Compare with brute force, which (on a supercomputer capable of 1 billion elementary operations per second) would take longer than the age of the universe.) I will post a uuencoded compressed tar of a directory hierarchy with the algorithm, implemented in C and supplemented by some bourne shell scripts, as an immediate followup to this post. Should the binary UseNet post be cancelled by someone like Dick Depew, it is also available (same format) on the web at: http://www.imsa.edu/~jhayward/npc.tar.Z.uu http://www.students.uiuc.edu/~jhayward/npc.tar.Z.uu This release should be considered a beta release, i.e., while I am reasonably sure that the algorithm is correct, the specific implementation may have bugs. Thanks to David Henderson (davidh@imsa.edu) and especially Ryan Pierce (rpierce@imsa.edu) for an excellent parser function. Jonathan Hayward jhayward@math.uiuc.edu jhayward@ncsa.uiuc.edu ------------------------------ Date: Thu, 25 Sep 1997 13:46:56 -0700 From: Martin Minow Subject: No network, no demo Larry Ellison, CEO of Oracle Inc, and a strong proponent of network computers, was demo-ing his NC at the Oracle OpenWorld conference. Unfortunately, the network crashed and the application hung "and Ellison was left hanging on stage." See Martin Minow minow@apple.com [As I recall, a similar thing happened to Bill Gates at Networld+InterOp in Las Vegas in April 1996. PGN] ------------------------------ Date: Tue, 30 Sep 1997 15:54:10 +0100 From: Neil Youngman Subject: Internet sting identifies 1,500 suspected child pornographers RISKS readers may be interested in the above article, which is available at http://www.cnn.com/US/9709/30/cybersting/. Neil Youngman [18-month ``Operation Rip Cord'' run by NY Attorney General's office and U.S. Customs employees.] ------------------------------ Date: Fri, 26 Sep 1997 10:08:15 -0700 From: Martin Minow Subject: 7-bit vs 8-bit incompatibilities [This note is in response to some out-of-band discussions on Swedish characters and the ISO eight-bit extended ASCII. PGN] The effect of the PDP-11 and Unix on internationalization. I trace a lot of these problems back to the design of the Dec PDP-11 and Unix, and some misplaced optimizations. On the PDP-11, byte values were represented as *signed* integers. This was useful for some instruction decoding, but probably a bad idea in the long run -- remember that the PDP-11 was designed in the late 1960's to work within very limited target configurations. The Unix operating system, and many Unix programs, used this to provide in-band signalling of non-character information. For example, one release of the C-language preprocessor used "negative" character values to distinguish preprocessor macro arguments from ordinary text. Thus, if a program's source file contained any characters from the international range (i.e., values from 0xA1 through 0xFF), the preprocessor would treat these as macro parameters, with disastrous results (random memory accesses). Although ISO/ANSI defined escape sequences that allow all characters, from multiple character sets, to be expressed in a seven-bit data stream, few programmers made use of these conventions. Since then, we've seen a great number of re-mapping algorithms, including MIME, a Unicode encoding used by Java, HTML, TeX, etc. By now, "the tyranny of small decisions" will probably require software workarounds for 7-bit limitations for many more years. Martin ------------------------------ Date: Tue, 30 Sep 1997 11:41:59 +0100 From: David Parkinson Subject: Data aggregation -- a Risk These days advertising is getting everywhere. One of the many places is on the receipts I get from the local supermarket. The other day, having filled up the car, the words "Win A Grand Move" caught my eye (This is car from Daihatsu). It turned out to be a free prize draw, all you do is fill in your name, address, telephone number, a few details about your current car, and then send the form off. A (minuscule) chance of a free car for the price of stamp - probably worth doing for the potential return. (I always live in hope that one day it'll be me who wins!). Turn over the entry form (a piece of paper 7" x 4") and you realise it's your credit card receipt for the petrol (gas) you've just bought. So, we have: On side 1: Credit card type (eg VISA) Expiry Date Full Credit Card number Your signature On side 2: Your Name and initials Your Address For one who is not normally paranoid about his Credit Card details it made me stop and think. David dparkins@alien.bt.co.uk ------------------------------ Date: 23 Sep 1997 14:16:51 EDT From: (Peter Capek) Subject: Re: AT&T 800... (Re: Perillo, RISKS-19.39) Robert Perillo suggests that > These tables should be tested off-line, and automatically checked ... I infer that what happened in the AT&T case, as well as perhaps in the similar recent case at Network Solutions involving the routing for .COM and .NET, was that some process created a file which was used to generate a new set of "live" tables, and that this file was in error, due to some upstream problem. I suggest that this is a case where a simple solution is best. In this kind of situation, almost always, the database changes very slowly -- a percent or two of new, deleted, or changed entries per update cycle, at most; in these two examples, probably far few than that. An inexpensive technique I have used very effectively in similar (albeit less visible) cases is to incorporate into the "installation" process for the file a step which randomly chooses a few entries from the old (presently "live") version of the file and makes sure that most -- say 98% -- of those entries appear in the new version of the file identically. Further, it should confirm that the size of the old and new files is the same, within a small margin. The offered new file must be rejected if either of these checks is not met. At that point a manual check can determine whether the rejection is valid or spurious, although even if the rejection seems to be spurious, I have found it to be better practice to re-run the check, perhaps with a small adjustment to the thresholds, than simply to bypass it. Checking that the sampled records are EXACTLY the same will also provide a degree of protection against any lack of robustness in the downstream processes. The precise design of the checking process will depend on the specific application, but the cost of this process and of retaining the most recent input file from one cycle to the next is a small price to pay to avoid such public faux pas. Peter Capek, IBM Research ------------------------------ Date: Sat, 27 Sep 97 10:20:43 +0200 From: Geert Jan van Oldenborgh Subject: Mad Bus Disease Nine people were injured, one of which seriously, when a Dutch long-distance bus suddenly accelerated from the bus terminal behind Eindhoven Central Station, and ran into the station restaurant. The builder acknowledged that these sudden accelerations were a known problem, he suspected that it had something to do with interference on the electronic accelerator pedal by the communications equipment, the 2-way radio, the mobile telephone and/or the little box which operates traffic lights. No technical shortcomings had been found in previous inspections, but the busses still career out of control every now and then... The worst-affected 22 out of 178 have now been taken out of service. [source: NRC Handelsblad, 25 and 26 sep 1997]. Two out-of-band comments: in case you wondered, a long-distance bus is defined locally as one that goes more than 50km. The linear dimensions of our country are about 200km... Secondly, with regards to the computer-operated storm-surge barrier I reported on earlier, a week later it transpired that the software was not yet ready in fact, and would become operational this autumn. Until then a human would decide when to close off Rotterdam harbour. Fairly typical I assume... GJ Geert Jan van Oldenborgh oldenbor@knmi.nl http://www.xs4all.nl/~gjvo ------------------------------ Date: Mon, 22 Sep 1997 20:57:15 -0700 From: "Daniel J. Theunissen" Subject: Re: FBI wants to ban the Bible ... (Millar, RISKS-19.37) Spread that net further, FBI. Any picture, even one posted on a public internet site, can be used to carry hidden messages. A fairly simple program could modify colors of individual pixels in a picture file so that the picture looks the same to the human eye, but conveys one or more messages. This creates a nice two part code without need for encryption. So, when the picture of the cat Mr. Big at Al's Kitty-Cat Page gets replaced on a specific date and changed back the next day, nobody notices ... except the three regular net-surfing operatives who receive three different messages. It's the ultimate drop-box, available world-wide. As an alternative scenario, Al e-mails Mr. Big's picture to three "friends" who have the original picture and the correct software to de-code it. I know of no such encoding product, but if it doesn't already exist, I would be surprised. Unfortunately, codes are insufficient for electronic trade. Encryption is not needed for covert, secure communications between individuals with simple technology available today. Codes work well enough to discount the anti-terrorism argument. So why the stonewalling on encryption? I suspect the heads of government agencies just fail to grasp the underlying technology completely. (Refer to: Eagle (the President) and the Eagle Beagle (Wagner, RISKS-19.39)). Which brings up the RISK of the software industry changing so fast, non-technical people (like managers and government executives) are left behind. - Daniel J. Theunissen [Yes, such tools do exist on the Net. And don't forget Peter Wayner's book on steganography, which I noted in RISKS-18.17: Peter Wayner, Disappearing Cryptography: Being and Nothingness on the Net, AP Professional (Academic Press), Chestnut Hill, Massachusetts, 1996. PGN] ------------------------------ Date: Mon, 22 Sep 1997 21:27:31 -0700 From: fenimore@roadrunner.com (Paul Fenimore) Subject: Re: FBI wants to ban the Bible ... (Gleeson, RISKS-19.38) >It could be argued that languages are elaborate "substitution codes". This is much more than just a theoretical argument, there is solid evidence! The use of language as a substitution cypher is well-known in the case of the World War II American Marine "Code Talkers." The "Code Talker" scheme primarily relied on the Japanese ignorance of indigenous American languages. Additionally, the cypher substituted non-sense phrases within the language, to prevent trivial decryption by captured Navajo soldiers. Soviet physicist Lev Landau did not need to decipher the "encrypted" (i.e. English) part of John Bardeen's superconductivity paper, because Bardeen was good enough to include the plain text of the message in the article (i.e., the mathematics). Does anyone know if the ancient "linear-B/C" scripts are still undecrypted? So far as I know, they are unread in modern times. Is this due to a lack of text, or to the intrinsic difficulty of decryption? It seems clear to me that natural languages are sufficiently flexible that there is no fundamental difference between a "language" and a "cypher". Paul Fenimore [Also noted by Dan Vogel , Bill Hensley , matthew.a.hertz" , and many others. PGN] ------------------------------ Date: Wed, 17 Sep 1997 16:26:48 -0500 (CDT) From: Vivek Sadananda Pai Subject: C's data types; was: Re: Y2K and C (Sapovits, RISKS-19.38) I used to work at a company that had developed several internal applications that required user-entered technical data. When I was hired, the applications wrote the binary contents of structures directly to disk - no version numbers, etc., etc. Every new field added to a structure required a new ad-hoc way of determining what was "version" was in use. I wanted to convert to anything with a little more structure (no pun intended), and would have liked structured text with identifiers - the input/output overhead was insignificant and applications could have shared data without too much hassle. This proposal was viewed as too drastic, but they did start adding version numbers and application identifiers to the beginning of data files. I even got them to accept the idea of writing out the size of a structure before writing the structure itself - it was a hack, but at least it provided a way of expanding structures (by adding new fields at the end). However, even that had its drawbacks - one of the group members would add fields to the end of structures that were nested _inside_ of other structures, with the outer structure being written to disk. It took him a while to understand how the hack worked and why his trick didn't. In the end, I gave up trying to impose order universally, and as a result, users would have to re-enter (or cut-and-paste) the same data into multiple applications. The risks? It seemed that C's allowing you to write structures to disk so easily invited abuse. Even a hack like the size field got abused into the ground because some folks didn't take the time to understand why it worked. Sometimes, it seems that making it harder to do these "dangerous" things might be a good idea... -Vivek P.S. Incidentally, the productivity measurements used only took into account that you were busy, not what you were really doing. So, fixing stupid errors arising from poor data storage formats counted as real work - there was effectively no incentive to do things right the first time, but that's another story... ------------------------------ Date: Wed, 17 Sep 1997 17:35:16 -0400 From: "Randy.Witlicki." Subject: Re: New --faster-- Macs broke old code > I see what's going on. It's a bug directly tied to processor performance; > there's never been a processor fast enough to cause this integer overflow > before. I think the most pervasive example of this assumption resulted in the "Turbo" button on the front panel of PC computers so that a user could still run MS-DOS games written with timing code based on CPU speed (the Turbo button slowed the CPU to 8 Mhz). A more recent and more subtle example is the patch to add a call to the UNIX sleep shell command in the install tests for the Tripwire security program. The granularity of the system clock allowed a file create and subsequent test to occur during the same clock tick on fast CPUs, causing the test to fail. ------------------------------ Date: 1 Apr 1997 (LAST-MODIFIED) From: RISKS-request@csl.sri.com Subject: Abridged info on RISKS (comp.risks) The RISKS Forum is a MODERATED digest. Its Usenet equivalent is comp.risks. => SUBSCRIPTIONS: PLEASE read RISKS as a newsgroup (comp.risks or equivalent) if possible and convenient for you. Or use Bitnet LISTSERV. Alternatively, (via majordomo) DIRECT REQUESTS to with one-line, SUBSCRIBE (or UNSUBSCRIBE) [with net address if different from FROM:] or INFO [for unabridged version of RISKS information] => The INFO file (submissions, default disclaimers, archive sites, .mil/.uk subscribers, copyright policy, PRIVACY digests, etc.) is also obtainable from http://www.CSL.sri.com/risksinfo.html ftp://www.CSL.sri.com/pub/risks.info The full info file will appear now and then in future issues. *** All contributors are assumed to have read the full info file for guidelines. *** => SUBMISSIONS: to risks@CSL.sri.com with meaningful SUBJECT: line. => ARCHIVES are available: ftp://ftp.sri.com/risks or ftp ftp.sri.comlogin anonymous[YourNetAddress]cd risks [volume-summary issues are in risks-*.00] [back volumes have their own subdirectories, e.g., "cd 18" for volume 18] or http://catless.ncl.ac.uk/Risks/VL.IS.html [i.e., VoLume, ISsue]. The ftp.sri.com site risks directory also contains the most recent PostScript copy of PGN's comprehensive historical summary of one liners: get illustrative.PS ------------------------------ End of RISKS-FORUM Digest 19.40 ************************