Subject: RISKS DIGEST 9.78
REPLY-TO: risks@csl.sri.com

RISKS-LIST: RISKS-FORUM Digest  Thursday 5 April 1990  Volume 9 : Issue 78

FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS
ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Contents:
  RAF Tornado collision (Dorothy R. Graham via PGN)
  New Georgia Automobile Tags (Warren Tucker)
  British tax tales (Bob Gray via Mark Brader)
  Oslo Day in Norway? No way! (Paul Dorey)
  Computer backorder on cover letters (Yuri Rubinsky)
  London Underground driver's action (Martyn Ould)
  Hi-Tech Loo (Wayne W. Lui via Brian Randell)
  Proposed UK Authority for Risk Management (Brian Randell) [See Box for cases]
  More on Prodigy's Updating of a User's Disks (Eric Roskos, Paul Eggert)
  April Fools Day on the net (D. Waitzman via Martin Minow)
  Automated Fast Food (Dave Curry)
  UNIX Trix (Paul Eggert)
  Re: PSU Hackers thwarted (Pete Mellor)
  Three Australians indicted for computer tampering (PGN)

The RISKS Forum is moderated. Contributions should be relevant, sound, in good taste, objective, coherent, concise, and nonrepetitious. Diversity is welcome.
CONTRIBUTIONS to RISKS@CSL.SRI.COM, with relevant, substantive "Subject:" line (otherwise they may be ignored).
REQUESTS to RISKS-Request@CSL.SRI.COM.
TO FTP VOL i ISSUE j:
   ftp CRVAX.sri.com
   login anonymous
   AnyNonNullPW
   cd sys$user2:[risks]
   get risks-i.j
Vol summaries now in risks-i.0 (j=0)

----------------------------------------------------------------------

Date: Thu, 5 Apr 1990 9:40:14 PDT
From: "Peter G. Neumann"
Subject: RAF Tornado collision (sent by Dorothy R. Graham)

In August 1988 two RAF Tornado fighters collided over the village of Millburn in Cumbria, UK, killing the four crewmen. Originating from different airfields, each plane was using the SAME preprogrammed cassette to control its on-board computer in low-altitude flight, which resulted in their both coming together at the same height at the same location at the same time.
The MoD report identified an "extraordinary" series of coincidences, and put the blame on insufficient coordination among different RAF bases. New rules have been established.

Source: The (London) Sunday Times, 11 March 1990, excerpting a Ministry of Defence report. Thanks to Dorothy R. Graham for clipping it.

------------------------------

Date: Thu, 29 Mar 90 00:01:31 EST
From: wht@n4hgf.gatech.edu (Warren Tucker)
Subject: New Georgia Automobile Tags

I heard on a local radio station this afternoon that many Georgia Citizens are being erroneously arrested out of state for possession of stolen vehicles. It seems that numbers in the new series license tags (issued since January) sometimes :-) match numbers from the previous series. Unfortunately for many people, some match numbers belonging to vehicles stolen as long ago as 1983.

One elderly gentleman was arrested for riding his own motorcycle. A couple spent the night in an Indiana jail for driving their own car.

The state motor vehicle people say they'll get NCIC information updated by September.

Adds new meaning to the slogan "Stay and See Georgia," doesn't it?

Warren Tucker, TuckerWare

   [Ray Houghton of Augusta GA sent me a clipping from the Augusta Chronicle, 27 March 1990. PGN]

------------------------------

Date: Fri, 30 Mar 90 05:17:01 EST
From: Mark Brader
Subject: British tax tales

The following items were forwarded to Usenet's soc.culture.britsh by Bob Gray (bob@castle.ed.ac.uk), having originally appeared on Oracle. For those who don't know, the term "poll tax" is used in Britain for a new, flat "per head" tax, replacing what we call property taxes; it has nothing to do with voting. [reformatted]

Student Andrew Mursell, 19, of Ryde, Isle of Wight, expected to pay 70 pounds in poll tax but has just received a bill for nearly 4,000,000 pounds. Medina Council said it was a computing error.

A man waiting for a bus at Maidstone, Kent, was stunned when a postman tried to force him to take a poll tax demand.
The letter was addressed to The Occupier, Bus Stop, High Street. "The postman said he tried to give it to the man at the front of the bus queue, but he refused to take it, and I can't blame him," said a council official. "It was all down to a computer error."

   [The second case was also noted by Dave Horsfall in Australia! Small world. PGN]

------------------------------

Date: Tue Mar 27 21:45:28 1990
From: pgd@cix.UUCP (Paul Dorey)
Subject: Oslo Day in Norway? No way!

The 'Daily Telegraph' of Tuesday March 27th reports a Reuter news agency story:

  " A Norwegian Bank was embarrassed yesterday after a cashpoint computer apparently applied its own form of 'fuzzy logic' and handed out thousands of pounds no one had asked for. A long queue formed at the Oslo cashpoint after news spread that customers were receiving 10 times what they requested. "

Paul Dorey (pgd@cix.cix.ukc)

------------------------------

Date: Sat, 24 Mar 90 15:35:18 EST
From: Yuri Rubinsky
Subject: Computer backorder on cover letters

After I stopped by this company's booth at the recent CD-ROM conference, the following letter arrived here from a major CPU manufacturer...

   Dear Mr. Rubinsky:

   Thank you for your [company name] literature order. We are very sorry, but the following items that you have requested are currently on backorder:

                                                  EXPECTED
   PRODUCT CODE    DESCRIPTION                    ARRIVAL DATE
   ------------    -----------                    ------------
   T217            DEAR CUSTOMER COVER LETTER     FOUR WEEKS

   Your order will be filled at the earliest possible date. In the meantime, your patience in regard to this matter is greatly appreciated.

   Please feel free to call our Literature Distribution Center at [800-number]. Our operators will be happy to help you place an order for any additional literature, or refer you to your nearest [company name] sales office to help you with any technical questions regarding our products. If you call to check the status of your order, please reference your order #[number].
   Again, thank you for your order, and we hope to be of service to you in the future.

   Sincerely,
   [empty space here]
   [company name] Literature Distribution Center

Curiously, one week earlier I received the literature I had requested -- without a cover letter.

Submitted to comp.risks and rec.humor.funny by Yuri Rubinsky, SoftQuad Inc., 720 Spadina Ave., Toronto, Ontario, Canada M5S 2T9

------------------------------

Date: Mon, 26 Mar 90 12:05:45 BST
From: Martyn Ould
Subject: London Underground driver's action (RISKS-9.76)

I heard an interview with the driver of the train shortly after he had averted the accident. As I remember it, he said that he had seen the train approaching him at speed from behind and had taken the action he was trained to take, namely to short circuit a particular circuit. It sounded, the way he put it, as though it was an instinctive action and his presence of mind was in the response to his training. I hope he got a bonus.

Another interesting feature of the accident which I didn't get to the bottom of was that one of the passengers, also interviewed afterwards, seemed to suggest that passengers in the last carriage (ie the one about to be crushed) scrambled through the connecting door into the preceding carriage, in response to hearing the driver shouting at the signalling staff over his comms - presumably he had switched on the PA so that passengers could be warned at the same time. I hope he got two bonuses!

Martyn Ould, Praxis plc, 20 Manvers Street, BATH BA1 1PX, UK

------------------------------

Date: Thu, 29 Mar 90 13:52:59 BST
From: Brian Randell
Subject: Hi-Tech Loo

I just saw this on soc.culture.japan, and couldn't resist reposting it to RISKS just to see what sort of reactions it would arouse.
Brian Randell

>From: lui@cbnewsm.ATT.COM (wayne.w.lui)
>Newsgroups: soc.culture.japan
>Subject: A loo full of technology
>Date: 28 Mar 90 04:01:24 GMT

   [edited by PGN]

Japanese technology is plumbing new depths -- it's created the intelligent toilet. Last October, Toto Ltd., Omron Corp. and Nippon Telegraph and Telephone Corp. (NTT) jointly developed the ultimate in information technology: the fancy flusher. Makers say a trip to this toilet may save you a trip to the doctor.

The intelligent diagnostic system packs the latest state-of-the-art goodies. The toilet bowl has a sensor to perform urine analyses and then zaps the data onto a display screen that shows the concentration levels of sugar, protein, urobilinogen, and blood in the urine for the occupant's viewing.

Users can chart their blood pressure by sticking their left index finger into a sensor-sensitive unit on the toilet. The information then can be viewed on the second screen of the diagnostic system.

What goes in also comes out. The diagnostic system has a printer and an integrated circuit (IC) memory disk card drive that can store up to 130 examinations. The IC card can also be inserted into a compatible computer system for simple record updates. [...]

NTT officials see the diagnostic system eventually having on-line communications capabilities enabling users to send information directly to hospitals or clinics.

Source: Kyodo News. Date: 24 March 1990

   [This opens up all sorts of privacy issues! There is also a potential problem with a user being identified and trapped for capture. PGN]

------------------------------

Date: Mon, 19 Mar 90 21:59:35 BST
From: Brian Randell
Subject: Proposed UK Authority for Risk Management

MODERN HAZARDS DEMAND A `SAFETY CULTURE'

At a time of increasing concern over both public safety and `green issues', an Authority for Risk Management would have a vital role as Britain's main source for scientific assessment of risks.
As an independent umbrella organisation, taking in such agencies as the Food Safety Directorate and the Chief Medical and Veterinary Officers, Richard North argues it would help to ensure more public confidence in official information.

The British democracy is the most mature in the world. Perhaps, accordingly, it has problems responding to a new desire in its citizens to be better informed. An older generation accepts that the Government knows best, but this comfortable assumption has been eroded fast.

Last week, a local government report described Britain's proneness to disaster as being more appropriate to a third world country. There has been an embarrassing plethora of major disasters - Piper Alpha, the Bradford football fire, the King's Cross tube fire, the Zeebrugge ferry sinking and several others - which suggest a failure to develop a proper safety culture.

There has also been a worrying series of insidious problems. In 1988, South West Water allowed poison into the drinking water at Camelford; bovine spongiform encephalopathy, "mad cow disease", has invaded domestic herds; eggs and poultry have been found to be pathogenic. Groups have sprung up to complain about pesticide residues in food and veterinary product residues in farm animals.

The Authority for Risk Management, ARM, would be the formal means by which such risks - and those of nuclear power, public transport, environmental pollution, food poisoning, even global warming - are scientifically assessed, brought to public attention, rationally explained, and responses to them costed.

One of its jobs would be to develop a way of talking about the tolerability of risks; almost all of us take huge risks every day with hardly a second thought, yet get very nervous about much smaller - but involuntary - hazards.

ARM would be a creature of Parliament, and report to it. Its advice would be given in public, and ministers would have to respond in public.
ARM would not be directly democratic, but would be required to hold open meetings, in the way the BBC has done in recent years. Indeed, it could develop a "roadshow" approach, taking key issues to the public, and inviting comment.

ARM's rigorously independent scientists will not be allowed to become purists. Their advice would have to be accompanied with the cost implications of new policy. The minister, public and Parliament need to know how much they are going to spend to live in a safer environment, and decide if they want to pay the price.

....

ARM would develop a culture of its own - both strictly regulatory and alert to costs. It would look a little like the Office of Technology Assessment in the USA. But OTA advises Congress, and only on specific matters drawn to its attention by elected representatives. ARM would have a stronger statutory, and innovatory, role. The creation of ARM could make Britain a world leader in the "greening" of government.

BOX: Catalogue of UK disaster and disease

The following is a list of recent key events which have encouraged discussion on whether Britain is adequately able to manage risk, whether in terms of disaster or disease.

1984 - May: 16 die in Abbeystead pumping station in Lancashire.
       November: Hundreds flee as fire breaks out in Oxford Circus Tube.
1985 - May: Legionnaire's disease in Staffordshire kills 30 in a month.
       May: Bradford City football stadium fire; 56 killed.
1986 - November: BSE identified for first time (confirming first outbreak was in 1985).
       November: North Sea helicopter crash; 45 dead.
1987 - March: Herald of Free Enterprise capsizes; 193 dead.
       October: Gale force winds lash Britain after low-key warning.
       November: King's Cross Fire; 31 dead.
1988 - April: Independent committee set up to investigate BSE.
       July: Piper Alpha explosion; 167 dead.
       August: Department of Health issues press release suggesting avoidance of raw eggs.
       October: In the year so far, 46 egg-associated outbreaks of food poisoning involving 1,000 people.
       December: Clapham rail disaster; 35 dead.
       December: Lockerbie air disaster; 270 dead.
       December: 26 people are reported to have died in salmonella-linked deaths in the year so far.
       December: Edwina Currie says most egg production is infected with salmonella.
       December: Government announces increased controls on egg producers.
1989 - January: M1 Boeing 737 air crash; 47 dead.
       February: Department of Health announces that 61 people died of listeriosis in previous year.
       April: Hillsborough stadium crush: 95 dead.
       July: 2 die, 80 ill in salmonella outbreak.
       August: Marchioness river boat sinks; 51 dead.
       December: Royal Oldham Hospital salmonella outbreak; 3 dead.
1990 - January: 29,998 cases of salmonella in humans in past year, up from 27,478 in the previous year.

Brian Randell, Computing Laboratory, University of Newcastle upon Tyne, UK
EMAIL = Brian.Randell@newcastle.ac.uk  PHONE = +44 91 222 7923  FAX = +44 91 222 8232

------------------------------

Date: Mon, 26 Mar 90 09:50:20
From: Eric Roskos
Subject: More on Prodigy's Updating of a User's Disks

In a recent RISKS posting, I responded to Donald B. Weschler's statement that Prodigy could update arbitrary files on the user's hard disk by saying that it appeared that Prodigy only does cache management of data in a single file, STAGE.DAT, via this method.

In response to my comment I received mail from Simson Garfinkel, who wrote the recent Christian Science Monitor article on Prodigy. He said that Prodigy's manager of software services had told him that they could indeed update other files, including .EXE files, thus avoiding the need to send out update disks.

Seeking an explanation, I asked what could be updated by this method on Prodigy's technical service bulletin board about a week ago, and also wrote to one of their technical support people asking for clarification.
In response to this, Prodigy, who has always previously answered my technical questions immediately, simply ignored the question altogether. It has now been deleted from the bulletin board by Prodigy's automatic article-expiration software. Harold Goldes, the Prodigy representative who I asked about the updating, likewise did not reply.

There were several messages by users who read my posting; they all said the same thing -- that Prodigy could update .EXE files. One person said that he had expressed concern about the problem, but that Prodigy had replied "trust us, no one has the access needed to cause an unauthorized update." None of the posters said where they obtained their information, but all postings are screened by Prodigy's staff before appearing on the board, and Prodigy did nothing to correct these statements. Thus, I tend to believe them, since they support the statement made by the Prodigy manager.

Needless to say, this is not encouraging. I re-checked my files in the Prodigy directory this evening, and found that no file but STAGE.DAT has been updated since I installed the software nearly a year ago. I examined the contents of STAGE.DAT with a disassembler, and it does not seem to be 8086 code. It has always been my belief that STAGE.DAT contains code interpreted by the main Prodigy program, since Prodigy also runs on the Macintosh and since STAGE.DAT seems from Prodigy's previous descriptions to contain definitions of graphics screens and windows displayed while the system is operating. If it is indeed an interpreted environment, it would be relatively easy for Prodigy to prevent unauthorized updates of anything but STAGE.DAT.

If, however, the claims are correct, the Prodigy updating mechanism would seem to be a considerable risk to Prodigy and its users, as in the case of a disgruntled employee who arranged for an "update" to occur after leaving the company, or of someone who discovered a way to circumvent Prodigy's access controls.
Prodigy acknowledges the possibility of such unauthorized access by outsiders in its membership agreement: "Unauthorized access to the PRODIGY service or to restricted portions of the service is a breach of this agreement and a violation of law."

This same agreement also tries (in capital letters) to limit Prodigy's liability: "ANY LIABILITY OF PRODIGY, INCLUDING WITHOUT LIMITATION ANY LIABILITY FOR DAMAGES CAUSED OR ALLEGEDLY CAUSED BY ANY FAILURE OF PERFORMANCE, ... DELETION, ... THEFT OR DESTRUCTION OR UNAUTHORIZED ACCESS TO, ALTERATION OF, OR USE OF RECORDS ... [including] TORTIOUS BEHAVIOR ... SHALL BE STRICTLY LIMITED TO THE AMOUNT PAID BY OR ON BEHALF OF THE MEMBER TO PRODIGY FOR THE PRODIGY SERVICE IN THE PRECEDING 12 MONTHS."

At current service fees, this would be a maximum of $120 liability on the part of Prodigy for damage to a user's data.

------------------------------

Date: Wed, 28 Mar 90 13:48:37 PST
From: eggert@twinsun.com (Paul Eggert)
Subject: Risk-free PRODIGY

Here's what the PRODIGY folks say about risks in using their service. In junk mail I just got from them, the front teaser says:

   A second chance to try the most exciting new personal computer service ever. But you have just 7 days left to take advantage of this _risk-free_ offer.

Inside, there's more:

   Now you can use your computer in ways you never did (or could) before. But hurry, this RISK-FREE Offer expires in 7 days. [...]

   And now you can try the PRODIGY service...RISK-FREE. There's absolutely no obligation. [...]

   Risk-Free OFFER TERMS: If you are not completely satisfied with the PRODIGY service during your first month, simply mark your first bill ``cancel'' when it comes, return it, and owe nothing. [...]

------------------------------

Date: Mon, 2 Apr 90 06:58:26 PDT
From: "Martin Minow, ML3-5/U26 02-Apr-1990 0957"
Subject: April Fools Day on the net

[an explanation for Risks redistribution problems?] (I removed some page separators).

Network Working Group                                        D. Waitzman
Request for Comments: 1149                                       BBN STC
                                                            1 April 1990

   A Standard for the Transmission of IP Datagrams on Avian Carriers

Status of this Memo

   This memo describes an experimental method for the encapsulation of IP datagrams in avian carriers. This specification is primarily useful in Metropolitan Area Networks. This is an experimental, not recommended standard. Distribution of this memo is unlimited.

Overview and Rational

   Avian carriers can provide high delay, low throughput, and low altitude service. The connection topology is limited to a single point-to-point path for each carrier, used with standard carriers, but many carriers can be used without significant interference with each other, outside of early spring. This is because of the 3D ether space available to the carriers, in contrast to the 1D ether used by IEEE802.3. The carriers have an intrinsic collision avoidance system, which increases availability. Unlike some network technologies, such as packet radio, communication is not limited to line-of-sight distance. Connection oriented service is available in some cities, usually based upon a central hub topology.

Frame Format

   The IP datagram is printed, on a small scroll of paper, in hexadecimal, with each octet separated by whitestuff and blackstuff. The scroll of paper is wrapped around one leg of the avian carrier. A band of duct tape is used to secure the datagram's edges. The bandwidth is limited to the leg length. The MTU is variable, and paradoxically, generally increases with increased carrier age. A typical MTU is 256 milligrams. Some datagram padding may be needed.

   Upon receipt, the duct tape is removed and the paper copy of the datagram is optically scanned into a electronically transmittable form.

Discussion

   Multiple types of service can be provided with a prioritized pecking order. An additional property is built-in worm detection and eradication. Because IP only guarantees best effort delivery, loss of a carrier can be tolerated.
   With time, the carriers are self-regenerating. While broadcasting is not specified, storms can cause data loss. There is persistent delivery retry, until the carrier drops. Audit trails are automatically generated, and can often be found on logs and cable trays.

Security Considerations

   Security is not generally a problem in normal operation, but special measures must be taken (such as data encryption) when avian carriers are used in a tactical environment.

Author's Address

   David Waitzman, BBN Systems and Technologies Corporation, BBN Labs Division, 10 Moulton Street, Cambridge, MA 02238
   Phone: (617) 873-4323
   EMail: dwaitzman@BBN.COM

------------------------------

Date: Mon, 02 Apr 90 13:41:01 PDT
From: davy@itstd.sri.com
Subject: Automated Fast Food

Went to the local Arby's today... They don't have cash registers anymore. Instead, they've got touch-screens in the counter, and the customer is expected to navigate through a series of menus, touching the items he wants. Some notes:

- The screens are IBM PS/2 color monitors, with a "micro-touch" label stuck on them

- The menus are reasonably well designed, with large squares to push, etc. Unfortunately, the screens are positioned such that the glare makes them hard to read. I expect people with bad eyesight, or who forgot their glasses, would also have problems.

- There is a "delete" option for when you screw up, or have fat fingers

- The manager thought the system was the best thing since sliced bread and pop-top beer cans. I unfortunately was there during the lunch hour, so didn't have time to engage him in conversation to find out just why he liked it so much, even in face of the obvious problems the system has.

- There is *no* way to do a special order from the customer screen. When I complained about this to the manager (who was standing there making noises about how great this system was), he said "yes you can, we do it from back here". When I asked him what the point of me doing my own order was if he had to come over and adjust it for the special-ness, he just didn't seem to see the problem. Sigh.

- After you enter your stuff and press "finished order", then the person behind the counter comes up and takes your money, just like before, and they get your order for you. The whole time we were ordering, these folks were just standing around watching us. So I'm not sure how these devices are supposed to save any money/time/whatever.

- It took me about three times as long to place my order and get my food as it did before, when I'd just say "super, no sauce, fries, large coke". And I had to fill my own soft drink, too.

Another example of adding technology "because it is there", and taking a giant step backwards as a result.

Dave Curry, SRI International

------------------------------

Date: Wed, 21 Mar 90 18:23:30 PST
From: Pete Mellor
Subject: Re: PSU Hackers thwarted (Angela Marie Thomas, RISKS-9.74)

David C. Lawrence (RISKS-9.75) questions the validity of assigning amounts of cash to computer time and other services allegedly 'stolen' by hackers.

Obviously, the sums quoted depend on what the services *could have* been sold for *if* the owner of the system had been running a bureau service. Where the service is charged for only in "funny money" for departmental accounting purposes, such figures should be regarded with suspicion.

Some years ago, I was working in a department which owned an ICL 1904S running the GEORGE 3 operating system. This had an automatic accounting system which calculated charges via a complex algorithm whose parameters were defined by the system manager (so much per Kbyte of filestore space, so much per mill second, etc.), and printed cash invoices to users every month.

Our system manager, a man not known for wasting resources, had been very successfully augmenting the departmental budget by cross-charging for bureau services provided to other departments.
One Friday afternoon, after the department had celebrated someone's imminent departure in the traditional way at the pub, he noticed that the system was clogged up by several very large core images whose size and mill consumption could only indicate mass playing of Star-Trek.

He therefore ran the accounting package, traced the individuals by their account names, and duly presented them with personal bills of several hundreds of pounds each for 'computing services'.

Nobody paid up, but a few programmers got a nasty shock!

Peter Mellor, Centre for Software Reliability, City University, Northampton Square, London EC1V 0HB

------------------------------

Date: Mon, 2 Apr 90 13:09:51 PDT
From: eggert@twinsun.com (Paul Eggert)
Subject: UNIX Trix

The following note is taken in its entirety from page 1 of CommUNIXque 1:1 (Second Quarter 1990), a quarterly newsletter put out by ASCAR Business Systems, Glendale, CA.

   UNIX Trix

   For those of you in the reseller business, here is a helpful tip that will save your support staff a few hours of precious time. Before you send your next machine out to an untrained client, change the permissions on /etc/passwd to 666 and make sure there is a copy somewhere on the disk. Now when they forget the root password, you can easily login as an ordinary user and correct the damage. Having a bootable tape (for larger machines) is not a bad idea either. If you need some help, give us a call.

I wonder how many UNIX machines have their security turned off this way?

------------------------------

Date: 4 Apr 90 08:37:00
From: Peter G. Neumann
Subject: Three Australians indicted for computer tampering

John Markoff's article in the 4 April 1990 NY Times notes the indictment and arrest of three Australians for breaking into and tampering with computers in the U.S. and Australia, after a two-year investigation.
Computers included Citicorp as well as many on the Internet -- at Los Alamos National Laboratory, Harvard University, Digital Equipment Corp., Lawrence Livermore National Laboratories, Boston University, New York University, the University of Texas and Bellcore.

The three were identified as Nanshon Even-Chaim, 18; Richard Jones, 20, and David John Woodcock, 21. Jones and Even-Chaim are students and Woodcock is a computer programmer. (Handles are Phoenix, Electron and Nom.) "Dave" had previously called the NY Times.

------------------------------

End of RISKS-FORUM Digest 9.78
************************
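
A check for the condition raised in the "UNIX Trix" item of this issue, where a reseller ships machines with /etc/passwd at mode 666. This is an added example, not part of the digest or of the quoted newsletter; the function names are assumptions, and it flags any file passed to it that group or other can write.

```shell
#!/bin/sh
# Added example: flag account files that have been opened up the way the
# quoted tip describes (mode 666 on /etc/passwd). Function names are
# hypothetical; nothing here comes from the digest itself.

# writable_by FILE
# Prints "group", "other" or "group,other" for the classes that hold write
# permission on FILE, or nothing if neither does. Returns 2 if FILE is absent.
# Only POSIX find(1) primaries are used; -H makes a symlinked FILE report the
# mode of its target rather than the mode of the link.
writable_by() {
    wb_file=$1
    [ -e "$wb_file" ] || return 2
    wb_out=""
    if [ -n "$(find -H "$wb_file" -prune -perm -020 -print 2>/dev/null)" ]; then
        wb_out="group"
    fi
    if [ -n "$(find -H "$wb_file" -prune -perm -002 -print 2>/dev/null)" ]; then
        wb_out="${wb_out:+$wb_out,}other"
    fi
    printf '%s' "$wb_out"
}

# audit_account_files FILE...
# Prints one OK/FAIL/SKIP line per file and returns 1 if any file that exists
# is writable by group or other, 0 otherwise. Missing files are reported but
# do not count as findings.
audit_account_files() {
    aa_status=0
    for aa_file in "$@"; do
        if aa_who=$(writable_by "$aa_file"); then
            if [ -n "$aa_who" ]; then
                echo "FAIL  $aa_file is writable by: $aa_who"
                aa_status=1
            else
                echo "OK    $aa_file"
            fi
        else
            echo "SKIP  $aa_file (not present)"
        fi
    done
    return "$aa_status"
}

# Run as a script with the files to check as arguments, for example:
#   sh audit.sh /etc/passwd /etc/group /etc/shadow
if [ "$#" -gt 0 ]; then
    audit_account_files "$@"
fi
```

The newsletter tip also leaves a copy of the password file "somewhere on the disk", so the same function is worth pointing at any stray copies found during a system review.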