Subject: RISKS DIGEST 12.56
REPLY-TO: [email protected]

RISKS-LIST: RISKS-FORUM Digest  Friday 25 October 1991  Volume 12 : Issue 56

       FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS
  ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

 Contents:
More O'Hare-raising experiences
Swedish election results were delayed (Martin Minow)
Campaign against telco info services (Mark Seecof)
The computer is always right. (E. Kristiansen)
1-900 scam (Torsten Lif)
RISKS of Electronic Credit Card Authorization (Derek Atkins)
Australian Software Quality Management Standard (Douglas Thomson)
AT&T/ATC outage revisited (Alfred H. Scholldorf via PGN)
Re: Single Point of Failure in L-1011 Intercom (Brinton Cooper)
Re: Law requiring bug fixes (Geoffrey H. Cooper)
Re: Prodigy (Jamie Saker, Fred Gilham, Ronald Hale-Evans, Greg Brail)

The RISKS Forum is moderated.  Contributions should be relevant, sound, in
good taste, objective, coherent, concise, and nonrepetitious.  Diversity is
welcome.  CONTRIBUTIONS to [email protected], with relevant, substantive
"Subject:" line.  Others may be ignored!  Contributions will not be ACKed.
The load is too great.  REQUESTS please to [email protected].  For
vol i issue j, type "FTP CRVAX.SRI.COM<CR>login anonymous<CR>AnyNonNullPW<CR>
CD RISKS:<CR>GET RISKS-i.j<CR>" (where i=1 to 12, j always TWO digits).  Vol i
summaries in j=00; "dir risks-*.*<CR>" gives directory; "bye<CR>" logs out.
The COLON in "CD RISKS:" is essential.  "CRVAX.SRI.COM" = "128.18.10.1".
<CR>=CarriageReturn; FTPs may differ; UNIX prompts for username, password.
ALL CONTRIBUTIONS CONSIDERED AS PERSONAL COMMENTS; USUAL DISCLAIMERS APPLY.
Relevant contributions may appear in the RISKS section of regular issues
of ACM SIGSOFT's SOFTWARE ENGINEERING NOTES, unless you state otherwise.

----------------------------------------------------------------------

Date: Thu, 24 Oct 91 13:15:02 PDT
From: "Peter G. Neumann" <[email protected]>
Subject: More O'Hare-raising experiences

Radar equipment at O'Hare International Airport in Chicago has been
malfunctioning for months, losing track of planes, and giving images of ghost
planes in empty airspace.  FAA's Jim Dermody said radar images appear and
disappear for 15 to 20 seconds.  Controllers have also reported seeing double
images of airplanes.  [Summary of an AP item, greatly foreshortened in the San
Francisco Chronicle, 25Oct91]

  Dermody said the FAA suspects T-CAS may be emitting too many electronic
signals, causing the radars to malfunction, although the problems seem confined
to the Chicago area.

  In previous incidents, an American Airlines jet came within 50 feet of a
smaller plane Saturday in the Chicago area, the FAA reported. Three passenger
planes nearly collided near Chicago's Midway Airport on Oct. 3 in an incident
the FAA blamed on an error by air-traffic controllers. On Sept. 26, a Southwest
Airlines jet was forced to veer sharply as it approached Midway to avoid a
smaller plane.   [From the full AP report]

                            [The short version was also noted by
                            Rodney Hoffman <[email protected]>.]

------------------------------

Date: Wed, 23 Oct 91 20:35:48 PDT
From: Martin Minow <[email protected]>
Subject: Swedish election results were delayed

The following is a sidebar -- in its entirety -- from the Stockholm newspaper
Expressen, Monday, September 16: the day after the Swedish national election.
Expressen is an afternoon paper that would have gone to press sometime Monday
morning: it includes photos taken early Monday morning.
(My translation, with apologies for inaccuracies.)

               Miscalculation last night
 Riksskatteverket [RSV, the national tax authority] could not successfully
 count the parliamentary election because of computer error. At this
 edition's press-time, there is conflicting information about the exact
 parliament seat distribution.

 However, the difference is on the order of a few tenths of a percent
 and the balance [of seats between parties] will not be affected.

The rest of the page is taken up by a large table showing vote percentages
and seat distribution among the eight parties and 28 electoral districts.

A two-page article inside the paper has the title "Gigantic Foul-up by
Riksskatteverket."  Some quotes follow:

 All night, 120 people from RSV and the newspapers' telegram bureau
 [the Swedish equivalent to AP] worked to get out the Stockholm election
 results. The work was often chaotic, and early this morning it became
 clear that RSV couldn't determine all the results. Thus, the following
 tables are missing ... [local and province results by electoral district].

 The reason for the mess-up was that RSV used a new computer system for
 the first time this year. "The idea behind the new system is that we
 will be able to serve all mass-media by the network. So it will be
 easier for mass-media to process the data themselves," says election
 chief Lennart Berg.

 According to Bo Beergrehn, computer chief for the tax authority in
 Stockholm, priority was given to results in electoral districts that
 were meaningful for mandate allocation. Those results were delivered
 successfully.

 In the future, the new computer system will require fewer personnel and
 get the results out quicker.

Martin Minow            [email protected]

------------------------------

Date: Thu, 24 Oct 91 10:20:39 -0700
From: Mark Seecof <[email protected]>
Subject: campaign against telco info services

The American Newspaper Publisher's Association, Consumer Federation of America,
Dialog Information Services, Graphic Communications Int'l Union, National
Newspaper Association, and Weatherline, Inc. have published a full page ad in
the L.A. Times (and, I presume, in other pubs) inviting people to support a bill
called HR 3515 which would restrict the LOC's entry into the "information
services" arena.  The ad appeals to people's interest in their own privacy.  The
number to call to support HR 3515 is 800-54-PRIVACY and the ad (after drawing a
scary picture of what the telcos will do if unleashed) says "We need to stop
this potential invasion of privacy.  We need to keep the already thriving
information services industry competitive and independent of the Bell monopoly.
You can help by urging your U.S. Representative to support HR 3515.  And by
calling 1-800-54-PRIVACY.  Because if you remain silent now, everything you say
later can, and just might, be used against you."

Mark Seecof <[email protected]>
In this case, I think what I've reported really does represent the opinion
of my employers, at least in part.
                                     [Wow! A nondisclaimer!!!  PGN]

------------------------------

Date:         Thu, 24 Oct 91 11:32:46 CET
From: "E. Kristiansen - WMS" <[email protected]>
Subject:      The computer is always right.

"Flying Dutchman", KLM Royal Dutch Airline's magazine for frequent travellers,
October/November 1991, has an article on Eurocontrol, the pan-European
organization coordinating air traffic control of some European countries.  The
article is written by Hans Bouman. I quote without permission. Translation from
Dutch is mine.

After quite an interesting presentation of Eurocontrol, the author pays a visit
to the Maastricht ATC centre. This visit is reported mainly as a dialog
between the author and Operations Officer Willy Withofs. In a presentation of
"Conflict Alert Messages" and proposed recovery actions displayed on a VDU,
Withofs is quoted to say:

>   Now, we only have to follow the advice of the computer. Because it is
>   always right. The system is one hundred percent waterproof.

I sincerely hope this quote was invented/enhanced/embellished/distorted
(pick your choice) by the author, not a verbatim of what the Operations
Officer said!

Erling Kristiansen - ESTEC, Noordwijk, The Netherlands.

------------------------------

Date: Thu, 24 Oct 91 09:38:59 +0100
From: [email protected]
Subject: 1-900 scam

A brief note in a local newspaper the other day told the story of a
simple but effective scam to draw money out of public institutions.

A couple in southern Sweden set up a "singles hot-line" service using a
071x-number (our equiv. of the 1-900-numbers in the US where the Telco
and the called party split the charges paid by the caller). [note to
moderator: feel free to correct if I'm mistaken about the number]

Apparently, the income from this hot-line was not enough to satisfy
them so they decided to increase revenue in a simple but effective
fashion. They went all around town to libraries and other public
buildings, looking for phone extensions that were not too closely
guarded. They'd then pick up the receiver, call the hot-line number and
leave the phone with the receiver off-hook. One extension in a library
was reported as having been connected to the hot-line for over a week!
At a cost of over $0.50/minute, this came as quite a shock to the
people in charge of economy at the library when the bills arrived, some
months later.

The RISK of this is the old one of not letting a stranger use your phone but
with a new twist. Normally you'd be worried about him actually USING your phone
to call long-distance. In this case, it was enough for him to merely initiate a
call and then go away. How many employees in a large office will think twice
about a phone being off-hook? Most people will simply assume somebody else is
using it and has gone away temporarily. As long as the phone in question is not
on your own desk, you're not likely to replace the receiver.

Many modern phone systems offer their subscribers blocks against calls to
certain numbers or area codes, forcing users to either "unlock" the phone with
a certain code sequence or to order e.g. international calls through the
switchboard operator. This opens up a new can-o'worms in the matter of personal
integrity and your boss knowing who you call, but it prevents the kind of abuse
described here. However, it requires somebody to explicitly request this
locking service for an office/PABX/whatever. The default, as that library found
out the hard way, is to have all calls enabled.
                                                             +46 8 719 4881
Torsten Lif, Ericsson Telecom AB, EO/ETX/TX/ZD,  S-126 25  STOCKHOLM, SWEDEN

------------------------------

Date: Thu, 24 Oct 91 13:43:15 EDT
From: Derek Atkins <[email protected]>
Subject: RISKS of Electronic Credit Card Authorization

I was at a store buying something with a credit card the other day,
and when the clerk ran my card through, found that the printer was out
of paper.  (It was one of those machines where you run the card
through, it calls up the card agency for an Authorization, and then
prints the receipt on a thermal two-copy printer)...

Well, after he figured out that there wasn't a receipt, and found more
paper to fill the printer, he punched a few numbers and it printed out
a WHOLE NEW receipt!  (Receipts are the equivalent to the old carbon
receipts, except you don't need to physically imprint it with the card
-- the card information is printed on the receipt for you)....

He printed this receipt WITHOUT the use of the card!  Now, what's to stop him
from printing a second copy, etc...  It seems like a risk to let that
information be that easily obtained.
                                         -derek [email protected]

  [Nothing TECHNOLOGICAL stops him, although there are other considerations
  such as good business practice, hiring of honest employees, and fraud laws.
  This is a classical RESIDUE problem of an incomplete deallocation.  The
  notion of TRUSTED SYSTEMS in this notion usually means that the customer
  must blindly trust the system and the system people, not that the system is
  trustworthy.  PGN]

------------------------------

Date: Fri, 25 Oct 91 13:43:01 est
From: [email protected] (Douglas Thomson, ...!munnari!goanna!giaea!doug)
Subject: Australian Software Quality Management Standard

I thought the following might be of interest (our news feed is a bit
slow, so this may well be old news by now...). I am pleased to find
the state of the art is sufficiently mature to warrant such a
standard; I had formed a different impression from reading RISKS :-)

Excerpted from an advertising blurb (without permission):

> * Software Quality Management System
>
> AS 3563-91 is a major two-part Australian standard which establishes
> the key elements required to operate an effective quality management
> system during the development of computer software.
>
> * Indispensable wherever software is developed
>
> AS 3563 encourages a controlled approach to all stages of software
> development and can be used as the basis for a cost-effective in-house
> quality assurance program. It is also specifically designed to be
> called up as a contractual requirement in agreements for the
> development of software. By adopting the quality practices defined in
> AS 3563, both the developer and the customer can agree on a set of
> quality assurance procedures designed to ensure the finished
> software achieves its specifications.  [...]

> * International acceptance
>
> The prestigious US-based Institute of Electrical and Electronic
> Engineers (IEEE) is currently adopting this Australian-prepared
> document as the US standard for quality management in software
> development.  [...]
>
> * How to Order
>
> AS 3563 Part 1-91 (Requirements)         AU$18.50
> AS 3563 Part 2-91 (Implementation guide) AU$42.00
>                   [plus P&P - no idea of rates outside Australia] [...]
>
> Mail: Standards Australia, National Sales Centre, PO Box 1055,
> Strathfield, NSW 2135, AUSTRALIA           FAX:  +612 746 3333
> VISA, MASTERCARD, or cheque drawn on Australian bank

------------------------------

Date: Fri, 25 Oct 91 14:42:51 PDT
From: "Peter G. Neumann" <[email protected]>
Subject: AT&T/ATC outage revisited

Alfred H. Scholldorf, Manager of Info Services, Reuters Information Services,
Inc., sent me two clippings on the aftermath of the AT&T outage, from the
30Sep91 issue of Network World.  An article by Ellen Messmer is mostly familiar
stuff to RISKSers.  An editorial considers the increased awareness of
reliability problems that this outage has brought about, and "the need for the
federal government to step up efforts to guarantee the reliability of the
public network."  [No GUARANTEES are possible, of course.]  "Rep. Robert Wise
[D.-W.Va] was right when he said, ``The nation must have some assurance that
the FCC is providing the proper oversight to ensure that carriers fulfill their
responsibilities to provide reliable service to the public.'' ... The
government needs to act now, before a network crisis cripples the U.S."

As an aside, I am reflecting on the unintended irony of the word `oversight' in
such a context.  Government (FCC, Congress, etc.) is supposedly dedicated to
oversight [overseeing], but is often guilty of oversight [overlooking].
Something about being Over The Hill?  PGN

------------------------------

Date: Thu, 24 Oct 91 13:21:41 PDT
From: [email protected] (Geoffrey H. Cooper)
Subject: Re: Law requiring bug fixes (Mark Seecof, RISKS-12.54)

Certainly such laws are already on the books for hardware products.  My
understanding of this is that a vendor must be willing to repair (stock spare
parts, maintain expertise) a computer hardware product for up to 5 years after
the product ceases to be sold by the vendor.

This costs a vendor a lot, but it does provide a basic protection for the
consumer.  One technique used by vendors is to buy their way out of the
problem.  I can recall several dead end product situations, where a vendor
simply gave all users free upgrades to a better product, to avoid having to
maintain the old product anymore.  This technique is likely even more
applicable to software than hardware.

Regarding Brooks' problem of fixes causing new bugs, the vendor might not be
required to fix ALL the bugs for everyone.  After all, if you didn't report
other bugs, you might not care (e.g., color display problem but you have only a
B&W).  Or you might even like the product better with some of the bugs in it!

If a bug requires a simple patch, the patch itself might be sent out and
registered as a delta from the released sources (or, all too often, the
released binaries...).  By tracking many different deltas but not allowing the
original QA'd product to evolve, the few users who are "bitten" by a particular
bug may be satisfied. Clearly this doesn't get around Brooks' "two steps back"
problem, but it does prevent the problem from compounding over time.
                                                                          Geof

------------------------------

Date:     Fri, 25 Oct 91 17:45:43 EDT
From: Brinton Cooper <[email protected]>
Subject:  Re: Single Point of Failure in L-1011 Intercom (Seidel, RISKS-12.55)

Craig Seidel ([email protected]) writes that the intercom harness in the TWL
L-1011 is "wired like christmas tree lights where any failure in the chain
causes a complete failure and requires a check of each component."  He then
goes on to wonder if a redundant (parallel?) system wouldn't be better because
it would prevent total system disability if one component were to be broken in
an emergency.

On the other hand, it seems that this risk must be balanced against the risk of
the redundancy masking the loss of one part of the intercom (probably because
of imperfect status checking or poor system design/installation).

At least, in a total series configuration, you *know* that every part of the
system is working, and you know when even one goes down.

I suppose a quantitative "risk assessment" (oh, no, not *that* again) should
compare these (and other) alternatives.
                                                    _Brint

------------------------------

Date: Thu, 24 Oct 91 15:26:40 -0500
From: [email protected] (Jamie Saker)
Subject: Re: Risks of double standards (on PRODIGY)?

There was an excellent write-up in the Wall Street Journal (cover of second
section) yesterday about this situation - apparently some reports indicate that
while the Prodigy censor staff allowed anti-semitic comments past their review,
they were not allowing others who opposed such views to reply and were
censoring such messages.  According to the Prodigy representative cited in the
article, they were censoring them since they were argumentative in nature.

I certainly would look for this to become an excellent test case in terms of
liability issues. Since Prodigy did act as a guarantor of the information
presented in their forums (remember their claim that they were following the
"newspaper" analogy instead of the "telephone" analogy?), they quite possibly
accepted liability for any information that is slanderous, defamatory, etc. Now
all it takes is for some "harmed" party (possibly the ADL???) to take Prodigy
to court.

Jamie Saker, The Penny Network Foundation, P.O. Box 138, Blair, NE 68008-0138

------------------------------

Date: Thu, 24 Oct 91 13:43:59 PDT
From: quail!fred (Fred Gilham)
Subject: Prodigy (RISKS-12.55)

Someone has posted a message explaining the situation; apparently Prodigy will
not post attacks on individual subscribers.  Thus a subscriber can say, ``Jews
deserved Hitler's treatment,'' and that's OK because Prodigy doesn't censor
ideas, but if someone says, ``That was an anti-semitic sentiment,'' that's not
OK because it is an attack on a subscriber.

------------------------------

Date: Thu, 24 Oct 1991 15:08 EDT
From: Ronald Hale-Evans <[email protected]>
Subject: An inside look at Prodigy's `double standard' (Spector, RISKS-12.55)

My wife is a Prodigy editor (probably known to you as a "censor"), and she
gives me the following information. The incident in question happened about a
year ago. First, the bulletin in question was not posted; it was private email.
The receiver of the bulletin tried to post the email in full some fifteen times
in order to open discussion and it was rejected as inappropriate by the editors
every time.  I suggest you read more recent news releases.

>Some of the messages _advocate_ "another holocaust", etc, etc...

My wife says messages advocating "another holocaust" are not posted. Perhaps
you are again confusing email and bulletin board messages.

>The ADL (Anti-Defamation League) has protested to the PRODIGY management who
>responded that they "oppose anti-semitism", but they "encourage the free
>expression of ideas".

This is in keeping with Prodigy practice; controversial ideas may be posted to
the boards, but not personal insults. My wife tells me that what happened in
this case was that some Holocaust Revisionists (people who believe the
Holocaust never happened) were posting to the bulletin boards. Many people were
angered and tried to reply, but their responses were usually rejected because
they called the Holocaust Revisionists "Nazi *ssh*l*s" and so on (I don't know
the exact language, but the Prodigy editors understood it to be personally
insulting).

>Is this the same PRODIGY that makes decisions about what
>acceptable "free expression" is when it comes to use of electronic mail, and
>what are "acceptable" topics in their Health forums?  Hmmm.. seems like a pretty
>scary double standard to me....

Prodigy editors do not and cannot read private email between members. If a
member complains that another member is harassing them through email,  Prodigy
will often warn the harasser and sometimes remove them from the service. By
the way, Prodigy no longer has a Health forum.

As for the "double standard", the editors find it both disturbing and amusing
that they are usually criticised for censorship, and now they are criticised
for lack of it. If Prodigy had caved to the demands of the ADL in the first
place, none of this would have happened, and the ACLU would not have to step
forward and speak for Prodigy, as they now are doing.

Ron Hale-Evans, Brandeis University, [email protected]

------------------------------

Date: Thu, 24 Oct 91 23:04:08 EDT
From: [email protected] (Greg Brail)
Subject: Anti-semitism controversy on Prodigy

The Wednesday, 10/23 issue of New York Newsday features on the front cover
a large color photo of a Macintosh II with the headline "High-Tech Hate:
Computer Network Used for Anti-Semitic Venom." The article reads that Prodigy
was taken to task by the Anti-Defamation League for allegedly allowing anti-
Semitic messages to appear. The second two paragraphs of the article, which
appear as if they might have been pasted in at the last minute, say Prodigy
reviewed its records and found the messages were sent in private e-mail.
Geoffrey Moore, a company spokesman, told the Associated Press that Prodigy
was "100 percent sure" the messages were not in a public bulletin board. The
ADL, however, said some anti-semitic messages could be seen by the public.

Rich Klein, an ADL spokesman, told Newsday he was concerned about Prodigy's
guidelines, which call for censorship of other types of messages, but not
anti-Semitic ones.

Newsday quotes from some of the messages in question, and even blows four of
them up in the left-hand two columns of page five. "The holocaust itself is
really an edifice, a monument so to speak, to the naive gullibility of the
world," reads one. The ADL said this particular message appeared in a
public forum.

The article goes on to quote Gerard Van der Leun of the Electronic Frontier
Foundation, plus others, in a discussion of free speech on computer networks.
It does not mention the call for "another holocaust" that another poster
mentioned.

The quotes I read don't sound too much different from the calls
for people to "prove the holocaust really happened" and other such talk that
goes on regularly in Usenet groups like alt.conspiracy and soc.history. It
appears there is some confusion over whether these messages appeared in public
bboards, in private e-mail, or somewhere else. (I am not a Prodigy user.) If
they were in private e-mail, then how did this become a controversy, and why
do other Prodigy users and/or administrators read e-mail?

The local New York TV news was sure to mention this incident, basically taking
the tone that computer people were out to spread hate electronically. It seems
there is some risk in this sort of thing. I don't see a risk of a Fourth Reich
forming on Prodigy, but of society placing restrictions and expectations
on electronic speech that it claims not to place on other forms of expression.

Greg Brail, Citibank      [email protected]        uunet!ibism!gjb

------------------------------

End of RISKS-FORUM Digest 12.56
************************