Subject: RISKS DIGEST 17.17
REPLY-TO: [email protected]

RISKS-LIST: Risks-Forum Digest  Weds 7 June 1995  Volume 17 : Issue 17

  FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
  ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

<<<<< The annual RISKS Summer Slowdown has begun. >>>>>
***** See last item for further information, disclaimers, etc.       *****

 Contents: [Also working on big backlog]
Placing the blame, Part N+1: New York City subway crash (PGN)
Former IRS employee indicted (PGN)
The Internet is a Dangerous Place (Mycal Johnson)
Telecom records non-privacy at Ameritech (Lauren Weinstein)
*California Lawyer*, June 1995 (Martin Minow)
Copyright infringed via WWW? (Gregor Ronald)
User-friendly E-mail systems ()
Re: Ariane-5 test aborted (Erling Kristiansen)
Re: Drug Addicted Geniuses Built Cyberspace (Carlton Hogan)
Re: New Yorker Article on The 59-Story Crisis (Bob Frankston)
Compuserve addresses and a sparse name-space (Erik Corry)
Europe - Central Air Traffic Control (Mike James)
Re: The standard notion of a `field' (Peter Ladkin, Rob Horn)
Telematic Sculpture 4 (T.S.4)
Privacy Digests (PGN)
Info on RISKS (comp.risks), contributions, subscriptions, FTP, etc.

----------------------------------------------------------------------

Date: Wed, 7 Jun 95 9:07:09 PDT
From: "Peter G. Neumann" <[email protected]>
Subject: Placing the blame, Part N+1: New York City subway crash

A NYC subway train on the Williamsburg Bridge crashed into the rear end of
another train on 5 June 1995.  The motorman apparently ran through a red
light, and was still applying power at the time of the crash.  The safety
system is supposed to apply emergency brakes whenever a train runs a red
light, but it seems that did not happen.  (Subway officials said they had
never seen that failure mode before.)  So, we must add to the RISKS annals
yet another case in which human error and system failure acted in
combination.  Here, neither of the two sets of safety measures was able to
rely on the other.  [Source: various news services on 6 and 7 June 1995.]

------------------------------

Date: Wed, 7 Jun 95 11:45:11 PDT
From: "Peter G. Neumann" <[email protected]>
Subject: Former IRS employee indicted

A former employee of the Internal Revenue Service, Walter C. Higgins of
Salem, NH, has been indicted on wire-fraud charges for illegally browsing
through IRS computers to gather information on Thomas Quinn, a candidate in
an election for the House of Representatives.  (Quinn lost the election to
Martin Meehan, D-MA from Lowell; Meehan says he knew nothing about Higgins.)

A current IRS employee, consumer representative Richard W. Czubinski, of
Dorchester, MA, was indicted for misusing his computer access privileges to
obtain information on 30 taxpayers, including members of the campaign
committee of South Boston City Council President James Kelly.  He apparently
also accessed the tax files of a Suffolk County assistant district attorney
who had unsuccessfully prosecuted Czubinski's father.  Disciplinary action
is being considered by the IRS.  (Czubinski was also described as a sometime
political candidate and a member of the Ku Klux Klan.)

[Source: The Boston Globe, 3 June 1995, pp. 1 and 15.]

  [Recognizing the importance of preventing and monitoring both browsing
  and improper data modification, the IRS is making a considerable effort
  in its Tax Systems Modernization efforts to base the new system designs
  on stringent privacy and security requirements.  I wish them luck!  PGN]

------------------------------

Date: Wed, 7 Jun 1995 09:27:50
From: [email protected] (Mycal!)
Subject: The Internet is a Dangerous Place

I just learned yesterday that the Internet is a dangerous place.  It seems
someone up in Canada posted a message about a bomb and made it look like I
wrote the message.  Well, guess what happened, I got a visit from the U.S.
Secret Service.  It seems that they don't quite understand the Internet and
think that, just because my name and E-mail address appeared in the text of
the document, I wrote it.

If anyone knows of any `bomb' files that have my name on them, would you
please tell me what archive they are stored at, because I didn't write them
and I want my name off them?

Thanx, Mycal Johnson  [email protected]

------------------------------

Date: Tue, 6 Jun 95 21:38 PDT
From: [email protected] (Lauren Weinstein)
Subject: Telecom records non-privacy at Ameritech

In a recent issue of the TELECOM digest, it was reported that Ameritech now
allows anyone to obtain bill payment information for any Ameritech line
(unless blocked by specific subscriber request)--a true bonanza for snoops
in general and for folks trolling for big bill customers to target for
marketing.

Obviously, this is a terrible policy.  It is unfortunately not a unique
situation.  Ameritech's explanation (as reported in TELECOM) has been
spouted by numerous other utilities, banks, and other entities.  If a
subscriber complains, they are frequently told that "hardly anyone else has
complained about the system".  If 1000 people complain, they may each
individually be told that they're essentially the "lone wolf".

The "solution" is obvious.  Ameritech should return to a "random" passcode
system, and allow customers who have a problem remembering the code to
either choose something simple ("0000") or opt for no code at all.  But such
a choice of no security should be made by the individual customer--to make
it the default condition for all customers is very bad policy.

Experience has shown that the only effective way to deal with these types of
situations is to complain loudly to the highest level you can reach.  In the
case of Ameritech, complaints (and suggestions for "fixing" the problem, as
mentioned above) should be made to the billing supervisor level at
least--better yet, speak to the managers.  And while it means taking the
time to put it down in written form, letters to state PUCs are *extremely*
important with such matters.

I'm sure there are just a *few* Ameritech subscribers reading this now.  If
each of you expressed your opinion (one way or another) to the PUC and
Ameritech regarding their system, I suspect you could have considerable
impact.

--Lauren--

------------------------------

Date: Wed, 7 Jun 1995 12:09:13 -0700
From: [email protected] (Martin Minow)
Subject: *California Lawyer*, June 1995

*California Lawyer*, June 1995 is a "High Tech" issue that RISKS readers
might find moderately interesting, if for no other reason than to see
another view of the computer field. Here's a brief summary of the contents:

-- An article on how software games developer Electronic Arts learned
  about Hollywood dealmaking.
-- An article on the First Amendment and the Internet.
-- How a midsize law firm incorporated computers into its "culture."
-- Cybercrime "police worry about savvy criminals."
-- A map of Silicon Valley with law firms identified.
-- Worries about digital piracy (copying laser disks, copying documents).
-- A lawyer's viewpoint of the Intel Pentium problem.
-- Repetitive-motion injury problems.
-- Techno Tools.

Readers may also find the proliferation of computer-based legal tools
interesting: as usual the advertisements are often more fascinating than
the articles.

A few random quotes:

Electronic Arts: ``Securing the rights [to rock music] took almost as
long as producing the game.''

Hate speech: ``The first time you get a first-run film sent over the
Internet, you'll get lots of lawyers involved." "The First Amendment allows
hate speech [on the Internet] to persist.''

Cybercrimes: ``For the most part, the computer has not introduced any new
types of crimes, but it has introduced new methods, time frames, and
languages for committing theft, manipulation, destruction, and espionage.''

Digital Piracy: ``Today's ability to create perfect copies over the Internet
has frightened people.''

Intel: Disclosing bugs gains advantage in public-relations, but that doesn't
take into account the business ramifications, including product replacement,
numbers of customers, .... ``Legal ramifications are often secondary to
corporate concerns.''  ``The Intel case study offers more public-relations
lessons than legal ones, attorneys agree.''  ``The legal effect ... is about
nil, Vendors have protected themselves with so many warranty clauses ...
that they can get away with anything.''

>From California Lawyer, June 1995. 1390 Market St., Ste 1210,
San Francisco, CA 94102. (415) 252-0500. The issue may be difficult
to find, as I obtained the last one available at my doctor's office.

Martin Minow  [email protected]

------------------------------

Date: Wed, 7 Jun 1995 13:22:32 +1300
From: "Gregor Ronald, Wanaka, New Zealand" <[email protected]>
Subject: Copyright infringed via WWW?

New Zealand Press Association carried this story on Wed 7 June 1995:

INTERNET COPYRIGHT FEARS

Internet users could be breaking the law every time they transfer a file
from the global computer network to their own computer, said Ross Johnston,
a copyright lawyer of Kensington Swan, speaking at a seminar in Wellington.
He said that as well as printing copies or storing them on a computer disk,
simply browsing articles on the Internet using a computer screen could be
infringing the law.  He described the World Wide Web part of the Internet as
a giant copying machine.

New Zealand's Copyright Act defines copying to include "storing the work in
any medium by any means". When a computer user browses information on the
Internet, an electronic copy is temporarily created in the computer's
memory.  Mr Johnston said a copy did not have to be permanent.

Copyright specialist Ken Moon, of A.J.Park & Son, in Auckland, echoed this
view: "I believe that transient copying is an infringement," he said.

------------------------------

Date: Wed, 7 Jun 1995 12:00:10 (xxT)
From: [identity withheld by request]
Subject: User-friendly E-mail systems

Our organization has a mail system which permits a "user-friendly"
addressing scheme.  Mail can be addressed to either a userid or part of a
user's full name.  If there are multiple users with the same last name, mail
to that last name will be bounced, with the bounce message listing the
names, departments, and userids of all matching users.

The following [sanitized] message was recently posted by someone in the
Payroll department to an internal group for departmental administrators.

 I request that all administrators sending me XXX E-mail specifically list
 my user ID (XXXXX) on the E-mail address.  Several E-mail messages addressed
 to my last name have gone to other XXXX's on the XXX system.  Because both
 my wife and son have E-mail addresses, some of the messages have gone to
 them.  If your request contains specific data relating to an employee,
 please be sure it is addressed properly.  [...]

------------------------------

Date: Wed, 7 Jun 95 08:36:55 +0200
From: [email protected] (Erling Kristiansen)
Subject: Re: Ariane-5 test aborted (RISKS-17.16)

The accident that caused the death of two technicians was not exactly
"failure of the main cryogenic motor".

I excerpt from the ESA press release:

- The accident happened on May 5 in the Ariane 5 launch area at the
 Guiana Space Centre.

- The cause of death was asphyxiation through inhalation of air having
 an excessively low oxygen contents.

- The reduced oxygen contents was due to a major nitrogen leak into the
 confined structure of the umbilical mast on the launch table.

- The nitrogen leak originated in a nitrogen/iced water exchanger,
 whose drainage plug was found to be missing.

I have not seen any announcement of a delay of tests, so I cannot comment on
whether, and how, that may be related to the mentioned accident.

------------------------------

Date: Mon, 5 Jun 1995 15:20:15 -0500 (CDT)
From: Carlton Hogan <[email protected]>
Subject: Re: Drug Addicted Geniuses Built Cyberspace

In RISKS-17.15, Daniel Frankowski comments on the moronic thrill-piece
"Cyberstoned", Originally from Boston Magazine, and reprinted in the
Minneapolis Star Tribune. I too noticed this offensive piece of fluff, and
sent the following letter to the editor:

To the Editor:

"Cyberstoned", in Monday's opinion section is just the latest attempt to
demonize the Internet for all of Mankind's pre-existent woes. In the last
couple of months, people with no great liking or understanding of the net
have cited such spectres as kiddie porn, drug dealing, and even the Oklahoma
bombing as compelling reasons to dramatically limit the operation of the
net, often in a ham-handed manner. Senator James Exon's (D-NE) recently
defunct "Digital Decency Act" would have required all Internet providers to
read and censor each of millions of messages a day.

Early denizens of the Internet created a benign anarchy, where free speech
was it's own best remedy. Ironically, pressure to change the net comes from
newcomers, who bought a modem specifically because they heard that there was
something new happening on the net. This dynamic reminds me of the process
of gentrification, where artists and other fringes types will reclaim urban
wasteland. Once the quality of the neighborhood improves, more genteel types
move in, and systematically erase all signs of bohemia. Our response to the
possibilities offered by the net should not be the neanderthal reflex of
killing it because we don't understand it.

Carlton Hogan, Editor, PWAlive

Community Programs for Clinical Research on AIDS Statistical Center, School
of Public Health, University of Minnesota, Minneapolis MN 55414 1-612-626-8899

------------------------------

Date: Mon, 5 Jun 1995 00:33 -0400
From: [email protected]
Subject: Re: New Yorker Article on The 59-Story Crisis (RISKS-17.16)

I do recommend reading the Citicorp article. The scary part is that this
problems were only uncovered by accident. Also, while the idea of a 1 in 700
year event is considered far-fetched, the midwest floods, which partially
recurred this year, Mt St Helen's and imply that somewhere, a very unlikely
event will occur. And then there's the World Trade Center.

The John Hancock building in Boston, AKA The Plywood Palace, is another
example. It got that nickname because its windows were falling out and had to
be replaced with plywood. Eventually the problem was solved by simply making
the glass a little thicker.

But the problems caused some additional attention to be paid to the building
including further wind tunnel testing. The building is a flat rectangle
(almost) and designers assured it wouldn't fall over on its short side. The
surprise was that the building was in danger of collapsing on its long axis!
Considering the height, it does make sense that the center of gravity can go
far out of alignment, at least, in hindsight. The solution was to be put an
active damping system at the top -- pioneered in the Citicorp building. The
Citicorp article noted that the damping provides stability but not safety
since the power supply is a point of vulnerability.

The main lesson is that despite all the writing in this forum about proper
procedures, things will go wrong. The question is not so much how to prevent
problems but how to respond and recover. Prevention is only an optimization
of this process and shouldn't overwhelm the process. A full discussion of
this topic is a large topic in its own right, but I'll limit my self to
riling the audience in this missive.

As a PS, there was an article in the Sunday New York Times (May 29th) about
lawyers descending upon Norplant, a long term contraceptive. The article
noted that these are the same lawyers who got rich on Silicone (not to be
confused with Silicon!) implants. While the Citicorp article emphasized the
exemplary behavior of all those involved, reality, if anything, is becoming
more problematic. Responsible behavior is often severely punished. If you
take any responsibility, you might be liable for punitive damages. It is
better not to investigate an area at all, than to learn of a problem and
calculate the tradeoffs of dealing with it. Again, this is another topic
which would take too much space to fully address in a short not. I've also
got to add that I'm not a lawyer and probably don't look much like one either.

------------------------------

Date: Mon, 5 Jun 95 22:33 MET DST
From: [email protected] (Erik Corry)
Subject: Compuserve addresses and a sparse name-space

Don Faatz relates that his boss regularly gets E-mail at his Compuserve
account that is destined for somebody else whose account differs by only
digit.

This is another case of a namespace not being sparse enough.  It is too
simple to hit another real Compuserve address by hitting one wrong number.
The risk could be reduced with checksum digits like those used for ISBN and
credit card numbers. Other small-namespace culprits include the telephone
system (especially when used by semi-automated systems like faxes) and some
computer languages (changing a random piece of punctuation in a C program
has a chance of resulting in a different, valid program. APL is probably
much worse.)

To make matters worse, he probably has to pay for the incorrectly sent mail
(I have heard this is how Compuserve works, but am not sure).

Erik Corry, Freiburg, Germany, +49 761 406637 [email protected]

------------------------------

Date: Mon, 05 Jun 1995 22:15:35 GMT
From: Mike James <[email protected]>
Subject: Europe - Central Air Traffic Control

Here in Europe we have had central Air Traffic Control for a couple of
months. A few weeks back , I was on a flight from Preveza (Western Mainland
Greece to London Gatwick). First the flight was delayed by an autopilot that
refused to permit the flight from London earlier in the day from climbing
above 10000 feet (something to do with fuel load trimming), so they had to
turn back, and change the 757 for a Lockheed L1011 (impressive landing on
short runway - almost aircraft carrier performance, as the runway wasn't
really long enough).

Then we sat in the L1011 and waited while the crew tried to:

Contact Athens ATC - couldn't give a slot to take off, as Brussels was
 uncontactable.
Contact Brussels Central ATC direct  by phone - no answer.
Contact London , and get their airline headquarters to phone Brussels - no
 answer.

So we sat for 3 hours until the crew nearly ran out of hours in charge of the
plane, until Brussels ATC  came back on line.

Question : What happens if the ATC goes off-line while you are in the air ?
How does the system fall back ? Does it go off-line regularly ?

-- Mike James G6IXE

------------------------------

Date: Tue, 6 Jun 1995 19:05:05 +0200
From: [email protected]
Subject: Re: The standard notion of a `field' (Re: Horn, RISKS-17.15)

Rob Horn's article in RISKS-17.16 misuses the concept of `field'.  Horn was
talking about commutative rings with unit. The standard definition of
`field' trivially entails that a division operation is available. The
integers don't form a field.  However, the integers modulo p, for p a prime
number, under addition and multiplication, do.

Fields have been studied in mathematics for a long time, well over a
century. The standard terminology is at least a half-century old.  The
definition is given in the following widely available texts:
B. van de Waerden, Algebra, a standard reference for a half century
and still in print (the oldest reference I could find today is to the
3rd edition in 1950; see p39 of the Springer German edition); S. Lang,
Algebra (3rd edition p93); S. Maclane and G. Birkhoff, Modern Algebra
(1967, p133); and T. Hungerford (1973, Springer edition 1980, p116).

Peter Ladkin

------------------------------

Date: Tue, 6 Jun 1995 21:19:34 +0059 (EDT)
From: Robert J Horn <[email protected]>
Subject: Re: The standard notion of a `field'

Sorry, you're right.  Somewhere along the years I did a mental slip.  I
should have been using the term commutative ring.  I've probably left behind
a few years of confused people.  Actually computer integers are suffer
further in that they are not actually a ring either, because there is a
maximum value beyond which addition or multiplication fail.

I should not have been using the term finite field, it should have been
commutative ring.  And my apologies to the readership.

R Horn

------------------------------

Date: Thu, 07 Jun 95 19:35:55 GMT
From: [email protected]
Subject: Telematic Sculpture 4 (T.S.4)

A mobile sculpture (length 21,8 meters, weight 1800 kg) by R. Kriesche is
physically positioned in the Austrian Pavilion during the Venice Biennale.

T.S.4 is driven by the data flow in the Internet, according to the ratio of
the worldwide COMPUTER newsgroups versus worldwide ART newsgroups.
According to this relation, T.S.4 is expected to transcross the Austrian
pavilion during the time of the biennale and might even break through the
wall of the pavilion.

You are invited to become part of T.S.4 by:

 o  visiting its www homepage
    http://iis.joanneum.ac.at/kriesche/biennale95.html
 o  discussing T.S.4 on usenet news
 o  sending E-mail to T.S.4 (mailto:[email protected])

Your participation will slow down the movement of T.S.4 and prevent it
crashing.

  [The risks of such an event are left as an exercise for the reader. PGN]

------------------------------

Date: Wed, 7 Jun 95 12:05:09 PDT
From: "Peter G. Neumann" <[email protected]>
Subject: Privacy Digests

Periodically I remind you of TWO useful digests related to privacy, both of
which are siphoning off some of the material that would otherwise appear in
RISKS, but which should be read by those of you vitally interested in
privacy problems.  RISKS will continue to carry general discussions in which
risks to privacy are a concern.

* The PRIVACY Forum Digest (PFD) is run by Lauren Weinstein.  He manages it as
 a rather selectively moderated digest, somewhat akin to RISKS; it spans the
 full range of both technological and non-technological privacy-related issues
 (with an emphasis on the former).  For information regarding the PRIVACY
 Forum, please send the exact line:

information privacy

 as the BODY of a message to "[email protected]"; you will receive
 a response from an automated listserv system.  To submit contributions,
 send to "[email protected]".

* The Computer PRIVACY Digest (CPD) (formerly the Telecom Privacy digest) is
 run by Leonard P. Levine.  It is gatewayed to the USENET newsgroup
 comp.society.privacy.  It is a relatively open (i.e., less tightly moderated)
 forum, and was established to provide a forum for discussion on the
 effect of technology on privacy.  All too often technology is way ahead of
 the law and society as it presents us with new devices and applications.
 Technology can enhance and detract from privacy.  Submissions should go to
 [email protected] and administrative requests to
 [email protected].

There is clearly much potential for overlap between the two digests, although
contributions tend not to appear in both places.  If you are very short of time
and can scan only one, you might want to try the former.  If you are interested
in ongoing detailed discussions, try the latter.  Otherwise, it may well be
appropriate for you to read both, depending on the strength of your interests
and time available.
                                                 PGN

------------------------------

Date: 24 March 1995 (LAST-MODIFIED)
From: [email protected]
Subject: Info on RISKS (comp.risks), contributions, subscriptions, FTP, etc.

The RISKS Forum is a moderated digest.  Its USENET equivalent is comp.risks.
Undigestifiers are available throughout the Internet, but not from RISKS.

SUBSCRIPTIONS: PLEASE read RISKS as a newsgroup (comp.risks or equivalent) on
your system, if possible and convenient for you.  BITNET folks may use a
LISTSERV (e.g., LISTSERV@UGA): SUBSCRIBE RISKS or UNSUBSCRIBE RISKS.  U.S.
users on .mil or .gov domains should contact <[email protected]>
(Dennis Rears <[email protected]>).  UK subscribers please contact
<[email protected]>.  Local redistribution services are
provided at many other sites as well.  Check FIRST with your local system or
netnews wizards.  If that does not work, THEN please send requests to
<[email protected]> (which is not yet automated).  SUBJECT: SUBSCRIBE
or UNSUBSCRIBE; text line (UN)SUBscribe RISKS [address to which RISKS is sent]

CONTRIBUTIONS: to [email protected], with appropriate, substantive Subject:
line, otherwise they may be ignored.  Must be relevant, sound, in good taste,
objective, cogent, coherent, concise, and nonrepetitious.  Diversity is
welcome, but not personal attacks.  PLEASE DO NOT INCLUDE ENTIRE PREVIOUS
MESSAGES in responses to them.  Contributions will not be ACKed; the load is
too great.  **PLEASE** include your name & legitimate Internet FROM: address,
especially from .UUCP and .BITNET folks.  Anonymized mail is not accepted.
ALL CONTRIBUTIONS CONSIDERED AS PERSONAL COMMENTS; USUAL DISCLAIMERS APPLY.
Relevant contributions may appear in the RISKS section of regular issues
of ACM SIGSOFT's SOFTWARE ENGINEERING NOTES, unless you state otherwise.
All other reuses of RISKS material should respect stated copyright notices,
and should cite the sources explicitly; as a courtesy, publications using
RISKS material should obtain permission from the contributors.

RISKS can also be read on the web at URL http://catless.ncl.ac.uk/Risks
  Individual issues can be accessed using a URL of the form
  http://catless.ncl.ac.uk/Risks/VL.IS.html
  (Please report any format errors to [email protected])

RISKS ARCHIVES: "ftp unix.sri.com<CR>login anonymous<CR>[YourNetAddress]<CR>
cd risks<CR> or cwd risks<CR>, depending on your particular FTP.
Issue J of volume 17 is in that directory: "get risks-17.J<CR>".  For issues
of earlier volumes, "get I/risks-I.J<CR>" (where I=1 to 16, J always TWO
digits) for Vol I Issue j.  Vol I summaries in J=00, in both main directory
and I subdirectory; "bye<CR>"  I and J are dummy variables here.  REMEMBER,
Unix is case sensitive; file names are lower-case only.  <CR>=CarriageReturn;
UNIX.SRI.COM = [128.18.30.66]; FTPs may differ; Unix prompts for username and
password.  Also ftp [email protected].  WAIS repository exists at
server.wais.com [192.216.46.98], with DB=RISK (E-mail [email protected] for info)
  or visit the web wais URL http://www.wais.com/ .
Management Analytics Searcher Services (1st item) under http://all.net:8080/
also contains RISKS search services, courtesy of Fred Cohen.  Use wisely.

------------------------------

End of RISKS-FORUM Digest 17.17
************************

You are viewing proxied material from gopher.quux.org. The copyright of proxied material belongs to its original authors. Any comments or complaints in relation to proxied material should be directed to the original authors of the content concerned. Please see the disclaimer for more details.