Subject: RISKS DIGEST 17.20
REPLY-TO: [email protected]

RISKS-LIST: Risks-Forum Digest  Weds 26 July 1995  Volume 17 : Issue 20

  FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
  ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

***** See last item for further information, disclaimers, etc.       *****

 Contents: [finally back in gear; remember 1 August anniversary issue(s)]
Woman electrocuted using hotel card-key (Karl W. Reinsch)
My Grammar is a Dame? (PGN from The New Yorker)
Pushbutton ignition code blamed for NY City bus theft (George Mannes)
New Pittsburgh Jail (Alan Tignanelli)
Bell Atlantic Goofs (Mich Kabay)
Risks of misreporting risks? (Jeremy Epstein)
No laughing matter: hospital database misuse (Jan Joris Vereijken)
Automated performance reviews (Geoff Kuenning)
Runaway E-Mail (Mich Kabay)
Two Short-Courses on Software Engineering (Dave Parnas)
ISOC Symposium on Network and Distributed System Security (Clifford Neuman)
Info on RISKS (comp.risks), contributions, subscriptions, FTP, etc.

----------------------------------------------------------------------

Date: Sat, 8 Jul 1995 00:25:34 -0400 (EDT)
From: "Karl W. Reinsch" <[email protected]>
Subject: Woman electrocuted using hotel card-key

The Washington Post on Tuesday, 27 June 1995, tells of an 18-year-old
Cincinnati woman who was electrocuted Friday at a New Carrollton hotel.
Police said that she was barefoot, wet, and standing on wet concrete.  The
door was apparently charged with electricity from a faulty air-conditioning
unit in the wall near the door. An electrical engineer inspected the room.
Police spokesman Sgt. Rick Morris said, ``They found a faulty air
conditioner emitting some sort of electric charge, and the charge was
transcending to the door."  Steiner Oftgard, vice president of VingGuard,
the manufacturer of the door lock, says the system uses only 9 volts, which
is supplied by six 1 1/2-volt batteries.  Anthony G. Marshall, who writes
the ``At Your Risk" column for Hotel and Motel Management magazine, said,
``This has to be right out of 'Believe It or Not'."  The hotel removed all
guests from rooms that open directly outside, pending further investigation.

I'm sure there are plenty of risks to discuss. I don't think this happened
with old-fashioned door locks.  I also can't decide if Sgt. Morris really
said that, or if some "intelligent" software made a substitution.

Karl Reinsch, [email protected]

------------------------------

Date: Tue, 25 Jul 95 8:28:57 PDT
From: "Peter G. Neumann" <[email protected]>
Subject: My Grammar is a Dame?

_The New Yorker_ issue of 10 Jul 1995 has a cute squib on page 33, quoting
the output from the grammar checker in Microsoft Word for Windows in
response to the sentence, "I graduated from the University of Notre Dame."

 Sexist expression.  Avoid using Dame except as a British title.

TNY's traditional retort was quite worthy:

 They don't call them P.C.s for nothing.

------------------------------

Date: 13 Jul 95 16:53:10 EDT
From: George Mannes <[email protected]>
Subject: Pushbutton ignition code blamed for NY City bus theft

According to an article by Garry Pierre-Pierre in the July 8, 1995, New York
Times (p.23), two unidentified youths stole a parked 38,000-pound, 40-foot
NYC bus and took it on a six-block joyride, colliding with seven cars and
smashing the bus into a subway station entrance. The bus, which cost the
city $235,000, suffered "extensive damages."
       The bus was vulnerable, the article says, because it was parked on
the street in front of the depot in which it was supposed to be parked. In
the article, a Transit Authority spokesman theorizes that the thieves pried
open the bus door and pushed a sequence of buttons necessary to start the
bus; the vehicle needs no ignition key.
       "It's not top-secret information," the spokesman is quoted saying
about the ignition code. "It's certainly information that can be obtained
from watching operators start the buses."
       As a New York City taxpayer, resident and vulnerable pedestrian, I'm
somewhat concerned when a T.A. spokesman admits that the ignition code is an
open secret. Several questions come to mind. How many city buses use
pushbutton ignition and not a key? To make it easier on drivers, do all the
pushbutton buses use the same code? Are the codes changeable? How often, if
ever, does the T.A. change them? Who decided that buttons were better than
keys? The article notes that the bus was built in 1994 and is among the
newest in the city's fleet. So much for progress.

George Mannes  [email protected]

------------------------------

Date: 03 Jul 95 09:06:47 EDT
From: Alan Tignanelli <[email protected]>
Subject: New Pittsburgh Jail

Summarized from the Pittsburgh Post-Gazette, July 2, 1995 (Direct quotes
from the article are in [ ]):

The new jail in Pittsburgh took 2 and a half years and $147 million to
build, and has been open since early May.  But, there are apparently tons of
problems with the new facility, including:

1.  Dozens of computer terminals that are unusable because, while the data
jacks were connected and wired, nobody bothered to put electrical outlets
in.

2.  A computer system to track inmate information is still off-line for two
reasons.  One, the software is from a Canadian company and is not formatted
to the American justice system (whatever that means - AT).  Two, nobody has
been trained on how to use the system.

3.  Guards carry an electronic personal alarm.  These alarms are supposed to
send out signals when there is a security problem, but are prone to false
alarms.  [A few weeks ago, one of the personal alarms accidentally went off
and almost every light and audio alarm on the nuclear sub-like control panel
lit up, said Bruce Helt, a guard who is the union vice president.  As a
result, there was no way to locate where the crisis would have been if the
alarm had been a real emergency, he said.]  In another incident with these
alarms, a female guard had to work an entire shift last week without an
alarm because her battery went dead and there were no spares.

4.  There was another electrical malfunction which left jail employees
unable to unlock the doors to three pods, leaving one guard isolated with 56
inmates in each pod.  (According to a TV report, the malfunction not only
locked the guards in, but the cells were left _unlocked_!)  The president of
the jail guards' union, John Pastor, said ["Fortunately, there was no type
of altercation.  But if there had been, we couldn't have gotten help to
anybody."]  The malfunction lasted about two hours and knocked out the air
circulation system on half of the second floor.

5.  [The ventilation system occasionally shuts off for no apparent reason.]

6.  [The fire alarms go off at all hours for no apparent reason.]  (I guess
that means there's a faulty switch somewhere, but they haven't been able to
figure out how to find it.)

7.  The employee elevator in the high-rise jail only works sporadically.

8.  [In an emergency, guards could use the pod phones to dial 911.  But it
wouldn't do them any good.  The outside lines to each pod have been
disconnected.  In fact, jail officials mistakenly had the phone company
block all but a few phones from being able to place or receive outside
calls] said Allegheny county Director of Criminal Justice Bob Coll.

Perhaps the most incredible quote of the entire article was attributed to
James J. Gregg, Jr., the deputy warden for operations.  He said ["Everything
is working as scheduled."]  (Who the hell approved that schedule????- AT)

The guards' union president attributed some of the problems to political
maneuvering.  He charged that County Commissioners Tom Forester and Pete
Flaherty rushed the new facility into at least partial use two months early
to show they were tough on crime.  Incidentally, they were both defeated in
the Democratic primary.

 I don't think the risks need to be pointed out.  I'm certainly glad I'm
 not a guard in this place.  Fortunately, I don't know of any friends or
 relatives who are guards there either.  It always makes me shake my head
 in wonderment when I see a project finish up like this.  Makes you wonder
 who supervises this stuff.

 Alan Tignanelli

------------------------------

Date: 25 Jul 95 05:50:56 EDT
From: "Mich Kabay [NCSA Sys_Op]" <[email protected]>
Subject: Bell Atlantic Goofs

From the Washington Post news wire via CompuServe's Executive News Service,
25 July 1995:

       Three Little Digits, One Big Goof; Bell Atlantic Errs in
       Telling N.Va. Residents of New Area Code

       By Mike Mills
       Washington Post Staff Writer

       Sorry, wrong number.

       In a gaffe that would give any public relations manager intestinal
       trouble, Bell Atlantic Corp. late last week sent notices to 388,000
       Northern Virginia homes and businesses, telling them that their 703
       area code would soon be changed to 540.

       "Welcome to 540 Country, from Bell Atlantic" read the cheerful
       notices, which included little stickers for people to place on
       their phones as a helpful reminder of the impending change.

       The problem is, they told the wrong people.

It seems the Bell Atlantic staff should have sent the notices to the more
westerly region of VA.  A company spokesperson blamed a programming error for
the $100,000 blunder.  The writer defines the correct area as follows:

       The real boundaries of the new 540 area code stretch from the
       southwestern tip of Virginia northeast along both sides of the
       Blue Ridge to the Potomac River and east to Fredericksburg.
       Prince William County -- which is served by GTE Corp. and did
       not receive the mailing -- remains in 703, as do eastern
       Loudoun County and Leesburg; western Loudoun County and
       Stafford County join Fredericksburg in the new 540 area.
       Leesburg also had been originally included, but the map was
       modified to exclude the town after many residents complained
       that they wanted to remain in the 703 code.

The article mentions gleefully that Bell Atlantic could have done worse; after
all, AT&T recently used the number of a sex-line instead of its own toll-free
information line.

[Comment by MK: Another illustration of why quality assurance is needed in
everything.  Also an example of the tendency to blame the I.T. staff:
"programming error" indeed!  I wonder how many people approved this farce
before the mail got out the door?]

M.E.Kabay,Ph.D. / Dir. Education, Natl Computer Security Assn (Carlisle, PA)

------------------------------

Date: Tue, 27 Jun 1995 11:34:51 -0400
From: [email protected] (Jeremy Epstein -C2 PROJECT)
Subject: Risks of misreporting risks?

The Washington Post Monday business section has a regular "shorts"
called "Digital Flubs", in which they report on interesting goofs.
Many of them appear to be culled (without attribution) from RISKS.

The June 26 edition reads as follows:
       A piece of security software widely used on computer networks has
       a hole in it.  [CERT] said it has distributed instructions on how
       to correct the problem in FreeBSD, a program created by a software
       engineer in the Netherlands.  In some circumstances, the hole lets
       people tapping into a computer see and alter information that should
       be off-limits to them.  FreeBSD is an "enhancement" to S/Key, a
       program that controls password access to networked computers.
       S/Key itself does not have the problem.

I'm not sure what this is actually trying to say, but whatever it is, it's
wrong.  FreeBSD is an operating system, not security software or an
enhancement to S/Key.  FreeBSD wasn't developed by an engineer in the
Netherlands, although it's possible that S/Key was ported to FreeBSD by some
such person.

The risk is that someone might read this, think it actually describes
a weakness, and mistakenly take action (or not take action) without
knowing that the article is confused.

------------------------------

Date: Tue, 27 Jun 1995 11:28:47 +0200 (MET DST)
From: [email protected] (Jan Joris Vereijken)
Subject: No laughing matter: hospital database misuse

The 13-year-old daughter of a hospital records clerk in Jacksonville,
Fla., used her mother's computer during an office visit and printed
out names and numbers of patients previously treated in the hospital's
emergency room. According to police, she then telephoned seven people
and falsely told them that they were infected by the HIV virus. One
person attempted suicide after the call. Upon arrest, the girl told
police the calls were just a prank.

Source: _Communications of the ACM_, Volume 38, Number 5, May 1995.

------------------------------

Date: Wed, 28 Jun 1995 10:10:25 -0700
From: Geoff Kuenning <[email protected]>
Subject: Automated performance reviews

An article by Richard O'Reilly in the business section of the June 28, 1995,
Los Angeles Times describes and evaluates two products intended to help
managers write performance reviews of their employees, Performance Now! from
Knowledge-Point and Employee Appraiser from Austin-Hayne Corp.  Given the
time spent on this task in the typical company, and its (non-)popularity
among managers, I am sure that both products will quickly find a marketplace
niche.  But I am very concerned about the RISKS of hype and legal liability.

The article describes both products as being expert systems, but to me
they sound more like a collection of canned phrases and paragraphs
with a little bit of software to select them.  Each product asks you
to numerically rate the employee in a number of different categories,
then suggests an evaluation paragraph.  Convenient menu buttons allow
you to "tune" the paragraph by making it slightly more negative or
positive.  Both products allow post-customization of the text.
Performance Now! will also combine some categories into a single
paragraph when they are related.  It also warns you when you give a
negative review, so that you can add supporting material.

This is bad enough, with its tendency to encourage lazy managers to
give an employee exactly the same review, word for word, in successive
years.  But much more worrisome are the extended features offered by
the two programs.  Performance Now! will combine all the numerical
categories into an overall 1-through-5 rating of the employee, with no
chance for the manager to specify which categories are more important
for that particular job.  This is a classic example of using computers
to dehumanize underlings.  Employee Appraiser skips this feature, but
instead invents evaluations out of whole cloth.  For example,
according to O'Reilly:

       If you choose "generally understands job," the program
       proposes an evaluation that says, "You generally understand
       the duties and responsibilities of the job.  As a result, you
       are often able to act on your own initiative."

As O'Reilly notes, the manager has not given the program any indication that
the employee has initiative, and the manager must remember to remove this
sentence if it is false.  One can well imagine the glowing review that might
be given Beetle Bailey by this software!

To be fair to these programs, I am sure that many savvy managers already
have canned paragraphs stored in their word processors to ease the task of
writing reviews.  In that sense, these programs are probably an advance,
because they can integrate multiple factors into their prepackaged writing.
(Besides, one can at least hope that they will use good English!)  But RISKS
readers will be most unhappy about Performance Now!'s attempt to squash all
of this information into a 1-5 numerical rating, and about Employee
Appraiser's tendency to insert things that managers never intended to say.
Especially with the latter, I predict that a wrongful-discharge suit a few
years from now will be quoting a glowing automatically-written performance
review that a manager never intended to be so positive.

       Geoff Kuenning  [email protected]     [email protected]
       http://www.cs.ucla.edu/ficus-members/geoff/

------------------------------

Date: 13 Jul 95 02:50:52 EDT
From: "Mich Kabay [NCSA Sys_Op]" <[email protected]>
Subject: Runaway E-Mail

From the Associated Press news wire via CompuServe's Executive News Service:

 Pilot-Electronic Mail

 WASHINGTON (AP, 11 July 1995) -- To the embarrassment of the Pentagon, a
 detailed account of the June rescue of Capt. Scott O'Grady in Bosnia --
 sprinkled with salty language and a dig at the United Nations -- found its
 way onto the global Internet computer network.  It was written by Air
 Force Capt. Scott Zobrist, an F-16 pilot based with O'Grady at Aviano,
 Italy, just hours after O'Grady's rescue by Marines. Zobrist was flying an
 F-16 on the periphery of the operation; he listened in on the rescue
 team's conversations and tape-recorded them.

The article explains that Zobrist sent his personal thoughts on the events
to friends, and ZOT! it ended up in wide distribution through AOL.  DoD
officials were embarrassed by Zobrist's language and hostility to the
Bosnian Serb forces.  However, there was apparently no classified
information at all in the document.

This incident _could_ have happened if Zobrist had sent printed messages to
his friends, but it might have taken longer to spread the photocopies of
photocopies of photocopies to an audience of millions.

Anyone sending any information that should remain moderately confidential
should include a warning in their message so that the author's intentions
can be clear to all; e.g., "Please do not copy this message to anyone else
and do not post it publicly."  This, too, would not prevent the information
from going out of control, but it might slow down the explosion of copies.

The following section of the article was particularly interesting:

 A separate question for the Pentagon is whether it can control the
 spread of sensitive or embarrassing military information on the
 Internet computer network.

 "We need to either control it ourselves or figure out some way to
 control it," Brig. Gen. Ron Sconyers told the Detroit Free Press,
 which reported on the case in Tuesday's editions. "It's growing
 faster than we can keep up with."

The Internet originated in ARPANET, funded by the Defense Advanced Research
Projects Agency 30 years ago.  Maybe the piper wants to start calling the
tune again.

M.E.Kabay,Ph.D. / Dir. Education, Natl Computer Security Assn (Carlisle, PA)

------------------------------

Date: Mon, 3 Jul 95 21:47:34 EDT
From: [email protected] (Dave Parnas)
Subject: Two Short-Courses on Software Engineering

                           McMaster University
                         Faculty of Engineering
                                 presents
               Two Short-Courses on Software Engineering

                SOFTWARE DESIGN:  AN ENGINEERING APPROACH
                -----------------------------------------
                            August 8-12, 1995


                       INSPECTING CRITICAL SOFTWARE
                       ----------------------------
                            August 15-17, 1995


                               instructed by
                          Prof. David L. Parnas
           Department of Electrical and Computer Engineering

McMaster University's Faculty of Engineering is pleased to present two
courses on Software Engineering.  "Inspecting Critical Software" was
presented last summer and was well received by all who attended.  "Software
Development: An Engineering Approach", a course previously taught on-site at
several development organizations, provides a broader, more basic,
introduction to software design principles and will be useful for those
developing software that does not require critical inspection.  It is aimed
at engineers who want to know how to design software well.

Inquiries should be directed to
   Jan Arsenault
   McMaster University
   Phone:  (905) 525-9140, ext. 24910
   Fax:  (905) 577-9099
   e-mail:  [email protected]

 [Dave is one of the earliest contributors to RISKS, and internationally
 known for his work in software engineering.  He pioneered many concepts
 of modularity, information hiding, object orientation, etc.  This is a
 rare opportunity for any of you seriously interested in software
 engineering, system design, and critical software.

 The full course information is also available for FTP in the UNIX.SRI.COM
 risks ftp directory, as risks-17.parnas .  PGN]

------------------------------

Date: Wed, 19 Jul 1995 07:05:37 -0700
From: Clifford Neuman <[email protected]>
Subject: ISOC Symposium on Network and Distributed System Security--Second CFP

                       SECOND CALL FOR PAPERS
                  Submission deadline is 14 August

                 The Internet Society Symposium on
              Network and Distributed System Security

                        February 22-23, 1996
          San Diego Princess Resort, San Diego, California

GOAL: The symposium will bring together people who are building hardware
and software to provide network and distributed system security services.
The symposium is intended for those interested in the practical aspects of
network and distributed system security, focusing on actual system design
and implementation, rather than theory.  We hope to foster the exchange of
technical information that will encourage and enable the Internet community
to apply, deploy, and advance the state of available security technology.
Symposium proceedings will be published by the IEEE Computer Society Press.
Topics for the symposium include, but are not limited to, the following:

*  Design and implementation of communication security services:
  authentication, integrity, confidentiality, authorization,
  non-repudiation, and availability.

*  Design and implementation of security mechanisms, services, and
  APIs to support communication security services, key management
  and certification infrastructures, audit, and intrusion detection.

*  Requirements and designs for securing network information resources
  and tools -- WorldWide Web (WWW), Gopher, archie, and WAIS.

*  Requirements and designs for systems supporting electronic commerce --
  payment services, fee-for-access, EDI, notary -- endorsement,
  licensing, bonding, and other forms of assurance.

*  Design and implementation of measures for controlling network
  communication -- firewalls, packet filters, application gateways, and
  user/host authentication schemes.

*  Requirements and designs for telecommunications security especially
  for emerging technologies -- very large systems like the Internet,
  high-speed systems like the gigabit testbeds, wireless systems, and
  personal communication systems.

*  Special issues and problems in security architecture, such as
  interplay between security goals and other goals -- efficiency,
  reliability, interoperability, resource sharing, and cost.

*  Integration of security services with system and application security
  facilities, and application protocols -- including but not limited to
  message handling, file transport, remote file access, directories, time
  synchronization, data base management, routing, voice and video
  multicast, network management, boot services, and mobile computing.

GENERAL CHAIR:
  Jim Ellis, CERT Coordination Center

PROGRAM CHAIRS:
  David Balenson, Trusted Information Systems
  Clifford Neuman, USC Information Sciences Institute

LOCAL ARRANGEMENTS CHAIR:
  Thomas Hutton, San Diego Supercomputer Center

PUBLICATIONS CHAIR:
  Steve Welke, Institute for Defense Analyses

REGISTRATIONS CHAIR:
  Donna Leggett, Internet Society

PROGRAM COMMITTEE: [deleted for space]

SUBMISSIONS: The committee invites technical papers and panel proposals
for topics of technical and general interest.  Technical papers should
be 10-20 pages in length.  Panel proposals should be two pages and
should describe the topic, identify the panel chair, explain the format
of the panel, and list three to four potential panelists.  Technical
papers will appear in the proceedings.  A description of each panel will
appear in the proceedings, and may, at the discretion of the panel chair,
include written position statements from each panelist.

       Deadline for paper submission:      August 14, 1995

Submissions must be received by 14 August 1995.  Submissions should be made
via electronic mail.  Submissions may be in either of two formats:
PostScript or ASCII.  If the committee is unable to print a PostScript
submission, it will be returned and hardcopy requested.  Therefore,
PostScript submissions should arrive well before 14 August.  If electronic
submission is difficult, submissions should be sent via postal mail.

All submissions and program related correspondence (only) should be directed
to the program chair:

                  Clifford Neuman
                  University of Southern California
                  Information Sciences Institute
                  4676 Admiralty Way
                  Marina del Rey, California 90292-6695
                  Phone: +1 (310) 822-1511
                  FAX:   +1 (310) 823-6714
                  Email: [email protected]

Dates, final call for papers, advance program, and registration information
will be made available at the URL:   http://nii.isi.edu/info/sndss

 [Contact Clifford for further info.  This is a shortened announcement.
PGN]

------------------------------

Date: 24 March 1995 (LAST-MODIFIED)
From: [email protected]
Subject: Info on RISKS (comp.risks), contributions, subscriptions, FTP, etc.

The RISKS Forum is a moderated digest.  Its USENET equivalent is comp.risks.
Undigestifiers are available throughout the Internet, but not from RISKS.

SUBSCRIPTIONS: PLEASE read RISKS as a newsgroup (comp.risks or equivalent) on
your system, if possible and convenient for you.  BITNET folks may use a
LISTSERV (e.g., LISTSERV@UGA): SUBSCRIBE RISKS or UNSUBSCRIBE RISKS.  U.S.
users on .mil or .gov domains should contact <[email protected]>
(Dennis Rears <[email protected]>).  UK subscribers please contact
<[email protected]>.  Local redistribution services are
provided at many other sites as well.  Check FIRST with your local system or
netnews wizards.  If that does not work, THEN please send requests to
<[email protected]> (which is not yet automated).  SUBJECT: SUBSCRIBE
or UNSUBSCRIBE; text line (UN)SUBscribe RISKS [address to which RISKS is sent]

CONTRIBUTIONS: to [email protected], with appropriate, substantive Subject:
line, otherwise they may be ignored.  Must be relevant, sound, in good taste,
objective, cogent, coherent, concise, and nonrepetitious.  Diversity is
welcome, but not personal attacks.  PLEASE DO NOT INCLUDE ENTIRE PREVIOUS
MESSAGES in responses to them.  Contributions will not be ACKed; the load is
too great.  **PLEASE** include your name & legitimate Internet FROM: address,
especially from .UUCP and .BITNET folks.  Anonymized mail is not accepted.
ALL CONTRIBUTIONS CONSIDERED AS PERSONAL COMMENTS; USUAL DISCLAIMERS APPLY.
Relevant contributions may appear in the RISKS section of regular issues
of ACM SIGSOFT's SOFTWARE ENGINEERING NOTES, unless you state otherwise.
All other reuses of RISKS material should respect stated copyright notices,
and should cite the sources explicitly; as a courtesy, publications using
RISKS material should obtain permission from the contributors.

RISKS can also be read on the web at URL http://catless.ncl.ac.uk/Risks
  Individual issues can be accessed using a URL of the form
  http://catless.ncl.ac.uk/Risks/VL.IS.html
  (Please report any format errors to [email protected])

RISKS ARCHIVES: "ftp unix.sri.com<CR>login anonymous<CR>[YourNetAddress]<CR>
cd risks<CR> or cwd risks<CR>, depending on your particular FTP.
Issue J of volume 17 is in that directory: "get risks-17.J<CR>".  For issues
of earlier volumes, "get I/risks-I.J<CR>" (where I=1 to 16, J always TWO
digits) for Vol I Issue j.  Vol I summaries in J=00, in both main directory
and I subdirectory; "bye<CR>"  I and J are dummy variables here.  REMEMBER,
Unix is case sensitive; file names are lower-case only.  <CR>=CarriageReturn;
UNIX.SRI.COM = [128.18.30.66]; FTPs may differ; Unix prompts for username and
password.  Also ftp [email protected].  WAIS repository exists at
server.wais.com [192.216.46.98], with DB=RISK (E-mail [email protected] for info)
  or visit the web wais URL http://www.wais.com/ .
Management Analytics Searcher Services (1st item) under http://all.net:8080/
also contains RISKS search services, courtesy of Fred Cohen.  Use wisely.

------------------------------

End of RISKS-FORUM Digest 17.20
************************