Subject: RISKS DIGEST 17.81

Subject: RISKS DIGEST 17.81

RISKS-LIST: Risks-Forum Digest Thursday 29 February 1996 Volume 17 : Issue 81

FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

***** See last item for further information, disclaimers, etc. *****

Contents:
Risks of Leap Years and Dumb Digital Watches (Mark Brader)
Year 2000 problems, what about Feb 29??? (Earle F. Ake)
Happy Leap-Birthday! (Peter G. Neumann)
Faulty program gets one person shot, one roughed up (Tom Ritchford)
Rude bus stops / silent radios / unofficial broadcasts (Philip Overy)
Keyboard RISK [accidental deletion] (Eric Roode)
Trademarks in Cyberspace [such as newton.com] (Simson L. Garfinkel)
Electronic Banking conditions (Paul van Keep)
Re: Libel and censorship issues (Edwin Wiles)
Re: Indecent domain names (Chris Purdom)
Re: NYNEX Web and Web Robots (Russ Broomell)
Re: NYNEX and SurfWatch (Ann Duvall, David B. Slifka)
Re: Risks of year-2000 precautions (Amos Shapir, Dick Mills, RSRMadison)
ABRIDGED info on RISKS (comp.risks)

----------------------------------------------------------------------

Date: Thu, 29 Feb 96 06:38:31 EST
From: [email protected] (Mark Brader)
Subject: Risks of Leap Years and Dumb Digital Watches [quadrennial posting]

All right now, how many people reading this...
-> saw a previous appearance of this message in Risks 6.34 or 13.21,
-> have watches that need to be set back a day because they went
directly from February 28 to March 1,
-> and *hadn't realized it yet*?

Mark Brader, SoftQuad Inc., Toronto, [email protected]

------------------------------

Date: 29 Feb 1996 11:30:42 -0500
From: [email protected] (Earle F. Ake)
Subject: Year 2000 problems, what about Feb 29???

We are so worried about the year 2000 and what it will do to our
programs, we fail to realize that 29 Feb still causes headaches with
programs. We are running an older version of a mail package called em on
our unix systems. Seems em went nuts today trying to interpret the date Feb
29. I captured the output of a few commands and no, I have not just put in
the weird dates. This is what em gave me.

For those interested, "i" is used to get an index of mail messages,
"r" to normally read a message, "R" to head the message including the
headers, and "$" refers to the last message in the mailbox.

Script started on Thu Feb 29 10:17:47 1996
akee@wpdis01 (1)% em
ASCENT*Mail Version 2.3
(C) Copyright 1987, 1991 Control Data Corporation - All rights reserved
Portions (C) Copyright 1987 The Regents of the University of California

You have 58 messages (2 new).
Index of unread messages in standard mailbox:

> From: To: Date: Status: Tag: Subject: Lines:
57 HORNC AKEE 28 Feb 96 N This is interesting 30
58 rmorse akee 28 Feb 96 N date 2
END OF FILE - (q)uit, (b)ack, (h)elp
mail >>i 57-$
Index of messages in standard mailbox:

> From: To: Date: Status: Tag: Subject: Lines:
57 HORNC AKEE 1 May 131 N This is interesting 30
58 rmorse akee 1 May 131 N date 2

mail >>i57
Index of messages in standard mailbox:

> From: To: Date: Status: Tag: Subject: Lines:
57 HORNC AKEE 1 Jan 70 N This is interesting 30

mail >>i 57-$
Index of messages in standard mailbox:

> From: To: Date: Status: Tag: Subject: Lines:
57 HORNC AKEE 1 Jan 70 N This is interesting 30
58 rmorse akee 1 Jan 70 N date 2

mail >>i58
Index of messages in standard mailbox:

> From: To: Date: Status: Tag: Subject: Lines:
58 rmorse akee 1 Jan 70 N date 2

mail >>r58
Message 58

SENT BY : rmorse (Richard T. Morse S/A)
DATED : 10 Jan 1936 at 0802 GMT+196:16
SUBJECT : date
SENT TO : akee
STATUS : new, not read

Check out the date on this one!!!!
Richard

mail >>R58
Message 58

>From rmorse Thu Feb 29 10:03:07 1996
Date: Thu, 29 Feb 96 10:03:07 -0500
From: rmorse (Richard T. Morse S/A)
Subject: date
To: akee
Status: N

Check out the date on this one!!!!
Richard

mail >>x
Are you sure you want to exit?y
akee@wpdis01 (2)% exit
exit

script done on Thu Feb 29 10:19:23 1996

[The last segment has been reinserted into the ARCHIVE COPY,
for completeness. I departed from my usual habits and
deleted it from the original for space reasons, PGN]

So we have four different date interpretations for 29 Feb 1996. They are:
"28 Feb 96", "1 May 131", "10 Jan 1936", and "1 Jan 70". Actually another
one I saw but was unable to reproduce was "29 Dec 95"!

[Actually, Earle forgot to count 29 Feb 96! PGN]

Earle Ake, Hassler Communication Systems Technology, Inc. [email protected]
2332 Grange Hall Rd; Beavercreek, OH 45431-2345 513-427-9000 Based at WPAFB

------------------------------

Date: Thu, 29 Feb 96 07:59:07 PST
From: "Peter G. Neumann" <[email protected]>
Subject: Happy Leap-Birthday!

Frederick, apprenticed to a PIRATE instead of a PILOT in Gilbert and
Sullivan's *Pirates of Penzance*, would have had his thirty-fifth birthday
today. In the operetta, at the time he had lived for 21 years in 1877, he
was informed that his indentures were not over because he had not reached
his 21st birthday -- which he then figured out would occur in another 63
years, on 29 Feb 1940.

Frederick: "In 1940 I of age shall be.
I'll then return and claim you, I declare it."
Mabel: "It seems so long!"

(This was the operetta in which the Major General wanted to have his
Kate and Edith too. Pun by PGN, not W.S. Gilbert)

------------------------------

Date: Tue, 27 Feb 96 15:41:57 EST
From: [email protected] (Tom Ritchford)
Subject: Faulty program gets one person shot, one roughed up

>From *The New York Daily News*, Tuesday, February 27:

The Police Department's stolen-car computer system has brought grief to
still another motorist. Lester Luis, 23, of Elmhurst, Queens, said
yesterday he was roughed up and arrested Friday after cops pulled over his
car -- because the computer said it was stolen.

In a similar case two weeks ago, Lebert Folkes, 30, was shot in the face
by police who stopped him after the computer told them he was driving a
stolen car. Police later admitted they made a mistake. ...

Both cases involved cars that had been reported stolen -- but then
recovered without being cleared from a police computer that tracks stolen
vehicles.

The risks are obvious... no word yet on who's to blame. TR

Tom Ritchford [email protected], [email protected]

------------------------------

Date: Fri, 02 Feb 1996 12:09:43 +0000
From: [email protected] (Philip Overy)
Subject: Rude bus stops / silent radios / unofficial broadcasts

Hackers in the UK managed to amend the software of a talking bus stop- it
gives spoken information(as written information and display screens are
vandal-prone and useless to partially- sighted people). The talking bus
stops became quite abusive. The RISK is that when a drunk on the last bus
home hears a lot of swearing and you are the only other person in sight, you
might be assumed to be the source of the insults, and of course the
passengers might take the wrong bus or miss the last one - a passenger who
has been taken miles out of his way in bad weather can be a big risk for the
driver of a one-"man" bus. These risks can be exaggerated - the talking bus
stops I have come across work so rarely that any sound from them comes as a
surprise.

In the same vein, a car I once owned was fitted with a radio which
suppressed all hiss when there was no signal. It worked so well that I
didn't even know it was left switched on - the waveband it received seemed
to apply only to Japan or Korea. When I moved to Brighton, the radio
suddenly boomed into life and I nearly drove off the road in shock.

I also used to work for a telephone company. The salesmen spent a lot of
time in Singapore, where you could buy a highly-illegal hand-held radio
which could broadcast on the most popular BBC news channel ("Radio 4"). If
drivers annoyed him, the salesman would point the transmitter at the
offending car and could usually make a rude message come out of the driver's
car radio. In view of some of the cases of "road rage" we have had here, the
radio was probably more of a risk to its owner than to anyone receiving the
messages - if the listeners ever realised how the message got to their car
radio.

Phil Overy, RAL UK

------------------------------

Date: Wed, 28 Feb 1996 20:50:07 -0500 (EST)
From: Eric Roode <[email protected]>
Subject: Keyboard RISK [accidental deletion]

I had an interesting, if minor, accidental deletion today. Granted,
it turned out to be my fault, but it is instructive anyhow.

I came back to my PC, which had Windows for Workgroups 3.11 up, to find
it displaying a dialog box asking me to confirm the deletion of a program
icon. I clicked "no", then poked around and noticed that another program
icon (the DOS prompt) was missing.

Then I noticed a stack of papers that I had carelessly flopped onto my
desk, and, incidentally, onto the lower right corner of my keyboard. What
had apparently happened when I flopped the papers down was that the DEL key
had been hit, followed by the ENTER key, followed by the DEL key again. (On
nearly every PC keyboard made today, the DEL and ENTER keys appear in the
extreme lower-right corner).

The currently-selected icon had been the DOS prompt; Windows had
interpreted the DEL as my wanting to delete it, and the ENTER keystroke as
my having confirmed the deletion. It then selected the next icon, and
processed the DEL keystroke similarly.

The RISKs: First and foremost, having "yes" selected as the default
confirmation selection. Second, the position of the DEL/ENTER keys. Having
(relatively) powerful actions assigned to keys that are in easy-to-strike
positions is asking for problems.

Another anecdote along the lines of that latter RISK: I work in a
support group servicing several hundred users, a large portion of whom have
new Gateway computers. The Gateway keyboard has a nifty key remap facility:
you press the "REMAP" key, then press the key you wish to modify, then you
press the key you wish to assign to the first key. Sounds nifty until you
have to support it: the REMAP key is in the very upper-right corner, just
hanging out in the breeze, waiting for some unsuspecting user to tap it by
accident. Which happens several times a week.

------------------------------

Date: Wed, 28 Feb 1996 11:25:57 -0500
From: [email protected] (Simson L. Garfinkel)
Subject: Trademarks in Cyberspace [such as newton.com]

[Based in part on my article which appeared in the *San Jose Mercury News*,
26 Feb 1996, with additions. SLG]

TRADEMARKS IN CYBERSPACE

Over the past year, the Internet has been struggling with the role
trademark law should play in cyberspace. The problem is that while Apple
Computer Inc. might want a name like newton.com for a Web site to help
promote its Newton personal digital assistant computer, Nabisco might want
newton.com to advertise its Fig Newtons.

Complicating the matter still is Mark Newton, a computer enthusiast in
Brighton, Mich., who runs a bulletin board called the Newtonian BBS. Newton
obtained the domain name newton.com in April 1994.

For years, Internet domains were registered on a first-come, first-serve
basis. Last summer, Network Solutions Inc., the company that runs the
InterNIC, decided to change the policy.

The InterNIC rules are complicated. But they work roughly as follows,
according to David Graves, NSI's business manager:

A person or company can register any domain name not already taken. But if
another person or company then says it holds a ''valid and existing
trademark that is identical'' to that domain name, and if the trademark was
registered before the domain name was awarded, the party holding the
trademark has the right to get that name. The party that registered the
domain name first then has the right to prove that it also has a federal
trademark on the name.

Assuming the party that registered the domain doesn't hold the federal
trademark, NSI gives that person or company ''the ability to register a
different name, and will give them 90 days of simultaneous use. The purpose
for that is to give them the opportunity,'' to migrate to the new name,
said Graves.

In the case of newton.com, both Newton and his Internet service provider,
Innovative Concepts of Ann Arbor, Mich., say they have been contacted by
Apple, which has threatened a lawsuit unless they relinquish the name.

''I haven't done anything wrong,'' Newton said. ''Do I need to trademark my
last name to use it?''

Apparently so. Under Network Solution's policy, Mark Newton's newton.com
domain has been turned off until the dispute is resolved. That's left more
than 300 people who were using newton.com stranded without a domain, says
Mr. Newton. So he's looking for people who can help him fight the billion
dollar company. He says that any lawyer interested in helping---especially
an attorney who specializes in intellectual property---should send him mail
at [email protected]. Don't send mail to [email protected], says Mr. Newton,
because it doesn't work.

Newton points out that Apple doesn't really need the newton.com , because
the company is already using newton.apple.com.

Apple never comments on threatened lawsuits, said Lynne Keast, a company
representative.

------------------------------

Date: 29 Feb 96 09:35:00 EST
From: "[email protected] (Paul van Keep)" <[email protected]>
Subject: Electronic Banking conditions

Just last week I applied for the new Abn-Amro (a very large Dutch bank)
OfficeNet Electronic Banking product. The general conditions that come with
the product are worth a mention here. I've tried to make a reasonable
translation of the pertinent parts of the liability clause. (BTW. this is a
business product, not for private banking)

"9 Liability

9.1 Bank agrees to ensure complete and secure EB (Electronic Banking; pvk) to
the best of its powers.

9.2 Bank is not to be hel liable for any damage whatsoever incurred by Client,
Bank and/or third parties c.q. Client absolves Bank of claims from third
parties pertaining to:
-...(passing software on to third parties)
-...(misuse or abuse of security measures)
- not, not timely, not correctly and/or not completely functioning of EB, the
Software and/or the EB-Server, unless and in as much as damage is attributable
to malicious intent or gross error by Bank. ... (disclaimer for changing of
software or running software on a PC-platform other than specified by Bank)

The risks? How well has this software been tested? How reliable is it? What
are the incentives for the bank to ensure the reliability and security of the
software if they can never be blamed for errors?
The 'PC-platform' thing is another strange one. No platform has been specified
in the general conditions or any accompanying form or contract. The sales
documentation states using MS-Dos 3.3 (or higher). This would invalidate using
the software on a Unix system, Windows, NT, OS/2, even IBM-Dos.

Paul van Keep ([email protected])

------------------------------

Date: Tue, 27 Feb 1996 16:23:27 -0500 (EST)
From: Edwin Wiles <[email protected]>
Subject: Re: Libel and censorship issues (Ebright, RISKS-17.77)

> But if you don't go there, they can't do anything to you :)

I believe that Airbus Industries is based out of France.

I also believe that France has an extradition treaty with the U.S.

Given those two points, "they" certainly CAN do things to you, such
as charging you with libel under their laws, and asking to have you
extradited so that they can prosecute you for your crimes.

At that point, I think it would be up to the government agency
handling extraditions to decide whether or not they are going to
proceed. In cases involving "individual vs individual", I suspect
that the government agencies are unlikely to act. Simply because of
the effort involved in such a request.

However, in the case of a semi-governmental entity, like Airbus, such
a request for extradition of an individual might well be carried through.

While I feel for the individual so charged, the actual prosecution of
such a case would be an incredible precedent setter the internet.

If the case were dismissed due to the fact that the supposed offense
originated in a foreign country, and therefore the laws of that country
apply, it would be a large step towards creating a network for global
free expression.

If the case were carried to the limit, and the decision went against
the individual, it would be a horrid precedent that the tightest laws
in the world control what you can and cannot prudently say on the network.

Edwin Wiles | Sterling Software, Inc. ITD | McLean, VA, USA
Preferred..: [email protected] [email protected]

------------------------------

Date: Tue, 27 Feb 1996 13:58:09 -0500 (EST)
From: Chris Purdom <[email protected]>
Subject: Re: Indecent domain names

Akin to the "xxx" in NYNEX's URL's, but much worse if the CDA survives,
there are domain names with "indecent" words in them which do not actually
have any obviously indecent material on them. Merely by providing a link to
these pages you will be causing most web browsers to display the indecent
words when the user moves the mouse over the hypertext link.

Chris Purdom phone:610-993-1134
Development Team Leader e-mail: [email protected]
Tangram Enterprise Solutions homepage: http://www.tesi.com/~cpurdom/

------------------------------

Date: Wed, 28 Feb 96 08:48 EST
From: "Broomell, Russ" <MARKETING/MARKETING/RUSS%[email protected]>
Subject: Re: NYNEX Web and Web Robots

Our earlier discussion about web robots' troublesome habits came back to me
when I read about the name of a NYNEX web page dealing with ISDN access
which contained the letters XXX. While SurfWatch and other programs might
block this, NYNEX may have done some clever marketing.

ISDN is very useful to people who download large files (maybe naughty
pictures?) from internet sites. By putting XXX in the HTML code of their
page (i.e. in one of the links), NYNEX would get their ISDN page to be
located by web robots searching for "XXX" - and would address this market
segment. Either a clever marketing ploy or an accidental misfortune.

------------------------------

Date: Wed, 28 Feb 1996 18:15:16 -0800
From: [email protected] (Ann Duvall)
Subject: Re: NYNEX and SurfWatch (Slifka, RISKS-17.80)

> ... SurfWatch, deftly noting the "xxx," decided I was trying to
> access something naughty and blocked the page.

SurfWatch responded to the e-mail by immediately unblocking all blocked
NYNEX locations. As a company, we are trying to provide tools for parents
and teachers to help them choose what they want to see on the Internet. We
have found, in our surfing, that sites with "XXX" in the URL almost always
contain sexually explicit material. In fact, many Adult content providers
have used the "XXX" as a tag to indicate adult-only material. Therefore, we
block those sites. In some cases when we have explained this to webmasters,
they have quickly changed their URL addresses, but we are also willing to
unblock individual pages if the address change is not appropriate.

SurfWatch continues to work to keep the Internet an open and free place for
people to communicate and exchange ideas. We believe that software such as
SurfWatch provides an alternative to Internet censorship by empowering
individuals to make choices.

Ann W. Duvall, President, SurfWatch Software, 105 Fremont Ave Suite F,
Los Altos, CA 94022 [email protected] 415-948-9500 415-948-9577 (FAX)

------------------------------

Date: Thu, 29 Feb 96 12:15:09 EST
From: [email protected] (David B. Slifka)
Subject: Re: NYNEX and SurfWatch (Duvall, RISKS-17.81)

I received a very nice letter today from Ann Duvall, president of SurfWatch
Software, in response to my submission to RISKS 17.80. She explained the
company's (understandable) rationale that most pages with "xxx" in their
name do contain "sexually explicit material," as I had guessed. She also
informed me that NYNEX's site is now exempted from SurfWatch restrictions,
in order to resolve this particular instance of the conflict.

In the area of software company responses to user complaints, this is
certainly top-notch. I somehow can't picture Bill Gates writing to people
who post to RISKS about Microsoft products, much less seeing that the issues
they mention are resolved. :-)

David

------------------------------

Date: Thu, 29 Feb 1996 11:26:52 GMT
From: [email protected] (Amos Shapir)
Subject: Re: Risks of year-2000 precautions (Brader, RISKS-17.80)

Mark's scenario is avoidable, if we, the experts, do our best to make sure
the public is aware of one fact: That the worst that can happen at the
consumer level, is slower processing for a while; no data -- and more
important, no customer money -- will be lost, and all miscalculations could
be backtracked and amended later.

Amos Shapir, nSOF Parallel Software, Ltd., Givat-Hashlosha 48800, Israel
[email protected] Tel: +972 3 9388551 Fax: +972 3 9388552

------------------------------

Date: Wed, 28 Feb 1996 21:24:00 -0500
From: [email protected] (Dick Mills)
Subject: Re: Risks of year-2000 precautions (Brader, RISKS-17.80)

If one exaggerates a little bit on Mark's theme, we are discussing the end
of civiliation caused by the turn of the millennium. It reminds me of Isaac
Asimov's classic story; "Nightfall".

This is a particular risk I don't recall having seen before in Risks. i.e.
The event so infrequent, that no matter how predictable it is, or how
much advance warning we have, society never does prepare to deal with it.

Is it a flaw in our risk perception where we incorrectly equate
infrequent==unlikely or infrequent==insignificant?

Dick Mills +1(518)395-5154 http://www.pti-us.com
AKA [email protected] http://www.albany.net/~dmills

------------------------------

Date: Thu, 29 Feb 1996 11:31:32 -0500
From: [email protected]
Subject: Re: Risks of year-2000 precautions (Russell, RISKS-17.80)

In his book "A Mathematician Reads the Newspaper" (BasicBooks, 1995, hc,
ISBN 0-465-04362-3, 203 pages), John Allen Paulos has a chapter entitled
"Researchers Look to Local News for Trends". In it, he mentions Robert Louis
Stevenson's story, "The Imp in the Bottle". Here's what he says:

The story is about "a genie in a bottle who will satisfy your every wish for
love, money, and power. You can buy this amazing bottle for any amount that
you care to offer. The only constraint is that when you are finished with
the bottle, you must sell it for less than what you paid for it. If you
don't sell it to someone for a lower price, you will lose everything and
suffer everlasting torment in hell. What would you pay for such a bottle?

"Certainly you won't pay 1 cent for it because then you won't be able to
sell it for a lower price. You won't pay 2 cents for it either, since no one
will buy it from you for 1 cent for the same reason. Neither will you pay 3
cents for it; the person to whom you would have to sell it for 2 cents
wouldn't be able to sell it for 1 cent. A similar argument applies to a
price of 4 cents, 5 cents, 6 cents, and so on. Mathematical induction can be
used to formalize this argument, which proves conclusively that you
shouldn't buy this magic bottle for any amount of money. Yet you would
almost certainly buy it for $1,000. I know I would. At what point does the
argument against buying the bottle become practically convincing?"

Sounds like we should all withdraw our savings NOW!! But we won't, because we
trust everyone else in the world to behave just as irrationally as we do.

Readers of the Risks forum will particularly appreciate Paulos's chapter
"Ranking Health Risks: Experts and Laymen Differ", but really the whole book
is well worth checking out.

------------------------------

Date: 27 February 1996 (LAST-MODIFIED)
From: [email protected]
Subject: ABRIDGED info on RISKS (comp.risks)

The RISKS Forum is a moderated digest. Its USENET equivalent is comp.risks.
SUBSCRIPTIONS: PLEASE read RISKS as a newsgroup (comp.risks or equivalent) on
your system, if possible and convenient for you. BITNET folks may use a
LISTSERV (e.g., LISTSERV@UGA): SUBSCRIBE RISKS or UNSUBSCRIBE RISKS. [...]
DIRECT REQUESTS to <[email protected]> (majordomo) with one-line,
SUBSCRIBE (or UNSUBSCRIBE) [with net address if different from FROM:]
INFO [for unabridged version of RISKS information]

CONTRIBUTIONS: to [email protected], with appropriate, substantive Subject:
line, otherwise they may be ignored. Must be relevant, sound, in good taste,
objective, cogent, coherent, concise, nonrepetitious, and without caveats
on distribution. Diversity is welcome, but not personal attacks. [...]
ALL CONTRIBUTIONS CONSIDERED AS PERSONAL COMMENTS; USUAL DISCLAIMERS APPLY.
By submitting an item that is accepted for publication in RISKS, the author
grants permission for unlimited noncommercial public distribution and
redistribution in electronic and print form. Relevant contributions may
appear in the RISKS section of regular issues of ACM SIGSOFT Software
Engineering Notes or SIGSAC Review.

RISKS can also be read on the web at URL http://catless.ncl.ac.uk/Risks

RISKS ARCHIVES: "ftp ftp.sri.com<CR>login anonymous<CR>[YourNetAddress]<CR>
cd risks<CR> or cwd risks<CR>, depending on your particular FTP. [...]
[Back issues are in the subdirectory corresponding to the volume number.]
Individual issues can be accessed using a URL of the form
http://catless.ncl.ac.uk/Risks/VL.IS.html [i.e., VoLume, ISsue]
ftp://ftp.sri.com/risks

PRIVACY: For info on the PRIVACY Forum Digest and Computer PRIVACY Digest,
see the unabridged INFO file at RISKS-Request (send one-line message INFO
to [email protected] as noted above).

------------------------------

End of RISKS-FORUM Digest 17.81
************************