Subject: RISKS DIGEST 17.82

RISKS-LIST: Risks-Forum Digest  Friday 1 March 1996  Volume 17 : Issue 82

  FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
  ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

***** See last item for further information, disclaimers, etc.       *****

 Contents:
Dominican Republic 757 crash (PGN)
Software backdoor on the news (John Liptak)
Re: Happy Leap-Birthday! (PGN)
A major OS leap year glitch (Warren R Carithers)
Arizona lottery blottery on 29 Feb 1996 (Jot Powers)
Leap-day not insurable (Alan Hamilton)
Time Bomb Still Ticking For Year 2000 (Edupage via Monty Solomon)
Japanese credit cards and the year 2000 (Chiaki Ishikawa)
Re: Year 2000 banking disasters (Steve Elliott)
Re: Risks of year-2000 precautions (Barry Mulligan)
Positive feedback and the law of averages (John Light)
Re: Risks of year-2000 precautions (L. P. Levine)
Year-2000 question on defensive software tools (Gretchen Herbkersman)
Incorrect ATM menus (Jimmy Aitken)
Online Cyberlaw Workshop (Dick Moores)
ABRIDGED info on RISKS (comp.risks)

----------------------------------------------------------------------

Date: Fri, 1 Mar 96 7:51:09 PST
From: "Peter G. Neumann" <[email protected]>
Subject: Dominican Republic 757 crash

Investigators have concluded their analysis of the 6 Feb 1996 Boeing 757
flight that ended in the ocean, killing all 189 people aboard.  The disaster
was apparently due to a faulty velocity indicator that misled pilots,
leading them to believe that their speed was adequate when they were flying
at 7000 feet.

------------------------------

Date: Thu, 29 Feb 1996 11:34:30 -0700
From: John Liptak <[email protected]>
Subject: Software backdoor on the news

The Denver area's new car-emission testing program was spotlighted on the
local TV news.

It seems that given the two passcodes 00010 and E35E, the computerized
system will pass any car regardless of the emissions results.

Disciplinary action has been taken against the people involved, including
the two people who reported the abuse.

John Liptak, U S WEST Communications, 931 14TH Street, Denver, Colorado 80202
WK (303) 624-0140  PG (303) 820-9284  [email protected]  [email protected]

  [Is this a case of shooting the emissionger?  PGN]

------------------------------

Date: Fri, 1 Mar 96 7:59:18 PST
From: "Peter G. Neumann" <[email protected]>
Subject: Re: Happy Leap-Birthday! (PGN, RISKS-17.81)

Some of you
 [email protected] (Robert Herndon)
 "George C. Kaplan" <[email protected]>
 Rich Wales <[email protected]>
 "Clive D.W. Feather" <[email protected]>
noted the flaky calculations of Pirate Frederick, because of the
leap year in 1900.

What we know for sure is that Frederick, when confronted by the Pirate King
with the news that he had not actually reached his 21st birthday and
therefore could not be freed from his indentures, calculated that he would
have his 21st birthday in 1940.  I cited the libretto in RISKS-17.81.

The first performances of *Pirates* were at the end of 1879.  The official
opening was in New York at the Fifth Avenue Theatre on 31 Dec 1879, with a
sneak preview at the Royal Bijou in Paignton, Devonshire, the night before
(which had been postponed by one day; perhaps W.S. Gilbert had desired to
have the sneak preview on *29* December!).

I presume that Gilbert did the calculation on Frederick's behalf, and did
*not* know about the 1900 anomaly.  I also presume that Frederick did not
know about the 1900 anomaly, because he had been brought up by his nursemaid
Ruth and the pirates mostly at sea.  On the other hand, the pirates were not
really pirates, but rather noblemen who had gone wrong (as we discover in
Act Two), in which case they probably wouldn't have known anyway.

If we assume that Gilbert and Frederick both did not know about the 1900
anomaly, then Frederick must have been born in 1856.  If, on the other hand,
Gilbert endowed Frederick with modern algorithmic powers, then perhaps
Frederick was indeed born in 1852.  I doubt it very much.

However, I have spent so much time lately correcting folks who think 2000 is
NOT a leap year (including one would-be contribution that warned about all
the folks who seem to think 2000 *is* a leap year) that I neglected to
remark on the 1900 glitch.

Incidentally, Clive also noted Isaac Asimov's *Black Widowers* story, which
raises the 1856/1900/1940 question and the fact that *Pirates* might not
actually be set in 1877, the year that *H.M.S.Pinafore* was written.  Asimov
seems to have thought of *everything* long before everyone else, but I still
suspect Gilbert did not know about, or simply ignored, the 1900 glitch.
  [Typo in 1856 corrected in Archive.  PGN]
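The 1856/1852/1940 arithmetic above, carried through under both leap-year rules, as an added example that is not part of PGN's post; the rule names, the function names and the `date`-based cross-check are this example's own:

```python
from datetime import date

# Two leap-year rules: the "every fourth year" rule the post presumes Gilbert
# used, and the Gregorian rule, under which 1900 is not a leap year but 2000 is.


def is_leap_every4(year: int) -> bool:
    """Naive rule: every year divisible by 4 has a 29 February."""
    return year % 4 == 0


def is_leap_gregorian(year: int) -> bool:
    """Gregorian rule: divisible by 4, except century years not divisible by 400."""
    return year % 4 == 0 and (year % 100 != 0 or year % 400 == 0)


def calendar_has_feb29(year: int) -> bool:
    """Cross-check against the standard library's (Gregorian) calendar."""
    try:
        date(year, 2, 29)
        return True
    except ValueError:
        return False


def nth_leap_birthday(birth_year: int, n: int, is_leap) -> int:
    """Year of the n-th 29 February after a 29-February birth in birth_year."""
    if not is_leap(birth_year):
        raise ValueError(f"{birth_year} has no 29 February under this rule")
    year, count = birth_year, 0
    while count < n:
        year += 1
        if is_leap(year):
            count += 1
    return year


def birth_year_for(nth_birthday_year: int, n: int, is_leap) -> int:
    """Inverse: the 29-February birth year whose n-th leap birthday falls in nth_birthday_year."""
    if not is_leap(nth_birthday_year):
        raise ValueError(f"{nth_birthday_year} has no 29 February under this rule")
    year, count = nth_birthday_year, 1  # the given year supplies the n-th leap day itself
    while count < n:
        year -= 1
        if is_leap(year):
            count += 1
    year -= 1  # the birth year is the leap year before the first birthday
    while not is_leap(year):
        year -= 1
    return year


if __name__ == "__main__":
    for name, rule in (("every-4th-year", is_leap_every4), ("Gregorian", is_leap_gregorian)):
        born = birth_year_for(1940, 21, rule)
        print(f"{name}: 21st leap birthday in 1940 -> born 29 Feb {born}; "
              f"born 29 Feb 1856 -> 21st leap birthday in {nth_leap_birthday(1856, 21, rule)}")
```

Under the every-fourth-year rule a 1940 coming-of-age puts the birth in 1856; under the Gregorian rule the skipped 1900 pushes it back to 1852, and an 1856 birth would not reach its 21st leap birthday until 1944.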

------------------------------

Date: Fri, 1 Mar 1996 13:06:07 -0500 (EST)
From: Warren R Carithers <[email protected]>
Subject: A major OS leap year glitch

We received the following announcement from our Institute computer center
(ISC) regarding the operating system on many of their computers (names of
individuals and systems, and phone numbers, elided):

> Date: Thu, 29 Feb 1996 13:26:19 -0400 (EDT)
> From: xxxxxx
> Subject: FYI... an oops on the part of DEC and OSF
>
> 29-Feb-1996 - Digital UNIX/DCE leap year bug
>
> ISC's UNIX computing systems have encountered a severe bug in the
> operating system.  The bug prevents DCE from functioning at all between
> February 29th and March 31st during a leap year.  To allow our DCE
> systems to continue functioning, the date on all of ISC's system has
> been set to April 1st.
>
> This affects the following systems:
>
>    ...
>
> and the following services:
>
>    Web Server, Listserver, Dial-IP, News Server
>
> Digital is working very hard to correct this problem as it affects all
> of their DCE customers.  As soon as Digital has a solution it will be
> installed and the date will be returned to normal on these systems.
>
> Please contact the ISC HelpDesk at nnn-nnnn voice or nnn-nnnn v/tty,
> stop by our office in Ross room A291, or use ASK Information Systems and
> Computing for questions or concerns.

True to the message, the system date on the affected systems continues to
be one month ahead (today, for instance, is April 2, 1996 according to
these systems).

One wonders exactly how an extra day in February causes the loss of an
entire month in this particular OS....  In any event, there will be many
unexpected side-effects of this glitch; at a minimum, once the bug is
corrected and the date can be restored, software which examines timestamps
such as modification dates on files may be in for an interesting few weeks.

Warren R. Carithers, RIT Dept. of Computer Science, Rochester NY 14623-5608
[email protected], [email protected]  (716) 475-2288  http://www.cs.rit.edu/~wrc/

------------------------------

Date: Fri, 1 Mar 1996 12:37:50 -0700 (MST)
From: [email protected] (Jot Powers)
Subject: Arizona lottery blottery on 29 Feb 1996

[A little bit of background:  Here in Arizona, about 6 months ago
they changed vendors for the machines for the state lottery.  Evidently
this company bid lower, and would require 1 fewer keypress per ticket
sale.  The initial install was a debacle, with roughly 40% of the machines
not being brought on-line in time because of communications problems
and weather problems at the time.  And so the saga continues...]

Machines refuse to recognize 29 Feb 1996 (*Arizona Republic*, 1 Mar 1996)
    [typo on the first 1996 corrected in ARCHIVE COPY.  PGN]

 Chuck Brooke, executive vice president of AWI's [the lottery machine
 vendor] Phoenix office, said the glitch was the result of an error made by
 the corporation's software designers in Hackensack, N.J.  The leap-year
 glitch did not affect AWI's other state lottery clients in Delaware,
 Florida, Michigan, Minnesota, Pennsylvania, South Dakota and Washington
 state, he said.

It is estimated that roughly 60,000 people were unable to purchase tickets.
This only affected the Fantasy 5, and not Powerball, Lotto and the
Scratchers tickets.

I never buy lottery tickets anyway, but I wouldn't plan on buying any at
the end of 1999.  ;)

  [Why not?  It might be the best gamble of all!  PGN]

Jot Powers  Unix System Administrator, Medtronic Micro-Rel  (602) 929-5418
[email protected]

------------------------------

Date: Thu, 29 Feb 1996 21:30:19 -0700
From: Alan Hamilton <[email protected]>
Subject: Leap-day not insurable

Another leap-day bug....
I was shopping for a new auto insurance policy today, and found one I
liked.  When I went to the agent's office, though, he told me that he
couldn't write a one year policy.  The computer that sets up the policies
adds one to the year to get the expiration date.  A policy written on Feb.
29, 1996 would expire at 12:01am Feb. 29, 1997.  Uh oh.  He set my policy
up to start March 1, and I'll keep my old policy for one more day.

Alan Hamilton   [email protected]
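The "add one to the year" failure described above, beside a version that handles a 29 February start, as an added example that is not part of the post; the "clamp" and "roll" conventions are assumptions for illustration, not any insurer's actual rule:

```python
from datetime import date


def naive_expiry(start: date, years: int = 1) -> date:
    """What the agent's system apparently does: bump the year, keep month and day."""
    return date(start.year + years, start.month, start.day)


def naive_expiry_fails(start: date, years: int = 1) -> bool:
    """True when the naive rule lands on a date that does not exist."""
    try:
        naive_expiry(start, years)
        return False
    except ValueError:
        return True


def add_years(start: date, years: int, feb29_policy: str = "clamp") -> date:
    """Add whole years to a date.

    A 29 February start whose target year has no 29 February is mapped by
    feb29_policy: "clamp" -> 28 February, "roll" -> 1 March.  Both are assumed
    conventions for this example.
    """
    target_year = start.year + years
    try:
        return start.replace(year=target_year)
    except ValueError:
        # Only 29 February can fail here.
        if feb29_policy == "clamp":
            return date(target_year, 2, 28)
        if feb29_policy == "roll":
            return date(target_year, 3, 1)
        raise ValueError(f"unknown feb29_policy {feb29_policy!r}")


def results_for(year: int, month: int, day: int, years: int = 1) -> dict:
    """Summarise both rules for one start date (ISO strings, for easy checking)."""
    start = date(year, month, day)
    return {
        "naive_fails": naive_expiry_fails(start, years),
        "clamp": add_years(start, years, "clamp").isoformat(),
        "roll": add_years(start, years, "roll").isoformat(),
    }


if __name__ == "__main__":
    print("policy written 29 Feb 1996, one year:", results_for(1996, 2, 29))
    print("policy written 29 Feb 1996, four years:", results_for(1996, 2, 29, years=4))
    print("policy written 1 Mar 1996, one year:", results_for(1996, 3, 1))
```

The naive rule only breaks for a 29 February start whose target year is not a leap year; a four-year term from 29 Feb 1996 lands on 29 Feb 2000 and is fine under either rule.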

------------------------------

Date: Fri, 1 Mar 1996 08:24:37 -0500
From: Monty Solomon <[email protected]>
Subject: Time Bomb Still Ticking For Year 2000 (Edupage, 15 Feb 1996)

The Gartner Group predicts that half of all companies affected by the year
2000 date field problem will still be unprepared when the fateful day
arrives.  "A lot of companies are like deer frozen in the headlights of a
big truck coming right at them," says a Gartner analyst.  Some industry
experts estimate the cost of fixing the problem at $40 million per large
corporation, with the global price tag pegged at $400 billion to $600
billion.  Many corporations are wondering if their old systems are worth all
the trouble: "Do we just fix the millennium bug, or should we take this as
an opportunity to put in some new systems?" asks one CIO.  (Information Week
5 Feb 1996, p30)

------------------------------

Date: Fri, 1 Mar 1996 19:37:12 +0900 (JST)
From: Chiaki Ishikawa <[email protected]>
Subject: Japanese credit cards and the year 2000

Japanese newspaper Asahi-shimbun had a large news article concerning the
year 2000 and computer programs.  From the article, I learned that many
Japanese offices of credit card companies are now refusing to issue credit
cards whose expiration date is later than December 1999. (I didn't know
this. A clever interim solution, I have to agree.)  They are trying to
upgrade all the verification devices(?) at cooperating stores before issuing
such cards.

I also got the impression that the biggest problem is who is going to pay
for the upgrade of such machines.

Chiaki Ishikawa,     Personal Media Corp.     Shinagawa, Tokyo, Japan 142
[email protected]

------------------------------

Date: Fri, 1 Mar 1996 15:32:28 +-1100
From: Steve Elliott <[email protected]>
Subject: Re: Year 2000 banking disasters

At 1500 31Dec99 I plan to send all of my money from my Sydney bank to my
London bank where it will arrive at 0400 31Dec99.

At 1500 31Dec99 I will instruct my London bank to send all of my money
to my New York bank where it will arrive at 1000 31Dec99.

At 1500 31Dec99 I will instruct my New York bank to send all of my money
to my Sydney bank where it will arrive at 0700 1Jan00.

My money will therefore be out of Sydney from 1500 31Dec99 .. 0700
01Jan00, in London from 0400 .. 1500 31Dec99, in New York from 1000 ..
1500 31Dec99 and NOWHERE from 2359 31Dec99 .. 0001 01Jan00.

The risks?  I may get so drunk celebrating the new year that I am incapable
of signalling my London and New York banks to make the transfers!

Steve Elliott, NORESE Pty. Ltd.  4, Glassop St. Balmain NSW 2041 Australia
+61 (41) 12 608 12  [email protected]  Home: www.world.net/~selliott
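The three transfers above, worked through as UTC instants rendered on each bank's local clock, as an added example that is not part of the post. It assumes the fixed offsets in force on 31 Dec 1999 (Sydney on AEDT, UTC+11; London on GMT; New York on EST, UTC-5) and, as the post does, instantaneous transfers; it also reports which bank holds the funds when each city's own clock strikes midnight:

```python
from datetime import datetime, timedelta, timezone

# Fixed UTC offsets assumed for 31 Dec 1999; fixed offsets keep the example
# independent of the system's time-zone database.
ZONES = {
    "Sydney": timezone(timedelta(hours=11), "AEDT"),
    "London": timezone(timedelta(hours=0), "GMT"),
    "New York": timezone(timedelta(hours=-5), "EST"),
}

# The post's three legs, each sent at 1500 local time on 31 Dec 1999.
LEGS = [("Sydney", "London"), ("London", "New York"), ("New York", "Sydney")]


def local(zone, year, month, day, hour, minute):
    """A wall-clock time in `zone`, as a timezone-aware datetime."""
    return datetime(year, month, day, hour, minute, tzinfo=ZONES[zone])


def arrival(sent, dest):
    """The same instant read off the destination bank's clock (instantaneous transfer)."""
    return sent.astimezone(ZONES[dest])


def itinerary():
    """[(destination, local arrival as 'HHMM DDMonYY'), ...] for the three legs."""
    out = []
    for src, dst in LEGS:
        sent = local(src, 1999, 12, 31, 15, 0)
        out.append((dst, arrival(sent, dst).strftime("%H%M %d%b%y")))
    return out


def custodian_at(instant):
    """Which bank holds the funds at `instant`, following the legs in order."""
    holder = "Sydney"
    for src, dst in LEGS:
        if instant < local(src, 1999, 12, 31, 15, 0):
            return holder
        holder = dst
    return holder


def custodian_at_local_midnight():
    """Which bank holds the funds when each city's own clock shows 0000 on 1 Jan 2000."""
    return {city: custodian_at(local(city, 2000, 1, 1, 0, 0)) for city in ZONES}


if __name__ == "__main__":
    for dst, when in itinerary():
        print(f"arrives {dst:9s} at {when}")
    print(custodian_at_local_midnight())
```

Comparing aware datetimes compares the underlying instants, so the custody check works regardless of which local clock each timestamp was written in; that is the habit that keeps multi-site logs and schedules consistent.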

------------------------------

Date: Fri, 01 Mar 1996 01:09:17 -0600 (CDT)
From: [email protected]
Subject: Re: Risks of year-2000 precautions (Mills, RISKS-17.81)

> Is it a flaw in our risk perception where we incorrectly equate
> infrequent==unlikely or infrequent==insignificant?

Perhaps the options should include:  c) infrequent==I'll take care of that
later; and  d) infrequent==It will be someone else's problem.

Having been through the turn of the century problem once already (the 19th
century), I've watched the discussions with a certain bemusement. In the
early 70's I inherited a system with several accounts that were in arrears
since 1895. The key program subtracted the original date from the current
one and tried to calculate interest for -24 years.

As might be imagined, it was a government system. A legal fight had been
abandoned by both sides, but no one was prepared to write off the charges
without a final court decision. The clerks had been dutifully copying the
items from ledger to ledger for 75 years.

I applied option (d) and patched around the affected accounts, leaving the
proper resolution to _my_ successor. Since then I've applied option (c) more
often than I'd like to admit. Even though I knew better, human nature is perhaps
the biggest risk of all.

barry
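The two-digit subtraction that yielded "-24 years" above, beside a full-year version that rejects the impossible negative span, as an added example that is not part of the post; the sliding-window expansion is a common Y2K stopgap included here for contrast, not something the post describes:

```python
def two_digit(year):
    """Store a year in two digits, as the ledger program's records did."""
    return year % 100


def years_in_arrears_naive(original_yy, current_yy):
    """The inherited program's arithmetic: subtract one two-digit year from another."""
    return current_yy - original_yy


def years_in_arrears(original_year, current_year):
    """Same calculation on four-digit years, refusing a negative span."""
    span = current_year - original_year
    if span < 0:
        raise ValueError(f"original date {original_year} is after current date {current_year}")
    return span


def expand_two_digit(yy, pivot=1950):
    """Sliding-window expansion (assumed stopgap): map 00-99 onto [pivot, pivot+99]."""
    year = (pivot - pivot % 100) + yy
    return year + 100 if year < pivot else year


def simple_interest(principal, rate, years):
    """Simple interest; the naive program fed a negative year span into this."""
    return principal * rate * years


if __name__ == "__main__":
    # An account in arrears since 1895, examined in 1971.
    naive = years_in_arrears_naive(two_digit(1895), two_digit(1971))
    print("two-digit arithmetic:", naive, "years ->", simple_interest(1000.0, 0.05, naive))
    print("four-digit arithmetic:", years_in_arrears(1895, 1971), "years")
    print("window expands 95 to", expand_two_digit(95), "(an 1895 record cannot be recovered)")
```

A window only moves the problem: any record more than a century old maps to the wrong year no matter where the pivot sits, which is why the fix is to carry the full year.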

------------------------------

Date: Thu, 29 Feb 96 13:08:00 PST
From: John Light <[email protected]>
Subject: Positive feedback and the law of averages (Re: Brader, RISKS-17.80)

Mark Brader's article "Risks of year-2000 precautions" (RISKS-17.80) is a
specific case of a risk that is growing every day.

During a typical day we count on the law of averages treating us reasonably
well.  For example, not everybody will choose to eat at the restaurant you
go to for lunch today.  Not everyone will take a sidetrip on the freeway you
commute on today.  Not everyone will access your favorite web site when you
want to use it.

Only recently has news about local events been so readily and quickly
available that the law of averages may fail to be a friend.  A review of a
luncheon special at your restaurant on the net at 10 a.m. could mean that
half your town decides to go there for lunch.  A mention at 4 p.m. of a
store giveaway off your freeway may send half the city on the freeway you
need.  And a positive review in a magazine of your favorite website may send
millions of people to it over a week's time, making it useless to you.

As our access to timely news about specific future events grows, along with
our improving mobility in real and cyber space to take advantage of them, we
may be overcome with instant, temporary fads that sweep across the landscape
like tsunamis.  People who are listened to (e.g., Dyson) will have to be
very careful what they say for fear of the effect.  In the worst case of the
frenzy chasing ephemeral fads, people may die (in collisions and crushes),
so self-censorship will become the norm.

The engineering principle of positive feedback can be applied to the time
constants involved to predict this risk.  And the more tied into cyberspace
we all are, the worse it can get.  (Of course, this has been covered in the
Science Fiction literature, but I can't remember which ones.)

John Light  [email protected]

------------------------------

Date: Fri, 1 Mar 1996 14:11:43 -0600 (CST)
From: "Prof. L. P. Levine" <[email protected]>
Subject: Re: Risks of year-2000 precautions (Madison, RISKS-17.81)

Some time ago we had a scare about an oil crisis.  People changed
their gas buying habits, filling the tank up more often than normal.
This alone caused a shortage.  Let me illustrate:

Consider a population of 100 million vehicles each with a ten gallon
gas tank.  Assume that each driver fills the tank when it is empty.
This results in 100 million tanks with 5 gallons each or 500 million
gallons of gas in a "rolling reserve" of fuel.

Now assume that a shortage is announced and that people fill their
tanks when they are half empty rather than when they are empty, after
all with a shortage you don't want to run out of gas.

This will result in cars running around with 7.5 gallons of gas in
their tanks.  The "rolling reserve" now is raised to 750 million
gallons.  Whatever the situation was when the shortage was proclaimed
it is now 250 million gallons worse.

Conclusion, shortages and the hoarding that results will make
situations worse or will make bad situations appear where there was
nothing to drive them in the first place other than a rumor.

Leonard P. Levine, Professor, Computer Science, Univ. of Wisconsin-Milwaukee
Box 784, Milwaukee, WI 53201   [email protected]   1-414-229-5170

------------------------------

Date: Fri, 1 Mar 96 13:13:30 PST
From: [email protected] (Gretchen Herbkersman Dept 5428)
Subject: Year-2000 question on defensive software tools

One of my colleagues is looking for software which will scan code and
identify any that might not work, come the year 2000.  Having seen
discussion in comp.risks about this topic, I wonder if perhaps you might
know where we could direct such a question in hopes of an answer--assuming
your forum is NOT the place to do it.  My colleague has no Internet access
at all, and mine is somewhat limited.  Any suggestions you might have would
be received with gratitude.

Please reply by email to [email protected].  [and we hope Gretchen
will share her results with RISKS.  PGN]

Gretchen
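A scanner of the kind the question asks about usually starts from pattern matching; as an added example that is not part of the post and not the output of any real tool, here is a small heuristic scanner run over a constructed mix of COBOL and C lines, with its rules (two-digit `%y` formats, identifiers ending in `yy`, `% 100` reductions, `PIC 99` year fields) being this example's own rules of thumb:

```python
import re

# Heuristic patterns that commonly accompany two-digit-year handling.
# These are this example's rules of thumb, not a vendor tool's rule set.
RULES = [
    ("strftime/strptime %y (two-digit year)", re.compile(r"%y")),
    ("identifier ending in yy", re.compile(r"\b\w*yy\b", re.IGNORECASE)),
    ("year reduced modulo 100", re.compile(r"%\s*100\b")),
    ("COBOL PIC 99 on a year/date field",
     re.compile(r"\b(YEAR|YR|DATE)\b.*\bPIC\s+(99|9\(2\))", re.IGNORECASE)),
]


def scan(source):
    """Return [(line_number, rule_name), ...] for every rule that matches a line."""
    findings = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        for name, pattern in RULES:
            if pattern.search(line):
                findings.append((lineno, name))
    return findings


def flagged_lines(source):
    """Distinct line numbers with at least one finding, in order."""
    return sorted({lineno for lineno, _ in scan(source)})


# Constructed sample (not real code from anywhere): lines 1, 2, 3 and 6 should
# be flagged; lines 4 and 5 use the full year and should pass.
SAMPLE_SOURCE = """\
01  EXPIRY-YEAR     PIC 99.
int years = now_yy - orig_yy;
strftime(buf, sizeof buf, "%d/%m/%y", tm);
int year = tm->tm_year + 1900;
expiry.tm_year = start.tm_year + 1;
age = (curr_year % 100) - birth_yy;
"""


if __name__ == "__main__":
    for lineno, name in scan(SAMPLE_SOURCE):
        print(f"line {lineno}: {name}")
```

Such a scanner over-reports by design (a variable named `yy` may hold something harmless) and under-reports anything it has no pattern for, so its output is a worklist for review, not a verdict; the sample's line 4 shows why matching on `tm_year` alone would be wrong.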

------------------------------

Date: 29 Feb 1996 15:51:58 -0800
From: [email protected] (Jimmy Aitken)
Subject: Incorrect ATM menus

I've just managed to sort out a problem with my Visa credit card here which
all stems back to a poorly worded (if not downright wrong) menu on an ATM
screen.

At work our local credit union have installed an ATM for our convenience.
When you go up to it and swipe your card, it brings up menu items, including
one that says it can transfer money between accounts. I got my Visa card
from the credit union, so this seemed a good way of paying my bill fast and
not having to worry about mail delays etc.

I selected "transfer money", "from checking", "to credit card", keyed in the
amount and got a receipt for it.  All good and well.  2 weeks later I got a
letter from Visa saying that I had exceeded my credit limit and they had not
received my payment for the last statement.  I phoned up the local branch
and was informed that the ATM at work is only for dispensing cash and not
for other transactions.

My account history doesn't show me trying to take money from my checking
account, so if I didn't have the receipt I would have been out in the cold.

If anyone out there works for banks/etc., it would perhaps be a good idea to
put code in to say "you can't do that from here..." and *not* issue a
receipt that says the amount has been paid.

Jimmy  [email protected] [work]  [email protected] [home]

------------------------------

Date: Thursday, February 29, 1996 7:26 AM
From: Dick Moores <[email protected]>
Subject: Online Cyberlaw Workshop

  [via blanc <[email protected]> and [email protected] (Martin Minow)]

CYBERSPACE LAW FOR NONLAWYERS

Three highly respected law school professors (Professor Larry Lessig,
University of Chicago Law School; Professor David Post, Georgetown
University Law Center; and Professor Eugene Volokh, UCLA School of Law)
have written a *FREE*, online cyberlaw workshop called, appropriately,
"CYBERSPACE LAW FOR NONLAWYERS."  CYBERSPACE LAW is specifically written
for lay people like you and me, and the workshop's lessons use
easy-to-understand English -- NOT legalese and Latin!

YEAH, BUT WILL I *UNDERSTAND* IT?

Actually, yes. The workshop's authors really are writing CYBERSPACE LAW's
lessons for educated lay people, *NOT* lawyers.

I took a look at an earlier article written by one of the workshop's
professors (Eugene Volokh, "Cheap Speech and What It Will Do", 104 Yale
L.J.1805 (1995)), and I have to say that I am quite impressed ... although I
have to say that I am quite disappointed that Volokh did not have a single
Southern word *anywhere* in his article :)

WHAT WILL THE WORKSHOP COVER?

CYBERSPACE LAW is going to help you learn the basic principles of -- and
unlearn some common myths about copyright law, free speech law, libel law,
privacy law, contract law, and trademark law, as they apply on the Net.
Each CYBERSPACE LAW "lesson" should be about the size of an average TOURBUS
post (about a page or two), and will be e-mailed to you through an e-mail
distribution list.  The CYBERSPACE LAW workshop will last a couple of weeks,
and you'll get two or three letters a week from the authors ... and, best of
all, the entire workshop is FREE!

THE INSTRUCTORS

Professor Larry Lessig clerked for U.S. Supreme Court Justice Antonin
Scalia, and now teaches constitutional law and the law of cyberspace at the
University of Chicago Law School.  He's written about law and cyberspace for
the Yale Law Journal and the University of Chicago Legal Forum
(forthcoming).

Professor David Post practiced computer law for six years, then clerked for
U.S. Supreme Court Justice Ruth Bader Ginsburg. He now teaches
constitutional law, copyright law, and the law of cyberspace at the
Georgetown University Law Center.  He's written about law and cyberspace
for the University of Chicago Legal Forum (forthcoming) and the Journal of
Online Law, and writes a monthly column on law and technology issues for
the American Lawyer.

Professor Eugene Volokh worked as a computer programmer for 12 years, and
is still partner in a software company that sells the software he wrote for
the Hewlett-Packard Series 3000.  He clerked for U.S. Supreme Court Justice
Sandra Day O'Connor, and now teaches constitutional law and copyright law
at the UCLA School of Law.  He's written about law and cyberspace for the
Yale Law Journal, Stanford Law Review, Michigan Law Review (forthcoming),
and the University of Chicago Legal Forum (forthcoming).

TO SUBSCRIBE

The CYBERSPACE LAW workshop probably won't start for a month or so, but you
should sign up as soon as you can.  To subscribe to the workshop (for
FREE!) send an e-mail letter to

       [email protected]

with the command

       SUBSCRIBE CYBERSPACE-LAW yourfirstname yourlastname

in the body of your e-mail letter, replacing "yourfirstname" and
"yourlastname" with your first and last names.

------------------------------

Date: 27 February 1996 (LAST-MODIFIED)
From: [email protected]
Subject: ABRIDGED info on RISKS (comp.risks)

The RISKS Forum is a moderated digest.  Its USENET equivalent is comp.risks.
SUBSCRIPTIONS: PLEASE read RISKS as a newsgroup (comp.risks or equivalent) on
your system, if possible and convenient for you.  BITNET folks may use a
LISTSERV (e.g., LISTSERV@UGA): SUBSCRIBE RISKS or UNSUBSCRIBE RISKS.  [...]
DIRECT REQUESTS to <[email protected]> (majordomo) with one-line,
  SUBSCRIBE (or UNSUBSCRIBE) [with net address if different from FROM:]
  INFO     [for unabridged version of RISKS information]

CONTRIBUTIONS: to [email protected], with appropriate,  substantive Subject:
line, otherwise they may be ignored.  Must be relevant, sound, in good taste,
objective, cogent, coherent, concise, nonrepetitious, and without caveats
on distribution.  Diversity is welcome, but not personal attacks.  [...]
ALL CONTRIBUTIONS CONSIDERED AS PERSONAL COMMENTS; USUAL DISCLAIMERS APPLY.
By submitting an item that is accepted for publication in RISKS, the author
grants permission for unlimited noncommercial public distribution and
redistribution in electronic and print form.  Relevant contributions may
appear in the RISKS section of regular issues of ACM SIGSOFT Software
Engineering Notes or SIGSAC Review.

RISKS can also be read on the web at URL http://catless.ncl.ac.uk/Risks

RISKS ARCHIVES: "ftp ftp.sri.com<CR>login anonymous<CR>[YourNetAddress]<CR>
cd risks<CR> or cwd risks<CR>, depending on your particular FTP.  [...]
[Back issues are in the subdirectory corresponding to the volume number.]
  Individual issues can be accessed using a URL of the form
    http://catless.ncl.ac.uk/Risks/VL.IS.html      [i.e., VoLume, ISsue]
    ftp://ftp.sri.com/risks

PRIVACY: For info on the PRIVACY Forum Digest and Computer PRIVACY Digest,
  see the unabridged INFO file at RISKS-Request (send one-line message INFO
  to [email protected] as noted above).

------------------------------

End of RISKS-FORUM Digest 17.82
************************