Subject: RISKS DIGEST 14.45
REPLY-TO: risks@csl.sri.com

RISKS-LIST: RISKS-FORUM Digest  Thursday 1 April 1993  Volume 14 : Issue 45

        FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS 
   ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

  Contents:
Formation of new society/discussion group (Pete Mellor)
Re: Turn of the century date problems (Steve Peterson)
Daylight Savings Time hampers police (Debora Weber-Wulff)
Computer does the right thing -- shuttle launch scrubbed (Pete Mellor)
More on Minnesota Legislature phone fraud (Steve Peterson)
Re: Call for the Class of '88 (Jonathan Rice)
Re: Correcting computer information ... (Pete Mellor)
Re: Dutch hacker in jail for another month (Ralph Moonen)
Credit and Avis rent a car re-visited (Boyd Roberts)
Little green sting (saucers) (Joseph T Chew)
Re: The FORTRAN-hating gateway (Phil Karn)

 The RISKS Forum is a moderated digest discussing risks; comp.risks is its 
 Usenet counterpart.  Undigestifiers are available throughout the Internet,
 but not from RISKS.  Contributions should be relevant, sound, in good taste,
 objective, cogent, coherent, concise, and nonrepetitious.  Diversity is
 welcome.  CONTRIBUTIONS to RISKS@CSL.SRI.COM, with appropriate, substantive 
 "Subject:" line.  Others may be ignored!  Contributions will not be ACKed.  
 The load is too great.  **PLEASE** INCLUDE YOUR NAME & INTERNET FROM: ADDRESS,
 especially .UUCP folks.  REQUESTS please to RISKS-Request@CSL.SRI.COM.     

 Vol i issue j, type "FTP CRVAX.SRI.COM<CR>login anonymous<CR>AnyNonNullPW<CR>
 CD RISKS:<CR>GET RISKS-i.j<CR>" (where i=1 to 14, j always TWO digits).  Vol i
 summaries in j=00; "dir risks-*.*<CR>" gives directory; "bye<CR>" logs out.
 The COLON in "CD RISKS:" is essential.  "CRVAX.SRI.COM" = "128.18.10.1".
 <CR>=CarriageReturn; FTPs may differ; UNIX prompts for username, password.

 For information regarding delivery of RISKS by FAX, phone 310-455-9300
 (or send FAX to RISKS at 310-455-2364, or EMail to risks-fax@cv.vortex.com).

 ALL CONTRIBUTIONS CONSIDERED AS PERSONAL COMMENTS; USUAL DISCLAIMERS APPLY.
 Relevant contributions may appear in the RISKS section of regular issues
 of ACM SIGSOFT's SOFTWARE ENGINEERING NOTES, unless you state otherwise.

----------------------------------------------------------------------

Date: Thu, 1 Apr 93 11:10:10 BST
From: Pete Mellor <pm@cs.city.ac.uk>
Subject: Formation of new society/discussion group 

       Society for the Promotion of Ergonomically Reasonable Measurement
                                                Peter Mellor, 1st April 1993

This is to announce the formation of the above-named Society.

Aims:

1. To resist the use of meaningless scales of measurement. 
   
2. To improve the friendliness of information systems. 

3. To resist imposed uniformity. 

4. To counteract official nonsense with unofficial nonsense. 

5. To have a good piss-up at least once a year. 

6. Err...that's it.


Discussion of Aims:

There is a regrettable tendency today to make everything more friendly to 
computers, and less friendly to people. Even some recent changes which were 
intended to make calculations easier for humans have had unfortunate effects. 

For example, when measuring the height and weight of people, is it more 
meaningful to say:

  "Pete Mellor is 1.880 metres tall, and weighs 79.378 kilogrammes stripped." 

or:

  "Pete Mellor is 6' 2" tall, tips the scales at 12 and 1/2 stone, and looks 
  quite striking in a pair of tight-fitting flared jeans."? 

Supporters of the aims of the Society would all agree that the second of 
these descriptions is easier to grasp, and conveys far more information 
that is likely to be of interest than the first. 

The Society therefore supports the use of scales of measurement that are
scaled to people. So, for instance, the inch (length of top joint of thumb) is
more informative than the millimetre when doing anything on a small scale.
Going up one level of scale, the foot (distance from big toe to heel) and yard
(distance from tip of nose to end of middle finger of outstretched arm) have
served architects and furniture makers well for centuries. The metre, by
comparison, is too large for small work, and too small for large. Nobody ever
uses the decimetre or decametre anyway, so most of the metric system is
immediately redundant. Similar remarks apply to grammes and kilogrammes versus
ounces and pounds.

The scales of measurement that have evolved with us are the ones that we find
most natural to use. This applies even when it comes to measuring new things,
like software. The Society therefore promotes the measurement of source code
in hands (applied vertically up the side of a pile of print-out, in the same
way that the height of a horse is measured).

The Biblically minded may use the cubit for medium-scale measurement,
otherwise the use of the rod, pole or perch is recommended.

The system of units that the Society favours will be known as the "ton, 
furlong, fortnight" system. 


Political Allegiance:

In the UK, the society will seek the support of the Rainbow Alliance, and the 
personal patronage of Screaming Lord Sutch and Cynthia Paine. 

In Italy, it is hoped that La Cicciolina will be persuaded to sponsor us. 

In other countries, all suggestions welcome. 


Diversity:

Any Eurocrap aimed at doing away with our essential differences is deprecated. 

For example, in the UK pillar boxes and telephones should be red, in Germany 
they should be yellow. 

The Society believes that books written in Britain should be spelt according
to the Oxford Dictionary. Americans who do not wish to follow this standard
are encouraged to use Mencken. The Society fully supports the Academie
Francaise in its attempt to prevent its fine language from being corrupted by
either American or English. In fact, it would like to see the Germans doing
more, such as reintroducing Gothic script. The same goes for the Welsh, Irish,
Russians, etc.

The intention is to cause a fragmentation of knowledge across language 
boundaries. Since there is already far too much information around for anyone 
to use sensibly, this would be entirely beneficial. 

Any academic who really wants to know what is going on in artificial 
intelligence at the University of Beijing should have the dedication to 
learn Mandarin Chinese! 


Membership:

The fee is 17s. 6d. per annum, payable to: "P. Mellor Ethanol Supplies Ltd." 

Annual meetings will be held in the King's Head, Upper Street, Islington, 
London, where beer is still sold at 1 pound 16 shillings per pint. 
(Dates to be arranged to suit members.) 

Paid-up members may charge for consultations on any matter regarding 
measurement, provided fees are quoted in the appropriate national currency, 
e.g., a UK member should quote a consultancy rate in guineas per fortnight. 
(Any attempt to quote in ECUs will result in immediate expulsion.) 


Other points:

The use of metric sizes of nuts and bolts in the UK should be discontinued 
in favour of Whitworth. 

Aeroplane prices should be quoted in the currency of the country of origin. 
For example, British aeroplanes should be sold at so many pounds sterling per 
hundredweight, like everything else of a comparable size. 

If this causes a problem in purchasing an A320, it is recommended that the
individual bits be bought independently from the various members of the Airbus
Industrie consortium in the appropriate national currencies and that these are
assembled by the buyer, rather like the purchase of a motorcycle in "kit"
form.

Since the Society opposes the use of acronyms, anything that you might have 
thought the initial letters of the Society's name might have spelt is 
irrelevant. 

Peter Mellor, Centre for Software Reliability, City University, Northampton 
Sq., London EC1V 0HB, Tel: +44(0)71-477-8422, JANET: p.mellor@city.ac.uk 

------------------------------

Date: Mon, 29 Mar 93 18:24:35 CST
From: Steve Peterson <peterson@fs.fs.com>
Subject: Re: Turn of the century date problems (Ravin, RISKS-14.44)

In a humorous vein, I've regularly proposed a "programmer's cruise" that would
depart on December 30, 1999.  The cruise would be 30 days long and would come
with the following guarantees:

* The ship would be controlled by mechanical or simple electric
  controls -- no computers in the loop.

* The crew would be tested on their ability to navigate via dead reckoning
  and celestial navigation.

* Its route would avoid going under established routes for airliners and
  would stay out of the normal shipping lanes.

* It would be impossible for anyone on-board to be contacted from the shore.

* Anything else that could be done to avoid date-related failures.

Given the spate of date-related failures, I'm starting to give it serious
consideration.

Steve Peterson, FOURTH SHIFT Corporation, 7900 International Drive,
                Bloomington, MN 55425 USA 612 851 1523 peterson@fs.com

------------------------------

Date: Wed, 31 Mar 1993 08:55:52 GMT
From: dww@math.fu-berlin.de (Debora Weber-Wulff)
Subject: Daylight Savings Time hampers police

The "Tagespiegel", a Berlin daily, carried an article on Monday describing the
problems encountered switching from Middle European Time to Middle European
Summer Time on Sunday. It seems that the Bavarian Police Computer System was
caught unawares, and responded by closing down. "Inpol", which stores all
information about persons the police are looking for, as well as having
connections to the car and stolen car registries and other databases, just
stopped.

From 3 a.m. on, no checks could be made at the borders or for stopped cars,
except for alcohol tests. A dragnet action, scheduled for 4 a.m., was carried
out despite the data loss, but only resulted in 16 arrests for DUI. The cause
of the error was still being feverishly searched for as the paper went to
press.  [no update in Tuesday's papers, so they must have found it ;-)]

Debora Weber-Wulff, Professorin fuer Softwaretechnik, Technische 
Fachhochschule, FB Informatik, Luxemburgerstr. 10, 1000 Berlin 65 GERMANY

------------------------------

Date: Thu, 1 Apr 93 10:05:37 BST
From: Pete Mellor <pm@cs.city.ac.uk>
Subject: Computer does the right thing -- shuttle launch scrubbed

An item on BBC news a few days ago described how the latest shuttle launch was
aborted when the control computers closed down the main engines 3 seconds
before lift-off.

It was reported that the system had detected a stuck fuel valve. 

If so, this appears to be a case of a computer system doing the 
right thing for once, and probably saving the lives of the astronauts. 

Does anyone have any more information on the incident? 

Peter Mellor, Centre for Software Reliability, City University, Northampton 
Sq., London EC1V 0HB, Tel: +44(0)71-477-8422, JANET: p.mellor@city.ac.uk 

------------------------------

Date: Tue, 30 Mar 93 11:24:27 CST
From: Steve Peterson <peterson@fs.fs.com>
Subject: More on Minnesota Legislature phone fraud

There was an item a couple issues ago about a phone fraud case in the
Minnesota Legislature.  Events since then may be of interest to RISKS
readers.

As reported previously, the Majority Leader of the Minnesota House of
Representatives (the second most powerful position in the House) hid an
$85,000 phone fraud problem for several months.

The fraud occurred because the Majority Leader's son revealed his father's
access code to the state phone system to a few of his friends, who then told
it to others, and so on.  The system was set up to allow users to dial in on
an 800 number, enter the code, then dial any number.

Once the fraud was publicly revealed the scandal has grown and the leadership
of the DFL (the Minnesota Democratic party) has been working overtime on
damage control.  Already there are articles in the local press (normally
supporters of the DFL) suggesting that it has become "too arrogant" in its
power.

Since the discovery of the fraud the following has occurred:

* The Majority Leader was forced to resign from his post.

* There has been an effort by the Democrats to shift the blame to MCI, who is
  the Legislature's long distance provider.  The Republicans, sensing a
  political opportunity, are battling efforts to shift the blame.

* The House suspended its rules to approve an amendment to Minnesota's Open
  Meeting act, which restricts what types of public business can be conducted
  in private.  The amendment adds the Legislature to the list of public bodies
  which are affected by the law, which is a step that many have felt desirable
  for years.

The case has recently taken a turn into the realm of privacy law.  The Ramsey
County Attorney (the county in which the state Capitol is located) yesterday
issued a grand jury subpoena for the detailed phone records of every member of
the House.  Many members are opposed to this on the grounds that
communications between them and their constituents are privileged.  State law
is unclear on the issue and it is likely that the subpoena will be challenged
in court.  Separately, the House Speaker has asked the District Court to rule
on whether she can release the records.

In addition to the investigation by the County Attorney, State Attorney General
Hubert H. Humphrey III has opened a criminal investigation into the matter.

Steve Peterson, FOURTH SHIFT Corporation, 7900 International Drive,
                Bloomington, MN 55425 USA 612 851 1523 peterson@fs.com

------------------------------

Date: Wed, 31 Mar 93 14:02:13 CST
From: rice@tamarack.cray.com (Jonathan Rice)
Subject: Re: Call for the Class of '88 (Ravin, RISKS-14.44)

The local paper had a bit more information.  I believe that the database in
question was one maintained by the church that Mary Bandar belongs to, in
which she is listed by consent.  This does not seem to be the usual bugbear 
of huge and ill-controlled government databases.

More interesting to me from a RISKS perspective is that the clerk who
generated the form letters to potential kindergarteners actually *typed*
"1988" -- it was the program itself that accepted but discarded the leading
digits, without notice.  Sorry, no idea what software was in use.

Jonathan C. Rice  |   rice@zizania.cray.com  |  ...uunet!cray!rice
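An added illustration of the failure mode described above, not code from the post: a two-digit year field that silently keeps only the trailing digits of "1988" matches everyone born in an '88 year, whereas a strict parser reports the overlong entry instead of discarding it. The records, names and years are constructed sample data.

```python
# Two-digit year fields: silent truncation versus strict validation.
from typing import Callable, List, NamedTuple


class Record(NamedTuple):
    name: str
    birth_year: str  # as stored, four digits (constructed sample data)


# Constructed sample records; names and years are invented for this example.
SAMPLE_RECORDS = [
    Record("Kindergartner A", "1988"),
    Record("Kindergartner B", "1988"),
    Record("Centenarian C", "1888"),
    Record("Teenager D", "1979"),
]


def lenient_year(text: str) -> int:
    """Mimic the behaviour the post describes: a two-digit year field that
    accepts a longer entry and silently keeps only the last two digits."""
    digits = "".join(ch for ch in text if ch.isdigit())
    if not digits:
        raise ValueError(f"no digits in {text!r}")
    return int(digits[-2:])  # "1988" -> 88, but "1888" -> 88 as well


def strict_year(text: str, width: int = 4) -> int:
    """Reject anything that is not exactly `width` digits, so an entry that
    does not fit the field is reported instead of being truncated."""
    s = text.strip()
    if len(s) != width or not s.isdigit():
        raise ValueError(f"year field expects exactly {width} digits, got {text!r}")
    return int(s)


def find_cohort(records: List[Record], typed_year: str,
                parse: Callable[[str], int]) -> List[str]:
    """Names of records whose birth year matches what the clerk typed,
    with both sides passed through the same parser."""
    wanted = parse(typed_year)
    return [r.name for r in records if parse(r.birth_year) == wanted]


if __name__ == "__main__":
    print("lenient:", find_cohort(SAMPLE_RECORDS, "1988", lenient_year))
    print("strict: ", find_cohort(SAMPLE_RECORDS, "1988", strict_year))
    try:
        strict_year("1988", width=2)  # a two-digit field fed four digits
    except ValueError as exc:
        print("strict two-digit field:", exc)
```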

------------------------------

Date: Tue, 30 Mar 93 11:27:56 BST
From: Pete Mellor <pm@cs.city.ac.uk>
Subject: Re: Correcting computer information ... (Debenham, RISKS-14.44)

Further to the mailing by Peter Debenham <PPXPMD@ppn1.nott.ac.uk> in 
RISKS-14.44: 

> Recently a television advert has been running showing clips of actors
> mentioning problems that can happen with computer systems  ... 

It is interesting that the government is embarking on a publicity campaign 
now. I do not recall a comparable campaign when the act first came into 
force, though this may be due to erasable memory chips between the ears. 
DP professionals certainly had it drawn to their attention by poster 
campaigns and training sessions provided internally by large computer 
manufacturers, but I don't *think* there were any TV ads. 

> Under the Data Protection Act (1986) in this country a Data Protection 
> Registrar was set up to monitor uses of computers to store personal 
> information and to be an independent source of help to get faulty data 
> corrected.

This poses certain risks for computer users. Suppose that I keep 
the following information on-line for my own reference: 

a) Names and addresses of professional contacts. 

b) Notes on their research interests. 

c) Names and birthdays of members of their families. (It might be good for 
   business if I sent their kids birthday cards! :-) 

d) Comments such as: "This guy is an idiot. Don't get into any more projects 
   with him!" 

As I understand it, I am not required to register as a data holder if I 
merely keep type a) data. I am *probably* required to register if I keep  
b), and more so if I keep type c). 

In any case, it is extremely unlikely that I would be prosecuted for failing 
to register unless I were foolish enough to keep type d) data and also to 
supply a copy of my file to someone who passed it back to the person about 
whom I had written nasty comments. 

The University keeps computer files with staff and student records. Naturally 
it is registered and every employee or student has the right to see the 
information held and demand that it be corrected if it is in error. (In fact, 
hard copies are posted to staff periodically to remind them to update their 
records, e.g., change of address.) 

What about e-mail, though? Suppose I send a piece of vitriolic e-mail about 
a particular student to another member of staff (not that I would, of 
course! :-). Am I in breach of the Act by sending the e-mail? Am I in breach 
of the Act if I keep an on-line copy? Is the recipient in breach by filing 
an on-line copy, and if the recipient keeps one but I don't, am I still 
liable? Is the recipient in breach while it resides in the destination 
mail-box before it is read? Are we both covered by the fact that the 
University is registered? (In fact I *think* the Act requires registration 
of particular systems.)  

Regardless of whether we should register or not, does every student in the 
University have the right to read every e-mail memo about them sent between 
staff if these have been stored on-line? If comments are felt to be unfair, 
should the student be able to demand that the record of past correspondence 
be toned down even though the vitriolic original was read and acted upon 
long ago, or would it suffice simply to print and file a hard copy of the 
memo and delete it from the on-line file, thereby removing it from the terms 
of the Act? 

I am not thoroughly familiar with the wording of the Act, but I suspect the 
answers to some of the above questions are far from obvious. 

Does anyone know how successful the Act has been in terms of prosecutions 
for unregistered holding of data or justified demands for corrections? 
Have any test cases established precedents for the points I have raised? 

Perhaps a publicity campaign should be aimed at holders of data who might 
be unwittingly breaking the law (as was the earlier campaign at the time the 
Act came into force). 

Peter Mellor, Centre for Software Reliability, City University, Northampton 
Sq., London EC1V 0HB, Tel: +44(0)71-477-8422, JANET: p.mellor@city.ac.uk 

------------------------------

Date: Tue, 30 Mar 93 08:26 GMT
From: rmoonen@ihlpl.att.com
Subject: Re: Dutch hacker in jail for another month (from: Hans van Staveren)

->According to the papers, forged credit cards were found while searching his
->home, and that also will not help his case.  He is supposedly unwilling to
->answer any questions at this point, but is charged with crimes that could 
->send him to jail for a maximum of four years.

Don't forget that when he was arrested the previous time, he also was
unwilling to answer any questions. This gives a good motive for 'nailing' this
guy. The credit cards shouldn't be much of a problem for him, because
possession of them is not as big an offense as actually using them, and that's
hard to prove.

->Although I am definitely not suggesting he is a nice guy, somehow I have some
->difficulty connecting this nervous kid in our room with a sentence of four
->years. I hope that being the first to be caught under the new law, and in the
->act to boot, is not going to give him too much extra attention from law
->officers.

I'm afraid that being the first will only make for a harsh trial, to set an
example.  It's not only the first time a hacker will go to trial under the new
law, it's also the first time one was caught red-handed. A sentence of four
years will not only ruin those four years for him, but the rest of his career
will also be in severe danger. I hope the judge has done his homework on
computers though...

(Trials in the Netherlands do not work with juries, which might be to his 
advantage, because in this case, the parties involved will at least know what
they are talking about...)

--Ralph Moonen

------------------------------

Date: Tue, 30 Mar 1993 18:49:43 +0200
From: Boyd Roberts <boyd@prl.dec.com>
Subject: Credit and Avis rent a car re-visited

On returning from my US vacation yesterday, I found a strange letter asking me
to contact my old bank whose accounts I'd closed more than a year and a half
ago.  On calling the bank today, they tell me that an Avis car rental was
billed to my old VISA card I had with them, although I'd charged it to another
card when I made the rental.  The a/c number they used was the one used on the
application form.  Must be yet another benefit of having an Avis ``Wizard
Card''.

So, this begs the question: Will any random digit sequence work as long as the
leading digits point to a real bank?  [Not if they do a real-time check.  PGN]

This is just another problem caused by renting from Avis.  The last time I did
it, their data on me was misused and cost me some US$2000 through fraudulent
`telephone' transactions, of which I've only recovered half, some 6 months
later.
            Boyd Roberts  boyd@prl.dec.com

------------------------------

Date:     Tue, 30 Mar 93 13:54:21 PST
From: jtchew@Csa3.LBL.Gov (Joseph T Chew)
Subject:  Little green sting (saucers, Cooper/Maeda, RISKS-14.44)

A reading from RISKS-14.44...

> [I have seen this on several groups.  There is a question whether it
> is actually illegal if you are merely listening, as opposed to doing
> something about it.  PGN]

Might as well indulge my sense of the obvious by inserting, "...under UK
laws."  I don't know if they subscribe to the idea, as we do in the US, that
most things heard on the air may be listened to and even acted upon with
impunity.  (Newsies with a police/fire scanner take advantage of this, for
instance.)  According to my faulty memory of possibly obsolete US broadcast
law, *disclosing* the contents of non-broadcast transmissions is the no-no.

--Joe

------------------------------

Date: Tue, 30 Mar 93 14:58:06 -0800
From: karn@qualcomm.com (Phil Karn)
Subject: Re: The FORTRAN-hating gateway

I had a very similar problem last year with the SLIP link to my house.  Every
time I tried to FTP the individual files making up the infamous PC game
Wolfenstein 3D, the transfer hung at the same point in one particular file. A
compressed archive of the same files went over fine.

Investigation showed that the offending data sequence was a long string of
ascii '+' characters.  This is the default "command escape" character on a
modem with the Hayes command set. To escape from data mode to command mode,
you send '+++' preceded and followed by at least a second of idle time. But I
*wasn't* triggering the command escape. The modem stayed in data mode. It just
corrupted my packets.

The modems in question were Motorola/Codex 3260 FASTs, which support DTE
speeds up to 115.2 kb/s. It seems that at such a high link speed,
whatever special processing the modems do on the '+' character (e.g.,
restarting a timer) takes more than one character time. So if you send
too many '+' characters in a row the modem's fifo eventually overflows.

The workaround was to change the command escape character to 128, which
effectively disabled the in-band escape feature, and to use DTR to control the
modem state. Not only is this completely reliable, it's faster too. And it
avoids Hayes' stupid patent on the "+++" sequence, a worthwhile goal in
itself.

Phil
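An added model of the guard-time rule described above, not code from the post or from any modem vendor: it shows why a run of '+' inside continuously flowing file data should never be taken as an escape, and how moving the escape character to 128 (as in the workaround) turns the in-band detector off. The traffic samples are constructed; the model does not reproduce the FIFO overflow the post attributes to the real modems.

```python
# Model of a Hayes-style in-band "+++" escape detector with guard time.
from typing import List, Optional, Tuple

Event = Tuple[float, int]  # (arrival time in seconds, byte value)


def as_stream(data: bytes, start: float = 0.0,
              chars_per_sec: float = 11520.0) -> List[Event]:
    """Timestamp a byte string as if sent back-to-back at a fixed DTE speed.
    11520 chars/s is 115.2 kb/s with 10 bits per character (8N1)."""
    return [(start + i / chars_per_sec, b) for i, b in enumerate(data)]


def find_escapes(events: List[Event], escape_char: int = ord("+"),
                 guard: float = 1.0, end_time: Optional[float] = None) -> List[float]:
    """Times at which the modelled modem would drop into command mode.

    Rule modelled from the post: exactly three escape characters in a row,
    close together, with at least `guard` seconds of silence before the first
    and after the last.  `end_time` is when observation stops and is used to
    judge the trailing silence of a run at the very end of the stream."""
    escapes: List[float] = []
    i, n = 0, len(events)
    while i < n:
        if events[i][1] != escape_char:
            i += 1
            continue
        j = i + 1  # extend the run while characters keep arriving closely
        while (j < n and events[j][1] == escape_char
               and events[j][0] - events[j - 1][0] < guard):
            j += 1
        run_len = j - i
        idle_before = events[i][0] - events[i - 1][0] if i > 0 else float("inf")
        if j < n:
            idle_after = events[j][0] - events[j - 1][0]
        elif end_time is not None:
            idle_after = end_time - events[j - 1][0]
        else:
            idle_after = float("inf")
        if run_len == 3 and idle_before >= guard and idle_after >= guard:
            escapes.append(events[j - 1][0])
        i = j
    return escapes


# Constructed sample traffic for the cases discussed in the post.
FILE_WITH_PLUSES = b"DATA" * 8 + b"+" * 40 + b"DATA" * 8   # '+' run inside a file
DELIBERATE_ESCAPE = as_stream(b"hello") + as_stream(b"+++", start=2.0)  # ~2 s idle before


def demo() -> dict:
    """Run the three cases: file data, a real escape, and escape char set to 128."""
    return {
        "file_run_escapes": find_escapes(as_stream(FILE_WITH_PLUSES)),
        "deliberate_escapes": find_escapes(DELIBERATE_ESCAPE, end_time=4.0),
        "with_escape_char_128": find_escapes(DELIBERATE_ESCAPE, escape_char=128,
                                             end_time=4.0),
    }


if __name__ == "__main__":
    for case, times in demo().items():
        print(f"{case}: {times}")
```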

------------------------------

End of RISKS-FORUM Digest 14.45
************************

