
RISKS newsbytes - from Dept. of Standards


RISKS-LIST: RISKS-FORUM Digest Sunday 10 May 1992 Volume 13 : Issue 48

FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS
ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Contents:
Farmer receives $4M US Government check by mistake (Fernando Pereira)
Daylight savings time started early this year (David J. Fiander)
C-17 software problems (Mark Seecof)
Composite Health Care System at Walter Reed Hospital (PGN)
Microsoft advocates killing of Jews (Aaron Dickey via Jim Horning)
DATATAG (Brian Randell)
Re: $70 million bank scam (Tom Perrine)
Re: April Fools' Meteorology (Bear Giles)
Re: Free TRW Credit Report (Mary Culnan)
Risk of direct deposit (Stuart Bell)

The RISKS Forum is moderated. Contributions should be relevant, sound, in
good taste, objective, coherent, concise, and nonrepetitious. Diversity is
welcome. CONTRIBUTIONS to [email protected], with relevant, substantive
"Subject:" line. Others may be ignored! Contributions will not be ACKed.
The load is too great. **PLEASE** INCLUDE YOUR NAME & INTERNET FROM: ADDRESS,
especially .UUCP folks. REQUESTS please to [email protected].
Vol i issue j, type "FTP CRVAX.SRI.COM<CR>login anonymous<CR>AnyNonNullPW<CR>
CD RISKS:<CR>GET RISKS-i.j<CR>" (where i=1 to 13, j always TWO digits). Vol i
summaries in j=00; "dir risks-*.*<CR>" gives directory; "bye<CR>" logs out.
The COLON in "CD RISKS:" is essential. "CRVAX.SRI.COM" = "128.18.10.1".
<CR>=CarriageReturn; FTPs may differ; UNIX prompts for username, password.
ALL CONTRIBUTIONS CONSIDERED AS PERSONAL COMMENTS; USUAL DISCLAIMERS APPLY.
Relevant contributions may appear in the RISKS section of regular issues
of ACM SIGSOFT's SOFTWARE ENGINEERING NOTES, unless you state otherwise.

----------------------------------------------------------------------

Date: Fri, 8 May 92 20:30:35 EDT
From: [email protected] (Fernando Pereira)
Subject: Farmer receives $4M US Government check by mistake

The Associated Press reports today from Crosby, N.D., that farmer Harlan Johnson
who was expecting a $31 check from the U.S. Agricultural Stabilization and
Conservation Service received instead one for $4,038,277.04. Dale Ihry, head of
the agency's office in North Dakota said that their computer program
occasionally picks that particular amount and prints it out on something,
although this is the first time that it was printed on a check. The farmer
returned the check the day after.

It's wonderful how the agency seems to accept the bug as an act of God. Looks
to me instead like an act of off-by-one indexing into an inappropriate memory
location...

Fernando Pereira, 2D-447, AT&T Bell Laboratories, 600 Mountain Ave, PO Box 636
Murray Hill, NJ 07974-0636, [email protected]

------------------------------

Date: Sat, 9 May 1992 08:50:58 -0400
From: "David J. Fiander" <[email protected]>
Subject: Daylight savings time started even earlier this year

The following excerpt is taken from shortwave radio magazine _Monitoring
Times_, May 1992 issue:

Does anyone have the correct time?

When subscriber Fred Latus ... came in at 5 a.m. to "open up" station WKTV-TV
... he felt something was amiss with the clock - an ESE NBS Master Clock
receiver, locked to WWV's time signal. Not having time to check it, however,
it wasn't until a second engineer arrived and asked why the digital clock was
one hour fast, that it hit him. [...]

"Having had problems with our receiver and antenna the past few months, we
thought it could be our problem. By eight a.m. I had reset the system twice
and it still was in error."

"About 9:15 a.m. I finally got an engineer at WWV, just coming on duty at 7 a.m.
MST." ... Keeping Fred on the phone while he checked the computer, he came
back to report that, sure enough, a "3" had been entered instead of a "4" for
the month starting Daylight Savings Time.

... The United States had been on Daylight Savings Time for about nine
and a half hours a month early and only half a dozen people caught it!

Since the rule for determining the start of daylight savings time is so simple
(in the US), why isn't there an easy way to describe the rule, rather than
punching in a date every year (as would seem to be the case).

[... It is not trivial, however, because any program older than a few
years will get the shift wrong! The switchover used to occur on the LAST
Sunday in April, and now is on the FIRST Sunday. PGN]
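
As an added illustration (not part of the digest or of any WWV software), this Python sketch derives the switchover date from a per-year rule table and checks a hand-entered date against it. The year ranges, the function names, and the sample entry of day 5 in month 3 are assumptions of this example; the digest gives only the two rules and the mistyped month digit.

```python
import calendar
from datetime import date, timedelta


def first_sunday(year, month):
    """First Sunday of the month (date.weekday(): Mon=0 .. Sun=6)."""
    d = date(year, month, 1)
    return d + timedelta(days=(6 - d.weekday()) % 7)


def last_sunday(year, month):
    """Last Sunday of the month."""
    d = date(year, month, calendar.monthrange(year, month)[1])
    return d - timedelta(days=(d.weekday() - 6) % 7)


# (first year, last year, rule, month). The digest states the two rules;
# the year ranges are this example's assumption, and years outside them
# are rejected rather than guessed.
RULES = [
    (1976, 1986, last_sunday, 4),
    (1987, 2006, first_sunday, 4),
]


def dst_start(year):
    """Return the DST start date for a year covered by the rule table."""
    for lo, hi, rule, month in RULES:
        if lo <= year <= hi:
            return rule(year, month)
    raise ValueError(f"no DST start rule on file for {year}")


def check_entry(year, month, day):
    """Validate an operator-entered switchover date; return a list of problems."""
    try:
        entered = date(year, month, day)
    except ValueError:
        return ["invalid-date"]
    problems = []
    if entered.weekday() != 6:
        problems.append("not-a-sunday")
    if entered != dst_start(year):
        problems.append("rule-mismatch")
    return problems


if __name__ == "__main__":
    print("1992 rule-derived start:", dst_start(1992))
    # Constructed entry: month "3" typed instead of "4", day assumed to be 5.
    print("entry 1992-03-05:", check_entry(1992, 3, 5))
    print("entry 1992-04-05:", check_entry(1992, 4, 5))
    # A program still carrying the older rule picks a different Sunday.
    print("old rule applied to 1992:", last_sunday(1992, 4))
```

Either check alone would have rejected the mistyped month before it reached the broadcast, and the rule table makes the last-to-first-Sunday change a data update rather than a code change.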

------------------------------

Date: Fri, 8 May 92 15:34:32 -0700
From: Mark Seecof <[email protected]>
Subject: C-17 software problems

In a story by Ralph Vartabedian on page D-12, Friday, 8 May '92,
the Los Angeles Times reported [brutally condensed by M. Seecof]:

GAO Says C-17 is Riddled With Computer Problems

The McDonnell Douglas C-17 cargo jet is plagued with serious computer hardware
and software problems, resulting in part from shortcuts taken by the company
... according to a General Accounting Office report obtained Thursday.

The GAO report is the first public finding that the C-17 has serious
computerization problems, though Air Force documents have hinted before that
the computer system lacks adequate capacity and that its development has fallen
behind schedule.

The GAO report asserts that the software ... has been ``a major problem...''
It found that the Air Force wrongly assumed that the software portion of the
program would be low-risk and ``did little to manage its development or oversee
the contractor's performance.''

The C-17 is the most software-intensive transport aircraft ever developed. The
report said the aircraft has 19 different on-board computers, using 80
microprocessors and functioning in six different computer languages.

The GAO found that the Air Force ``made a number of mistakes,'' including
underestimating the size and complexity of the task, waiving many Pentagon
standards for software development and awarding a contract to McDonnell that
gave the firm control over software.

McDonnell officials declined to comment on the GAO report. But the report
notes that both the Air Force and McDonnell concurred with its findings.

END OF STORY. Mark Seecof asks: has anyone seen the report itself? I'd like
to know in what way it was a mistake to give McDonnell-Douglas control over
software development for a plane it was building?

------------------------------

Date: Sun, 10 May 92 14:07:57 PDT
From: "Peter G. Neumann" <[email protected]>
Subject: Composite Health Care System at Walter Reed Hospital

Walter Reed Army Medical Center has a $1.6 billion computer system intended to
streamline health care in the U.S. military. It has gotten low marks from
WRAMC personnel, who attribute bungling of prescriptions, patient-care records,
and doctors' orders to software glitches. One doctor said that use of the
system increased his workload by up to two hours per day.

The system had been used for two years for admissions and general
record-keeping, but the problems began when laboratory and pharmacy orders were
incorporated. One doctor stated that his name was linked with patients he had
never seen. Another noted that access to narcotics was not secure.

About half of the 625 doctors do not use the system for in-patient lab orders,
although most do use it for radiology and pharmacy orders.

[Source: An article by Christine Spolar in the Washington Post, appearing in
The Times-Picayune, New Orleans, 2 Feb 1992, p.A-22, and submitted (somewhat
belatedly) to RISKS by Sevilla Finley.]

[I missed this one altogether at the time. A review was held later, in
March. I hope a reader can provide an update -- including someone from
SAIC in San Diego, which designed the system. PGN]

------------------------------

Date: Fri, 08 May 92 14:28:56 -0700
From: [email protected]
Subject: A Newspaper Risk?

------- Forwarded Message

From: [email protected] (Aaron Dickey)
Newsgroups: alt.folklore.computers,alt.folklore.urban
Subject: Microsoft advocates killing of Jews
Date: 29 Apr 92 23:24:20 GMT

Hey everyone!! Did you know that Microsoft is advocating the killing of Jews
in New York City? I sure didn't! But it's true! I read it in the paper!

Get ready for a whopper. Once again the news media proves that it doesn't
know the first thing about computers. The entire story, retransmitted
without permission, is below, as it appeared in today's New York Post.

For those who don't know, the Post is a tabloid paper, where the entire front
page is one huge headline. So, screaming out at millions of New Yorkers this
morning was the headline, "PROGRAM OF HATE". Above the headline is a photo
of one of those old PC green-screen displays, with "NYC" = <skull> <Star of
David> <thumbs-up sign> superimposed on the screen. Above that is a
subheadline, "Millions of computers carry secret message that urges death to
Jews in New York City..."

So, without further ado, here's the story:

ANTI-JEWISH CODE LURKS IN POPULAR SOFTWARE, by Don Broderick

One of the world's best-selling computer programs contains a secret
anti-Semitic message apparently urging death to Jews in New York City.
A computer consultant discovered the diabolic message while installing
Microsoft's new Windows 3.1 software for a client yesterday.
The consultant was testing a mailing-address use of the program when he
noticed the letters "NYC" had been replaced by a hateful message - a skull
and crossbones, the Star of David and an approving thumbs-up symbol.
Microsoft strongly denies any hidden message. Others disagree.
"There's no way it could be a random coincidence," said Brian Young, a
friend of the consultant, who does not wish to be named.
"It's pretty scary. I was pretty shocked by the whole thing."
Computer owners who use Microsoft Excel, Microsoft Word or any other Microsoft
program containing a print font named "Wingdings" can duplicate the
anti-Semitic message by typing the letters "NYC" on their screen.
Microsoft said "Wingdings" was designed by Bigelow and Holmes, an outside
vendor, and denied that Microsoft intentionally designed the secret message.
Prof. Charles Bigelow confirmed that his company provided the symbols, but
insisted that Microsoft made the final "mapping" decisions assigning his
symbols to specific keys on the keyboard.
But a senior Microsoft spokesman said the charge that the fonts contain a
hidden message is "outrageous."
"It's like saying that if you randomly type out characters on a keyboard to
spell 'Satan', you can do that, but it's incredible to say that there's
anti-Semitism in Microsoft or one of its vendors," said Charles Hemingway.
But Young, who discussed the matter with other computer consultants, isn't
so sure it's just a coincidence.
The "Wingdings" font contains no letters - just 255 symbols.
Young calculated the odds of three letters of the alphabet being combined
with 255 symbols, and said he found that the odds of obtaining the message
were less than one in a trillion.
"It's mind-blowing," said Young. "Somebody's responsible for this. This
is very offensive."
"I found it hard to believe some of the stories about the resurgence of
Nazi sympathizers - but this puts things back into perspective."
Microsoft, based in Seattle, is the world's biggest software publisher,
with 100 million customers around the world and sales of more than $2.3
billion in 1991.
When Windows 3.0 was introduced in 1990, customers were snapping it up at
the rate of 30,000 a week.

-- end of article

Above the story is a line of some of the various symbols in the "Wingdings"
font, with the caption: "LOADED: When a specific font is used in Microsoft's
Windows, these symbols, which correspond to the alphabet, appear. Type the
letters NYC, you get the death sign, the Star of David and the thumbs-up."

So what do you all think? Should we load up the buses and make a pilgrimage
to Redmond to firebomb Bill Gates's mansion, or what?

Aaron Dickey Bitnet: axd7104@nyuacf
New York University Internet: [email protected]

------- End of Forwarded Message

[EVERY computer-mapped linguistic utterance will correspond to some
sequence of symbols in this alphabet, so there are certainly many other
combinations that will be offensive to someone. For example, the word
CYNIC will begin with thumbs-up, Star of David, and skull and crossbones,
and end with another thumbs-up. Two thumbs-up are not necessarily good.
PGN]

------------------------------

Date: Fri, 8 May 1992 11:31:37 +0100
From: Brian.Randell@newcastle.ac.uk
Subject: DATATAG

The following article appeared in The Independent (do I have to keep on
explaining to RISKS readers that this is one of the "quality" national
newspapers here in the UK?) and is reprinted in its entirety without
permission.

Typically of such articles, there is only a discussion of the advantageous
uses, rather than the possible risky misuses of the device described. I smiled
wryly at the claim that "We haven't thought of a question yet which we could
not answer in our favour" - perhaps they should have asked RISKS! :-)

Incidentally, I wonder how this device relates to the similar devices that are
being advocated, and perhaps already used, for tagging pet dogs by
implanting the device under the skin. (This idea was a hot topic a year or so
ago here in Britain, after some horrific incidents involving pit bull terriers
mauling and indeed killing children.) Brian Randell

--------------

FIRM OFFERS "FOOLPROOF" CAR SECURITY SYSTEM, by John Arlidge

A "FOOLPROOF" car security system could be available this year. Datatag,
which uses hidden microchips to identify vehicle owners, was launched for
motor cycles yesterday and car owners could be using it this summer.

Police, ministers and insurers have praised the system, the first of its
kind offered to road users.

Hugh Chamberlain, managing director of Chamberlain Engineering, who will
head a company to be formed next week which will market Datatag for cars,
said he thought the new system was foolproof. "It is a watershed. We haven't
thought of a question yet which we could not answer in our favour."

Motorists would install microchips - about the size of a 5p coin - anywhere
in their vehicles. Each chip would have a unique, pre-programmed code
number which could be "read" using a special electro-magnetic "gun" which
will be distributed to police forces around the country.

The codes would be logged on a secure police computer with engine and
chassis numbers and the owner's name. Motorists could install as many
microchips as they wanted. Five chips and registration would cost about
(pounds) 40 - less than half the price of an alarm.

Hologram stencils which could not be removed or window etchings would warn
potential thieves that the vehicle had been tagged.

An estimated 2,500 motorcyclists are already using the system to prevent
theft and the sale of bikes and bike parts. Two hundred motorcyclists a day
are tagging their machines.

Commander George Ness, of the Metropolitan Police stolen vehicles squad,
said the system was very good. "It will help police recover stolen
property and will have a considerable deterrent effect on the thief." But
he added: "It is early days. It is the front edge of technology." The new
system would not prevent joyriders stealing cars.

Mr Chamberlain, who predicted do-it-yourself Datatag kits would be on sale
by July, said microchips hidden in inaccessible places - inside seats or
down tubes - would mean that even if they could locate the chips, thieves
could not remove them without damaging the car, reducing its value.

Thieves could never be sure that they had removed all the chips and if they
tried to sell a car, prospective buyers could check if it was stolen.

Michael Jack, Minister of State at the Home Office, speaking at the launch
of Datatag yesterday praised it as "part of industry's efforts to find the
solutions" to auto crime.

From this summer Norwich Union, which insures more of Britain's 22 million
vehicles than any other company, will send leaflets to motorcycle policy
holders informing them of the advantages of Datatag.

Vehicles are stolen at a higher rate in Britain than any other European
country. More than 580,000 vehicles were stolen in England and Wales last
year and more than 913,000 thefts from vehicles were recorded. Auto crime
accounts for almost a third of all recorded crime.

Experts believe Datatag could be used to "owner code" almost any item -
from videos to antiques.

------------------------------

Date: Fri, 8 May 92 10:00:47 PDT
From: [email protected]
Subject: Re: $70 million bank scam (RISKS-13.47)

It appears that the attempted $70 million bank scam may be affecting bank
customers. All of our employees received a phone mail message from our
corporate payroll department warning us that "due to bank difficulties", our
bank (First Interstate Bank of California) would be slow in processing
automatic payroll deposits; we could expect that deposits which normally are
made to accounts Thursday night (May 7) would not be made until Friday night at
the earliest, but would not be made any later than Saturday night. No other
reason was given.

Since this is the first delay in the nine years I have been here, I find it
*interesting* that this coincides with FIBoC's other difficulties.

(It could be due to difficulties in Los Angeles, but as the bank corporate
offices are nowhere near the riot area, I consider that a remote possibility.)

Tom E. Perrine (tep), [email protected]

------------------------------

Date: Fri, 8 May 1992 18:37:10 -0600
From: Bear Giles <[email protected]>
Subject: Re: April Fools' Meteorology

I just wanted to let you know that I did _not_ know the report of hunters
vandalizing a profile was bogus. The information posted on our bulletin board
had no originating information on it, but _did_ have an "approved by" stamp in
the corner indicating the office of the Director of the Boulder Labs had
reviewed it.

Furthermore, none of the people I discussed this with knew it was a joke
either. At our site/floor it appeared a legitimate news report. It didn't
even seem unreasonable, knowing some of the situations others have reported.
(The hippies who sued the National Park Service after being struck by lightning
-- while holding a metal railing on a stony outcrop in a thunderstorm -- comes
to mind).

I'll protest this on Monday. I have no problem with April Fool's jokes (as the
original article was clearly intended) which can be identified as April Fool's
jokes, but posting an April Fool's joke a month later with no indication of its
nature is a different matter. At least the newspaper clippings on my door,
e.g. "Mom carried 12 miles by Tornado!" are clearly from the _Weekly World
News_!
Bear Giles [email protected]

Apologies for any inconvenience my misinterpretation of the article may have
caused.

------------------------------

Date: Fri, 8 May 1992 08:10 EDT
From: [email protected]
Subject: Re: Free TRW Credit Report (Turner, RISKS-13.47)

Re Dave Turner's accurate assessment of the RISK of blindly mailing private
information to an address posted in a computer bulletin board, you may verify
the earlier posting from USA Today (Money section, P. 1B, April 27 1992, Final
Edition).

Second, people have expressed concerns about TRW building a database from the
information people supply when they request their credit rpt. The research I
have done on direct marketing over the past two years suggests that TRW won't
learn *anything* new from us if people do supply all the info they ask for
because TRW already has this AND MORE.

TRW maintains an extensive marketing database on individuals from which it
sells mailing lists. The source of this information includes public records
(drivers license, deeds, USPS change of address information), credit reports,
and information it has purchased from mail order companies.

Names and addresses may be selected based on such factors as exact age, height,
weight or whether or not you wear glasses (from drivers license records),
information about a home mortgage (amount, type), recording date and whether or
not the transaction was a purchase or a refinance (deed/tax assessor records),
whether you are a "new mover," the distance of your move and whether it is
local, regional or out-of-state as well as the date (USPS change of address
information), whether you are a credit shopper, an active credit shopper, your
purchasing power (credit report) and whether you shop by direct mail, are a
multi-category buyer, recent purchase date, and category of purchases (e.g.
collectors, crafts, high tech, sports, etc. etc) (information purchased from
unspecified third parties).

TRW is not the only company in this business. There are a number of
large direct marketing firms which sell similar types of lists.

We would all be able to exert much more control over the secondary use of our
personal information if public records came with a check-off box, allowing each
person to decide whether or not he/she wanted to receive solicitations
because they bought a house or car, moved and changed their address, or got a
drivers license. Currently you can only ask these companies not to resell your
name by writing to them directly or by signing up for the DMA's Mail Preference
Service. This will keep your name off of mailing lists, but it's not clear if
it stops your name from moving around for those who are concerned about this.

Mary Culnan, School of Business Administration, Georgetown University
MCULNAN @ GUVAX.GEORGETOWN.EDU

------------------------------

Date: Friday, 8 May 1992 09:23:17 EDT
From: [email protected].org (Stuart Bell)
Subject: Risk of direct deposit

I, and my brother, use direct deposit to avoid the risk of lost, stolen or
forgotten pay checks. Nice deal. Last week, the company apparently decided
he was paid a bonus check in error. Several days after the check had been
electronically deposited to his account - and he had been notified of the
amount - they reversed the deposit and withdrew the amount. He was not
notified the bonus was withdrawn, nor was he notified (until the overdrafts
arrived) that his account was reversed.

He is disputing the reversal of the decision to pay the bonus - and the company
and bank are cooperating in notifying the folks who got the bounced checks and
reversing the associated charges - but, it seems quite a risk to know that if
you authorize direct deposit, you are also authorizing an implicit direct
withdrawal.

Maybe I'll ask to be paid in cash! The company is a large one and is in no
financial difficulty so the problem was human or computer-to-computer and
just left the poor worker out of the loop. /Stu Bell

MS=NASA (713) 333-0906 [email protected]

------------------------------

End of RISKS-FORUM Digest 13.48
************************

 