University of Bielefeld -  Faculty of technology
Networks and distributed Systems
Research group of Prof. Peter B. Ladkin, Ph.D.
This page was copied from:


The Risks Digest

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Volume 18, Issue 57

Tuesday 5 November 1996


o Cutting off husband's cybersex leads to assault
Mich Kabay
o ``Software explosion rattles car makers''
Daniel P. B. Smith
o No power ==> no-see windows
Mich Kabay
o Lawyers eager for millennium cases
o More risks in the supermarket; polymorphic buttons
Dan Ruderman
o ATM Fraud in Israel - The Polish Gang
Jonathan Rosenne
o IRS to send tax information to mortgage brokers by e-mail!
Erann Gat
o Tracking Smart Cash
o Office 97, VBA 5.0, and macro viruses
Rob Slade
o Re: Aeroperu
Peter G. Neumann
o Re: Tote Board Crash at Breeder's Cup
Ben Morphett
o Fault-induced crypto attacks and the RISKS of press releases
Paul C. Kocher
o Re: A new attack on DES
Vadim Antonov
o Unintentional Accesses
John R. LoVerso
o Accidental Shootdown of the F-15, once again
Chiaki Ishikawa
o -32768, hopefully for the last time
Kurt Fredriksson
o Info on RISKS (comp.risks)

Cutting off husband's cybersex leads to assault

Mich Kabay <75300.3232@CompuServe.COM>
01 Nov 96 16:04:02 EST
     Here's yet another RISK, from erasing programs:
     Marion Walton, an Arkansas man, was discovered having a cybersex affair with
     a Canadian woman.  In response, his wife Pat apparently erased his mail
     program.  In retaliation, he apparently beat her, twice.  ``Police are
     suggesting she file charges.''  [Source: Man beats wife after she pulls plug
     on cybersex, Reuters World Report, datelined Little Rock, 31 Oct 1996, via
     CompuServe's Executive News Service, PGN Abstracting.]
       [Perhaps her husband will have to use his credit card to charge files --
       that is, the kind that can be used to file down the iron bars?  PGN]

``Software explosion rattles car makers''

"Daniel P. B. Smith" <>
Tue, 5 Nov 1996 09:29:45 -0500 (EST)
     Automakers [are facing] runaway growth in the lines of code their engineers
     must write and manage as microprocessors take over automotive functions...
     ``Software is where the problem is today,'' said William Powers, VP of
     research at Ford.  ``Today, if you change a line of code, you're looking at
     the potential for some major problems.  Hardware is very predictable, very
     repeatable.  Software is in much more of a transient state.''  The volume of
     code is exploding as processors proliferate behind the dashboard and under
     the hood.  The typical auto has 10 to 15 processors; high-end cars can have
     as many as 80 ... ``An engine controller can have 100,000 lines of code''
     [according to a Bosch VP].  [``Software explosion rattles car makers'',
     *Electronic Engineering Times*, 28 Oct 1996, front page.]
     Daniel P. B. Smith
      [Auto-mation has certainly arrived.  PGN]

No power ==> no-see windows

Mich Kabay <75300.3232@CompuServe.COM>
04 Nov 96 17:01:04 EST
     Here's a tidbit from the ever-interesting INNOVATION 96.11.04 (editors John
     Gehl & Suzanne Douglas <>, <> [The
     folks who bring you Edupage]:
       Electric Shade
       Researchers at Vrije University in the Netherlands have developed a
       light-blocking window film that can be adjusted by turning a switch.  The
       film uses yttrium hydride, a metallic compound, which can block the sun
       completely, partially, or can be made transparent by using a small battery
       to alter the voltage passing across the film.  The higher the voltage, the
       more hydrogen atoms, which causes the film to change from a metal to a
       semiconductor.  The result is a clear window.  Scientists plan to use the
       new product in automobiles, sunglasses, houses and other applications.
       (*Popular Science*, Nov 1996, p31)
     Great, eh?  One needs a voltage in order to have a clear window.  Lose power
     in your automobile and you lose visibility through your window.  Let's hope
     they build in appropriate fail-safes in automotive applications....
     M. E. Kabay, Ph.D. / Director of Education, NCSA (Carlisle, PA)
         [Now you can have an yttrium atrium.  If solar powered, it
         could blacken out on dark days when you need the light most.
         The next step might be pay-per-view windows?  PGN]

Lawyers eager for millennium cases

Mon, 04 Nov 96 20:37:33 -0500
       Lawyers eager for millennium cases: The year 2000 glitch that
       may trip up computer calendars could bring a slew of lawsuits,
         by Christian Plumb, Bloomberg Business News,
         *News & Observer*, Raleigh, NC, Sunday, 3 Nov 1996, page 5F
       "It's just a gold mine", "It's like a law-school case of tort issues".
       Charles R. Merrill, of McCarter & English, Newark, NJ.
     Perhaps IT managers will take better notice of the year 2000 problem --
     if lawyers start getting on their case.
       [The thought of lots of these little cases filled with
       surprises suggests tortellini, he said, saucily.  PGN]

More risks in the supermarket; polymorphic buttons

Dan Ruderman <>
Fri, 01 Nov 1996 15:46:48 -0800
     I was shopping for our Halloween party the other day, picking out all sorts
     of pricey nibbles and alcohol for our guests.  At our local Vons (one of So.
     Cal's biggest supermarket chains) checkout is generally fast and
     straightforward, and I do not out of habit bother to check my receipt.  But
     this time the price just seemed too high (perhaps I should just un-refine my
     A quick glance revealed an obvious suspect: the same entry for a bottle of
     wine, printed and charged twice.  The apologizing checker handed me the
     correct refund, and I asked how this could happen.  Apparently the first
     time you swipe alcohol through for the customer you are supposed to press a
     button which confirms their legal age status.  But from that point on the
     very same button means "buying two of those".  In my case, the checker
     simply forgot that she had run a six pack through already by the time the
     wine came, and so she "confirmed my age" twice.  I do not know how
     widespread this particular system is, but if it is in all Vons stores, then
     it's plenty wide enough to be a potential problem.  She noted and corrected
     the mistake so quickly that I suspect this circumstance is anything but
     RISKS readers are well aware of the danger associated with giving a single
     control two widely different meanings.  If any job leaves a worker
     especially prone to forgetfulness (just through the sheer repetitiveness of
     the work), it's being a grocery store clerk.  Two lessons: 1) check those
     receipts, and 2) keep all your liquor purchases together; that way the
     checker is less likely to forget.
     Dan Ruderman

ATM Fraud in Israel - The Polish Gang

Jonathan Rosenne <>
Sat, 02 Nov 1996 17:05:24 +0200
     Yediot Aharonot, October 23, 1996
     A judge in Tel Aviv has ordered the remand in custody of two additional
     suspects in a major ATM fraud case, who will join five businessmen from
     Poland.  The gang are suspected of having prepared thousands of counterfeit
     ATM cards.  The police claim they had purchased tens of thousands blank
     plastic cards in Greece, on which they recorded the magnetic stripe and on
     each there was a sticker with the PIN.  An Israeli computer expert, Daniel
     Cohen of Ramat Gan, also in custody, obtained the codes and manufactured the
     cards.  The Polish businessmen financed the operation, and planned to bring
     foreign workers from Poland to use the cards to withdraw money from ATMs.
     The police have photographs of suspects standing next to ATMs holding
     quantities of forged cards.  They had used them to withdraw 1,500 Israeli
     Sheqels (500 US Dollars) each, to a total of IS 600,000 (US$200,000).
     Jonathan Rosenne, JR Consulting, PO Box 33641, Tel Aviv, Israel +972 50 246 522

IRS to send tax information to mortgage brokers by e-mail!

Erann Gat <>
Sun, 3 Nov 1996 10:23:09 -0800 (PST)
       A prototype e-mail program linking IRS tax databases with participating
       mortgage lenders is scheduled to get underway in the next few months in
       California, run by the Fresno IRS office.  Under the prototype program,
       lenders will e-mail authorizations by home-loan applicants to the IRS,
       allowing the agency to quickly e-mail tax data -- typically the applicants'
       adjusted gross income for one or more years -- back to the lender.
       [*LA Times*, 3 Nov 1996, Business section first page]
     The article goes on to say that this information will be used both to verify
     the information on the loan application, and to trigger IRS audits in cases
     where the income reported on loan applications is more than what was
     reported on tax returns.
     There is no mention in the article about what if any measures are being
     taken to ensure that this sensitive data is protected and authenticated.
     Given the ease and regularity with which e-mail is misdirected, intercepted,
     and forged, and the power that the IRS has to completely screw up your life,
     I'd say this is the scariest thing I've seen in a long time (and as recent
     readers of RISKS can attest, that is saying something).
     Erann Gat

Tracking Smart Cash (Edupage, 3 November 1996)

Edupage Editors <>
Sun, 3 Nov 1996 15:41:37 -0500 (EST)
     A senior Justice Department official has urged makers of smart cards to
     include a mechanism for tracking transactions over a certain dollar amount.
     Assistant Attorney General Robert Litt also called for "sensible limits" on
     how much value can be stored or transferred on a single card or PC.  The
     government hopes it can work with industry without stifling smart card
     development, and without compromising individual rights.  "We don't want to
     dictate how these features are designed, but there are certain reasonable
     parameters that industry should build into their systems," says Litt.  (BNA
     Daily Report for Executives 29 Oct 96 A24)

Office 97, VBA 5.0, and macro viruses

Rob Slade <>
Thu, 31 Oct 1996 15:47:41 EST
     Good news from those fun guys and gals at Microsoft!  According to an
     article on page 19 of the October 1996 edition of Datamation, Office 97
     will include VBA (Visual Basic for Applications) 5.0 as the scripting and
     integration language for Access, Excel, PowerPoint, and Word.  Not only
     that, but Microsoft has followed up on its promise to license VBA to other
     vendors: upcoming releases of Visio (Visio), Chameleon (NetManage),
     Photoshop (Adobe), and even AutoCAD (Autodesk) will use VBA 5.0.
     To date, with the possible (though unlikely) exception of the recent Excel
     macro virus, successful macro viruses in the wild have been confined to
     Visual Basic for Word.  The report has no details regarding the level of
     "backward compatibility" of VBA 5.0 with VBW, so I don't know yet whether
     Concept and its ilk will continue to propagate on through Office 97 and
     other VBA 5 compliant applications.  Even if they require patching, the new
     VBA 5 viruses will have a much greater platform base, and therefore faster
     creation and wider spread.
     Office 97 shipments will begin to selected customers in December, with boxes
     due on retail shelves in late January of 1997.
     link to virus, book info at

Re: Aeroperu crash (Ladkin, RISKS-18.51)

"Peter G. Neumann" <>
Tue, 5 Nov 96 8:31:05 PST
     A possible cause of the Aeroperu crash is mentioned in the media this
     morning.  Crash investigators are considering whether some of the plane's
     sensor ports (``static ports'') might have been left with protective duct
     tape covering them when the plane took off.  (*San Francisco Chronicle*,
     CNN, etc.)  It is apparently normal maintenance procedure to cover the ports
     (marking them with bright "Remove Before Flight" markers), to prevent them
     from getting clogged.  [Indeed, it might seem surprising that forgetting to
     remove the covers does not happen more often.]

Re: Tote Board Crash at Breeder's Cup (Harminc, RISKS-18.56)

Ben Morphett <>
Tue, 5 Nov 1996 16:16:40 +1100 (EST)
     > Hmmm... $35,000.  Do you suppose a bet of oh, say $32,767 might have
     > worked?
     I'm tired of dumb bugs like this tripping us up.
     To my mind they are as silly as bugs which arise in programmes because of
     fixed length strings, such as the famous one in sendmail where it didn't
     check the size of a string it was strcpy'ing into a fixed length buffer.
     (Internet worm bug - brought down 10% of the Internet.)
     Fixed length integers have the same kind of problems.  If they are limited
     to 2 bytes or 4 bytes at compilation time (either because the author
     "knows" that there will never be the need for them to be any bigger, and
     then the programme is used by someone else, or more usually, the author
     didn't think about it at all), then all someone needs to do is enter
     5000000000 at the prompt, and it will behave much more stupidly than if you
     try a number in the range that the programme is expecting.
     What I'd like is compiler support for integers, not a subset of them, in
     much the same way that you get compiler support for strings, not just
     strings of a fixed length.
     Presumably it would malloc some space, and might have to do arithmetic in
     more than one machine instruction, and yes, this would be much slower than
     having a fixed 4 bytes sitting there.  But often I don't care if programmes
     are slow, just as long as they are correct.
     Ben Morphett  (02) 9935 5746  International: +612 9935 5746

Fault-induced crypto attacks and the RISKS of press releases

"Paul C. Kocher" <>
Fri, 1 Nov 1996 05:59:54 -0800
     I've been watching the recent announcements about fault-induced
     cryptanalysis with interest [e.g., RISKS-18.50,52,54,55,56].  Whereas the
     attacks are extremely powerful tools, they aren't at all new to the crypto
     community -- there has been widespread discussion for years about these,
     they've been implemented by criminals and security system evaluators, and
     they are reasonably well documented.
     For example, NIST specifically discuss such attacks and the need to prevent
     them.  FIPS PUB 74-1 (see, "Guidelines for
     Implementing and Using the NBS Data Encryption Standard," was published way
     back in 1981 and says in section 5.2.2 on Error Handling:
     >       Errors associated with the primary encryption device should be
     > detected and handled by the secondary device. Physical tampering detectors
     > (vibration or intrusion sensors) may be used to detect physical tampering
     > or unauthorized access to the encryption unit. Sensors which detect
     > abnormal changes in the electrical power or the temperature may be used to
     > monitor physical environment changes which could cause a security problem.
     > However, the major requirement for error detection or correction involves
     > the application itself. The type of error control utilized will depend on
     > the sensitivity of the data and the application. The method selected may
     > range from no error handling capability for some systems to full redundancy
     > of encryption devices in other systems. Errors may be ignored when detected
     > or the entire system may be immediately shutdown.  Errors which could
     > compromise the plaintext or key should never be ignored.
     Anyone interested in issues relating to secure hardware design should also
     study FIPS 140-1, "Security Requirements for Cryptographic Modules."  It's
     the best public document I know of for anyone designing tamper resistant
     hardware and does a great job of covering the basics and also describes
     measures to prevent these attacks, suggests using "two independent
     cryptographic algorithm implementations whose output are continually
     compared in order to ensure the correct functioning of the cryptographic
     algorithm," etc.  In general, these attacks are fairly straightforward to
     implement once the appropriate errors are available.
     In addition to published sources, I've had many discussions with other
     cryptographers about error attacks and other hardware issues.  (Ross Anderson in
     particular is extremely knowledgeable about hardware attacks and has done
     much to raise awareness about them.  [See RISKS-18.52]) It's also important
     to note that there are also quite a few other attacks which haven't been
     published but which are widely known to the community.  (For example, I've
     discussed widely my work on using timing attack math to analyze power
     consumption, use of error analysis to reverse-engineer secret algorithms,
     implementations of attacks using software pointer errors to damage secret
     keys and encryption function tables, etc.)
     With the timing attack I was alarmed by the amount of confusion and
     misinterpretation that followed my initial release of the paper (though I
     didn't send out any press releases or contact any reporters), even though
     it had been reviewed by many cryptographers prior to its release and was
     available online.  I haven't seen the actual Bellcore paper yet and don't
     know whether it was reviewed before they sent press releases to the media,
     but in general I worry about the consequences of the public trying to
     evaluate the importance, novelty, and quality of unreviewed work.
     Paul Kocher (or

Re: A new attack on DES (Lauck, RISKS-18.54)

Vadim Antonov <>
Fri, 1 Nov 1996 15:07:24 -0800
     I would venture to guess that a simple replication of the encryption
     circuitry, combined with a circuit that would suppress output if results are
     different would make the box fairly resistant against DFA.
     That can be improved further if several substantially different
     implementations are used, so that identical environmental factors will not
     cause identical failures.  The added benefit is better resistance against
     current-draw and timing attacks.
     : It seems reasonable that NSA knew of Differential Fault Analysis in the
     : 1970's.
     The idea to break the "black box" to learn something about it is certainly
     not new.  In fact, this is one of the most powerful tools in neuroscience
     and psychology (applying chemicals or current and watching the results,
     or investigating injuries to different parts of brain).  However, there's
     a long way from the idea to the practical application.
       [A similar replication notion was also suggested by
         Laurentiu Badea <>.]
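Kocher quotes FIPS 74-1 and FIPS 140-1 on comparing the output of two independent implementations and never ignoring an error that could compromise the key, and Antonov suggests replicated circuitry that suppresses output when results differ. The block below is an added illustration of that pattern in software, not code from either contributor or from NIST: HMAC-SHA-256 is computed along two paths that share no code (the standard library's hmac module, and a second implementation written directly from the RFC 2104 construction), and the result is released only when both agree. The faulty_manual function, the FaultDetected exception and the test inputs (RFC 4231 test case 1) are constructed for the example.

```python
import hashlib
import hmac

BLOCK_SIZE = 64  # SHA-256 operates on 64-byte blocks


def hmac_sha256_library(key: bytes, msg: bytes) -> bytes:
    """Path A: the standard library's HMAC implementation."""
    return hmac.new(key, msg, hashlib.sha256).digest()


def hmac_sha256_manual(key: bytes, msg: bytes) -> bytes:
    """Path B: an independent implementation written from the RFC 2104
    construction H((K ^ opad) || H((K ^ ipad) || msg)); shares no code with A."""
    if len(key) > BLOCK_SIZE:
        key = hashlib.sha256(key).digest()
    key = key.ljust(BLOCK_SIZE, b"\x00")
    ipad = bytes(b ^ 0x36 for b in key)
    opad = bytes(b ^ 0x5C for b in key)
    inner = hashlib.sha256(ipad + msg).digest()
    return hashlib.sha256(opad + inner).digest()


class FaultDetected(Exception):
    """Raised when the redundant computations disagree; nothing is released."""


def redundant_mac(key: bytes, msg: bytes,
                  impl_a=hmac_sha256_library, impl_b=hmac_sha256_manual) -> bytes:
    """Compute the MAC along two independent paths; release it only if they agree.

    A fault that corrupts one path (or a bug in one implementation) shows up as a
    mismatch, which is treated as a security error rather than ignored, as
    FIPS 74-1 section 5.2.2 requires for errors that could compromise the key."""
    out_a = impl_a(key, msg)
    out_b = impl_b(key, msg)
    if not hmac.compare_digest(out_a, out_b):
        raise FaultDetected("redundant implementations disagree; output suppressed")
    return out_a


def faulty_manual(key: bytes, msg: bytes) -> bytes:
    """Constructed stand-in for a faulted path B: one bit of the correct result flipped."""
    damaged = bytearray(hmac_sha256_manual(key, msg))
    damaged[0] ^= 0x01
    return bytes(damaged)


def demo() -> dict:
    key = b"\x0b" * 20      # RFC 4231 test case 1 key
    msg = b"Hi There"       # RFC 4231 test case 1 data
    result = {"ok": redundant_mac(key, msg).hex()}
    try:
        redundant_mac(key, msg, impl_b=faulty_manual)
        result["fault"] = "released"
    except FaultDetected:
        result["fault"] = "suppressed"
    return result


if __name__ == "__main__":
    print(demo())
```

The design point is the one Antonov makes: the two paths must be genuinely different, so that the same disturbance is unlikely to corrupt both in the same way; two calls to the same routine would pass the comparison on a deterministic software fault. compare_digest is used for the check so that the comparison itself does not leak timing information.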

Unintentional Accesses (Re: Wanted Poster, Eckenwiler, RISKS-18.51)

"John R. LoVerso" <>
Fri, 11 Oct 1996 15:10:47 -0400 (EDT)
     In RISKS-18.51, Mark Eckenwiler wrote:
     > Of course, the FBI has had the Ten Most Wanted up in a web page here
     > in the US for some time; see
     My favorite thing to do when handed such a URL is to strip off the filename
     and try to access the directory.  The URL
     brings up a conveniently hyper-linked listing of all the contents of that
     directory.  This is usually not what the creator of those web pages
     intended.  Sometimes there are additional documents or images that you
     wouldn't otherwise be able to find, because they are not referenced from any
     of the links in an advertised URL.
     Using the terms "filename" and "directory" in the previous paragraph is
     old-style web talk.  New-speak suggests the terms "trailing path component"
     and "containing object", respectively.  This is to emphasize that "web
     space" doesn't necessarily map into files and directories, but can be
     ephemeral data.
     Unfortunately, the use of abstract terminology combined with the default
     settings on web servers tend to confuse the neophyte "web designer".  Their
     lack of understanding leads them to create collections of pages in which
     there are files that they *think* are hidden from view.
     In the FBI example, everything in the directory listing was referenced from
     a link on original URL.  Many times this is not the case.  Another example
     comes from a company that hired an outside `expert' to create a survey for
     people visiting their web site to fill out.  The survey was made accessible
     at a URL ending in ".../survey/surveyform.htm".  Trying a URL with just the
     ending directory component (".../survey/") brought up a surprise.  Not only
     did it give a directory listing showing the files making up the survey, but
     also included the a file holding the results posted to the survey form!
     Very interesting reading, especially for their competitors!
     Not all web servers will automatically convert directory accesses into fancy
     indices this way.  Most have this as an option.  Usually an index is created
     only when there is no manually created index file (commonly called
     "index.html").  In fact, had the files "topten.htm" or "surveyform.htm" in
     these examples been called "index.html", then not only would the URLs have
     been shorter, but a directory listing would have been made unobtainable.
     Hence, the solution is a combination of: avoid letting neophytes create your
     web pages, fix your server, and know what you are doing before you release
     it to the world.  Of course, there is far too much momentum on the WWW for
     any of these to come into play these days.
     As a parting thought, I wonder if any of the common web search engines strip
     off trailing path components when indexing sites.  Normally a spider will
     work by collecting the graph of pages available by walking the "advertised"
     pages (which, in my own work, is called a "weblet").  By trying a path
     stripping approach, they might end up with a slightly "richer" index.
     John R. LoVerso, Open Group Research Institute
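LoVerso's two examples (a directory served with an automatic listing because it has no index file, and a results file reachable only because nothing else links to it) are both things a site owner can check for before publishing. The following audit script is an added example, not LoVerso's code or any product's: it walks a document root, reports every directory that lacks an index file (and would therefore be auto-indexed if the server allows it), and reports every file that no HTML page under the root links to. The sample document root, its file names and contents are constructed for the example.

```python
import os
import tempfile
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

INDEX_NAMES = ("index.html", "index.htm")


class _LinkCollector(HTMLParser):
    """Gathers href/src targets from one HTML page."""

    def __init__(self):
        super().__init__()
        self.links = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if name in ("href", "src") and value:
                self.links.append(value)


def _url_paths(docroot):
    """Every file under docroot as a URL path, e.g. '/survey/results.txt'."""
    paths = set()
    for dirpath, _dirs, filenames in os.walk(docroot):
        for fn in filenames:
            rel = os.path.relpath(os.path.join(dirpath, fn), docroot)
            paths.add("/" + rel.replace(os.sep, "/"))
    return paths


def listable_directories(docroot):
    """Directories with no index file: a server with automatic indexing enabled
    answers a request for the bare directory with a listing of its contents."""
    found = []
    for dirpath, _dirs, filenames in os.walk(docroot):
        if not any(name in filenames for name in INDEX_NAMES):
            rel = os.path.relpath(dirpath, docroot).replace(os.sep, "/")
            found.append("/" if rel == "." else "/" + rel + "/")
    return sorted(found)


def unreferenced_files(docroot):
    """Files that no page under docroot links to. They are not hidden, merely
    unadvertised: a directory listing or a guessed name still reaches them."""
    all_files = _url_paths(docroot)
    # Index files are entry points, so they count as referenced.
    referenced = {p for p in all_files if os.path.basename(p) in INDEX_NAMES}
    for page in sorted(all_files):
        if not page.endswith((".html", ".htm")):
            continue
        with open(os.path.join(docroot, page.lstrip("/")), encoding="utf-8") as fh:
            collector = _LinkCollector()
            collector.feed(fh.read())
        for link in collector.links:
            target = urlparse(urljoin(page, link)).path
            if target.endswith("/"):  # a link to a directory reaches its index file
                for name in INDEX_NAMES:
                    if target + name in all_files:
                        target += name
                        break
            referenced.add(target)
    return sorted(all_files - referenced)


def build_sample_docroot():
    """Constructed document root mirroring the two situations described above."""
    root = tempfile.mkdtemp(prefix="docroot-")
    files = {
        "index.html": '<a href="fugitives/topten.htm">Top Ten</a> '
                      '<a href="survey/surveyform.htm">Survey</a>',
        "fugitives/topten.htm": '<img src="fugitive1.jpg">',
        "fugitives/fugitive1.jpg": "(image bytes)",
        "survey/surveyform.htm": "<form></form>",
        "survey/results.txt": "posted survey answers",   # linked from nowhere
        "survey/notes-draft.htm": "<p>draft</p>",         # linked from nowhere
    }
    for rel, content in files.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(content)
    return root


if __name__ == "__main__":
    root = build_sample_docroot()
    print("directories that would be auto-indexed:", listable_directories(root))
    print("files reachable only by guessing:", unreferenced_files(root))
```

On the sample root the script flags /fugitives/ and /survey/ as listable and reports survey/results.txt and survey/notes-draft.htm as unreferenced. Either finding is fixed on the server side (an index file in every directory, or automatic indexing switched off, which in Apache is the Options -Indexes directive) and, for the results file, by not storing posted data under the document root at all.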

Accidental Shootdown of the F-15, once again

Chiaki Ishikawa <>
Fri, 1 Nov 1996 21:41:12 +0900 (JST)
     Earlier [RISKS-18.18, 18.41], I reported on the accidental shootdown of a
     Japanese air force F-15 plane by a sidewinder missile from another plane
     during training and the subsequent handling of the case by the air force and
     the prosecutor's office.
     Now, the Japanese Air Force has taken an unusual step of adding a new
     finding to its previous report citing that the 30 years pilot in question
     changed his testimony to "he may have possibly turned off the safety
     mechanism although he had no clear recollection of having done so" from the
     earlier "he had not touched the safety mechanism".  (Translation mine.)
     This additional finding to the accident investigation has been reported in
     at least one Japanese national newspaper (ASAHI) and a major news channel,
     NHK, this morning.  According to the NHK news, a change of finding issued
     by an investigation committee has been very rare in the defense community.
     A little more detail.  After the case was sent to the local prosecutor's
     office, the prosecutor's office decided that the pilot cleared the safety
     mechanism. (I have absolutely no idea how the office reached this
     conclusion.)  However, his case has not been sent to the court.  The
     prosecutor's office decided not to pursue the case there.  (I don't know the
     English phrase for this, but the office seems to think the merit of doing so
     is considered less than the hassle/time/money of pursuing the case in the
     court and is not worth the crime(? I am not sure if this is the right word
     here.) committed.)
     After the prosecutor's office concluded differently from its own
     investigation committee, the Japanese air force questioned the pilot again,
     and his testimony changed as noted above.  Originally, the report mentioned
     possible unknown hardware (electric circuit and such) malfunction.
     So the cause finally seems to me a human error of a sort.  Pilot himself,
     and my main contention that whoever organized the training ought to have
     missiles removed in the first place, and maybe ordered a placement of a
     little gadget (even a paper cup will do as the previous discussion showed.)
     over the safety switch to avoid accidental touching. I wish the higher-ups
     are criticised more in the press, but not so far.
     PS: I missed joining the discussion of publicly discussing the cause of
     (air) accident in an open forum, which took place after my previous post re
     prosecutor's office receiving the case of pilot.  Problem was that my
     workstation was replaced and the printer hooked to it had to be
     reconfigured. I usually print Risks digest on paper, and read it on the
     commuter train. Only recently, the printer became back online and I printed
     the backlog issues on paper and followed the thread. I can only observe the
     following myself now.
      - Public scrutiny is not necessarily a bad thing while a formal
        investigation continues, provided that the
        information accessible to the chosen "experts" is also made available.
        Beside the chosen experts, there are equally qualified people elsewhere.
      - Of course, the information may not be released to the public due to
        legal and other reasons. This makes it very difficult to expect
        "intelligent" discussion from the public, I agree.
      - I noticed that the military wanted to make sure the career of the
        pilot is not unnecessarily destroyed. His name was only revealed
        after there was news that his case was now handled by the local
        prosecutor's office.
        Today's Asahi newspaper, and NHK news in the morning
        didn't mention the name. Maybe because the prosecutor's office
        decided not to pursue the case in court?
      - When I think about this, the public debate can ruin the career of
        possibly innocent people. If the shoot down of the F15 had been
        really due to flakey hardware, the pilot would have been really
        in an uncomfortable position to convince others that it was the fault
        of hardware produced by contractors with billion-dollar budgets.
        The recent plight of a security guard who found the bomb in Atlanta
        during Olympics games comes to my mind.
        So we must consider this human element when we discuss these
        things in an open forum, too. Someone pointed this out to me and
        this point is well taken.
     At the same time, not that I want to take side in this discussion, but
     please bear in mind that all the pieces I reported have already been
     reported in Japanese mass media such as national newspapers (each has
     circulation of a few million, I think) and national TV. (PGN kindly noted
     this.) So, by the time you read about the topic, at least a few million
     Japanese readers must have seen it already.
     Anyway, just wanted to let you know what is going on in Japan.
     Chiaki Ishikawa  Personal Media Corp.  Shinagawa, Tokyo, Japan 142

-32768, hopefully for the last time (Re: Brader, RISKS-18.55)

Kurt Fredriksson <>
Thu, 31 Oct 96 13:00:46 +0100
     I read Mark Brader's contribution (18.55) and was a bit lost.  I can well
     understand that badly designed compilers can cause problems, but what
     puzzles me is that this discussion misses the fundamental background with
     2's-complement representations: with 16 bits, -32768 is the smallest value
     that can be represented, and 32767 is the largest value that can be
     represented.  What more is there to say?
     Kurt Fredriksson, Moelndal
       [Last time in RISKS?  That would be a first time!  The saga continues.  PGN]
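Two threads in this issue turn on the same arithmetic: Morphett's reply to the tote-board crash (where a $35,000 bet exceeded 32,767) and Fredriksson's note that a 16-bit two's-complement field runs from -32768 to 32767. The block below is an added example for both, written by the editor rather than by either contributor: it simulates what a 16-bit field actually holds when a value leaves that range, shows the asymmetry that makes negating -32768 return -32768, and contrasts a wrapping accumulator with one that treats leaving the range as an error. Python is a convenient host because its int is unbounded, which is exactly the "support for integers, not a subset of them" Morphett asks for; the wager amounts are constructed for the example.

```python
import struct

INT16_MIN, INT16_MAX = -32768, 32767


def wrap16(value):
    """The value a 16-bit two's-complement field holds after storing `value`:
    arithmetic modulo 2^16 with the top bit as sign. No error is raised; this
    is the silent truncation behind the tote-board failure."""
    low = value & 0xFFFF
    return low - 0x10000 if low >= 0x8000 else low


def neg16(value):
    """Negation inside a 16-bit field. The range is asymmetric, so -32768 has
    no positive counterpart and negating it yields -32768 again."""
    return wrap16(-value)


def abs16(value):
    """Absolute value inside a 16-bit field; abs16(-32768) is still negative."""
    return neg16(value) if value < 0 else wrap16(value)


def store16(value):
    """A field write that refuses out-of-range values instead of truncating them:
    struct raises struct.error when `value` does not fit the 'h' (int16) format."""
    return struct.pack("<h", value)


def total_wrapped(amounts):
    """Running total as a fixed 16-bit accumulator computes it."""
    total = 0
    for amount in amounts:
        total = wrap16(total + amount)
    return total


def total_checked(amounts):
    """Running total that treats leaving the 16-bit range as an error, not a wrap.
    The true sum is always available for the check because Python's int grows."""
    total = 0
    for amount in amounts:
        total += amount
        if not INT16_MIN <= total <= INT16_MAX:
            raise OverflowError("total %d does not fit a 16-bit field" % total)
    return total


def demo():
    bets = [20000, 15000]    # constructed: two wagers totalling $35,000
    results = {
        "wrapped_total": total_wrapped(bets),   # -30536
        "true_total": sum(bets),                # 35000
        "abs_of_min": abs16(INT16_MIN),         # -32768
    }
    try:
        total_checked(bets)
        results["checked"] = "accepted"
    except OverflowError:
        results["checked"] = "rejected"
    try:
        store16(35000)
        results["store"] = "stored"
    except struct.error:
        results["store"] = "rejected"
    return results


if __name__ == "__main__":
    print(demo())
```

The two checked variants illustrate the choice Morphett describes: either the representation grows as needed (the unbounded sum), or the boundary is enforced explicitly and an out-of-range value is refused rather than quietly wrapped into nonsense such as a negative bet.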


Last modification on 1999-06-15
by Michael Blume