University of Bielefeld -  Faculty of technology
Networks and distributed Systems
Research group of Prof. Peter B. Ladkin, Ph.D.
Back to Abstracts of References and Incidents Back to Root
This page was copied from:

Previous Issue Index Next Issue Info Searching Submit Article

The Risks Digest

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Volume 18, Issue 63

Tuesday 26 November 1996


o Mars Probe crashes
Ben Morphett
o Massive NY tax fraud
Mich Kabay
o Complexity of the airplane pilot's interface
Mich Kabay
o Bell Atlantic 411 outage
Rich Mintz
o DIMACS Network Threats workshop, Rutgers, 4-6 December 1996
Rebecca Wright
o Year 2000 Problem Will Cause Lawsuits, Bankruptcies
o Y2K *Guardian* article on retroactive liability
Martin Minow
o Danish government puts its own records on the Web, illegally
Ketil Perstrup
o Badly placed hardware
o Digital footprints on the Internet
Martin Minow
o "Disappearing Cryptography" by Peter Wayner
Rob Slade
Peter Wayner
o Re: Effects of the next cycle of solar interference
o Risks of believing what you read: Re: Irish rock band
Stuart Woodward
o The SEI Conference on Risk Management
Carol Biesecker
o Abridged info on RISKS

Mars Probe crashes

Ben Morphett <>
Thu, 21 Nov 1996 09:28:23 +1100 (EST)
     When the Russian Mars probe crashed earlier this week, it provided an
     interesting example of the difference between precision and accuracy.
     The first reports said that the probe would crash land in central Australia,
     bringing with it 200 g of plutonium.  State emergency services all over
     Australia went into yellow alert.  Soldiers were mobilised.
     >From the TV pictures, the first estimates of where it would land were
     anywhere in an area about 2000 km across.  The next reports said that it
     would be landing at about the New South Wales/Queensland border, and they
     seemed to think it would come down somewhere in an area about 500 km across.
     The next reports said that it would come down somewhere in an area in the
     north west of New South Wales, and the precision of this estimate seemed to
     be about 100 km.
     As it turned out, it came down about 2000 km west of Chile, in the Pacific
     Ocean, a third of the way around the world from Australia.
     So as the precision of the reports was increasing, the accuracy of the
     reports was about staying about the same - very wrong. 
     Ben Morphett

Massive NY tax fraud

Mich Kabay <75300.3232@CompuServe.COM>
22 Nov 96 12:36:43 EST
       Hacker Scheme, By KAREN MATTHEWS, Associated Press Writer
       NEW YORK (AP) -- City workers, in exchange for bribes from property
       owners, falsified computer records to eliminate nearly $13 million in
       unpaid taxes in a scheme called the largest tax fraud	case in New York
       City history.  [Associated Press news wire via CompuServe's Executive News
       Service, AP US & World, 22 Nov 1996]
     The author makes the following key points:
     o Some tax records erased.
     o Other records falsely indicated as paid using funds from legitimate
       payments by innocent victims.
     o So far, 29 people charged in federal court.
     o 200 more expected to be charged.
     o $13M of debts erased.
     o $7M in interest lost.
     o Fraud thought to have started in 1992.
     o Investigation started in 1994.
     o In a section particularly intriguing for RISKS and NCSA FORUM participants,
       the author writes, ``Three employees of the city collector's offices 
       exploited computer "glitches" to make it appear that unpaid taxes had 
       been paid, officials said.
     More, no doubt, as the case unfolds.
     M. E. Kabay, Ph.D. (Kirkland, QC), Director of Education
     National Computer Security Association (

Complexity of the airplane pilot's interface

Mich Kabay <75300.3232@CompuServe.COM>
25 Nov 96 16:06:50 EST
     This item from last week in Executive News Service on CompuServe caught my eye:
       Pilots said stretched to limit by cockpit high-tech
       Reuters World Report, 20 Nov 1996
       LONDON, Nov 20 (Reuter) - Airline pilots are being stretched
       to the limit by increasingly complex cockpit technology and need
       radically different training methods to cope in future, a top
       medical aviation specialist said on Wednesday.
     The article makes the following key points:
     o	Dr Michael Bagshaw is head of aviation medical services at 
     	British Airways.  He wonders, "Are we perhaps reaching the 
     	limit to pilots' mental processing capacity?"
     o	However, he answered in his address in London to the Royal 
     	Society in London , "On the face of it we may have reached a 
     	plateau. But experience shows that having 	reached a plateau, 
     	we then move on again."
     o	According to the expert, "In both military and commercial 
     	aviation the complexity of the environment is increasing. 
     	Automation is being developed but the question remains 
     	as to whether the automation relieves workload or increases it."
     o	"If we examine the accident rate by type of aircraft, it
     	can be seen that although the overall trend is down ... new
     	highly-automated types have a relatively higher accident rate."
     o	In some cases, plane design prevents manual overrides
     	even if the automated system is in trouble.
     o	The increasing use of CRT and LCD displays means that what
     	used to be on separate dials now appears, in the words of the
     	author of the article, "on one cluttered computer
     	display, which meant pilots needed to spend more time
     	interpreting what they were seeing."
     o	Dr Bagshaw added, "We are starting to see some of the 
     	limitations of information processing. This is the weak 
     	link -- information is derived from a number of sources. 
     	It has to be integrated, then interpreted, and the appropriate
     	action taken to use that information appropriately."
     o	The changes in technology necessitate new methods of training:
     	"I think we can move on from the plateau by altering the
     	way we approach training. We've now reached a watershed by
     	accepting that human error is normal," said Baghshaw after his
     	speech.  "The old approach was to think that human error was a
     	mistake which should be avoided. Now we have to assume it will
     	happen and instead assess how pilots cope with error."
     M. E. Kabay, Ph.D. / Director of Education
     National Computer Security Association (NCSA)

Bell Atlantic 411 outage

Rich Mintz <>
Tue, 26 Nov 1996 11:18:10 -0500
     On Monday 25 Nov 1996, Bell Atlantic -- the local telephone company serving
     the mid-Atlantic region of the USA, including Philadelphia and Washington,
     D.C. -- saw an outage of several hours in its telephone directory assistance
     service, due (apparently) to an errant operating system upgrade on a
     database server.  For unknown reasons, the backup system also failed.  The
     result was that for several hours, telephone operators ended up taking
     callers' requests and telephone numbers, looking the requested information
     up in printed directories, and calling the callers back with the
     Apparently, the problem was solved by backing out the software upgrade.
     Significantly (in my opinion), the Washington Post's article on the outage
     mentioned this fact (albeit in slightly less technical language), which is
     yet another indication of the pervasiveness of software, and of the growing
     number of people in society at large that are generally aware of software
     and how it works.

DIMACS Network Threats workshop, Rutgers, 4-6 December 1996

Rebecca Wright <>
Mon, 25 Nov 1996 14:57:02 -0500 (EST)
     DIMACS Workshop on Network Threats
     Sponsored by the DIMACS as part of the 1996-97 Special Year on Networks
     December 4-6, 1996
     DIMACS Center, CoRE Building (Computer Research and Education)
     Rutgers University Busch Campus
     New Brunswick, New Jersey, USA
     Workshop organizers:
          Steve Bellovin, AT&T Labs - Research,
          Peter G. Neumann, SRI International,
          Rebecca Wright, AT&T Labs - Research,
     As the use of computer networks, and in particular the Internet, has
     increased, so has the potential threat to security. In the last several
     years, we have seen numerous security-related attacks on Netscape, Java, and
     the Internet protocols. New protocols and systems for electronic commerce,
     secure financial transactions, and other applications are being introduced,
     and are being deployed quickly, and on a large scale. This workshop aims to
     bring together theorists and practitioners working in areas related to
     network security in an informal setting to foster discussion regarding the
     nature of the threat and what we, as researchers, can do to help manage it.
     Confirmed speakers:
          Steven M. Bellovin (AT&T Labs - Research)
          Bill Cheswick (Bell Labs)
          Shiu-Kai Chin (Syracuse University)
          Cindy Cullen (Bellcore)
          Drew Dean (Princeton University)
          Yvo Desmedt (University of Wisconsin - Milwaukee)
          Ed Felten (Princeton University)
          Robert J. Hall (AT&T Labs - Research)
          Catherine Meadows  (Naval Research Laboratory)
          Peter G. Neumann (SRI International)
          Sarvar Patel (Bellcore)
          Jean-Jacques Quisquater (Universite de Louvain)
          Alexis Rosen (PANIX Public Access Networks Corporation)
          Avi Rubin (Bellcore)
          Adam Shostack (Consultant)
     There is still room in the schedule for a few more talks.  If you
     would like to give a talk describing current, unpublished work, please
     e-mail a 1-2 page abstract (postscript or plain ASCII text) to Rebecca
     Wright at
     The full workshop program, plus information regarding registration,
     travel and local arrangements for this workshop can be found at:


Year 2000 Problem Will Cause Lawsuits, Bankruptcies

Edupage Editors <>
Sun, 24 Nov 1996 15:12:08 -0500 (EST)
     At a recent meeting sponsored by the Electronic Banking Economics Society,
     one speaker predicted that a bankruptcy rate of between 1% and 5% could
     result directly from costs related to fixing the notorious "Year 2000
     Problem."  "If you have not yet begun a Year 2000 conversion today, you will
     not be able to convert by 2000," he said, noting that there are only 150
     weekends left to work on systems affected by the problem.  If companies
     choose to ignore the problem, they'll be liable for millions in lawsuits
     brought by shareholders when company stock prices begin to plummet.  Only
     one third of U.S. companies are addressing the problem, with another third
     entering the preliminary discussion phase, and the other third doing
     nothing.  Still, that's better than the rest of the world: "Britain is three
     steps behind the United States on this issue, Europe about 10 steps behind
     the United States on the issue, and Japan is about 15 steps behind the
     United States on the issue," the consultant said.  (*BNA Daily Report for
     Executives*, 20 Nov 1996, A16; Edupage, 24 Nov 1996)

Y2K *Guardian* article on retroactive liability

Martin Minow <>
Thu, 21 Nov 1996 16:26:33 -0800
     The online edition of the Guardian newspaper has an interesting article on
     the year 2000 problem; concentrating on the legal responsibility of software
     and hardware vendors.
     The article quotes Stephen Castell, a consultant in computer technology:
     "Castell believes that around the beginning of 1992 is the earliest time
     from which suppliers may be liable. He says, "The problem was sufficiently
     recognised in the industry from around then, and systems developers should
     have considered moving on from the two-figure date."  However, if it is
     correct that the potential problem should have been obvious, courts may be
     less indulgent to developers who overlooked it even before 1992."
     (Note that the Guardian may only archive articles for a short time.)
     Martin Minow

Danish government puts its own records on the Web, illegally

Ketil Perstrup <>
Fri, 22 Nov 1996 15:28:58 +0100
     Many of the requests processed by local government offices are requests for
     information from government records. This fact has given the Danish
     Ministry of Research a seemingly brilliant idea: Making government records
     available on the World Wide Web would free local government officials from
     processing these requests.
     The first government records were made public on October 1 on
     <>. The information was taken from
     the land and building property evaluation records of the Danish Tax
     Ministry. These records are used by employees in the tax offices of the
     local government for taxation of land and building property. The published
     information included the following for each piece of land and building
     property in Denmark: Location, owner, estimated value, date and price
     (including down payment) of last sale (if sold since last evaluation of the
     property in 1992), debts to local government, rental value for
     non-residential property (if rented) and further notes intended to assist
     On the October 15 the records were made inaccessible when the large,
     reputable Danish newspaper Berlingske Tidende published a critique by
     professor Erik Frøkjær from the Department of Computer Science at
     Copenhagen University. Two thing were criticized:
     1. The records could be copied without explicit permit by anyone with
     access to the Internet, something which is not allowed according to the
     Danish Public Authorities' Registers Act.
     2. The last three items in the list above were confidential information and
     could not legally be published under Danish law.
     Access to the records was reestablished the next day when the offending
     items had been removed. At that time the publisher, Kommunedata, assured
     the public and the Danish Data Surveillance Authority ("Registertilsynet")
     that the records could not be copied. The company also publicly explained
     that Erik Frøkjær could not possibly have copied the records except by
     means that were not entirely legal.
     Soon after this a group of researchers contacted the Danish Data
     Surveillance Authority to demonstrate that the records are easily copied
     (with entirely legal means), but the offer of a demonstration has been
     declined by the Authority. Copies of the case obtained from the Authority
     under the Danish Freedom of Information Act show that the Authority has been
     made aware by other means that copying is possible. Despite this the
     Authority refuses to take action based on this evidence so WWW access is
     still possible. The only change since the reopening has been removal of most
     of the information about sales when the Court in Århus informed the
     Authority that this information is not and should not be publicly available.
     This is the first case known to me of government records being published on
     the World Wide Web. The case is instructive: There has been repeated valid
     objections to the legal basis on which the records are made available. This
     and the fact that the continuing operation of this service is not important
     for anything but the reputation of the parties involved, leads me to expect
     that access ought to be at least temporarily suspended until the questions
     were resolved.
     This case demonstrates a large collection of security problems inherent to
     World Wide Web publication of government records as well as a lot of legal
     problems that will not be mentioned here. These problems are probably
     compounded because both the Danish government and Kommunedata wants to be
     perceived as technologically advanced and "Internet-friendly".
     1) The original records were used by the employees in local tax offices, so
     information that was not meant to be disclosed publicly was maintained
     together with the evaluation of each piece of property. When the records
     were made available on the World Wide Web without cleanup, confidential
     information was disclosed. Moral: When sensitive information is put to use
     in a new way it should be checked to make sure that all information is
     appropriate for the new use.
     2) The Danish Data Surveillance Authority does not have its own technical
     staff, so it wasn't able to asses the correctness of the claim made by the
     publisher, Kommunedata, that the records could not be copied. Moral:
     Government authorities should not rely on experts employed by the companies
     that are checked. When new types of problems are encountered the government
     should use their own or independent security experts to assess the claims
     made by companies.
     3) It is not possible to prevent information published on the Internet from
     being copied, so information that must not be copied should not be available
     on the Internet.
     4) Until now the companies and government authorities involved has ignored
     criticism from computer professionals. Moral: Government officials does not
     automatically listen when professionals criticize security. If the critique
     goes against official policy you might very well be ignored or worse, no
     matter how serious the problem is.
     5) Denmark prides itself on its large information systems in the public
     administration. These information systems have been accepted by the public
     because of a set of very restrictive laws governing these records and strict
     attention to security. Other governments may be tempted to publish similar
     records on the World Wide Web because when the security-conscious Danes do
     it, it must be OK.
     6) To add insult to injury the programs used by Kommunedata to control
     access to the records performs no parameter validation which shows that
     this publication probably has yet more security problems in store.
     Despite the problems with publication of the records the Ministry of
     Research and Kommunedata wants to make even more sensitive and personal data
     available on the World Wide Web in the future. I shudder as I contemplate
     the consequences.
     Ketil Perstrup (

Badly placed hardware

"Abigail" <>
Thu, 21 Nov 1996 01:52:04 -0500 (EST)
     Two days ago, I was in a computer room of a large financial institution. A
     whole range of different computers is in that room. One (PC) setup consisted
     of a tower on the ground, and a monitor and keyboard on a table. Nothing
     usual here.  But the monitor was placed on a box which had switches for the
     monitor, the tower, and a printer, and a masterswitch, on one end, and
     cables on the other. The switches where facing forward.
     The machine was happily minding its own - important - business.
     My partner and I were working on a different machine. At one moment, he
     gives way to let me handle the machine. He puts his elbow on the table,
     slightly disturbing the keyboard, which is moved enough to just have the
     master switch break the contact for a moment, causing the machine to crash.
         - "Is that serious?", he asked.
         - "It is a live machine..." 
     When I left two hours later, at least 5 people had been trying to get it
     working again, and at least 10 nervous people asked what was going on. They
     were still trying to boot it.
     Today I was in the room again. They had turned the box 90 degrees.

Digital footprints on the Internet (Article in UK Guardian)

Martin Minow <>
Thu, 21 Nov 1996 12:21:15 -0800
     The online edition of the UK Guardian newspaper has a long article on the
     way that "Internet users leave traces and records of every online action,
     from sending e-mail or posting to newsgroups to visiting Web sites."
       ... At the moment unwanted e-mail is about the limit of the intrusion, but
       this could change. Internet commentator Dominique Paul Noth points out:
       "You have no guarantee that the information is intelligently or even
       accurately employed to your benefit." As more information is collected, it
       is more useful to those collecting it - and less easily controlled.
       ... One alternative is making yourself anonymous by deleting cookie files
       and using mail programs that disguise your identity.
       However, making yourself anonymous online means that you cannot
       personalise Web pages, ask for information via e-mail, or join mailing
       lists. The issue, as Noth and other commentators recognise, is more to do
       with how this information is used. Credit card companies know what we are
       buying, and there is a legal framework to control their use of this
       information. There is no such framework in force for online information.
       It seems that the very lack of "real world" controls over online activity
       which many Internet users favour has created the environment in which
       marketing companies can thrive. As long as the Internet is seen as somehow
       outside the reach of the law, then there will be those who abuse its
       freedom. So as you surf for Christmas presents, look out for surprises in
       your mailbox as a result.
     The full article is at
     (However, note that newspaper articles on the Web are often only 
     visible for a short time.)
     Martin Minow

"Disappearing Cryptography" by Peter Wayner

"Rob Slade" <>
Mon, 25 Nov 1996 11:15:46 EST
     BKDSCRPT.RVW   960902
     "Disappearing Cryptography", Peter Wayner, 1996, 0-12-738671-8, U$29.95
     %A   Peter Wayner
     %C   1300 Boylston Street, Chestnut Hill, MA   02167
     %D   1996
     %G   0-12-738671-8
     %I   Academic Press Professional
     %O   U$29.95 +1-617-232-0500 +1-800-3131277
     %P   295
     %T   "Disappearing Cryptography"
     The title seems to allude to, and the book jacket definitely trumpets,
     steganography, the act or art of "hiding in plain sight".  An example of a
     steganographic message would be one which appears to be an innocuous and
     ordinary family letter, but which carries detailed information in the
     background.  One chapter of the book does deal with this type of encryption,
     although only in terms of hiding text data in pictures.  The book as a whole
     seems more like a collection of essays on topics related to encryption.
     The topics represented cover a broad range of information science.  The level
     of detail provided varies, but in general the explanations are fairly simple.
     copyright Robert M. Slade, 1996   BKDSCRPT.RVW   960902
     Vancouver Institute for Research into User Security Vancouver Canada V7K 2G6

"Disappearing Cryptography" by Peter Wayner

Peter Wayner <>
Tue, 26 Nov 1996 09:43:08 -0500
     Rob Slade is right.  Much of my book, _Disappearing Cryptography_ is filled
     with simple discussion.  It was intended to offer many casual readers some
     insight into how morphable information can be.  This is a highly important
     technical topic these days because of the battles over encryption
     regulation.  Sure, I could have written a nerd opera, but that wouldn't have
     helped people without an advanced degree in number theory.  This topic is so
     important for policy that I wanted to try and spread the knowledge around a
     I think he's wrong on other counts.  The book discusses how to use
     error-correcting codes, encryption, dining cryptographers networks,
     compression functions, and compiler technology to make information look like
     something else.  I think that each of these solutions offers a unique way to
     make information `disappear' because, if it looks like something innocuous,
     then it escapes detection.
     My home page ( has the table
     of contents for those that are interested.  Feel free to write if you have
     more questions.  [A minireview by your moderator is in RISKS-18.17. PGN]

Re: Effects of the next cycle of solar interference (RISKS-18.62)

McInnis <>
Thu, 21 Nov 1996 10:52:43 -0600 (CST)
     I guess one's man's poison is another man's feast.
     I got a kick out of the article about the problems that could be caused by
     the next peak of the 11-year sunspot cycle.  Most of us amateur radio
     operators are waiting in breathless anticipation for the sunspots to pick up
     because it "turns on" some of the radio frequencies to long range
     communications.  It's sort of like a starry-eyed 4 year old kid waiting for
     Christmas hearing someone grumbling about how they don't like Christmas.
     Also, the 11-year sunspot cycle has been going on for several hundred years
     since the last gap in the cycle.  It says something about our technology
     that some systems might not be prepared for it.  It's like someone being
     surprised that it's getting cold as winter approaches.  ("Gee, didn't it
     start getting cold about this time last year, too?")
     73 de KB5YAC  Mickey McInnis -

Risks of believing what you read: Re: Irish rock band (RISKS-18.62)

Stuart Woodward <>
Fri, 22 Nov 1996 17:13:18 GMT
     > ... first group to be burglarized on the Internet [?]
     Those who are following this story will already know that the samples from
     U2's new album were not ""siphoned off" along cables feeding the band's own
     video camera", that provides a one day delayed view of U2's studio
     activities, but were copied from a promotional video that was sent out from
     Island Records to their office in Hungary. The video was reported to have
     been borrowed and samples taken from it - a purposely degraded recording -
     were uploaded to a web page on the Internet.
     The story seems to have got very quickly elaborated to include hackers. The
     hacker aspect appears to have come from the quote in the Sunday Times from a
     "former hacker":
       Hackers may have used the camera as a door into the studio's computers
       where the new songs are stored.
     The real risk here is that it seems that newspapers don't employ anyone
     qualified to proofread and follow up their Internet related stories. (Also
     c.f. the recent Observer story about pornography on the Internet).

The SEI Conference on Risk Management

Carol Biesecker <cb@SEI.CMU.EDU>
25 Nov 1996 20:30:22 GMT
     The SEI Conference on Risk Management: Managing Uncertainty in a Changing
     World April 7-9, 1997, The Cavalier Hotel, Virginia Beach, Virginia.
     Planned in cooperation with the Society for Risk Analysis, the IEEE Computer
     Society, the Hampton Roads SPIN, and the Best Manufacturing Practices
     Association; cooperation with Software Program Managers Network is pending.
     [Featured renowned keynote speakers, distinguished presenters, contributed 
     presentations, papers, tutorials, workshops...]
     For additional information about the conference, contact 
       SEI Customer Relations, Software Engineering Institute
       Carnegie Mellon University, Pittsburgh, PA 15213
       Phone, Voice Mail, and On-Demand FAX 412 / 268-5800
       World Wide Web:
     Event Registration: Contact 
       Events, Software Engineering Institute
       Carnegie Mellon University, Pittsburgh, PA 15213-3890
       Phone, Voice Mail, and On-Demand FAX 412 / 268-7388
       FAX 412 / 268-7401

Previous Issue Index Next Issue Info Searching Submit Article

Report problems with the web pages to
This page was copied from:
Last modification on 1999-06-15
by Michael Blume