Subject: RISKS DIGEST 18.14

RISKS-LIST: Risks-Forum Digest  Weds 22 May 1996  Volume 18 : Issue 14

   FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
   ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

***** See last item for further information, disclaimers, caveats, etc. *****

Contents:
The National Research Council Study of National Cryptography Policy (Herb Lin)
Largest Computer Error in US Banking History: US$763.9 BILLION? (Dave Tarabar, David Kennedy)
Credit Lyonnais Fire (Boyd Roberts)
Gov't computer break-in in Australia (David Kennedy)
Computers facilitate foolishness (Mark Seecof)
Another Netscape Bug US$1K (David Kennedy)
Screensaviour? (Matthew P Wiener)
The risks of calling 800 numbers? (Rob Slade)
12am: noon or midnight? (Ken Knowlton)
The `pound' sign (Donald Mackie)
Prompt bus sign (Donald Mackie)
Addendum to my tirade on bad numbers (Bob Frankston)
When your last name's also a first name ... (Scott Alastair)
Number cruncher derides numbers (Bertrand Meyer)
Call for Participation - SEI Conference on Risk Management (Carol Biesecker)
ABRIDGED info on RISKS (comp.risks)

----------------------------------------------------------------------

Date: Wed, 22 May 96 13:54:00 EST
From: "Herb Lin"
Subject: The National Research Council Study of National Cryptography Policy

Please post this message widely.

I am writing to let interested parties know about the imminent release of the NRC's study of national cryptography policy. If all goes well, we hope to release it on May 30, 1996. However, prior to that time, we won't be able to comment on its contents.

For current information on release, visit the web site http://www2.nas.edu/cstbweb/220a.html

When you visit that site, you'll have the opportunity to be put onto a mailing list so that we can inform you by e-mail when the report is available in print and/or electronically, as well as any public events associated with the report (e.g., public briefings).

Herb Lin
Cryptography Policy Study Director
Computer Science and Telecommunications Board
National Academy of Sciences/National Research Council
202-334-2605

------------------------------

Date: Mon, 20 May 1996 09:57:54 -0400
From: dtarabar@systemsoft.com (Dave Tarabar)
Subject: Largest Computer Error in US Banking History: US$763.9 BILLION?

Approximately 800 customers of the First National Bank of Chicago were surprised to see that their balances were $924 million more than they expected last week. The cause was the traditional ``change in a computer program''. According to The American Bankers Association, the total of $763.9 billion was the largest such error in US banking history. Do the RISKS Archives agree?

[Source: an AP story in *The Boston Globe*, 19 May 1996.]

Dave Tarabar
SystemSoft Corp.
2 Vision Drive
Natick, MA 01760
dtarabar@systemsoft.com
508 647-2952

   [Yes.  PGN]

------------------------------

Date: 22 May 96 08:24:13 EDT
From: David Kennedy <76702.3557@CompuServe.COM>
Subject: Largest Computer Error in US Banking History: US$763.9 BILLION?

When Jeff Ferrera and Cindy Broadwater checked their checking balance at the First National Bank of Chicago, the automated voice gave it as $924,844,208.32. More than 800 other folks had similar stories to tell. The sum total for all accounts was $763.9 billion, more than six times the total assets of First Chicago NBD Corp. The problem was attributed to a ``computer glitch''.

[Source: AP US & World, 18 May 1996, By MARIO FOX, Courtesy of Associated Press News via CompuServe's Executive News Service. PGN Abstracting]

------------------------------

Date: Wed, 22 May 96 15:13:13 PST
From: boyd@france3.fr (Boyd Roberts)
Subject: Credit Lyonnais Fire

I'm not sure how widely this was reported, but the head office of the Credit Lyonnais (a bank) in Paris (8e, rue du Quatre Septembre) had a major fire a few weeks ago. I forget the date, but it was a Saturday and the fire burned for quite a while.

The investigation is proceeding, but my source of information has some things to say that may be interesting to RISKS readers:

1. The VMS machines in the building were part of a cluster that was replicated remotely. So far so good.

2. There appears to have been no sprinkler system or fire doors in the building. I've seen it, from the outside, and it's more or less gutted. Asking for trouble?

3. The UNIX machines were backed up daily, except for Fridays, which was done on Sunday. These machines were backed up to tape and it appears that the tapes stay in the machines until just before the next backup is done. Remember, the fire was on Saturday. 24-hour operations are not that expensive. Courier the tapes offsite, after they've been written. Offsite parallel operations?

4. On the Saturday the UNIX machines had the tapes for Thursday night still loaded. They had not yet been put in the fireproof safe and the backup of Friday's data had not commenced. Back up your data ASAP, preferably to a remote site across a network. If the tapes have to stay on site, put them in the safe.

5. In the middle of the _fire_ someone realised this small problem and _while the fire was still burning_ the tapes were rescued from the UNIX machines and from the fireproof safe. I wonder who volunteered?

6. Apparently the fireproof safe was not deemed to be waterproof, or taking the tapes _during_ the fire was deemed a better choice than maybe getting them later. Water follows fire.

7. From the news reports it appeared that there was also some concern over whether safe deposit boxes (in the basement?) were waterproof.

All of this is unconfirmed, but I think my source is OK.

BTW: I bank with the Societe Generale.

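The backup regime in items 3 and 4 above can be turned into a recovery-point calculation. The following is an added example, not part of Boyd Roberts's post and not anything Credit Lyonnais ran: the weekday schedule, the 22:00 backup hour and the Saturday 14:00 fire time are constructed assumptions that follow the post's description, and the "newest tape still loaded in the destroyed machine" option models the practice described in item 3.

```python
from datetime import datetime, timedelta

# Constructed model: one full backup per night at BACKUP_HOUR on each weekday
# listed in a schedule (Mon=0 ... Sun=6). Values are assumptions, not facts
# about the bank in the post.
BACKUP_HOUR = 22
# Mon-Thu nightly; Friday's run deferred to Sunday, so no backup Fri or Sat.
FIVE_NIGHT_SCHEDULE = frozenset({0, 1, 2, 3, 6})
# Comparison: a backup every night of the week.
NIGHTLY_SCHEDULE = frozenset(range(7))
# Constructed disaster time for the walk-through: a Saturday afternoon.
FIRE_TIME = datetime(1996, 5, 18, 14, 0)


def last_backup_before(schedule, when):
    """Return the start time of the most recent backup that ran before `when`."""
    if not schedule:
        raise ValueError("schedule has no backup days")
    candidate = when.replace(hour=BACKUP_HOUR, minute=0, second=0, microsecond=0)
    while True:  # terminates: a non-empty schedule has a backup within 7 days
        if candidate < when and candidate.weekday() in schedule:
            return candidate
        candidate -= timedelta(days=1)


def exposure_hours(schedule, when, tapes_still_in_drive=False):
    """Hours of data that cannot be restored if everything on site is lost at `when`.

    With tapes_still_in_drive=True the newest tape is assumed to be still loaded
    in the destroyed machine (item 3 of the post), so only the previous backup,
    already in the safe, counts as recoverable.
    """
    usable = last_backup_before(schedule, when)
    if tapes_still_in_drive:
        usable = last_backup_before(schedule, usable)
    return (when - usable).total_seconds() / 3600


def worst_case_exposure_hours(schedule):
    """Largest gap between consecutive backups over a week: the RPO ceiling."""
    days = sorted(schedule)
    gaps = [(b - a) * 24 for a, b in zip(days, days[1:])]
    gaps.append((days[0] + 7 - days[-1]) * 24)  # wrap from the last day to the first
    return max(gaps)


if __name__ == "__main__":
    for name, sched in (("five-night", FIVE_NIGHT_SCHEDULE), ("nightly", NIGHTLY_SCHEDULE)):
        print(f"{name}: worst-case gap {worst_case_exposure_hours(sched)} h; "
              f"fire on {FIRE_TIME:%a %H:%M}: {exposure_hours(sched, FIRE_TIME):.0f} h lost, "
              f"{exposure_hours(sched, FIRE_TIME, tapes_still_in_drive=True):.0f} h "
              f"if the newest tape is still in the drive")
```

Under these assumptions the five-night schedule exposes up to 72 hours of data at its worst point (Thursday night to Sunday night); a Saturday-afternoon fire with the Thursday tape still loaded pushes the recoverable point back to Wednesday night, 64 hours of loss, against 40 hours had the tape been in the safe. A nightly schedule with tapes moved off site as soon as they are written caps the gap at 24 hours. The functions accept any weekday set, so the same calculation can be pointed at a real rota to find where its gap is.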
Boyd Roberts  boyd@france3.fr

------------------------------

Date: 22 May 96 08:24:11 EDT
From: David Kennedy <76702.3557@CompuServe.COM>
Subject: Gov't computer break-in in Australia

Courtesy of Australian Associated Press via CompuServe's Executive News Service:

QLD: THIEVES RAID GOVERNMENT BUILDING
Australian Associated Press 5/18/96 6:21 AM
Copyright 1996 The Australian Associated Press.

>> BRISBANE, May 18 AAP - Computer thieves raided one of the
>>Queensland government's most sensitive buildings today,
>>ransacking three floors and dismantling around 55 computers,
>>police said.
>> A spokesman for Premier Rob Borbidge said the
>>break-in at the executive building annexe in George Street had
>>prompted a review of security at all government buildings.

o About 55 computers were taken apart and the HD and memory removed.

>> The spokesman for Mr Borbidge said the break-in in the
>>sensitive treasury area did not appear to be politically motivated.

[DMK: "Appear?" Kinda depends on what data "appears" on those Hard Drives, doesn't it?]

[DMK#2: Murphy's Laws of Combat #14: When you secure the area, be sure to let the enemy know.]

Dave Kennedy [CISSP] Information Security Analyst, National Computer Security Assoc.

------------------------------

Date: Sun, 19 May 1996 13:44:01 -0700
From: Mark Seecof
Subject: Computers facilitate foolishness

I saw a demonstration of modern computer-voice-recognition s/w tied to modern ideographic text-processing software. It appeared to me to work pretty well (given that I didn't understand the language involved).

Even a few years ago, it appeared that the "information age" was generating forces which would push people away from ideographic writing systems. Most intellectual work would be supported by computerized systems running on alphabetic text; ideographic processing when available was costly, awkward, and slow. Furthermore, hardly anyone could program his computer (in the general sense) using ideograms.
Though people using different alphabets could exchange information fairly easily, ideographic data was not very portable.

These forces seemed progressive. Alphabetic writing systems are much more convenient for most purposes than ideographic ones. Worse, cultures using ideographic systems force their young to spend tremendous amounts of time and effort memorizing ideograms--time which they could otherwise devote to productive or entertaining activities. Ideographic systems are bad for people with poor visual memories; though they may be capable of intellectual work, they find themselves crippled by their obdurate writing system.

But now computer advances (not unanticipated) will relieve some pressures which worked to push people away from ideographic systems. The tedium of penmanship will go away. Recognition of ideograms for programmatic purposes will become widely available. Most computer systems will become able to process and display ideographic text.

I fear that the usual forces of reaction and inertia which operate to maintain the cultural status quo may overpower the diminished forces of progress. Even though ideographic writing systems are demonstrably counter-productive, the slow-to-accrue benefits of abandoning them may never outweigh the instantaneous costs of doing so in the minds of adult (already ideographized) decision-makers. Advances in computer systems will enable us to avoid advances in our "human systems."

Heck, it's worse than "will enable us to avoid advances." It's more like "will actively retard us..."

Mark Seecof

------------------------------

Date: 22 May 96 08:24:09 EDT
From: David Kennedy <76702.3557@CompuServe.COM>
Subject: Another Netscape Bug US$1K

Courtesy of the Dow Jones News Service via CompuServe's Executive News Service

Princeton Team Finds Bug In Part Of Netscape Program
Dow Jones 5/20/96 6:02 AM
From The Wall Street Journal

>> MOUNTAIN VIEW, Calif. -- Netscape Communications Corp.
said a
>>team of Princeton University computer sleuths found another bug
>>in the company's popular Internet browser, but said the flaw
>>has been corrected and no information was lost or damaged.
>>Jeff Trehaft, Netscape's director of security, said the bug was
>>buried "deep in the source code" of its Navigator browser, and
>>that it was so esoteric that only experts searching for months
>>could find it. The bug was found in Navigator versions that
>>support Sun Microsystems Inc.'s Java computer language.

o Third bug identified by the team. This one found by Thomas Cargill, a consultant.
o Netscape delivered a fixed version within 24 hours. Cargill still gets the $1000 reward.

>> Mr. Trehaft added that Navigator is safe. "This product has
>>been out almost a year and only a few bugs have been found, and
>>as far as we know there's been no damage," he said.

Dave Kennedy [CISSP] Information Security Analyst, National Computer Security Assoc

   [John Markoff had an article on this topic (See also RISKS-18.13) in *The New York Times*, Saturday 18 May 1996.]

------------------------------

Date: Sun, 19 May 96 19:11:19 EDT
From: weemba@sagi.wistar.upenn.edu (Matthew P Wiener)
Subject: Screensaviour?

The 17 May 96 FORWARD (an American Jewish interest weekly newspaper), page 5, has a brief article about a Jewish CD-ROM put out by the Jewish Publications Society that had a Christian gospel screensaver by mistake.

JPS is a large Jewish publisher. But they had never done a CD-ROM before, so they asked Logos Research Systems, a leader in Christian software products, to do the scutwork. Apparently the screensaver was added in at the last minute, and since there were no instructions regarding it, the generic Logos screensaver was packaged in, and presumably nobody beta (beth?) tested it.

JPS and Logos are now splitting the cost of replacing hundreds of CD-ROMs already sold, and are pulling off those on the shelves.

-Matthew P Wiener (weemba@sagi.wistar.upenn.edu)
The Wistar Institute of Anatomy and Biology

------------------------------

Date: Tue, 21 May 1996 18:10:14 EST
From: "Rob Slade"
Subject: The risks of calling 800 numbers?

Ah, the things we don't know about 800 service. Like: Call(er ID) Blocking doesn't work: the owner of the 800 number gets your number anyway.

And now this:

>From: Abram the spammer
>Newsgroups: alt.books (no less!)
>Subject: HAIR LOSS?....MINOXIDIL USERS?
>
>Now available in the U.S. XXXXXXXXXX AND XX-XXX XXXX.
>Japan and West Germany's leading treatment for thinning hair.
>2.5X more effective than minoxidil. Featured on CNN, NEWSWEEK,
>NEW YORK TIMES. DOCTOR recommended. For FREE information,
>please call 1-800-555-XXXX

Ah, but here's the cute part:

>*PLEASE NOTE THAT ANY CALLS NOT PERTAINING TO INFORMATION REQUESTS
>WILL BE AUTO-BILLED TO ORIGINATING NUMBER UTILIZING
>LONG DISTANCE SURCHARGES.

In other words, he is quite willing to spam news, but he doesn't want anyone spamming his 800 number in retaliation. Of course, he could just be bluffing. Any telco people know if this is available?

------------------------------

Date: Tue, 21 May 1996 22:02:15 -0400
From: KCKnowlton@aol.com
Subject: 12am: noon or midnight?

There are compelling reasons to consider "12 am" to mean noon, as in the hour-by-hour sequence 10 am, 11 am, 12 am. But just as compelling is the minute-by-minute sequence 12:00 pm, 12:01 pm, 12:02 pm. People generally duck (actually clarify) the issue by saying "12 noon" and "12 midnight." Another dodge is to make rules and laws go into effect at such times as 12:01 am. But is there a more or less universally understood meaning of 'am' or 'pm' as applied to exactly 12? If there isn't, what should it be?

The truly logical answer to this, of course (try to get this one through Congress) is to replace 12 by 0: there's no confusion about what 0 am and 0 pm would mean. Not to me anyway.

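The question does have a concrete answer in software: the convention implemented by C's strftime/strptime and the libraries built on it (Python's datetime module here) is that with %I and %p, hour 0 prints as "12 AM" and hour 12 as "12 PM", so "12 am" is midnight. The following added example, not part of Ken Knowlton's post, shows that convention, the naive "add 12 for pm" conversion that goes wrong exactly at 12, and a correct conversion in both directions; the function names are my own.

```python
from datetime import datetime


def naive_to_24h(hour12, meridiem):
    """The common wrong conversion: add 12 for pm, nothing for am.

    Gives 24 for "12 pm" and 12 for "12 am"; every other hour comes out right,
    which is why the bug survives until someone schedules something at 12.
    """
    return hour12 + 12 if meridiem == "pm" else hour12


def to_24h(hour12, meridiem):
    """Correct conversion under the strftime convention: 12 am -> 0, 12 pm -> 12."""
    if not 1 <= hour12 <= 12:
        raise ValueError(f"12-hour clock hour out of range: {hour12}")
    if meridiem not in ("am", "pm"):
        raise ValueError(f"meridiem must be 'am' or 'pm': {meridiem!r}")
    hour24 = hour12 % 12          # 12 becomes 0; 1..11 unchanged
    if meridiem == "pm":
        hour24 += 12              # 0 -> 12 (noon), 1..11 -> 13..23
    return hour24


def to_12h(hour24):
    """Inverse: (hour, 'am'|'pm') with 0 -> (12, 'am') and 12 -> (12, 'pm')."""
    if not 0 <= hour24 <= 23:
        raise ValueError(f"24-hour clock hour out of range: {hour24}")
    meridiem = "am" if hour24 < 12 else "pm"
    hour12 = hour24 % 12 or 12    # 0 and 12 both display as 12
    return hour12, meridiem


def strptime_hour(text):
    """What the standard library makes of a 12-hour string such as '12:00 AM'."""
    return datetime.strptime(text, "%I:%M %p").hour


if __name__ == "__main__":
    # Walk the clock and show where the naive conversion diverges.
    for hour24 in range(24):
        hour12, meridiem = to_12h(hour24)
        naive = naive_to_24h(hour12, meridiem)
        flag = "" if naive == hour24 else "   <-- naive conversion wrong"
        print(f"{hour24:02d}:00 = {hour12:2d} {meridiem}  (naive gives {naive:2d}){flag}")
```

Running the block prints one line per hour; only 00:00 and 12:00 are flagged, which is the whole of the ambiguity the post describes, and the 24-hour form that PGN recommends below avoids it by never using am/pm at all.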
Ken Knowlton

   [Lots of folks around the world solve this by going from 00:00 through 12:00 to 23:59 each day. Who needs am, p, n, and m? So, perhaps a correct answer to the Subject line is *neither*.  PGN]

------------------------------

Date: Tue, 21 May 1996 22:22:53 +1200
From: donald@iconz.co.nz (Donald Mackie)
Subject: The `pound' sign

The pound sign `#' is often used as shorthand for the word `fracture' by medical staff from the UK and other countries. For example, "Mrs Smith has a # radius and ulna".

Our hospital computer systems move data from one system to another. If Mrs Smith's diagnosis is entered as above on the administrative system and then her information is called up from the pathology system the diagnosis appears as "£ radius and ulna". Of course, the same problem may occur in transmission of this message. The pound or hash sign is replaced by the stylised L used to designate the pound sterling (currency).

RISK: the patient's arm may be more valuable to pathology than anyone else.

Donald Mackie FANZCA FRCA
Middlemore Hospital, Auckland, New Zealand
ph +64 9 276 0168  fax +64 21 785 378

------------------------------

Date: Tue, 21 May 1996 22:22:58 +1200
From: donald@iconz.co.nz (Donald Mackie)
Subject: Prompt bus sign

Our local buses have electronic signs on the front, rather like those used for airport departure boards. The sign shows the destination of the bus and scrolls through stops it is yet to make. As the bus passes each stop it is removed from the list.

Yesterday I saw a bus apparently destined for

    >:run64

I suspect the driver needed to hit just one more time.

Donald Mackie FANZCA FRCA
Middlemore Hospital, Auckland, New Zealand
ph +64 9 276 0168  fax +64 21 785 378

------------------------------

Date: Tue, 21 May 1996 12:58 -0400
From: Bob_Frankston@frankston.com
Subject: Addendum to my tirade on bad numbers (... Births, RISKS-18.10)

I'm watching CNN as background noise and they are touting the use of Astrology for investing.
The problem is just another illustration of how difficult it is to get straight information to form one's own judgment. They uncritically report three successful predictions, including the Gulf war. There is not an iota of incredulousness -- not only does the reporter not do fact checking (what is a prediction?), there isn't even the idea of checking to see if there is any significance against the larger set of predictions.

Astrology is an obvious target but there is no reason to assume any of the other reports are any better researched. Reminds me of the great Dilbert strip where the Boss is determined to track down the miscreants since a full 40% of the sick days were on Monday or Friday.

But it's not just innumeracy. Lest we be smug (whoever "we" are) the same naivete appears in assuming that one can simply design a system and deploy it without a continual learning and refinement cycle (formerly known by its denigrated name of "maintenance").

------------------------------

Date: Mon, 20 May 1996 09:07:24 +0100
From: "Scott Alastair (Exchange)"
Subject: When your last name's also a first name ...

I have the misfortune to have both an unusual first name (Scottish Gaelic) and a last name which passes muster as a first name in most, if not all, of the English-speaking parts of the world.

Our Microsoft Exchange mail system stores names as . So I am seen by the world as "Scott Alastair" when Exchange puts its own header at the top of mail messages I send. Despite many variations - of increasing literary violence - of signature, most (about 75%) of my Internet email is addressed, "Dear Scott".

I am told that names are stored as because, for example, the sender can type "Scott Al" and Exchange will match my name automatically without the poor sender having to spell "Alastair" correctly. A fix has been considered - storing the names as , - but was rejected as too risky because people would forget the comma. So I can't win!

If an Alistair Scott (note the spelling, which is actually more common than my spelling) joins, I'm

Alastair Scott; MS Exchange calls me Scott Alastair
scotta@logica.com  +44 (0)171 446 4899  Logica UK Limited

   [Not to mention the confusion between Li Gong and Gong Lim although the former name has been Westernized.  PGN]

------------------------------

Date: Sat, 18 May 96 14:19:08 PDT
From: bertrand@eiffel.com (Bertrand Meyer)
Subject: Number cruncher derides numbers

A story in the 29 Apr 1996 issue of Web Week, a magazine devoted to the World-Wide Web, describes new developments in the controversy between Nielsen Media Research and a group of academics from Vanderbilt and North Carolina, who criticized an earlier Nielsen study as overstating Internet usage in the US and Canada.

The magazine quotes the following from David Harkness, senior VP of Nielsen Media Research: "What doesn't matter now, in my opinion, is how many users there were in August of last year, because the Internet is growing so fast. The Internet is not being served by this debate".

The last comment may cause anyone who has forked out $5,000 - what the magazine says it takes to buy a copy of the Nielsen report - to raise an eyebrow or two. Are we to understand that the purpose of such a study is to "serve the Internet", that is to say cheer up everyone in the Internet industry by reporting good news, rather than provide a snapshot of the reality?

But the most interesting part remains the first sentence in Mr. Harkness's comment. If I understand properly: let's not quibble about minor differences between the two studies (a mere 8 million people - or actually 20 million, making the result more than 100% off target, if you compare Nielsen's "Internet access" numbers with the academics' estimates of actual Internet use!); we all know the Internet is expanding by leaps and bounds. Which of course brings up the whole question of why we should trust Nielsen's numbers any more than Mr. Harkness seems to.
For example, according to his study, 1.51 million people have used the Web to make a purchase. Even if you bought the report, better double-check before making a major policy decision based on such statistics.

-- Bertrand Meyer, ISE Inc., Santa Barbara
Posting applying the SELF-DISCIPLINE rules, see http://www.eiffel.com/discipline

------------------------------

Date: 22 May 1996 18:43:34 GMT
From: cb@SEI.CMU.EDU (Carol Biesecker)
Subject: Call for Participation - SEI Conference on Risk Management

Call for Participation

Software Engineering Institute (SEI) Conference on Risk Management:
acquisition, programs, projects, systems, and software

Managing Uncertainty in a Changing World

Hotel Cavalier
Virginia Beach, Virginia
April 7-9, 1997

In today's world of downsizing and reengineering, you're moving into uncharted territory. You've been asked to acquire and develop systems with less money, and said, "I can do that." You've been asked to succeed with shorter schedules, and said, "I can do that." You've been asked to use fewer people, and said, "I can do that." So, how can you do that?

You need to improve your ability to acquire systems, to proactively manage your resources, people, schedules, and budgets--to predict and avoid problems before they occur. You must rapidly integrate, under controlled conditions, the acquisition of complete systems providing end users with predictable system performance. You need to determine which risks are more critical to the success of your program to make effective use of scarce resources. You need proven methods and techniques as well as suggestions for advanced capabilities.

Acquisition practices and risk management are being implemented and improved throughout the government and industry. To maintain your competitive edge in this uncertain world, you need effective acquisition and risk management practices. This conference is a way to find out what's going on and what's applicable and useful to you.

The SEI Conference on Risk Management will provide a forum that brings together the government, industry, and academic managers, practitioners, change agents, and researchers using and exploring risk management and acquisition. The conference will provide a unique forum for exchanging ideas and experiences with experts and professionals who practice or study acquisition and risk management. This is a tremendous opportunity to increase your awareness and to advance your knowledge and skills by being exposed to the latest methods, tools, and techniques, and some of the best practices in the field of system development and acquisitions.

Managers will find the means to improve their ability to make informed decisions and to gain better control of their project's cost, schedule, and technical contents. Practitioners will find the ways to increase awareness of risks and their ability and skills to avoid or mitigate them. Both development and acquisition professionals will gain insight from the experiences of leading experts and professionals, learn about the latest developments and technological issues, and learn how to manage uncertainty in a changing world.

The SEI Conference on Risk Management will feature keynote speakers, distinguished presenters, selected presentations from invited speakers, panel discussions with experts and professionals, and exhibitors. It will also provide learning opportunities with hands-on tutorials and opportunities to accomplish work to advance the practices of acquisition and risk management through mini-workshops. The conference will further provide value for different audiences such as managers and practitioners, beginners and advanced professionals, or development and acquisition professionals through separate tracks for presentations and panels. Opportunities to mingle with people who have similar interests will be provided through birds-of-a-feather sessions.

The Hotel Cavalier in Virginia Beach provides beach-side accommodations.
The Virginia Beach area is convenient to Washington, D.C. and offers golfing, deep-sea and freshwater fishing, tennis, hiking, historic dwellings, museums, shops, and restaurants. The Norfolk International Airport serves the Virginia Beach area with more than 200 flights daily to all major hubs and most major cities. The oceanfront is a 20-minute drive from the airport.

Important Dates

September 19, 1996: deadline for submitting papers and workshop proposals
October 17, 1996: deadline for mailing acceptance notification to participants
January 24, 1997: deadline for submitting camera-ready materials

For more information about the conference, contact--

SEI Customer Relations
Software Engineering Institute
Carnegie Mellon University
Pittsburgh, PA 15213-3890
Phone 412 / 268-5800
FAX 412 / 268-5758
Email customer-relations@sei.cmu.edu
World Wide Web http://www.sei.cmu.edu

For more information about vendor exhibits, contact--

Heather Stupak, as above, with Phone 412 / 268-1587, FAX 412 / 268-5758
Email hstupak@sei.cmu.edu

   [Truncated for RISKS.  PGN]

------------------------------

Date: 18 March 1996 (LAST-MODIFIED)
From: RISKS-request@csl.sri.com
Subject: ABRIDGED info on RISKS (comp.risks)

The RISKS Forum is a moderated digest. Its USENET equivalent is comp.risks.
SUBSCRIPTIONS: PLEASE read RISKS as a newsgroup (comp.risks or equivalent) on your system, if possible and convenient for you. BITNET folks may use a LISTSERV (e.g., LISTSERV@UGA): SUBSCRIBE RISKS or UNSUBSCRIBE RISKS. [...]
DIRECT REQUESTS to (majordomo) with one-line,
  SUBSCRIBE (or UNSUBSCRIBE) [with net address if different from FROM:]
  INFO [for unabridged version of RISKS information]
CONTRIBUTIONS: to risks@csl.sri.com, with appropriate, substantive Subject: line, otherwise they may be ignored. Must be relevant, sound, in good taste, objective, cogent, coherent, concise, nonrepetitious, and without caveats on distribution. Diversity is welcome, but not personal attacks. [...]
ALL CONTRIBUTIONS CONSIDERED AS PERSONAL COMMENTS; USUAL DISCLAIMERS APPLY. Particularly relevant contributions may be adapted for the RISKS sections of issues of ACM SIGSOFT Software Engineering Notes or SIGSAC Review.
* Submissions: By submitting an item that is accepted for publication in RISKS, the author grants permission for unlimited public distribution and redistribution in electronic or other form.
* Reuse: Blanket permission is hereby granted for reuse of all materials in RISKS, under the following conditions. All redistributed items must include the Risks-Forum masthead line. All reuse must be accompanied by the following statement: Reused without explicit authorization under blanket permission granted for all Risks-Forum Digest materials. The author(s), the RISKS moderator, and the ACM have no connection with this reuse. As a courtesy, reusers of individual items (as opposed to forwardings of entire issues) should notify the authors, and should pay particular attention to any subsequent corrections.
RISKS ARCHIVES: "ftp ftp.sri.com
  login anonymous
  [YourNetAddress]
  cd risks or cwd risks, depending on your particular FTP. [...]
[Back issues are in the subdirectory corresponding to the volume number.]
Individual issues can be accessed using a URL of the form
  http://catless.ncl.ac.uk/Risks/VL.IS.html [i.e., VoLume, ISsue]
  ftp://ftp.sri.com/risks
The ftp.sri.com site risks directory also contains the most recent PostScript copy of PGN's comprehensive historical summary of one liners: get illustrative.PS
PRIVACY: For info on the PRIVACY Forum Digest and Computer PRIVACY Digest, see the unabridged INFO file at RISKS-Request (send one-line message INFO to risks-request@CSL.sri.com as noted above).

------------------------------

End of RISKS-FORUM Digest 18.14
************************