Subject: RISKS DIGEST 10.68
REPLY-TO: [email protected]

RISKS-LIST: RISKS-FORUM Digest  Friday 14 December 1990  Volume 10 : Issue 68

       FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS
  ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

 Contents:
Recent RISKS Mail to CSL.SRI.COM (PGN)
Many Bills Are Found Incorrect on Adjustable Rate Mortgages (Saul Tannenbaum)
Loughborough (Rob Thirlby via Brian Randell)
Gender and computer anxiety (Rob Gross)
Computerized USA Phone Directory (Allan Meers)
Getting out of Lotus' "Household Marketplace" (TDN)
Re: a fondness for turkeys (Haynes)
Call for Papers - 14th National Computer Security Conference (Jack Holleran)

 The RISKS Forum is moderated.  Contributions should be relevant, sound, in
 good taste, objective, coherent, concise, and nonrepetitious.  Diversity is
 welcome.  CONTRIBUTIONS to [email protected], with relevant, substantive
 "Subject:" line.  Others ignored!  REQUESTS to [email protected].
 FTP VOL i ISSUE j:  ftp CRVAX.sri.com<CR>login anonymous<CR>AnyNonNullPW<CR>
 CD RISKS:<CR>GET RISKS-i.j<CR>; j is TWO digits.  Vol summaries in
 risks-i.00 (j=0); "dir risks-*.*<CR>" gives directory; bye logs out.
 ALL CONTRIBUTIONS CONSIDERED AS PERSONAL COMMENTS; USUAL DISCLAIMERS APPLY.
 Relevant contributions may appear in the RISKS section of regular issues
 of ACM SIGSOFT's SOFTWARE ENGINEERING NOTES, unless you state otherwise.

----------------------------------------------------------------------

Date: Thu, 13 Dec 1990 15:52:40 PST
From: "Peter G. Neumann" <[email protected]>
Subject: Recent RISKS Mail to CSL.SRI.COM

Well, we survived the move to another building (I'm now in EL-243), although
for a variety of reasons the servers could not be moved on schedule and getting
everything working again was decidedly nontrivial.  But the resulting outage of
five days meant that some mail to CSL.SRI.COM was rejected.  So, if you got
BARFmail indicating your mail to CSL was undeliverable, PLEASE TRY AGAIN NOW.
Sorry for the inconvenience.  Peter

------------------------------

Date: Wed, 12 Dec 90 19:30 EDT
From: Saul Tannenbaum <[email protected]>
Subject: Many Bills Are Found Incorrect on Adjustable Rate Mortgages

The New York Times reports (13 Dec 90) that, according to a General Accounting
Office study, as many as 25% of all adjustable rate mortgage bills may
be incorrect as a result of bank errors in calculating their interest
rates. These errors were found as part of routine audits done as failed
savings and loan institutions were taken over by Federal regulators.

A former Federal mortgage banking auditor says that that estimate is
too low, putting the problem at 30-35% of adjustable rate mortgages.
In some cases, this auditor says, the errors resulted from "human mistakes" at
small S&Ls, that often calculated adjustable mortgages by hand. In other
cases the problems were caused by "computer glitches." One failed S&L,
the Victor Federal Savings and Loan of Muskogee, Okla, was audited
by the Bennington Group for the Federal Savings and Loan Insurance Corp.
The audit, which sampled 96 adjustable mortgages, found that the
bank's computer system contained logic errors. The bank, among other
things, rounded rates upward, instead of downward and "pulled" the
index on the wrong date, when it might be higher or lower than on
the correct date. Other errors resulted from "poor recordkeeping",
where the indices on which the adjustable rates were based couldn't be found,
or did not match the FSLIC computer programs [which begs an obvious
question]. Some adjustable mortgages have never been adjusted.

In one example given, a woman took out 3 identical adjustable rate mortgages
from the same bank at the same time. Now, all three have wandered off in
different directions. She has 3 different monthly payments, 3 different
balances, and 2 payment schedules.

According to the article, it is the opinion of Federal regulators that the
Truth In Lending Law "probably does not" require lenders to repay overcharges
in any form.

Saul Tannenbaum, USDA Human Nutrition Research Center on Aging at Tufts
University, 711 Washington St., Boston, MA 02111 [email protected]

------------------------------

From: Brian Randell <[email protected]>
Date: Tue, 11 Dec 90 16:38:05 GMT
Subject: A White Xmas?

Date:     Tue, 11 Dec 90 11:03:24 GMT
From:     Rob Thirlby <[email protected]>
Subject:  Loughborough
To:       uk-mail-managers @ uk.ac.newcastle

We are back in the world, the little, forgotten, black hole in the East
Midlands is now up and running after over 60 hours of no electricity, often no
water, dodgy phones, and just to finish it off this morning a suspected gas
leak and a heating fault (or at least I presume it's a fault, it's not very
warm!).

Many of the surrounding villages are still without power and in some cases
water and phones.  And all this in the Soar valley with one of the lowest
average snowfalls in England!  The University cedar tree which features on much
of our publicity has lost its top half and I suspect there has been more
arboreal damage than in the hurricane year.

For the technically minded the main problem was due to the incredibly wet
sudden snowfall which stuck to anything it touched even in a gale.  The
Loughborough 132KV grid feed wires and gear fell onto a host of lower voltage
feeders causing massive damage to both.  It must have made firework night look
tame.  All our water is pumped by (non backed-up) electric pumps from
Derbyshire and hence the chaos.  There's nothing more irritating than being
told on the radio to boil all the water when you haven't any means of heating
it.  Mind you we can see the plumes of vapour from some of the country's
largest power stations on the Trent and that doesn't improve one's temper when
trying to bake potatoes on a log effect, real-flame, gas fire!

I hope you all had a nice week-end.

Rob Thirlby, Postmaster@lut

------------------------------

Date:     Sat, 8 Dec 90 00:22 EST
From: <[email protected]> (Rob Gross)
Subject:  Gender and computer anxiety

The following is excerpted from the "Faculty File" column in the
Princeton Alumni Weekly of December 5, 1990:

   In general, [Joel] Cooper [chairman of the psychology department
   at Princeton] has found, females are more subject to computer
   anxiety than males are, and as a result, they perform
   computer-related tasks worse.  But there's an important contextual
   component to these findings:  the performance differential appears
   only when there's someone else in the room with the female who's
   using the computer.  Just the presence of another person--male or
   female, no matter what he or she is doing--seems to be enough to
   generate computer anxiety.  By contrast, when they're alone in a
   room with a computer, females generally show no appreciable
   difference in performance compared to males.

   In the course of this study, Cooper examined a group of
   middle-school children in Princeton...The children were asked to
   solve arithmetic problems on a computer.  In group settings, the
   girls in the class often did worse than the boys, whose
   performance actually improved when other people were around.  In a
   test of university students, Cooper had groups of men and women
   play an adventure game called Zork on a computer; some played with
   other people present, others were alone.  The middle school results
   were replicated.

   ``We tried to get a fix on what the other people in the room had
   to do to provoke the computer anxiety,'' Cooper recalls.  ``It
   turned out to be almost nothing.  They could be writing a letter
   in the corner, totally ignoring the woman at the keyboard, but
   still her performance would drop.  They just had to be there.''


Rob Gross
Department of Mathematics   BITNET: GROSS@BCVMS
Boston College              Internet: GROSS%[email protected]
Chestnut Hill, MA 02167

------------------------------

Date: Thu, 13 Dec 90 00:03:32 PST
From: [email protected] (Allan Meers - Sun Education)
Subject: Computerized USA Phone Directory

Mercury News - 90-Dec-12

Compuserve has introduced the FIRST computerized national phone book, listing
the name, address, ZIP, and phone number of 80 million households in the US who
have a listed number.  As of December 1, the Phonefile service allows the
725,000 Compuserve subscribers to search the phone lists of the USA by:

       name & address  - for updating your Christmas card list or
                         for telemarketing reasons.  This is
                         just a computerized version of the
                         current phone book - but without needing
                         hundreds of phone books for the whole USA.

       name & state    - to find long-lost relatives or to find
                         someone who has relocated (out of state).
                         Examples include old classmates for class
                         reunions, and birth parents of adoptees.

       phone number    - like a "reverse" directory, where you can
                         get any listed name & address just by
                         looking up the phone number.

The cost of retrieving the information is 25 cents per minute in
addition to Compuserve's standard on-line charge of $12.80 per hour
(21 cents per minute).  The cost is considered not much more than
a call to directory assistance, and can be even cheaper considering
the acquiring and search costs of all the phone books for the USA.

The Phonefile database is compiled by a direct marketing company, Metro Mail
Corp. of Illinois, from phone directories, computerized real estate
transactions, and other sources.  It was not speculated on what the "other"
sources might be, but I would suspect other telemarketing databases, magazine
subscriptions, credit services, Usenet email alias lists :^}) , and other
public sources of name/address information.

A Bellcore New Jersey privacy issues expert, James E. Katz, indicated that a
likely consequence of the directory will be an even greater increase in the
number of unlisted phone numbers in the United States.  It was noted that Japan
and European countries have practically no unlisted numbers, while the United
States runs about 25% of its phone numbers unlisted, with 33% of California
numbers unlisted.

While Compuserve assures that the directory was designed to discourage the
compilation of marketing lists for junk mail and telemarketing, privacy experts
assume that such use is inevitable.  A magazine for instance, could compile
phone numbers for a telemarketing campaign targeted at readers whose
subscriptions have lapsed.

------------------------------

Date: Wed, 12 Dec 90 09:44:29 -0800
From: [email protected]
Subject: Getting out of Lotus' "Household Marketplace"

If you don't want to be listed in the "Household Marketplace" database but you
don't have enough energy to write a letter, you can also do the following:

       Dial    1-800-343-5414
       press 3, then 2  (I don't know what to do if you don't have a
                       touch-tone phone.)

This will get you a human who will want to send you information about
"Household Marketplace."  However, you can also say that you want to
be removed from the database.  You will then be given the choice of mailing
to Lotus or you can tell them your name and address and they say they will
remove you from the database and send you written confirmation.   I did this
yesterday, so I know they will take your name and address.  I can't vouch that
they send the confirmation, the U.S. Mail isn't that fast.

If you are energetically opposed to this product, here are some names
and addresses you might want to have for your own database:
       Lotus Development Corp.
       55 Cambridge Pkwy.
       Cambridge, MA 02142
       (Mary Ann Malloy Coffey, Marketing Programs Manager)
       (Jim P. Manzi, Chairman, President, and CEO)

       Equifax, Inc.
       1600 Peachtree St. N.W.
       Atlanta, GA 30309
       (Jeff V. White, Chairman of the Board)
       (C.B. Rogers, Jr., President and CEO)

Equifax is the original collector of the data which Lotus is selling.   /tdn

------------------------------

Date: Wed, 12 Dec 90 13:54:14 -0800
From: [email protected]
Subject: update on Lotus

Someone told me that they phoned Lotus today about getting off the Marketplace
Household database and were told something different than I was told yesterday.
Apparently, today's story is that if you want written confirmation that you've
been removed from the database, you have to send mail to:
       Lotus Development Corp.
       Attn: Marketplace Name Removal
       55 Cambridge Pkwy.
       Cambridge, MA 02142

If you just phone them, they now say they won't send written confirmation.
I wonder what they'll say tomorrow.                                   /tdn

------------------------------

Date: Fri, 7 Dec 90 23:30:41 -0800
From: [email protected] (99700000)
Subject: Re: a fondness for turkeys (Re: Mellor, RISKS-10.65)

I'll suggest a third reason [for the problems Pete Mellor discussed in modern
weapons system development], that I like to call Model Railroading.  Designing
a complex electronic system to solve some warfare problem is interesting,
challenging, and fun; and somebody else is paying the bills.  As long as we're
not in a war, as long as the system doesn't have to solve some real problem, it
is a delightful toy; and as with a model railroad we get to keep arranging the
scenery so it appears to be doing the Real Thing.

------------------------------

Date:  Sat, 8 Dec 90 23:32 EST
From: Jack Holleran <[email protected]>
Subject:  Call for Papers - 14th National Computer Security Conference

CALL  FOR  PAPERS
14th NATIONAL  COMPUTER  SECURITY  CONFERENCE
Sponsors:
National Computer Security Center and
National Institute of Standards and Technology

Theme:  Information Systems Security:  Requirements & Practices

OCTOBER 1-4, 1991       OMNI SHOREHAM HOTEL       WASHINGTON, D.C.

The focus of the 14th NCS Conference will be on the "Experiences in our
Applications".  These applications include, but are not limited to, efforts to
meet the policy requirements required by law or corporate policy.  We would
like you to share your learning curve with the Computer Security Community.  We
also encourage submission of papers on the following topics of high interest:

Systems Application
* Access Control Strategies
* Achieving Network Security
* Application of Trusted Technology
* Integrating INFOSEC into Systems
* User Experience with Trusted Systems
* Secure Architectures
* Securing Heterogeneous Networks
* Small Systems Security

Criteria, Evaluation and Certification
* Assurance and Analytic Techniques
* Conducting Security Evaluations
* Federal Computer Security Criteria
* Experiences in Applying Verification
* Integrity and Availability
* Formal Policy Models

Management and Administration
* Accrediting Information Systems and Networks
* Specifying Computer Security Requirements
* Life Cycle Management
* Managing Risk
* Role of Standards
* Preparing Security Plans

International Computer Security Activities
* Conformance Test Development and Evaluation
* Harmonized Criteria
* International Evaluation Infrastructure
* Prototype Development
* Research Activities

Innovations and New Products
* Approved/Endorsed Products
* Audit Reduction Tools and Techniques
* Biometric Authentication
* Data Base Security
* Personal Identification and Authentication
* Smart Card Applications
* Tools and Technology

Awareness, Training and Education
* Building Security Awareness
* COMPUSEC Training:  Curricula, Effectiveness, Media
* Curriculum for Differing Levels of Users
* Keeping Security In Step With Technology
* Policies, Standards, and Guidelines
* Understanding the Threat

Disaster Prevention and Recovery
* Assurance of Service
* Computer Viruses
* Contingency Planning
* Disaster Recovery
* Malicious Code
* Survivability

Privacy and Ethical Issues
* Computer Abuse/Misuse
* Ethics in the Workplace
* Laws
* Privacy and Individual Rights
* Relationship of Ethics to Technology
* Standards of Ethics in Information Technology

    We are pleased to invite academic Professors to recommend Student papers
in the application of Computer Security methodology.  Three student submissions
will be selected by the Technical Committee for publication in the 14th NCS
Conference Proceedings.  To be considered, the submission must be solely
authored by an individual student and be recommended by an Academic Professor.
Only one copy for student submission is required.

 BY FEBRUARY 15, 1991: Send eight copies of your draft paper* or panel
suggestions to one of the following addresses.  Include the topical category of
your submission, author name(s), address, and telephone number on the cover
sheet only.  (* Government employees or those under Government sponsorship must
so identify their papers.)

 BY MAY 11, 1991: Speakers selected to participate in the conference will be
notified when their camera-ready paper is due to the Conference Committee.
All referee comments will be forwarded to the primary author at this time.

For additional information on submissions, please call (301) 850-0272.

Mailing Information:
1.  FOR PAPERS SENT VIA U.S. or Foreign Government MAIL ONLY:

National Computer Security Conference
 ATTN:  NCS Conference Secretary
 National Computer Security Center
 9800 Savage Road
 Fort George G. Meade, MD 20755-6000


   2.  FOR PAPERS SENT VIA COMMERCIAL COURIER SERVICES (e.g.- UPS, FEDERAL
EXPRESS, EMERY, etc.)

National Computer Security Conference
 c/o NCS Conference Secretary
 National Computer Security Center
 911 Elkridge Landing Road
 Linthicum, MD  21090

 Please note that the US Government Postal System does not deliver to
Elkridge Landing Road.

   3.  FOR Electronic Mail:
         [email protected]
           (1 copy only; no figures or diagrams)

Preparation Instructions for the Authors
         To assist the Technical Review Committee, the following is required
for all submissions:

Page 1:  Title of paper, submission, or panel suggestion
    Focus & keywords (e.g. - Innovations and New Products - Biometric
                              Authentication, Tools and Technology)
    Author(s)
    Organization(s)
    Phone number(s)
    Net address(es), if available
    Point of Contact

 Additionally, submissions sponsored by the U.S.  Government must provide the
following information:
 U.S. Government Program Sponsor or Procuring Element
 Contract number (if applicable)
 U.S. Government Publication Release Authority
   Note: Responsibility for U.S.  Government pre-publication review lies with
the author(s).

 Page 2:
  Title of paper or submission - do not include author(s) or organization(s)
    Abstract (with keywords)
    The paper (Suggested Length: 8 pages, double columns, including figures
and diagrams; pitch: no smaller than 8 point.)

    A Technical Review Committee, composed of Government and Industry
Computer Security experts, will referee submissions only for technical merit
for publication and presentation at the National Computer Security (NCS)
Conference.  No classified submissions will be accepted for review.

    The Conference Committee provides for a double "blind" refereeing.
Please place your names and organizations on page 1 of your submission, as
defined above.  Failure to COMPLY with the instructions above may result in
non-selection BEFORE the referee process.

    Papers drafted as part of the author's official U.S.  Government duties
may not be subject to copyright.  Papers submitted that are subject to
copyright must be accompanied by a written assignment to the NCS Conference
Committee or written authorization to publish and release the paper at the
Committee's discretion.  Papers selected for presentation at the NCS
Conference requiring U.S.  Government pre-publication review must include,
with the submission of the final paper to the committee, a written release
from the U.S.  Government Department or Agency responsible for pre-publication
review.  Failure to comply may result in rescinding selection for publication
and for presentation at the 14th NCS Conference.

    Technical questions can be addressed to the NCS Conference Committee by
mail (see Mailing Information) or by phone, (301) 850-0CSC [0272].

------------------------------

End of RISKS-FORUM Digest 10.68
************************