Subject: RISKS DIGEST 15.58
REPLY-TO: [email protected]

RISKS-LIST: RISKS-FORUM Digest  Weds 23 February 1994  Volume 15 : Issue 58

        FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS
  ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

***** See last item for information on RISKS (comp.risks) *****

 Contents:
E-Mail blunder at Olympics (David G. Novick)
Dog Gets Card With $10G Limit (marc via PGN)
Computer error adds to ad valorem tax for 300,000 people (James E. Burns)
Embezzler caught by computer trail (James E. Burns)
Software testing at Sizewell (Brad Dolan)
Clipping Clinton and the Executive Branch... (Peter Wayner)
Clipper: Love your country, don't trust its government (David Honig)
Re: CompuServe Offers Credit Info (Steve Bellovin)
Social RISKS of Universal IDs (John Oram)
Re: SimHealth (Gerd Meissner, Bob Frankston)
Re: Telephone Card Audit Trails (Jonathan I. Kamens)
Re: E-Mail Courtesy (Jim Haynes, Bob Frankston)
Re: Electronic Food Stamps (Colby Kraybill)
Re: International Internet Association (Jeff Porten)
Info on RISKS (comp.risks), contributions, subscriptions, FTP, etc.

----------------------------------------------------------------------

Date: Tue, 22 Feb 94 22:08 PST
From: [email protected] (David G. Novick)
Subject: E-Mail blunder at Olympics

Here's another example of a familiar problem with a topical twist,
as reported by the Portland "Oregonian" February 22, 1994, p. C5:

"Access Violation: Several U.S. reporters were contacted by Mike
Moran, the U.S. Olympic Committee chief press attache, after they got
Portland figure skater Tonya Harding's Olympic identification number
and broke into her computer mail program.

"All persons with Olympic credentials have access to a computer mail
system on which they can send notes to others and receive information.
Access is through an individual's Olympic ID number and a password,
typically the user's birthdate.

"The reporters got Harding's ID number through a blown-up photo and
typed her birthdate to gain access to her messages.

"The skater had received 61 messages by Sunday."

David G. Novick, Dept of Comp Sci & Eng, Oregon Grad. Inst. of Sci. & Techn.,
P.O. Box 91000, Portland, OR 97291-1000  [email protected]  (503) 690-1156

------------------------------

Date: Wed, 23 Feb 94 00:57:23 EST
From: [email protected]
Subject: Dog Gets Card With $10G Limit

We've all read stories here of how credit agencies have made mistakes.
Sometimes, it isn't the consumer who loses.  Marc

     [The PGN Excerpting Service provides the following summary of
     an AP item from Ballston NY, relayed by [email protected],
     14 Feb 1994.  PGN]

An eight-year old Brittany spaniel has her own $10,000 line of credit.  Her
owner began using her name on coupons and warranties, which then resulted in
solicitations and finally an offer of a credit card.  [Her pawtograph is
apparently enough when she charges dog food.  Perhaps she pours arf-and-arf
over it.]  PGN

------------------------------

Date: Wed, 23 Feb 94 15:48:27 EST
From: [email protected] (James E. Burns)
Subject: Computer error adds to ad valorem tax for 300,000 people

The Atlanta Journal of 18 Feb 1994 carried an article by Chris Grimes
describing an error in 300,000 auto tax bills (about 5% of the total).  The
error added $10 to $30 to the ad valorem portion of the bill.  Apparently the
mistake was caused by a patch added to correct a similar problem from the
previous tax season.  (Once again, the rule of thumb that a change to fix a
bug has a 50% chance of introducing a new one seems to hold.)  Officials
expect the problem to be fixed for next year's tax season.  (One wonders if
they have a "three strikes and you're out" rule :-)

Apparently, the State is not notifying motorists directly of the incorrect
amounts --- they must contact their local tag offices to ask if there was an
error.  The article warns, however, that this might result in a higher bill
since the errors apparently were both positive and negative.

James E. Burns, Bellcore, NVC-3X114, 331 Newman Springs Road,
Red Bank, NJ 07701-5699  [email protected]  (908) 758-2819

------------------------------

Date: Wed, 23 Feb 94 15:34:33 EST
From: [email protected] (James E. Burns)
Subject: Embezzler caught by computer trail

An article by Davidson Taylor that appeared in the 18 Feb 1994 issue of the
Asbury Park Press (NJ) described the arrest of a teller of a local credit union for
embezzling $15,000.  The embezzling was allegedly done on the teller's last
day of work, 8 Mar 90.  There is a supposition that the teller might have
destroyed the paper trail; she was apparently caught through computer auditing
by the Federal Reserve, which notified the credit union on 19 Mar 90.  No
clear explanation was given for the nearly four year delay in filing charges.

Of interest to RISKS readers was the quote from Assistant U.S.
Attorney Jay McMahon regarding the detection of the fraud:

    "You can't destroy computer records."

James E. Burns, Bellcore, NVC-3X114, 331 Newman Springs Road,
Red Bank, NJ 07701-5699  [email protected]  (908) 758-2819

------------------------------

Date: Wed, 23 Feb 1994 12:32:02 -0800
From: Brad Dolan <[email protected]>
Subject: Software testing at Sizewell [Note: British NII is not US NII]

TESTING THE SOFTWARE  [Nuclear Engineering International, 12/93, p.10]

Britain's Nuclear Installations Inspectorate is satisfied that the software
for the Sizewell B Primary Protection System (PPS) will be adequate for its
role - provided that no further major issues arise from NII's continuing
assessment or from the commissioning trials now underway, that the various
ongoing independent assessments are completed successfully, and that a
"clean" dynamic testing demonstration is achieved.

The NII does not believe that Nuclear Electric's original PPS integrity target
(10E-04 probability of failure per demand as proposed in the Pre-Construction
Safety Report) has been fully demonstrated - it was always regarded as a very
tall order by the regulators - but it does accept that the overall safety case
for the plant "can accommodate, without significant detriment, a lower
integrity for the PPS."

These conclusions are part of a status report on NII's assessment of the PPS
presented by NII staff to the Advisory Committee on the Safety of Nuclear
Installations on 1 July.  In October, the UK trade newspaper _Computer Weekly_
took the innovative step of helping the nuclear industry in its mission to be
more transparent by making the leaked report available to readers (at 2 pounds
to cover copying and postage).

The NII notes that two main themes have emerged from its assessment of the
Sizewell B PPS software. On one hand there is complexity of design, which "has
made the task of demonstrating a high integrity for the system particularly
difficult."  On the other hand there is the compensatory effect of examination
and testing, not only by the supplier, Westinghouse, but also by a range of
organisations in the UK: "no other reactor protection system in the world,
past or present, has received more attention than the PPS" (see NEI, March
1993, pp. 28-33, for a flavour of the 500 person-year effort).

Because of the difficulties of quantitative demonstration of software
reliability, NII has adopted a "special case procedure" consisting of two
legs: demonstrating excellence of production; and an onerous programme of
confirmatory independent assessment, to build confidence that the required
dependability has been delivered (see NEI, September 1991, pp. 38-40).

The independent assessment is still going on.  Because of the huge effort
entailed, it was always expected to "run right up till the eleventh hour" says
David Hunns of the NII.

The dynamic testing, which has received a good deal of publicity recently, is
just one part of the independent assessment programme.  Originally offered by
the utility on a voluntary basis, the dynamic testing uses a "test harness" to
subject an actual guardline of the PPS to a sample of the inputs it might see
during selected fault scenarios and then to compare the output from the
guardline against what it should have been according to a logical model based
on the specifications of the PPS.

Unfortunately, in about 52% of the 49694 valid tests performed in the 6 month
programme ending December 1992 there was a discrepancy between the actual and
expected PPS output.  About 90% of the failed runs have been ascribed to
inadequacies of the test harness (in particular limitations in its modelling
of PPS characteristics) rather than the PPS itself, but the NII wants a
complete explanation of all the reasons for failure and demonstration of a
"clean" test run with the test harness performing satisfactorily.  More tests
are underway.

Brad Dolan  [email protected]  10ATT.0.700.NUCLEAR  ask me about PGP

------------------------------

Date: Wed, 23 Feb 1994 13:28:19 -0500
From: Peter Wayner <[email protected]>
Subject: Clipping Clinton and the Executive Branch...

In a recent samizdat, I've heard that the National Intelligence Agencies are
urging the White House to use Clipper for its own internal system.  It sounds
like a good plan to lead by example, right?

Unfortunately, I would resist using such a system if I was the President.
Why? Because Washington is filled with intramural spooks watching other
branches of the government. Most of the folks in privacy groups like to
imagine the Clipper chip as an instrument of government oppression directed
toward the common folks. In reality, I would bet that a number of phone taps
are agency-vs-agency, intramural things.

For instance, Bill Safire found out that his phone was tapped while he was a
speechwriter for Nixon. A recent internal investigation by the DOJ revealed
that there was an internal eavesdropping system for listening into different
branches of the DOJ. Internal Phone calls were routinely recorded.

This is why, I believe, that 13 state legislatures ban their state and local
police from using phone taps. These taps would give the folks who run the
local police a good deal of intelligence about state-wide issues and spending.

This is also why the recent Bush-to-Clinton transition was such a mess. The
Clintonians arrived to find computers stripped of their hard disks.  Why?
Because it is possible to retrieve info from hard disks long after they've
been erased. Also, the Clintons stripped out the phone system and had a new
one installed. Why? Who knew what bugs were left in place?

Of course the most important reason not to adopt the Clipper for White House
use was on the cover of the NYT today. A CIA analyst was finally caught spying
for the Soviets. He was supposed to have netted at least 1.5 million dollars
for his information.

I was particularly struck by the size of the house that he bought for $500,000
in allegedly ill-gotten cash. It wasn't that big. Life in Washington is very
expensive-- especially for the clerks and career employees of NIST and the
Treasury Dept. If you need to sell out to get this house, it must be tough to
sit there on top of the keys to every conversation in America and be happy in
your rundown bungalow and Reagan era sedan.

------------------------------


Date: Wed, 23 Feb 1994 11:31:11 -0800
From: David Honig <[email protected]>
Subject: Clipper: Love your country, don't trust its government

  [... Further comment after noting the CIA story:]

So, you can buy a high ranking CIA person (who ran the *counter*intelligence
branch for 2 years) for a measly $1.5 million.  I wonder how much a pair of
Clipper-key-escrow agency people will cost?

------------------------------

Date: Tue, 22 Feb 94 22:49:24 EST
From: [email protected]
Subject: Re: CompuServe Offers Credit Info

        CompuServe Inc. and National Information Bureau Ltd. (NIB)
        have agreed to give CompuServe users access to NIB's credit
        information, as well as motor vehicle, workers' compensation, ...

The AP ran a correction to this story today.  They noted that only National
Information Bureau customers would have access to the information.  (But the
article did not say how that would be enforced.)

  [Also noted by Chuck Weinstock <[email protected]>.  PGN]

------------------------------

Date: Wed, 23 Feb 1994 01:00:23 -0800
From: [email protected] (John Oram)
Subject: Social RISKS of Universal IDs

This was in the op-ed section of the Globe & Mail last Friday (23 Feb).  As it
is a relatively non-technical description, I'm not sure how appropriate it is
for this forum, but it presents a fairly eloquent argument outlining the
potential social RISKS of universal ID cards.

   =-=-=-=-=-=-=

*Your identity card please*

Ontario's Social Services Minister is worried about welfare fraud, but doesn't
want to stigmatize welfare recipients by singling them out for fingerprinting.
So Tony Silio has seized on a clever alternative: require _everyone_ in
Canada, whether or not they are on welfare, to carry a universal identity
card.  Citizens wouldn't have to clutter their wallets with a separate
driver's license, age-of-majority card, health card and so on.  It would be
adorned with a photograph and (possibly) a digitized fingerprint.  How
efficient.  How practical.  How unwise.

It's always difficult to argue against such schemes because they are, on the
surface, so sensible.  There is no doubt at all that a universal ID card would
make life easier for all kinds of authorities, from the welfare people (who
could easily prevent multiple claims) to health care administrators (who could
catch out-of-province and out-of-country freeloaders) to the police (who could
quickly check the identity of suspected wrong-doers, whether or not they are
licensed to drive).  For honest Canadians, they would make daily life a little
more convenient without posing any immediate threat -- just as photo radar on
the highways poses no immediate threat to people who do not speed, or video
cameras on street corners pose no immediate threat to people who don't
vandalize public property.  Why, then, do all these things give us a chill?

Critics would say it is irrational fear, an automatic reaction to any measure,
however reasonable, that reeks of Big Brother.  They would be partly right.
Few opponents of identity cards really expect Canada to become a police state
the day after they are introduced.  Their opposition springs instead from
instinct, a gut feeling that a society that makes its members carry an
identity card is, however intangibly, less free.  It is, on the whole, an
admirable instinct.

There are many practical objections, too.  The very existence of a unified
identity card would invite invasions of privacy.  Advances in microchips and
other technologies have made it possible to put an immense store of
information on a simple plastic card.  If such a card can carry a digitalized
fingerprint, it can also be designed to contain the holder's medical history
(handy for insurance companies), credit record (convenient for banks and
stores) or criminal record and probation status (nice for the police).  Thanks
to computer networks, this sort of information can easily be shared among
various agencies.

At present, we are at least partially protected by the fact that we carry
separate cards for separate things.  A person who is pulled over by the police
for speeding expects to hand over his driver's licence because he knows that
holding such a license is required to operate a car.  He does not expect
simultaneously to hand over his welfare, medical or employment ID.  The merit
of separate cards is that each agency of the government has access only to the
information that it clearly and demonstrably needs.

Canadians already must carry a host of identification cards they did not need
in the past.  Ontario, for example, only recently required residents to
present a health card when visiting the doctor.  Until 1964, there was no such
thing as a social insurance number.  But if a citizen is not applying for a
job, paying his taxes, going to the doctor or driving a car, he can still
leave his wallet at home and walk down the street without a scrap of
identification in his pocket, defined not by a piece of plastic but by his
status as an individual.  That is a feeling that citizens of most countries do
not enjoy.  It is one Canadians should not let slip away.

------------------------------

Date: 23 Feb 94 05:19:42 EST
From: Gerd Meissner <[email protected]>
Subject: Re: SimHealth (RISKS-15.57)

SimHealth, introduced in Washington D.C. last November, was developed by Maxis
Business Simulations, which is a special unit of that company. It was
developed, as I've learned, for the Markle Foundation as kind of
"demonstration/educational tool" for students and community colleges etc. to
show, discuss and learn about some basics of health reforms and politics. The
only "risk" I see is that the result is better informed, critical citizens.
Regards, Gerd

------------------------------

Date: Wed, 23 Feb 1994 00:40 -0400
From: [email protected]
Subject: Re: SimHealth

One general issue of the Sim series is that they portray certain viewpoints of
how the world operates and don't pretend to be objective. As noted, there is a
danger in using the simulations to understand public policies where just about
every parameter is debatable. One benefit is making people appreciate the
complexity of interacting systems.

I'm reminded of the Apple ads of a decade ago arguing that pretending to
dissect a frog on an Apple ][ was just as good as cutting open a real frog.
It is also worth noting that the Psychic Hotlines on the 900 #'s are listed in
small type as "for entertainment purposes only". How much of their audience
consists of people who are spending $300/hr just to play a game?

Maxis makes fine software and great games with a number of valid lessons. Too
bad schools don't teach much about models vs reality.

------------------------------

Date: Wed, 23 Feb 1994 09:34:56 -0500
From: "Jonathan I. Kamens" <[email protected]>
Subject: Re: Telephone Card Audit Trails (Baube, RISKS-15.57)

What happens when the police arrest a suspect in some crime, find a prepaid
phone card on him, take the phone card to the telephone company, and say,
"Tell us what calls were made with this card?"

What happens if the enemies of a prominent businessman engaged in private
negotiations hire someone to mug him to get his phone card, take the phone
card to the telephone company pretending to be the legitimate owner, and claim
that it malfunctioned?  Will they be able to look at the screen the operator
pulls up with the phone numbers called on it?  What happens if they don't
bother to go to the telephone company directly, and instead just break into
the telephone company's computers and read the number off of the stolen card
themselves?

This doesn't sound like an "anonymous" system at all.

An alternative system that would do a much better job of protecting users'
privacy would be to allow users to type a special code on the pay phone if
their card malfunctions while placing a call.  That code would cause *that
call only* to be recorded in the telephone company's computers.  No explicit
action by the user means no records in the computer.

Jonathan Kamens | OpenVision Technologies, Inc. | [email protected]
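
[Added example, not part of the original message: a minimal Python sketch of
the opt-in logging scheme proposed above, next to the log-everything design it
would replace.  The fault code "*0#", the class and function names, and the
sample card and phone numbers are all assumptions constructed for illustration.]

```python
from dataclasses import dataclass, field

FAULT_CODE = "*0#"  # hypothetical key sequence; the post names no specific code


@dataclass(frozen=True)
class CallRecord:
    card_id: str
    dialed: str
    units: int


@dataclass
class Switch:
    """Toy billing switch. opt_in=False models a system that logs every call."""
    opt_in: bool
    records: list = field(default_factory=list)     # persistent call detail
    units_used: dict = field(default_factory=dict)  # per-card totals only

    def complete_call(self, card_id, dialed, units, keys_pressed=""):
        # Billing needs only the running total, never the dialed number.
        self.units_used[card_id] = self.units_used.get(card_id, 0) + units
        flagged = FAULT_CODE in keys_pressed
        # Call detail is persisted always (legacy) or only on explicit request.
        if not self.opt_in or flagged:
            self.records.append(CallRecord(card_id, dialed, units))
        return flagged

    def lookup(self, card_id):
        """What anyone presenting the card number can learn from stored records."""
        return [r.dialed for r in self.records if r.card_id == card_id]


def replay(switch):
    """Constructed sample traffic; the third call is flagged as a malfunction."""
    calls = [
        ("CARD-0001", "555-0100", 3, ""),
        ("CARD-0001", "555-0199", 5, ""),
        ("CARD-0001", "555-0142", 1, FAULT_CODE),
        ("CARD-0002", "555-0100", 2, ""),
    ]
    for call in calls:
        switch.complete_call(*call)
    return switch


if __name__ == "__main__":
    for mode in (False, True):
        s = replay(Switch(opt_in=mode))
        print("opt_in =", mode, "->", s.lookup("CARD-0001"), s.units_used)
```

With opt_in=True the card can still be billed and the one disputed call can
still be investigated, but a stolen or seized card reveals no other numbers.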

------------------------------

Date: Wed, 23 Feb 1994 09:21:55 -0800
From: [email protected] (Jim Haynes)
Subject: Re: E-Mail Courtesy (RISKS-15.57)

The flip side of this issue (inappropriate questions posted to news or list
server when the questioner should have used the library first) is that it's
ego-gratifying to answer questions.  So for every simple question there are
likely to be dozens of answers, some sent to the asker in private e-mail but
many posted back to the list or newsgroup.  There is, however, a socially
redeeming aspect of all this.  When dozens of answers are posted many of them
will be slightly or completely wrong.  One learns, over a period of time, just
how unreliable information obtained on the net can be, and whose answers tend
to be the most reliable.

------------------------------

Date: Wed, 23 Feb 1994 00:41 -0400
From: [email protected]
Subject: Re: E-Mail Courtesy

I'd pose the complaint differently. The argument that one should trek miles to
the public library to look at the berries on wood pulp before querying the
electronic medium is misdirected. There is a valid complaint that reasonable
discussions should be stratified according to some measure of common interest
or expertise. This is going to be an increasingly serious issue as the network
grows, especially in the absence of control mechanisms such as financial
incentives and/or an established etiquette.

Asking questions online is more a symptom of the lack of effective
information retrieval technology in this medium (net surfing is not the final
answer) and is more a teething problem. Yes, deciding not to don one's winter
gear and head out into the blizzard is laziness. But it is precisely this
laziness that will force the issues and encourage people to make this new
medium work. If it breaks, fix it. You can ask people to hold back until the
problem is solved but don't blame them for the problem.

I do get a cultural jolt when I use an online catalog only to find I've
actually got to find the pbook.

------------------------------

Date: Wed, 23 Feb 94 11:12:58 MST
From: [email protected] (Colby Kraybill)
Subject: Re: Electronic Food Stamps (Kabay, RISKS-15.54)

The same program has been floating about New Mexico over a year now.  It works
very well, I should know, I use it.  It is very convenient.  My card has a
little 'Money card' symbol on the back, name of the service is called
Electronic Benefits Transfer or EBT.  Some of the propaganda on the card and
its protective sheath:

Warning : It's a crime to illegally use, transfer, acquire, alter or possess
         food stamps or authorized cards.  Persons convicted may be FINED
         AND/OR IMPRISONED.  PENALTIES ARE SEVERE.

(on the card)

       This card remains the property of the State of New Mexico Human
       Services Department and is subject to the terms and conditions
       under which it is issued.  If found etc.. etc..

In any case, I think that the security of the card is much better than
carrying around paper food stamps which someone without the knowledge of your
PIN could use.

Colby Kraybill - University of New Mexico - I.F.A.-H.E.P [email protected]

------------------------------

Date: Tue, 22 Feb 94 13:53:51 EST
From: [email protected]
Subject: Re: International Internet Association (RISKS-15.49)

Concerning the Washington Post article about the International Internet
Association that was mentioned in RISKS-15.49:

The tone of the original article in the Post and the RISKS followup were along
the lines of "Gee, isn't it a shame that this legitimate organization has had
its reputation impugned by someone who was too quick on the trigger in his
e-mail."  There's another side to this story that I'd like to share.

I'm a member of an informal network of organizations in the DC area that work
with student and youth activists.  We meet for dinner once a month, and a
running joke for the last few meetings has been the IIA.  Several of us have
gotten faxes from the IIA, which promised free Internet access and a
forthcoming larger packet of information that never materialized.

Contact was frequent enough to keep us joking and wondering who these people
were, but the whole thing had a very fly-by-night feel to it.  First off, an
organization called the International Internet Association appears out of
nowhere... one would have thought that an organization like that would have
made itself known *on* the Internet in order to build its reputation.  Second,
the letterhead consisted of clip art of a world map with IIA typed over it --
materials that could have been thrown together in about 15 seconds with no
monetary investment, especially since everything we saw arrived by fax.

All of this was merely quaint, until they asked us for a credit-card number
for a *free* account.  As soon as I saw that, I told the rest of the group to
stay as far away from these people as possible; the whole thing just screamed
"scam", and I am still not convinced otherwise.

------------------------------

Date: ongoing
From: [email protected]
Subject: Info on RISKS (comp.risks), contributions, subscriptions, FTP, etc.

The RISKS Forum is a moderated digest.  Its USENET equivalent is comp.risks.
Undigestifiers are available throughout the Internet, but not from RISKS.

SUBSCRIPTIONS: PLEASE read RISKS as a newsgroup on your system, if possible
and convenient for you.  BITNET folks may use a LISTSERV (e.g., LISTSERV@UGA)
with SUBSCRIBE RISKS or UNSUBSCRIBE RISKS as needed.  Users on US Military
and Government machines should contact <[email protected]> (Dennis
Rears).  UK subscribers please contact <[email protected]>.
Local redistribution services are provided at many other sites as well.
Check FIRST with your local system or netnews wizards.  If that does not
work, send requests to <[email protected]> (not automated).

CONTRIBUTIONS: to [email protected], with appropriate,  substantive Subject:
line, otherwise they may be ignored.  Must be relevant, sound, in good taste,
objective, cogent, coherent, concise, and nonrepetitious.  Diversity is
welcome, but not personal attacks.  PLEASE DO NOT INCLUDE ENTIRE PREVIOUS
MESSAGES in responses to them.  Contributions will not be ACKed; the load is
too great.  **PLEASE** include your name & legitimate Internet FROM: address,
especially from .UUCP and .BITNET folks.  Anonymized mail is not accepted.
ALL CONTRIBUTIONS CONSIDERED AS PERSONAL COMMENTS; USUAL DISCLAIMERS APPLY.
Relevant contributions may appear in the RISKS section of regular issues
of ACM SIGSOFT's SOFTWARE ENGINEERING NOTES, unless you state otherwise.

ARCHIVES: "FTP CRVAX.SRI.COM<CR>login anonymous<CR>YourName<CR> CD RISKS:<CR>
GET RISKS-i.j<CR>" (where i=1 to 15, j always TWO digits) for Vol i Issue j.
Vol i summaries in j=00; "dir risks-*.*<CR>" gives directory; "bye<CR>"
logs out. The COLON in "CD RISKS:" is vital. CRVAX.SRI.COM = [128.18.30.65];
<CR>=CarriageReturn; FTPs may differ; UNIX prompts for username, password.
WAIS and [email protected] are alternative repositories.

FAX: ONLY IF YOU CANNOT GET RISKS ON-LINE, you may be interested in receiving
it via fax; phone +1 (818) 225-2800, or fax +1 (818) 225-7203 for info
regarding fax delivery.  PLEASE DO NOT USE THOSE NUMBERS FOR GENERAL
RISKS COMMUNICATIONS; as a last resort you may try phone PGN at
+1 (415) 859-2375 if you cannot E-mail [email protected] .

------------------------------

End of RISKS-FORUM Digest 15.58
************************