Subject: RISKS DIGEST 10.68
REPLY-TO: risks@csl.sri.com

RISKS-LIST: RISKS-FORUM Digest  Friday 14 December 1990  Volume 10 : Issue 68

FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS
ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Contents:
  Recent RISKS Mail to CSL.SRI.COM (PGN)
  Many Bills Are Found Incorrect on Adjustable Rate Mortgages (Saul Tannenbaum)
  Loughborough (Rob Thirlby via Brian Randell)
  Gender and computer anxiety (Rob Gross)
  Computerized USA Phone Directory (Allan Meers)
  Getting out of Lotus' "Household Marketplace" (TDN)
  Re: a fondness for turkeys (Haynes)
  Call for Papers - 14th National Computer Security Conference (Jack Holleran)

The RISKS Forum is moderated. Contributions should be relevant, sound, in good
taste, objective, coherent, concise, and nonrepetitious. Diversity is welcome.
CONTRIBUTIONS to RISKS@CSL.SRI.COM, with relevant, substantive "Subject:" line.
Others ignored! REQUESTS to RISKS-Request@CSL.SRI.COM.
FTP VOL i ISSUE j: ftp CRVAX.sri.com<CR>login anonymous<CR>AnyNonNullPW<CR>
CD RISKS:<CR>GET RISKS-i.j<CR>; j is TWO digits. Vol summaries in risks-i.00
(j=0); "dir risks-*.*" gives directory; bye logs out.
ALL CONTRIBUTIONS CONSIDERED AS PERSONAL COMMENTS; USUAL DISCLAIMERS APPLY.
Relevant contributions may appear in the RISKS section of regular issues
of ACM SIGSOFT's SOFTWARE ENGINEERING NOTES, unless you state otherwise.

----------------------------------------------------------------------

Date: Thu, 13 Dec 1990 15:52:40 PST
From: "Peter G. Neumann"
Subject: Recent RISKS Mail to CSL.SRI.COM

Well, we survived the move to another building (I'm now in EL-243), although
for a variety of reasons the servers could not be moved on schedule and getting
everything working again was decidedly nontrivial. But the resulting outage of
five days meant that some mail to CSL.SRI.COM was rejected. So, if you got
BARFmail indicating your mail to CSL was undeliverable, PLEASE TRY AGAIN NOW.
Sorry for the inconvenience.
Peter

------------------------------

Date: Wed, 12 Dec 90 19:30 EDT
From: Saul Tannenbaum
Subject: Many Bills Are Found Incorrect on Adjustable Rate Mortgages

The New York Times reports (13 Dec 90) that, according to a General Accounting
Office study, as many as 25% of all adjustable rate mortgage bills may be
incorrect as a result of bank errors in calculating their interest rates.
These errors were found as part of routine audits done as failed savings and
loan institutions were taken over by Federal regulators. A former Federal
mortgage banking auditor says that that estimate is too low, putting the
problem at 30-35% of adjustable rate mortgages. In some cases, this auditor
says, the errors resulted from "human mistakes" at small S&Ls, that often
calculated adjustable mortgages by hand. In other cases the problems were
caused by "computer glitches."

One failed S&L, the Victor Federal Savings and Loan of Muskogee, Okla, was
audited by the Bennington Group for the Federal Savings and Loan Insurance
Corp. The audit, which sampled 96 adjustable mortgages, found that the bank's
computer system contained logic errors. The bank, among other things, rounded
rates upward, instead of downward and "pulled" the index on the wrong date,
when it might be higher or lower than on the correct date. Other errors
resulted from "poor recordkeeping", where the indices on which the adjustable
rates were based couldn't be found, or did not match the FSLIC computer
programs [which begs an obvious question]. Some adjustable mortgages have
never been adjusted.

In one example given, a woman took out 3 identical adjustable rate mortgages
from the same bank at the same time. Now, all three have wandered off in
different directions. She has 3 different monthly payments, 3 different
balances, and 2 payment schedules.

According to the article, it is the opinion of Federal regulators that the
Truth In Lending Law "probably does not" require lenders to repay overcharges
in any form.

Saul Tannenbaum, USDA Human Nutrition Research Center on Aging at Tufts
University, 711 Washington St., Boston, MA 02111   STANNENB@TUFTS.BITNET

------------------------------

From: Brian Randell
Date: Tue, 11 Dec 90 16:38:05 GMT
Subject: A White Xmas?

Date: Tue, 11 Dec 90 11:03:24 GMT
>From: Rob Thirlby
Subject: Loughborough
To: uk-mail-managers @ uk.ac.newcastle

We are back in the world, the little, forgotten, black hole in the East
Midlands is now up and running after over 60 hours of no electricity, often no
water, dodgy phones, and just to finish it off this morning a suspected gas
leak and a heating fault (or at least I presume it's a fault, it's not very
warm!). Many of the surrounding villages are still without power and in some
cases water and phones. And all this in the Soar valley with one of the lowest
average snowfalls in England! The University cedar tree which features on much
of our publicity has lost its top half and I suspect there has been more
arboreal damage than in the hurricane year.

For the technically minded the main problem was due to the incredibly wet
sudden snowfall which stuck to anything it touched even in a gale. The
Loughborough 132KV grid feed wires and gear fell onto a host of lower voltage
feeders causing massive damage to both. It must have made firework night look
tame. All our water is pumped by (non backed-up) electric pumps from
Derbyshire and hence the chaos. There's nothing more irritating than being
told on the radio to boil all the water when you haven't any means of heating
it. Mind you we can see the plumes of vapour from some of the country's
largest power stations on the Trent and that doesn't improve one's temper when
trying to bake potatoes on a log effect, real-flame, gas fire!

I hope you all had a nice week-end.

Rob Thirlby, Postmaster@lut

------------------------------

Date: Sat, 8 Dec 90 00:22 EST
From: (Rob Gross)
Subject: Gender and computer anxiety

The following is excerpted from the "Faculty File" column in the Princeton
Alumni Weekly of December 5, 1990:

In general, [Joel] Cooper [chairman of the psychology department at Princeton]
has found, females are more subject to computer anxiety than males are, and as
a result, they perform computer-related tasks worse. But there's an important
contextual component to these findings: the performance differential appears
only when there's someone else in the room with the female who's using the
computer. Just the presence of another person--male or female, no matter what
he or she is doing--seems to be enough to generate computer anxiety. By
contrast, when they're alone in a room with a computer, females generally show
no appreciable difference in performance compared to males.

In the course of this study, Cooper examined a group of middle-school children
in Princeton... The children were asked to solve arithmetic problems on a
computer. In group settings, the girls in the class often did worse than the
boys, whose performance actually improved when other people were around.

In a test of university students, Cooper had groups of men and women play an
adventure game called Zork on a computer; some played with other people
present, others were alone. The middle school results were replicated.

``We tried to get a fix on what the other people in the room had to do to
provoke the computer anxiety,'' Cooper recalls. ``It turned out to be almost
nothing. They could be writing a letter in the corner, totally ignoring the
woman at the keyboard, but still her performance would drop.
They just had to be there.''

Rob Gross                       Department of Mathematics
BITNET: GROSS@BCVMS             Boston College
Internet: GROSS%BCVMS.BITNET@MITVMA.MIT.EDU
                                Chestnut Hill, MA 02167

------------------------------

Date: Thu, 13 Dec 90 00:03:32 PST
From: allans@ebay.sun.com (Allan Meers - Sun Education)
Subject: Computerized USA Phone Directory

Mercury News - 90-Dec-12

Compuserve has introduced the FIRST computerized national phone book, listing
the name, address, ZIP, and phone number of 80 million households in the US who
have a listed number.

As of December 1, the Phonefile service allows the 725,000 Compuserve
subscribers to search the phone lists of the USA by:

  name & address - for updating your Christmas card list or for telemarketing
      reasons. This is just a computerized version of the current phone book -
      but without needing hundreds of phone books for the whole USA.

  name & state - to find long-lost relatives or to find someone who has
      relocated (out of state). Examples include old classmates for class
      reunions, and birth parents of adoptees.

  phone number - like a "reverse" directory, where you can get any listed
      name & address just by looking up the phone number.

The cost of retrieving the information is 25 cents per minute in addition to
Compuserve's standard on-line charge of $12.80 per hour (21 cents per minute).
The cost is considered not much more than a call to directory assistance, and
can be even cheaper considering the acquiring and search costs of all the phone
books for the USA.

The Phonefile database is compiled by a direct marketing company, Metro Mail
Corp. of Illinois, from phone directories, computerized real estate
transactions, and other sources. It was not speculated on what the "other"
sources might be, but I would suspect other telemarketing databases, magazine
subscriptions, credit services, Usenet email alias lists :^}), and other
public sources of name/address information.

A Bellcore New Jersey privacy issues expert, James E.
Katz, indicated that a likely consequence of the directory will be an even
greater increase in the number of unlisted phone numbers in the United States.
It was noted that Japan and European countries have practically no unlisted
numbers, while the United States runs about 25% of its phone numbers unlisted,
with 33% of California numbers unlisted.

While Compuserve assures that the directory was designed to discourage the
compilation of marketing lists for junk mail and telemarketing, privacy experts
assume that such use is inevitable. A magazine for instance, could compile
phone numbers for a telemarketing campaign targeted at readers whose
subscriptions have lapsed.

------------------------------

Date: Wed, 12 Dec 90 09:44:29 -0800
From: todd@atd.dec.com
Subject: Getting out of Lotus' "Household Marketplace"

If you don't want to be listed in the "Household Marketplace" database but you
don't have enough energy to write a letter, you can also do the following:

    Dial 1-800-343-5414
    press 3, then 2
    (I don't know what to do if you don't have a touch-tone phone.)

This will get you a human who will want to send you information about
"Household Marketplace." However, you can also say that you want to be removed
from the database. You will then be given the choice of mailing to Lotus or
you can tell them your name and address and they say they will remove you from
the database and send you written confirmation.

I did this yesterday, so I know they will take your name and address. I can't
vouch that they send the confirmation, the U.S. Mail isn't that fast.

If you are energetically opposed to this product, here are some names and
addresses you might want to have for your own database:

    Lotus Development Corp.
    55 Cambridge Pkwy.
    Cambridge, MA 02142
    (Mary Ann Malloy Coffey, Marketing Programs Manager)
    (Jim P. Manzi, Chairman, President, and CEO)

    Equifax, Inc.
    1600 Peachtree St. N.W.
    Atlanta, GA 30309
    (Jeff V. White, Chairman of the Board)
    (C.B. Rogers, Jr., President and CEO)

Equifax is the original collector of the data which Lotus is selling.

/tdn

------------------------------

Date: Wed, 12 Dec 90 13:54:14 -0800
From: todd@atd.dec.com
Subject: update on Lotus

Someone told me that they phoned Lotus today about getting off the Marketplace
Household database and were told something different than I was told yesterday.

Apparently, today's story is that if you want written confirmation that you've
been removed from the database, you have to send mail to:

    Lotus Development Corp.
    Attn: Marketplace Name Removal
    55 Cambridge Pkwy.
    Cambridge, MA 02142

If you just phone them, they now say they won't send written confirmation.

I wonder what they'll say tomorrow.

/tdn

------------------------------

Date: Fri, 7 Dec 90 23:30:41 -0800
From: haynes@ucscc.UCSC.EDU (99700000)
Subject: Re: a fondness for turkeys (Re: Mellor, RISKS-10.65)

I'll suggest a third reason [for the problems Pete Mellor discussed in modern
weapons system development], that I like to call Model Railroading. Designing
a complex electronic system to solve some warfare problem is interesting,
challenging, and fun; and somebody else is paying the bills. As long as we're
not in a war, as long as the system doesn't have to solve some real problem,
it is a delightful toy; and as with a model railroad we get to keep arranging
the scenery so it appears to be doing the Real Thing.

------------------------------

Date: Sat, 8 Dec 90 23:32 EST
From: Jack Holleran
Subject: Call for Papers - 14th National Computer Security Conference

CALL FOR PAPERS
14th NATIONAL COMPUTER SECURITY CONFERENCE

Sponsors: National Computer Security Center
          and National Institute of Standards and Technology

Theme: Information Systems Security: Requirements & Practices

OCTOBER 1-4, 1991
OMNI SHOREHAM HOTEL
WASHINGTON, D.C.

The focus of the 14th NCS Conference will be on the "Experiences in our
Applications".
These applications include, but are not limited to, efforts to meet the policy
requirements required by law or corporate policy. We would like you to share
your learning curve with the Computer Security Community. We also encourage
submission of papers on the following topics of high interest:

Systems Application
  * Access Control Strategies
  * Achieving Network Security
  * Application of Trusted Technology
  * Integrating INFOSEC into Systems
  * User Experience with Trusted Systems
  * Secure Architectures
  * Securing Heterogeneous Networks
  * Small Systems Security

Criteria, Evaluation and Certification
  * Assurance and Analytic Techniques
  * Conducting Security Evaluations
  * Federal Computer Security Criteria
  * Experiences in Applying Verification
  * Integrity and Availability
  * Formal Policy Models

Management and Administration
  * Accrediting Information Systems and Networks
  * Specifying Computer Security Requirements
  * Life Cycle Management
  * Managing Risk
  * Role of Standards
  * Preparing Security Plans

International Computer Security Activities
  * Conformance Test Development and Evaluation
  * Harmonized Criteria
  * International Evaluation Infrastructure
  * Prototype Development
  * Research Activities

Innovations and New Products
  * Approved/Endorsed Products
  * Audit Reduction Tools and Techniques
  * Biometric Authentication
  * Data Base Security
  * Personal Identification and Authentication
  * Smart Card Applications
  * Tools and Technology

Awareness, Training and Education
  * Building Security Awareness
  * COMPUSEC Training: Curricula, Effectiveness, Media
  * Curriculum for Differing Levels of Users
  * Keeping Security In Step With Technology
  * Policies, Standards, and Guidelines
  * Understanding the Threat

Disaster Prevention and Recovery
  * Assurance of Service
  * Computer Viruses
  * Contingency Planning
  * Disaster Recovery
  * Malicious Code
  * Survivability

Privacy and Ethical Issues
  * Computer Abuse/Misuse
  * Ethics in the Workplace
  * Laws
  * Privacy and Individual Rights
  * Relationship of Ethics to Technology
  * Standards of Ethics in Information Technology

We are pleased to invite academic Professors to recommend Student papers in the
application of Computer Security methodology. Three student submissions will
be selected by the Technical Committee for publication in the 14th NCS
Conference Proceedings. To be considered, the submission must be solely
authored by an individual student and be recommended by an Academic Professor.
Only one copy for student submission is required.

BY FEBRUARY 15, 1991: Send eight copies of your draft paper* or panel
suggestions to one of the following addresses. Include the topical category of
your submission, author name(s), address, and telephone number on the cover
sheet only.

(* Government employees or those under Government sponsorship must so identify
their papers.)

BY MAY 11, 1991: Speakers selected to participate in the conference will be
notified when their camera-ready paper is due to the Conference Committee. All
referee comments will be forwarded to the primary author at this time.

For additional information on submissions, please call (301) 850-0272.

Mailing Information:

1. FOR PAPERS SENT VIA U.S. or Foreign Government MAIL ONLY:

     National Computer Security Conference
     ATTN: NCS Conference Secretary
     National Computer Security Center
     9800 Savage Road
     Fort George G. Meade, MD 20755-6000

2. FOR PAPERS SENT VIA COMMERCIAL COURIER SERVICES (e.g.- UPS, FEDERAL
   EXPRESS, EMERY, etc.)

     National Computer Security Conference
     c/o NCS Conference Secretary
     National Computer Security Center
     911 Elkridge Landing Road
     Linthicum, MD 21090

   Please note that the US Government Postal System does not deliver to
   Elkridge Landing Road.

3. FOR Electronic Mail:

     NCS_Conference@DOCKMASTER.NCSC.MIL (1 copy only; no figures or diagrams)

Preparation Instructions for the Authors

To assist the Technical Review Committee, the following is required for all
submissions:

Page 1:
  Title of paper, submission, or panel suggestion
  Focus & keywords (e.g. - Innovations and New Products - Biometric
    Authentication, Tools and Technology)
  Author(s)
  Organization(s)
  Phone number(s)
  Net address(es), if available
  Point of Contact

  Additionally, submissions sponsored by the U.S. Government must provide the
  following information:
    U.S. Government Program Sponsor or Procuring Element
    Contract number (if applicable)
    U.S. Government Publication Release Authority

  Note: Responsibility for U.S. Government pre-publication review lies with
  the author(s).

Page 2:
  Title of paper or submission - do not include author(s) or organization(s)
  Abstract (with keywords)
  The paper (Suggested Length: 8 pages, double columns, including figures and
    diagrams; pitch: no smaller than 8 point.)

A Technical Review Committee, composed of Government and Industry Computer
Security experts, will referee submissions only for technical merit for
publication and presentation at the National Computer Security (NCS)
Conference. No classified submissions will be accepted for review.

The Conference Committee provides for a double "blind" refereeing. Please
place your names and organizations on page 1 of your submission, as defined
above. Failure to COMPLY with the instructions above may result in
non-selection BEFORE the referee process. Papers drafted as part of the
author's official U.S. Government duties may not be subject to copyright.
Papers submitted that are subject to copyright must be accompanied by a
written assignment to the NCS Conference Committee or written authorization to
publish and release the paper at the Committee's discretion. Papers selected
for presentation at the NCS Conference requiring U.S.
Government pre-publication review must include, with the submission of the
final paper to the committee, a written release from the U.S. Government
Department or Agency responsible for pre-publication review. Failure to comply
may result in rescinding selection for publication and for presentation at the
14th NCS Conference.

Technical questions can be addressed to the NCS Conference Committee by mail
(see Mailing Information) or by phone, (301) 850-0CSC [0272].

------------------------------

End of RISKS-FORUM Digest 10.68
************************