Subject: RISKS DIGEST 10.84
REPLY-TO: risks@csl.sri.com

RISKS-LIST: RISKS-FORUM Digest  Wednesday 30 January 1991  Volume 10 : Issue 84

FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS
ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Contents:
  "It's not always pilot error" - Official! (Pete Mellor)
  IRS overbills for $1B interest (PGN)
  Re: Patriots (Dave Parnas)
  Re: Risks of automatic flight (flying at low level) (Brinton Cooper)
  Automated brokerage service (Kent M Pitman)
  Re: Broadcast local area networks are a'comin (Brinton Cooper, P.J. Karafiol)
  Re: Electronic cash (Bob Stratton, Rick Smith, Stephen Perelgut, Art Medlar, who-news?, Ed Ravin, Leslie DeGroff)

The RISKS Forum is moderated. Contributions should be relevant, sound, in good taste, objective, coherent, concise, and nonrepetitious. Diversity is welcome. CONTRIBUTIONS to RISKS@CSL.SRI.COM, with relevant, substantive "Subject:" line. Others ignored! REQUESTS to RISKS-Request@CSL.SRI.COM.
FTP VOL i ISSUE j: ftp CRVAX.sri.com login anonymous AnyNonNullPW CD RISKS: GET RISKS-i.j (where i=1 to 10, j is always TWO digits. Vol i summaries in j=00; "dir risks-*.*" gives directory; "bye" logs out.
ALL CONTRIBUTIONS CONSIDERED AS PERSONAL COMMENTS; USUAL DISCLAIMERS APPLY. Relevant contributions may appear in the RISKS section of regular issues of ACM SIGSOFT's SOFTWARE ENGINEERING NOTES, unless you state otherwise.

----------------------------------------------------------------------

Date: Tue, 29 Jan 91 22:00:48 PST
From: Pete Mellor
Subject: "It's not always pilot error" - Official!

Tube train's open doors beat fail-safe (By-line: Dick Murray)
London Evening Standard, Thursday, 24 January, 1991

A tube train travelled four stops with a set of double doors open after its "fail-safe" system broke down, it was revealed today. The driver was not aware of what had happened until alerted by an off-duty Tube manager who was travelling on the Circle-line tube at the time.

London Underground has always described such an incident as "the one which could never happen", and now seriously concerned engineers are worried that a similar fault might occur on other trains. The train has had a detailed examination and a full inquiry began today.

Luckily, the incident happened at one of the quietest times of the week, early on a Saturday morning, but drivers are now worried about the consequences of a similar incident taking place on a crowded rush-hour train.

London Underground says the driver of the train, which travelled between Aldgate and Farringdon [the stop at which I get off! - PM], was not at fault. A light in the cab's control panel tells a driver when all doors are closed. If a door does not close, the "fail-safe" system should come into operation and prevent it from moving off.

But in this case - the train was driver-only with no guard [Sorry to say "I told you so!", but see my previous mailing! - PM] - it seems the fault may have affected the panel light operation and the automatic "fail-safe" system.

One driver said: "He got the light that everything was OK. He acted by the book."

An Underground spokesman confirmed the incident took place on Saturday, 12 January, and said: "The 6.18am from Aldgate was taken out of service at Farringdon after a report from a supervisor on the train. A set of doors remained open but it appears the driver was not aware of this. It would appear to have been a train malfunction."

Peter Mellor, Centre for Software Reliability, City University, Northampton Sq., London EC1V 0HB +44(0)71-253-4399 Ext. 4162/3/1 p.mellor@uk.ac.city (JANET)

------------------------------

Date: Wed, 30 Jan 1991 10:15:21 PST
From: "Peter G. Neumann"
Subject: IRS overbills for $1B interest

Having ruled that Dickie Ann Conn of San Jose CA owed $67,714 in back taxes, the IRS billed her for more than $1 billion (including penalties).
(The ruling was based on the precedent of a recent court case, and stemmed from charitable deductions to the Church of Scientology that Conn had claimed over six years.) When she called the IRS to object, she was told by a clerk that her only recourse was to sue the government. Yesterday the IRS admitted that they had found a mistake in the interest calculations, and said they will correct it. [Source: San Francisco Chronicle, 30 Jan 91, p.4]

(Conn is a computer consultant and part owner of Connsult Inc. She is probably used to jokes about Conn Jobs, but in this case it sounded as if the IRS was trying to be Conniverous.)

------------------------------

Date: Tue, 29 Jan 91 17:35:20 EST
From: parnas@qucis.queensu.ca (Dave Parnas)
Subject: Re: Patriots (Wegeng, RISKS-10.83)

Don Wegeng writes that sensors that were developed as part of the SDI research program, and first tested about six months ago, are now deployed on the thousands of Patriots in the field. This is so inconsistent with my experience with DoD deployment that I would not believe it unless the source was willing to be identified. There is a long road between first tests and deployment and it is not usually travelled in six months.

One should also note that this would mean that SDI money was used to enhance the Patriot, not that SDI software technology was used to enhance the Patriot.

Dave Parnas

------------------------------

Date: Wed, 30 Jan 91 9:39:30 EST
From: Brinton Cooper
Subject: Risks of automatic flight (flying at low level) (RISKS-10.83)

Olivier M.J. Crepin-Leblond reports on the risks of automatic flight (flying at low level) incurred by fighter pilots:

Perhaps the U.S. Air Force should consider abandoning HUMAN pilots for very low altitude flights of this type. As the proposal often begins, "Research is required..."

------------------------------

Date: Thu, 20 Dec 1990 15:38 EST [recently resent, never previously received]
From: Kent M Pitman
Subject: Automated brokerage service

My company's stock recently did a one-for-ten reverse split and I wanted to follow the changes in its price. I figured I might as well use the Charles Schwab 24-hour 800 number with `automated telebroker,' so I could just punch in the stock symbol and get info automatically.

I did this a few times at intervals after the split, and it kept telling me that it was bid at 2-1/4, and asking 2-7/8. Eventually I became suspicious. Finally I heard a different price from someone and decided to call Schwab and find out the straight story.

The guy tried to call up the price of SMBX on his computer and said it wasn't there. I assured him it had worked when I tried. Then he said, ``oh, it's trading under a new symbol--SMBXD. It's at--'' and I forget exactly what price he quoted but it was in the low 1's. So my stock [fortunately not major dollars] had lost half its value and they hadn't kept me aware. Great. [I wondered if there was any recourse, but somehow doubt it.]

The guy agreed it was a problem that should be fixed and promised to notify the appropriate people. Pretty clearly the bug was [and perhaps still is] the presence of an open record for an account that was `renamed' when the reverse split occurred.

I called a couple days later to see if it had been fixed. Nope. At first the attendant denied that you could call up such a record, and then said ``oh, are you using that telebroker service?'' What did he think I was using? The first thing it says when I call up is to press `1' for the service if I'm using a touch-tone phone.
Then when I explained the story about how I'd asked that it be fixed, he said (as if this explained off the problem) ``well, that's an automated service.'' He went on to add something to the effect of ``If you really cared, you should have followed it more closely and noticed the problem sooner yourself.''

From a corporate point of view, I thought he put forward a phenomenally bad image for his company and I will pursue that gripe via the company's customer relations department. But from a pragmatic technological standpoint, he was probably right. Being in the computer business, I should probably have known enough to understand that even an automated system like that still relies on lots of human care and feeding, and is likely to have lots of problems. Still, I wonder how many non-computer people understand that risk.

The other thing that bugged me in talking to him was the fact that I tried to explain why it was a bug that when I asked for the dead account, it echoed back ``Symbolics Incorporated'' when all I'd punched in was its code, 73612292 [their telephone keypad code for "SMBX"]. But even now, when I punch in the right symbol, 7361229231 ["SMBXD"], it echoes back "ess em bee ex dee" and doesn't give me tons of confidence that I'm even asking about the right thing. He didn't seem to see why that was a problem. I tried explaining several different ways why it was important for the system to echo back something meaningful after I pressed a bunch of digits so I could know I'd pressed the right ones, and he couldn't seem to grasp why I felt that hearing the right name after punching the wrong digits contributed to my feeling of having been deceived, or why it bothered me that even now if you pressed the right digits you heard something that was not the name of the company.

There should be a place in the world where you can send bug reports about companies whose facilities for accepting bug reports are broken.
In the long run, the free market may attend to these things, but in the short run that's not much of an answer.

------------------------------

Date: Wed, 30 Jan 91 9:44:24 EST
From: Brinton Cooper
Subject: Re: Broadcast local area networks are a'comin (Tom.Lane, RISKS-10.83)

Tom.Lane@G.GP.CS.CMU.EDU reports on the filing by Apple computer for allocation of radio bandwidth to implement wireless local radio networks. He correctly observes

>The risks should be pretty obvious to readers of this digest. Somebody in
>the next building could eavesdrop on your traffic, or actively connect into
>your net, with NO special hardware. I sure hope Apple is at least planning
>to encrypt the packets... (But if they are going to support 10Mb/sec data rates, the
>encryption would have to be fairly weak, methinks.) ...

Beyond this, the risk for spectral chaos seems to be quite high. Imagine the RFI (radio frequency interference) implications of a central city full of wireless ethernets(tm?) attempting to coexist with cellular phone, radio paging systems, public safety radio, business use of dispatch radio, amateur radio repeaters, etc. Pulsed signals 10 Mb/s may well wreak havoc in many such receivers.

_Brint

------------------------------

Date: Wed, 30 Jan 91 09:52:44 -0500
From: karafiol@husc8.harvard.edu (P.J. Karafiol)
Subject: Broadcast local area networks are a'comin

This summer I saw ads for a similar product: Appletalk LANS created by a system of infrared transmitters and receivers. The idea was that each desk would have a doodad that would bounce the signals off the ceiling; the system was designed for a cubicle-type environment where offices were reconfigured frequently. It was about $500/connection.

This seems more reasonable than the radio LAN because we are talking about a true line-of-sight kind of communication; besides, the beams were only sufficiently intense for about 150'. To intercept this LAN would require a listening (watching?)
post *outside*the*window* of the offices in question. The obvious defense would be to locate on the 56th floor . . .

== pj karafiol

------------------------------

Date: Tue, 29 Jan 91 15:51:10 EST
From: Bob Stratton
Subject: Re: Re: Electronic cash completely replacing cash (Lamb, RISKS-10.82)

> ...There's a prophecy in Revelations about "the mark of the Beast" without
> which one could neither buy or sell. ...

As I understand it, the world's largest EFT (electronic funds transfer) computer, which I believe to be in Switzerland, is affectionately nicknamed "The Beast", and more than one religious group has capitalized on this fact in its literature. (I've seen some of it, but it was a while ago...)

Bob Stratton, Stratton Systems Design, strat@ai.mit.edu +1 703 823 MIND

------------------------------

Date: Tue, 29 Jan 91 17:35:19 CST
From: smith@SCTC.COM (Rick Smith)
Subject: Re: Electronic cash completely replacing cash (`witt', RISKS-10.81)

As a "cash resistant" individual, I enjoyed reading the proposals to "eliminate cash." Personally, I usually carry only enough cash to pay for lunch for the week, and use credit cards for everything else. But I don't think the "Americard" proposal would work. Not in America.

The author's recommendations require the assignment of a unique number that gets copied and used in virtually every transaction. This sounds like a clone of the Social Security Number, and I think the current trend in restricting use of SSNs bodes ill for the implementation of similar numbers. It is also not clear whether the author expects that private credit card organizations will be put out of business for this government boondoggle, but it seems to be implied.

Most people know that their credit card numbers and Social Security numbers are sensitive information. You don't give your credit card number to just anyone. Right now, credit card numbers are used by a fairly restricted set of organizations.
The banks who process credit card purchases for stores are very careful about the stores they work with. The bank and store are very, very interested in the security of these transactions. The store doesn't want any improper credits and the bank doesn't want any improper sales. Credit slips go into a special pile that unauthorized people can't go looking through.

But if every Tom, Dick, or Harriet can plug in their Americard reader and post "payments" from other people, how soon will it be before someone builds the new generation "blue box" that steals money electronically?

>... Muggers and bu[r]glars would be out of business: no one would
>be carrying cash and stolen property would be difficult to sell
>because there would be records of all transactions....

Burglary begins at home. Why hit the streets if you can steal it all with a little box of electronics?

> Think about it. Drug deals, muggings, corruption, businesses
>concealing their income - they all require cash and secrecy. A
>monetary system based solely on electronic currency would leave a
>trail that would cripple such enterprises.

And people will establish electronic laundries to undo all of this. Transactions will identify buyer and seller, and probably include some transaction-specific code agreed on by the buyer and seller. For example, if I'm paying my phone bill I use code 1234506 and if I'm paying for overpriced repair services I use code 9876765, both paid to the phone company. Or, if I'm trying to launder a transaction, I funnel it through some bizarre set of recipients with a peculiar set of transaction codes. The recipients have to be in on it, of course, so a good laundry would probably be a regional fast food chain, for example. In order to trace laundry transactions you'd have to reconstruct numerous "small" transactions and follow them through accounts that would be gone when investigators went looking for them.

The only way to prevent such laundering would be to pass laws, laws, and more laws, trying to stay ahead of potential data paths. Most of the laws would be unenforceable without a platoon of data police. You'd bind up business with so many transaction regulations that the economy would grind to a halt. And we'd get a centralized economy that even Josef Stalin would envy.

As it is, a variety of small businesses have special treatment under currency reporting regulations. That keeps them from going out of business due to excessive regulatory paperwork.

>... The benefits would be tremendous. Individuals and businesses
>would no longer be able to conceal income. All transactions would be
>recorded in a computerized bank file and would be easy for the I.R.S.
>to check....

This is a benefit? I don't think the proposer has any idea how massive such a file would be. It took the IRS years to set up a fairly mundane procedure to cross check income reports against individual tax returns. That handled millions of transactions per year. The other database would be millions per day, if not per hour. People could conceal income by just refusing to report it twice.

Data like that can only be used after they filter it. The only things they'll find are things they look for. You bypass such things by hiding the "bad" transaction behind a set of "good" ones. And it's just a case of staying one step ahead of their filtering program, which can't look for everything. After all, it's only a computer.

Finally, some economic considerations:

> In place of paper money, we would receive new cards - let's
>call them Americards - each bio-mechanically impregnated with the
>owner's hand and retina prints to insure virtually foolproof
>identification. ...
>At lunchtime, you would go to your favorite [restaurant] - or the local
>hot dog stand - and instead of paying cash, you'd use your Americard.

This is the technological battering ram hitting the proverbial fly.
Each hot dog stand needs a high reliability, secure, bidirectional link to the international electronic funds financial network (typical hotdog stands don't even have telephones, after all). This link is connected to a device that does pattern recognition on fingerprints or retinas, and reads some data off of a card. Finally we find it attached to a numeric keypad. And it's probably as easy to use as a helicopter.

As a kid I remember predictions of the "mass market personal airplane." It never happened. Some technological systems are too costly. I expect the bio-identification and the security problems will keep the costs of "Americard" very high indefinitely.

In any case, how do you know you can trust a cheesy vending machine at some gas station to charge you a quarter and not $25.00 ?? We already have that problem with pay phones.

Rick Smith, SCTC, Arden Hills, Minnesota

------------------------------

Date: Tue, 29 Jan 91 21:59:13 EST
From: Stephen Perelgut
Subject: Re: RISKS DIGEST 10.82

More cash-card questions (from an infrequent reader).

What happens to people travelling from outside the U.S.? Do we stop at immigration and get an Americard? Is it a credit card, debit card, ???

What about Americans travelling outside the country? Surely they would use the appropriate currency. I'd guess that Canadian $'s would become the coinage of the underground marketplace thereby artificially inflating the value of $CDN thereby destroying one of our economic underpinnings.

------------------------------

Date: Tue, 29 Jan 91 20:27:09 PST
From: Art Medlar
Subject: Electronic cash completely replacing cash

> If all the people who do business in cash were forced to report
>their incomes accurately - if the under-ground economy were forced to the
>surface - the Government could collect an additional $100 billion a year
>for the nation[a]l treasury - without raising taxes.
> States and cities, many
>in serious financial trouble, would also benefit from collecting
>previously unpaid income and sales taxes.

Though not all would agree that this is a RISK of the technology (as opposed to a benefit), certainly one potential outcome of Mr. Wachsman's scheme would be the enhancement and strengthening of the very underground economy he seeks to destroy; and consequentially the elimination of even more tax income from the national treasury. An active, established barter system, and a thriving black market economy based on the easily convertible currency of some foreign country, would tend to destabilize and decentralize the control of the monetary system.

But it's in the subtext of Mr. Wachsman's loopy proposal that the real RISK lies. I've heard that there's a delightful Yiddish word, "farpotchket" I think, which means not simply broken, but broken because somebody tried to fix it. The danger of the haphazard application of computer technology to situations that are really getting along just fine in the first place should be apparent to all.

--art

------------------------------

Date: Wed, 30 Jan 91 09:37:22 -0500
From: news@eng.umd.edu (C-News)
Subject: Cashless society

The risks of a cashless economy are charmingly illustrated in the fiction of Frederik Pohl. I especially recommend The Space Merchants by Pohl and C. M. Kornbluth.

[The c-news are tensed these days? Who are you?]

------------------------------

Date: Wed, 30 Jan 91 08:59:54 EST
From: elr%trintex@uunet.UU.NET (Unix Guru-in-Training)
Subject: Re: Electronic Cash

For an excellent treatment of how easily an electronic cash system can be abused by the government in power, check out "The Handmaid's Tale" by Margaret Atwood. The theme is a Christian Fundamentalist takeover of the US Government. In one scene, the new government in power decides that women shouldn't be allowed to handle money (hmm... sounds like Saudi Arabia, doesn't it).
Everyone in the country was already using an "Electrobank" card system, and women's account numbers ended in an even numbered digit. One day everyone wakes up and women's cash cards don't work anymore. All their balances were switched to their husband's, father's or other patriarchal figure (such as the government itself).

The simplicity of Atwood's scenario and its nearness to our current reality is chilling. (This applies to most of the scenarios in the book.) I was especially struck by this section, perhaps because in spite of the fact that I work with computer networks every day and consider myself well informed on these threats to our civil liberties, 1984 just never seemed so close as when I read this novel.

Ed Ravin, Prodigy Services Company, White Plains, NY 10601 philabs!trintex!elr +1-914-993-4737

------------------------------

Date: Tue, 29 Jan 91 14:02:53 PST
From: Leslie DeGroff
Subject: Comment on all electronic currency

Being a day behind on reading risks many of my comments have been made by others but I would like to make two additions to the commentary.

The "Underground" economy is a vigorous part of the system and in many places and times when the official currency of a country is at risk, either by price and bank controls or by simply not being worth much you find that the most valued street money is some other country's currency. For example in many parts of Asia or Eastern Europe a greatly desired street currency is US dollars... which are generally not easily exchanged locally for official goods or currency. The coupling of the official currency and the subeconomy by cash is not typical or required for it to work. Note also the current Soviet attempt to withdraw large bills from circulation... partly to try and weaken the subeconomy.

A second point that I think is critical is that such a scheme has many attractions to banks and government officials and in a severe financial crisis might be sold to the American public (or at least to the elected officials). Among its attractions besides better control of taxation; more precision in economic statistics, ability to quickly deflate/inflate currency especially in regards to foreign exchanges (out of one currency into another). Such a system is an attractive trap and one that one can slip slowly into..

today
  (credit and debit cards (more than one per American)
  legally mandated reporting of large cash transactions
  S&L and bank problems and discussion about limits on government backed deposit insurance)

tomorrow
  (taxes need to be paid by transaction card with valid ID
  Social Security cards that are magnetic media encoded (there was a note recently in Risks about California Drivers Licences on encoded cards)
  Costs continue to decline for access and software systems.

end point
  A primary cashless system (by law and by withdrawal of currency and coin) and an underground economy back to specie (gold and silver), barter and other countries' currency.

Leslie DeGroff Degroff@Intellicorp.com

------------------------------

End of RISKS-FORUM Digest 10.84
************************