Subject: RISKS DIGEST 11.45
REPLY-TO: risks@csl.sri.com

RISKS-LIST: RISKS-FORUM Digest  Monday 15 April 1991  Volume 11 : Issue 45

FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS
ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Contents:
  Simulation: Minus heart disease, life expectancy only 3 years greater! ()
  Accident statistics continued (Paul Smee)
  Another bogus security system (Gord Deinstadt)
  Urban Legends crying wolf... (Peter da Silva)
  Smart traffic: "drive-by-wire" (Rodney Hoffman)
  Recommended: "Probability Blindness: Why We Misread Risk" (Bob Frankston)
  Kevin Poulsen Arrested (PGN)
  Computerized Vote Tallying report (Terry Gauchat)

The RISKS Forum is moderated. Contributions should be relevant, sound, in good taste, objective, coherent, concise, and nonrepetitious. Diversity is welcome. CONTRIBUTIONS to RISKS@CSL.SRI.COM, with relevant, substantive "Subject:" line. Others ignored! REQUESTS to RISKS-Request@CSL.SRI.COM.

For vol i issue j, type
    FTP CRVAX.SRI.COM
    login anonymous
    AnyNonNullPW
    CD RISKS:
    GET RISKS-i.j
(where i=1 to 11, j always TWO digits). Vol i summaries in j=00; "dir risks-*.*" gives directory; "bye" logs out. FTPs may differ; e.g., UNIX prompts for username and password. If you cannot access "CRVAX.SRI.COM", try Internet address "128.18.10.1".

ALL CONTRIBUTIONS CONSIDERED AS PERSONAL COMMENTS; USUAL DISCLAIMERS APPLY. Relevant contributions may appear in the RISKS section of regular issues of ACM SIGSOFT's SOFTWARE ENGINEERING NOTES, unless you state otherwise.

----------------------------------------------------------------------

Date: Mon, 15 Apr 91 12:06:46 xxT
From: [anonymous]
Subject: Simulation: Minus heart disease, life expectancy only 3 years greater!

New Heart Disease Study Issued

BOSTON (AP) [14 Apr 91] Completely eliminating heart disease, the nation's leading killer, would increase the average 35-year-old American's life span by just three years, a new study concludes.
Although the gain in longevity may seem surprisingly small, the finding reflects the difficulty of pushing back the boundaries of old age, the researchers said. Even if people escape the No. 1 killer, a host of other ailments are likely to take its place as people reach their 80s and beyond.

"If you wipe out heart disease, people don't live forever," said Dr. Lee Goldman, a co-author of the study. "It is the leading killer, but there are other things people die from," such as cancer, pneumonia and strokes.

Similar analyses of cancer have concluded that life expectancy would increase about two years if that disease were conquered.

Heart disease kills about 500,000 Americans annually. The average life span in the United States has risen from 47 in 1900 to 75 today.

The latest study was based on a computer program developed by Goldman of Brigham and Women's Hospital in Boston and Dr. Milton C. Weinstein of Harvard School of Public Health. The study's principal author was Dr. Joel Tsevat of Boston's Beth Israel Hospital. It was published in the April issue of the journal Circulation.

In an accompanying editorial, Dr. Robert M. Kaplan of the University of California at San Diego called the study "well executed, well reported and very provocative."

The study asks such questions as: What if all Americans got their cholesterol levels below 200? What if everyone stopped smoking? The computer simulation concludes that achieving such major public health goals adds only a year or so to the average life span.

However, the authors point out that even though average increases are small, the gains for individuals can be dramatic, especially if healthier habits prevent occasional deaths from heart attacks at age 40 or 50.

Among the findings: For the average man who turned 35 last year, getting blood pressure under control will add one year of life.
Getting cholesterol under 200 increases longevity by eight months, eliminating smoking adds 10 months and getting weight down to the ideal level adds seven months. For a woman, blood pressure control adds 5 months of life, cholesterol lowering 10 months, smoking cessation eight months and weight loss five months.

Individuals who already have one of these risk factors benefit more from eliminating them. For instance, a 35-year-old man who reduces his cholesterol from 250 to 200 gains one year of life. If he reduces his weight by 30 percent to the ideal level, he gains another year.

   [What are the computer-related risks, you ask? Here are people using computer models to yield results that could have drastic impact on health care and research funding...]

   [But the results may be quite sound... On the other hand, the elimination of heart disease would undoubtably have many concomitant effects, which overall probably could dramatically increase longevity. PGN]

------------------------------

Date: Mon, 15 Apr 91 11:15:11 BST
From: Paul Smee
Subject: Accident statistics continued

Don't normally follow-up things twice in a row, but apropos the recent thread about interpreting accident statistics (80% of drivers believe themselves to be better than average) I found a relevant article in the Guardian on Saturday, 13 April. I'll try a (probably weak) tie-in with computer risks at the end. Following is quoted without permission.

  Most road accidents are caused by flouting the law rather than human error, such as a misjudgement, a psychologist said yesterday.

  Prof Tony Manstead, of Manchester Uni, said most accidents were caused by a small number of drivers who deliberately exceeded the speed limit and enjoyed racing other cars away from traffic lights and driving too closely to cars in front.

  One study of the Government's road research lab involved 500 drivers, the other 1500. The known accident records of the drivers were compared with the way they described their driving.
  Those involved in two or more accidents shared certain characteristics, he said. They were likely to be young males who believed themselves to possess above-average driving skills.

  There was no correlation between people who admitted making driving errors, such as misjudging distances when overtaking, and accidents. But there was a strong link between accidents and people who admitted frequent traffic violations such as speeding or overtaking on the inside.

  Prof Manstead said: "At the risk of oversimplifying the picture, it appears that those who are involved in accidents are not those who tend involuntarily to make errors of judgement when driving but rather those who wittingly drive in a manner which flouts social and legal conventions.

  "... the strategy for promoting greater driver safety should be to identify the beliefs and values that underlie the commission of violations and then target those beliefs and values for change."

This fits in with a sample of one, known to me. My friend James, whose driving is such that I refuse to ride with him, even if that means we need to take two cars rather than one. He regularly ignores the 'social and legal conventions'. His rationale is that the conventions were designed to allow average drivers to drive safely. Since (of course, and according to him) his reactions are both faster, and more accurate, than average, the rules cannot possibly be meant to apply to him. Terrifies me.

Apropos technorisks, my intuition has long told me that similar principles apply to product design. I've known programmers, for example, who felt that they could dodge, where possible, company standards for testing and design reviews, on grounds that they were too competent to make silly mistakes.

I suspect that the observations of Professor Manstead's study could equally be applied to most human activities.
Paul Smee, Computing Service, University of Bristol, Bristol BS8 1UD, UK
P.Smee@bristol.ac.uk - ..!uunet!ukc!bsmail!p.smee - Tel +44 272 303132

------------------------------

Date: Fri, 12 Apr 1991 19:52:14 -0400
From: gd@geovision.UUCP (Gord Deinstadt)
Subject: Another bogus security system

A local muckazine (Ottawa Frank) reports that a student at Carleton University used the touch-tone registration system to deregister another student from all her courses. Apart from the political interest (the alleged practical joker is the son of the Governor General), this is another story of ill-conceived computer security.

When you enroll at Carleton you are issued a student id number, and a student card with the number displayed. Since the card is used to get into pubs and get discounts at off-campus bookstores, your id number is effectively public knowledge.

The touch-tone system responds to your id number and a "password". The "password" is your day and month of birth. No, you can't change it.

Harrrumph.

------------------------------

Date: Sat, 13 Apr 1991 15:38:39 GMT
From: peter@taronga.hackercorp.com (Peter da Silva)
Subject: Urban Legends crying wolf...

> The following posting recently appeared in several newsgroups and forums:
> >Subject: MODEM TAX

> As soon as it is posted again, it is immediately flamed down as bogus. Now
> further suppose that what the message claims *comes to pass!* How would
> this information be disseminated??

People don't apply equal weights to any source. For example, if this article comes from Joe_User@fred.fidonet.org it will likely be ignored. If it comes from Henry Spencer or Mike Godwin it'll be closely examined.

> Even were it discovered that someone was exploiting this security hole, how
> would information of this discovery be communicated??

Through postings in moderated groups of known reliability, and references in other groups.
(peter@taronga.uucp.ferranti.com)

------------------------------

Date: Sun, 14 Apr 1991 20:22:22 PDT
From: Rodney Hoffman
Subject: Smart traffic: "drive-by-wire"

The 14 April issue of the 'Los Angeles Times Magazine' features two articles on Mobility 2000, an Intelligent Vehicle / Highway System or "drive-by-wire" (my term, not theirs): THE BIG FIX by J.E. Ferrell and STREET SMART by Ronald B. Taylor. The last major 'Los Angeles Times' article on this was in July '89 (see RISKS 9.10 et seq.).

California Dept. of Transportation (CalTrans) researchers project "no revolutionary technological advances, just evolutionary applications" which "will allow platoons of cars, separated by only a few feet, to zoom along at 90 mph while their drivers read the newspaper." Similar moves are under study or development elsewhere in the U.S., Japan, and Europe.

Planners see financial, political, and cultural obstacles, but they are adamant that smart traffic systems are "the only way to keep things moving." They also say automated travel will be much safer, since more than 90% of all vehicular accidents today are caused by human error. According to one UCBerkeley researcher, future accidents will resemble airliner crashes: "You'll be trading 100 accidents in which a total of 105 people get killed for two accidents in which 30 people get killed."

Here are some of the pieces discussed in the stories:

  * Pathfinder, an in-car navigational computer and information system.
  * Advanced Traffic Management System to monitor and control traffic flow via computers, sensors, and communications.
  * Advanced Traveler Information System to link drivers with the management system.
  * Advanced Vehicle Control System -- high-tech vehicles and roadways.
  * Freeway Real-Time Expert System Demonstration (FRED), a UCIrvine project to "capture the expertise, judgment and knowledge of the best traffic controllers and put it into a computer program."
  * Parataxi, a computerized system to link up commuting drivers with passengers on the spur of the moment.
  * Transportation Resources Information Processing System (TRIPS) allows travelers to tap into bus schedules and the parataxi service.
  * Roadway Electric Powered Vehicle, powered by batteries continually charged by cables built into the roadway.
  * Automated Traffic Surveillance and Control, installed for the 1984 Los Angeles Olympics, monitors corridor traffic lane-by-lane, and controls stoplights and freeway on-ramp meters.

------------------------------

Date: Mon, 15 Apr 91 01:58 GMT
From: Bob Frankston
Subject: A recommended article: "Probability Blindness: Why We Misread Risk"

I'll start out with the citation for the article on Probability Blindness (Neither Rational nor Capricious): Bostonia Magazine, March/April 1991 issue. Author: Massimo Piattelli-Palmarini at the MIT Center for Cognitive Science.

I recommend the article to readers of this forum. It does a good job of exploring how people assess risks and probabilities with a number of examples. I found it much better than Nova's "Living Against the Odds". While there are many real risks in the world, I felt the Nova show emphasized risks rather than unlikelihoods. Perhaps that was their intent. My problem is that I feel that people are acutely tuned to risks and not the unlikelihood of many occurrences. The Bostonia article was a more balanced piece.

I'm more accepting of the emphasis on risks in this forum not only because of the name, but because I see its purpose as making people aware of possible implications of the technology we are responsible for. Even here, I'd like to see more discussion of engineering tradeoffs.

Back to the citation problem. I'm used to electronic distribution (such as Risks Forum). If I want people to read something, I either mail it out or announce a means of accessing it online. Recommending an article in the print media is not the same.
The effort to actually obtain a copy is relatively large and unaided -- it involves either phoning or writing for a back issue or a reprint. If people actually did follow through the volume might be larger than the publication is ready to handle.

If you do want to contact Bostonia Magazine, their subscription number is 617-353-2055 (yes, that is the Boston University phone exchange). Too bad they (nor the author) didn't publish an email address.

------------------------------

Date: Mon, 15 Apr 91 11:25:07 PDT
From: Peter G. Neumann
Subject: Kevin Poulsen Arrested

Today's papers (e.g., NY Times, LA Times) note that Kevin L. Poulsen (Dark Dante) had been arrested after 15 months, under a variety of computer-fraud charges, while entering the canned vegetable section of a supermarket in Los Angeles.

Poulsen and co-defendants Robert Gilligan and Mark Lottor were charged with using stolen Pacific Bell access codes to invade a U.S. Army computer network, eavesdrop on telephone security personnel and obtain information used in an FBI investigation of former Philippine President Ferdinand Marcos, said Richard W. Held, special agent in charge of the FBI's San Francisco office.

Gilligan has pleaded guilty to one count of illegally obtaining telephone access codes and agreed to cooperate with authorities. Lottor pleaded not guilty and declined a similar plea bargain, officials said.

------------------------------

Date: Thu, 11 Apr 91 23:12:39 EDT
From: Terry Gauchat
Subject: Computerized Vote Tallying report

[Terry sent me a rather long term paper on the subject of computerized vote tallying, which I have edited for net use. Those of you with a burning interest in the subject may find it useful. The original is available from him, and my slightly edited version can be obtained from the CRVAX.SRI.COM archive, as CD RISKS: and GET GAUCHAT.VOTING. Apparently his net address is about to change, however, so I hope he will advise us when it does.
PGN]

(PLEASE REMEMBER THE COLON IS ESSENTIAL. I KEEP GETTING COMPLAINTS THAT FTP DOES NOT WORK, MOST OF WHICH ARE DUE TO IGNORED COLONS. OTHERS ARE DUE TO LOCAL FTP VARIANTS... AND IF YOU DON'T LIKE "CD RISKS:", you may happily type "cd sys$user2:[risks]" instead, courtesy of VMS. PGN)

------------------------------

End of RISKS-FORUM Digest 11.45
************************