Subject: RISKS DIGEST 12.05
REPLY-TO: risks@csl.sri.com

RISKS-LIST: RISKS-FORUM Digest  Friday 11 July 1991  Volume 12 : Issue 05

FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS
ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Contents:
  TRW Accused of Exploiting Consumers (PGN)
  Dissemination of confidential information (Adam Curtin)
  Phone disruptions (Ed Andrews)
  (Im)probability theory (By Arthur Salm)
  Leaking of Gates memo not an IT risk (Henry J. Cobb)
  Coding bug (Dennis L. Mumaugh)
  Re: A RISKy night in Georgia (Trevor Kirby, Bruce Perens, Paul Smee)
  Risk Preferences [Research effort!] (Kevin Crocker)
  FINAL CALL, COMPUTING & VALUES CONFERENCE, AUG 12-16 (Walter Maner)

The RISKS Forum is moderated. Contributions should be relevant, sound, in good taste, objective, coherent, concise, and nonrepetitious. Diversity is welcome. CONTRIBUTIONS to RISKS@CSL.SRI.COM, with relevant, substantive "Subject:" line. Others ignored! REQUESTS to RISKS-Request@CSL.SRI.COM. For vol i issue j, type "FTP CRVAX.SRI.COM<CR>login anonymous<CR>AnyNonNullPW<CR> CD RISKS:<CR>GET RISKS-i.j" (where i=1 to 12, j always TWO digits). Vol i summaries in j=00; "dir risks-*.*" gives directory; "bye" logs out. The COLON in "CD RISKS:" is essential. "CRVAX.SRI.COM" = "128.18.10.1". <CR>=CarriageReturn; FTPs may differ; UNIX prompts for username, password. ALL CONTRIBUTIONS CONSIDERED AS PERSONAL COMMENTS; USUAL DISCLAIMERS APPLY. Relevant contributions may appear in the RISKS section of regular issues of ACM SIGSOFT's SOFTWARE ENGINEERING NOTES, unless you state otherwise.

----------------------------------------------------------------------

Date: Thu, 11 Jul 91 15:49:53 PDT
From: "Peter G. Neumann"
Subject: TRW Accused of Exploiting Consumers

Six states have sued TRW Inc., charging that its credit bureau division secretly grades consumers on their bill-paying ability -- sometimes with inaccurate information -- and sells confidential mail to junk mailers.
The NY State suit also charges TRW with providing inaccurate information about consumers to banks and other credit grantors, which often results in denied credit. Texas, Alabama, Idaho, Michigan, and California have filed another suit in State District Court in Dallas TX. (Reuters report in the San Francisco Chronicle, 10Jul91, p.C1)

------------------------------

Date: Thu, 11 Jul 91 14:07:43 GMT
From: Adam Curtin
Subject: Dissemination of confidential information

In RISKS-12.03, Klaus Brunnstein mentions:

> I personally just received Bill Gates memo on Microsoft's
> performance and future problems; .... I assume
> that Bill Gates will not be glad that I had it.

And in Risks 12.04, Hugh Cartwright comments:

> Doubtless it was inept of Microsoft to allow their e-mail to be intercepted,
>but if the purpose of those publicising the interception is to expose flaws in
>the e-mail system, surely the right course is to deal with Microsoft, not to
>disseminate the information more widely.

Although it doesn't affect the points made by either party on this topic, this does not seem to be a good specific example, for in the "US View" column in the British trade paper "Computing" (4th July 1991), Tom Foremski looks at the recent spate of industry "leaks", and describes Gates' memo as having been "leaked to a Silicon Valley newspaper" and suggests that "[IBM's John Akers' comments and] Gates' memo were deliberately leaked as US computer companies learn from the White House how to manipulate the media." and describes how "... Gates' memo played an important role in defusing overblown investor confidence in Microsoft."

Foremski contrasted this underhand method of reducing stock price with other methods which could lead to panic stock dumping, and described the cost of the defusing: "Microsoft investors dumped stock when they read the newspaper report and the company's share price fell 7% in value in just one day.
Gates owns about one-third of Microsoft, a paper loss to him of more than $320 Million."

Adam

------------------------------

Date: 10 Jul 91 10:30:55 U
From: "Peter G. Neumann"
Subject: Software Bugs Blamed for Telephone Outages [Excerpted by PGN]

COMPUTER MAKER SAYS TINY SOFTWARE FLAW CAUSED PHONE DISRUPTIONS
(EDMUND L. ANDREWS, N.Y. Times, 10 Jul 91)

WASHINGTON A manufacturer of telephone call-routing computers said Tuesday [9Jul91] that a defect in three or four lines of computer code, rather than a hacker or a computer ``virus,'' appeared to be the culprit behind a mysterious spate of breakdowns that disrupted local telephone service for 10 million customers around the country in late June and early this month.

In congressional testimony [...], an official of the manufacturer, DSC Communications of Plano, Texas, said all the problems had been traced to recent upgrades in its software, which had not been thoroughly tested for hidden ``bugs.''

Although the telephone companies that experienced failures were using slightly different versions of the software, the company said, each version was infected with the flaw. ``Our equipment was without question a major contributor to the disruptions,'' Frank Perpiglia, DSC's vice president for technology and product development, told the House telecommunications subcommittee. ``We must be forthright in accepting responsibility for failure.''

The flaws disclosed Tuesday are a dramatic example of the disastrous consequences that can flow from tiny software glitches buried amid millions of lines of computer code. [...]

In making what seemed to be an innocuous change, he said, DSC dropped several algorithms, or processing instructions, that apparently caused the computers to go berserk when they experienced routine malfunctions.

The flawed software was shipped by DSC beginning in March and installed at different times by the phone companies.
Officials do not know why the system breakdowns did not begin until June or why they occurred within a short time span.

In response to the breakdowns, the Federal Communications Commission on Tuesday announced it was assembling a special team to investigate issues of network performance. The FCC also said it would meet with representatives from all parts of the communications industry to address issues raised by the recent disruptions, including risks facing the networks and the way technical standards are set.

At the House hearing, officials at Pacific Telesis Group and Bell Atlantic, which own the telephone companies that experienced the trouble, said they were almost certain that the ``silver bullet'' behind the problems had been identified.

``We have found the culprit that caused the serious service disruptions,'' said Ross Ireland, general manager of network services for Pacific Bell, the telephone subsidiary of Pacific Telesis.

Working with DSC, engineers at Pacific Bell were able to duplicate the malfunctions that occurred and successfully tested software containing corrective ``patches.'' But telephone officials cautioned that they may still not have all the answers, and they plan further tests.

Telephone company officials emphasized that all the evidence thus far points away from the likelihood of computer viruses or sabotage by computer ``hackers.''

``To this date, we have found absolutely no evidence of sabotage or a virus,'' said Fred D'Alessio, vice-president for operations and engineering at Bell Atlantic.

But other troubling questions remain. It is still unclear, for example, whether the highly complex computer systems that run today's telephone networks have been tested rigorously enough.

Officials at DSC admitted that they had not put the software upgrade through a customary 13-week test, because the change entailed only a few lines of new code. ``In hindsight, that was a huge mistake,'' Perpiglia said.
Telephone company officials said they continue to have confidence in Signaling System 7, the basic design of the advanced new network management systems being installed by all the regional Bell companies. But they did not rule out the possibility of more fundamental design flaws.

   [One moral of the story is of course that even a one-line change can sink the ship... But there is a more fundamental question for RISKS-motivated folks: can there be adequate assurances that the system will not have such fault modes? Even the most elaborate testing in the testbeds will not always exhibit the stranger fault modes, particularly those that are dependent on subtle distributed control interactions, timing, load, etc. PGN]

------------------------------

Date: Thu, 11 Jul 91 9:13:16 PDT
From: "Peter G. Neumann"
Subject: (Im)probability theory

INSIDE PEOPLE
`Why We Know What Isn't So', By Arthur Salm, Copley News Service

You're about to learn something new, something that has been demonstrated, mathematically, to be true yet probably you won't believe it. Ready?

There's no such thing as a "hot hand" in basketball.

Players who seem to be shooting in a hot streak or, for that matter, a cold streak are just hitting and missing at random, playing out the inevitable results of whatever each man's shooting percentage happens to be.

If a player shoots 50 percent, for example, the odds of his hitting any one shot are exactly the same as a coin toss coming up heads. That's easy enough to accept. But if you toss a coin 20 times, there is a 50-50 chance of getting four heads (or, of course, tails) in a row, and a 25 percent chance of getting five in a row.

Should you see a basketball player with a 50 percent shooting average take 20 shots in a game and, at one point, hit five in a row, it's almost impossible not to conclude that he's "hot." The player himself will no doubt say that when he's hot he feels more relaxed, that he just "knows" that the ball is going in.
Yet, although analysis of shooting patterns has shown that his chances of hitting a shot after just having hit another are exactly the same as when he has just missed, try to convince him.

You're not convinced either, are you? (Neither is the Boston Celtics' Red Auerbach: "Who is this guy?" he said of the author. "So he makes a study. I couldn't care less.")

This, "The Clustering Illusion," is one of the many psychological phenomena discussed in Thomas Gilovich's "How We Know What Isn't So: The Fallibility of Human Reason in Everyday Life" (The Free Press: 194 pages; $19.95).

"Random distributions seem to us to have too many clusters or streaks of consecutive outcome of the same type," Gilovich writes, "and so we have difficulty accepting their true origins. The term illusion is well-chosen because, like a perceptual illusion, it is not illuminated by repeated examination."

Gilovich says that people do not hold questionable beliefs simply because they aren't supplied with relevant data. Rather, we tend to be unduly influenced by expectation, and to misinterpret the data we have: "It is widely believed that infertile couples who adopt a child are subsequently more likely to conceive than similar couples who do not. Clinical research has shown this to be untrue."

Why do people believe it? Because they expect it to be so. No one notices when an infertile couple adopts and does not subsequently conceive. We tend to count only the hits, and not the misses.

Another good example is that of "precognition." You'll happen to think of your former roommate, and the next day she calls; you dream of death and two days later Uncle Murray keels over. Amazing!

Except that every day hundreds of random thoughts whiz through our heads, largely ignored and certainly forgotten unless statistically, "until inevitably" one jibes with reality. Then it's, "It was so weird I just had a feeling." Never mind the 2,878 other "feelings" that have come and gone and predicted nothing.
(And what if Uncle Murray had cashed in three days later? Four days? Five weeks? It's so open-ended that you can't lose: Either "you had a feeling about it just recently" a period of time to be determined in retrospect in which case it's determined to be extrasensory perception; or you didn't, making it a non-event signifying nothing.)

Ironically, these misperceptions are the result not of human frailty but of the very abilities that make us human: Pattern recognition and the ability to connect cause and effect.

"Many of the mechanisms that distort our judgment," Gilovich writes, "stem from basic cognitive processes that are usually quite helpful in actually perceiving and understanding the world."

Unfortunately, so powerful is this tendency that we tend to overgeneralize to see patterns where none exists, to insist that an effect be paired with a cause (if no plausible cause is evident, glom onto an implausible one) ... in short, to impose order upon chaos.

The implications of misguided reasoning, Gilovich points out, go beyond the NBA and betting pools among adoptive parents' friends. Misunderstanding of regression (extreme results, on a second test, tend to deviate toward the norm) can lead dying patients, tragically, to an unshakable reliance on alternative medicines: Since they tend to resort to them when at their worst, they will almost assuredly feel better soon after administering the quack remedies.

Open-endedness also comes into play here: If a patient miraculously recovers, as happens occasionally, the alternative medicines get credit; if the patient dies, he started the new program "too late."

------------------------------

Date: Wed, 10 Jul 91 00:56:24 PDT
From: hcobb@fly2.Berkeley.EDU (Henry J. Cobb)
Subject: Leaking of Gates memo not an IT risk.

Mr Gates should have expected a memo he sent to all of his employees to be quickly made public.
The only difference being that the e-mail memo would need to be printed by a Microsoft employee before being handed off to the press.

I suspect that Gates himself planned the leak for the publicity value. (Perhaps to distinguish himself from the other Gates in the news? :)

Henry J. Cobb hcobb@fly2.berkeley.edu SFB Tyrant Ph# (415) 233-7432 6527 Morris Ave. El Cerrito, Ca 94530

------------------------------

Date: Wed, 10 Jul 91 15:42 CDT
From: dlm@cuuxb.att.com (Dennis L. Mumaugh)
Subject: Coding bug (Minow, RISKS-12.03)

In RISKS-12.03, Martin Minow writes on finding a coding bug in the Time Server Daemon:

    /* this piece of code is critical: DO NOT TOUCH IT */
    ...
    i++
    if (i = j) j++;
    ...

And had some reflections: [...]

I wish to make a couple of comments:

The new ANSI C compiler package provided by AT&T UNIX Systems Laboratories (USL) has added features to lint (C semantic error analyzer) to provide warnings about this and other common coding errors (legal but not wanted). These additions were originally developed by the people supporting the switching machines software (5ESS).

C Language tools are available but not used (such as lint) to point out the bad code cited above. The problem is two-fold:

First the UNIX paradigm of separating semantic error analysis into a separate program (e.g. lint) means that the developer must take special action to discover the potential problems.

Second, designing a language to use a minimal number of characters (e.g. C) and overload their meaning, causes potential errors due to mind sets and patterns. Note that C++ is even worse (by design) in overloading and attributing meaning - variables are type converted (e.g. string to integer) without warning.

The RISK is that most programmers never lint their code, much less use the other available tools. The infamous network outage that AT&T had last year might have been found if the code had been checked with a special version of lint.

=Dennis L.
Mumaugh, ATT Computer Systems, Computer Systems Technical Services, Lisle, IL ...!{att,attmail}!cuuxb!dlm OR dlm@cuuxb.att.com

   [For archivalists gathering lint lore, see RISKS-9.54 and 56.]

------------------------------

Date: Thu, 11 Jul 91 11:43:22 BST
From: Trevor Kirby
Subject: re: A RISKy night in Georgia (Robert E. Van Cleef)

In Risks-12.04 Robert E. Van Cleef writes :-

>To protect the child from being recognized, they are doing something to the
>video of his face so that it consists of several large squares that change as
>he moves. This seems to be the standard way to hide things on TV now.
>Is this safe? [...]

The answer is the human eye can sort it out. Just try squinting at the picture and it becomes recognisable. It might prevent the film being used as evidence in a court of law but provides minimal protection against people who know you.

TRev

------------------------------

Date: Thu, 11 Jul 91 14:29:49 PDT
From: bruce@pixar.com (pixar!news@ucbvax.berkeley.edu)
Subject: Re: hiding a face on television

The process used to hide a face on television is called "pixellation". An area of the screen is imaged at a reduced resolution. Image processing can allow one to smooth the image, and make it somewhat more recognizable, but does not recover lost information.

There IS sometimes a way to recover more information: If the sampling method used to make the squares is simple point sampling of a single point under the square, one could recover some of the lost information by watching the face MOVE under the squares and tracking the position and value of the sample points. These could then be combined into a still picture. If the value of the square is an average of the pixels under it, this gets harder. If there isn't much movement, or there are too few squares, you won't have enough pixels.

You can also recover the original voice from those voice-distorter boxes. Most of the modern ones use commutation, and I think older ones used a heterodyne.
Both processes can be reversed.

Defeating this kind of thing takes an engineer with the right equipment, and a willingness to put in the time to guide the process manually.

Bruce Perens

------------------------------

Date: Thu, 11 Jul 91 15:16:14 BST
From: Paul Smee
Subject: Hiding a face on television

> Is this safe?

Seems to depend on the version of the video processor used. Certainly, with the earlier versions at least, you could get a very clear visual image of what was being hidden by simply squinting while watching the picture. Popular folklore, over here at least, had it that the image you got WAS in fact a reasonable reconstruction of what they were trying to hide, and at least one of the broadcasters paid lip service to this by switching to a different video processor which was said to garble things more efficiently. A good artist (or someone with a PhotoFit identification kit) could of course convert their visual impression to a hardcopy one.

There was always the question of how accurate this visualisation effect was. The problem being, of course, that the human mind tends to fill in details that it can't see but that it knows should be present. So, is the visualisation really an accurate reconstruction of what they are trying to hide?

To my mind, this question is a red herring. If the impression is accurate, then you are (potentially) endangering the person you are trying to protect. If the impression is inaccurate, it is still likely to resemble SOMEBODY, so putting them at risk. (I'd guess that the latter case, inaccurate mental reconstruction, would probably be worse, in fact. I'd suspect that if the image you get is really due to your brain 'filling in' the missing parts, it would be likely that it is using people you know for reference.)
Paul Smee, Computing Service, University of Bristol, Bristol BS8 1UD, UK
P.Smee@bristol.ac.uk - ..!uunet!ukc!bsmail!p.smee - Tel +44 272 303132

------------------------------

Date: 11 Jul 91 22:43:25 GMT
From: risk@cs.athabascau.ca (Kevin Crocker)
Subject: Risk Preferences [Research effort!]

Hello everyone!

I'm doing some research on Risk Preferences (specifically computer users' attitudes towards risks - both endogenous and exogenous) and am seeking some volunteers to complete a survey.

If you are interested in participating in this endeavour you can ftp the files from:

131.232.10.8 (aupair.cs.athabascau.ca) in the directory

   /risk/ps for the postscript files
   /risk/txt for the text files, and
   /risk/scr for the screen files.

Please make sure that you take all the files in whichever form you wish. Each directory has several files in it. Please also e-mail me telling me what you took so that I can keep track of what's what!

risk@cs.athabascau.ca

Thanks for your indulgence and assistance.

Kevin Crocker, Assistant Professor, Finance Studies, Athabasca University

   [If you cannot FTP, contact Kevin, NOT RISKS! Also, I presume KEVIN will share any interesting results with all of us. PGN]

------------------------------

Date: 12 Jul 91 03:00:52 GMT
From: bgsuvax!maner@cis.ohio-state.edu (Walter Maner)
Subject: FINAL CALL, COMPUTING & VALUES CONFERENCE, AUG 12-16

FINAL CALL FOR PARTICIPATION

N C C V / 91
THE NATIONAL CONFERENCE ON COMPUTING AND VALUES
August 12-16 in New Haven, Connecticut USA

o CURRENT STATUS

The workshop structure of N C C V / 91 limits participation to approximately 500 registrants, but space is still available at this time (mid-July). Registration is $225 for the full conference, $100 for any of the special one-day workshops. Limited scholarships are available for persons with disabilities. Deeply discounted motel rates (Quality Inn, 203/387-6651) and air fares (USAir Gold File #36470000) remain available.

o MORE THAN 50 DISTINGUISHED SPEAKERS

Ronald E.
Anderson, Daniel Appleman, John Perry Barlow, Tzipporah Ben Avraham, Tora Bikson, Timothy Binkley, Della T. Bonnette, Leslie Burkholder, Terrell Ward Bynum, David Carey, Jacques N. Catudal, Gary Chapman, David Chaum, Frank Connolly, Marvin Croy, Peter Danielson, Dorothy Denning, Peter Denning, Charles E. M. Dunlop, Batya Friedman, Ken W. Gatzke, Richard Gordon, Donald Gotterbarn, Michael S. Hart, Barbara Heinisch, Deborah Johnson, Mitch Kapor, Isaac Victor Kerlow, John Ladd, Marianne LaFrance, Ann-Marie Lancaster, Paul Lansky, Doris Lidtke, Walter Maner, David H. Martin, Dianne Martin, Keith Miller, James H. Moor, William Hugh Murray, Barbara Nessim, Peter Neumann, George Nicholson, Helen Nissenbaum, Daniel Ort, Judith Perrolle, Amy Rubin, Lillian F. Schwartz, Sanford Sherizen, John Snapper, Kenneth Snelson, Eugene Spafford, Richard Stallman, T.C. Ting, Willis H. Ware, Sally Webster, Vivian Weil, Joseph Weizenbaum, Terry Winograd, Richard A. Wright, and Bob Zenhausern

o 18 FOUR-DAY WORKSHOPS ON SIX MAJOR THEMES (MAIN TRACKS)

  - Computer Privacy & Confidentiality
  - Computer Security & Crime
  - Ownership of Software & Intellectual Property
  - Equity & Access to Computing Resources
  - Teaching Computing & Values
  - Policy Issues in the Campus Computing Environment

o 7 ADDITIONAL ONE-DAY WORKSHOPS (SHORT TRACKS)

  On August 13th
  - Short track on philosophical and ethical issues
  - Short track on campus computing issues

  On August 14th
  - Short track on legal and governmental issues
  - Short track on business and computer ethics issues
  - Short track on ethical issues in city government computing

  On August 15th
  - Short track on issues of accessibility for persons with disabilities
  - Short track on software ownership issues

o COMPUTER ART BY WORLD-FAMOUS ARTISTS

o COMPUTER MUSIC BY A NATIONALLY KNOWN COMPOSER

o FILM FESTIVAL ON COMPUTING AND HUMAN VALUES

o EXTENSIVE EXHIBITS

  - Books and articles
  - Organizations and resources
  - Hardware and software
  - Adaptive technology

N C C V / 91
is funded in part by the National Science Foundation and hosted by the Research Center on Computing and Society and Southern Connecticut State University.

TO REGISTER IMMEDIATELY and assure yourself of a place at N C C V, please send a check payable to "B G S U" for $225 (full conference) or $100 (one-day) to

   Professor Walter Maner
   Dept. of Computer Science
   Bowling Green State University
   Bowling Green, OH 43403 USA

FOR ADDITIONAL INFORMATION and literature, contact Professor Maner as follows

   BITNet    MANER@BGSUOPIE.BITNET
   InterNet  maner@andy.bgsu.edu (129.1.1.2)
   Fax       (419) 372-8061
   Phone     (419) 372-8719 (answering machine)
   Phone     (419) 372-2337 (secretary)

------------------------------

End of RISKS-FORUM Digest 12.05
************************
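
Added example, not part of the digest or of the Salm article: the run-length figures quoted in "(Im)probability theory" can be checked exactly with a small dynamic program over the current streak length. The names prob_run and MAX_RUN are choices made here, and p is the per-shot hit probability, so the same code also covers shooters who are not at 50 percent.

```c
#include <stdio.h>

#define MAX_RUN 64  /* longest streak length this sketch accepts (assumption) */

/*
 * Probability that n independent shots, each hitting with probability p,
 * contain at least one streak of k or more consecutive hits.
 * Returns -1.0 for arguments outside the supported range.
 */
double prob_run(int n, int k, double p)
{
    double cur[MAX_RUN] = {0.0};  /* cur[r]: no streak yet, r hits in a row now */
    double next[MAX_RUN];
    double seen = 0.0;            /* a streak of length k has already occurred */
    int t, r;

    if (n < 0 || k < 1 || k > MAX_RUN || p < 0.0 || p > 1.0)
        return -1.0;

    cur[0] = 1.0;
    for (t = 0; t < n; t++) {
        for (r = 0; r < k; r++)
            next[r] = 0.0;
        for (r = 0; r < k; r++) {
            next[0] += cur[r] * (1.0 - p);      /* a miss resets the streak */
            if (r + 1 == k)
                seen += cur[r] * p;             /* this hit completes a streak */
            else
                next[r + 1] += cur[r] * p;      /* this hit extends the streak */
        }
        for (r = 0; r < k; r++)
            cur[r] = next[r];
    }
    return seen;
}

int main(void)
{
    printf("20 tosses, run of 4 heads: %.4f\n", prob_run(20, 4, 0.5));
    printf("20 tosses, run of 5 heads: %.4f\n", prob_run(20, 5, 0.5));
    printf("20 shots at 60%%, run of 5:  %.4f\n", prob_run(20, 5, 0.6));
    return 0;
}
```

For a fair coin the two results are about 0.478 and 0.250, in line with the article's "50-50" and "25 percent" for a run of heads.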
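
Added example, not Minow's or Mumaugh's code and not how lint itself is implemented: a line-based check for the mistake in the Time Server Daemon fragment quoted in "Coding bug", a plain "=" at the top level of an "if" condition. The sample lines are constructed, and treating an assignment wrapped in its own parentheses as intentional is an assumption of this sketch.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Return the '(' that opens an `if` condition on this line, or NULL. */
static const char *if_condition(const char *line)
{
    const char *p, *q;
    for (p = strstr(line, "if"); p != NULL; p = strstr(p + 2, "if")) {
        if (p != line && (isalnum((unsigned char)p[-1]) || p[-1] == '_'))
            continue;            /* tail of a longer identifier */
        for (q = p + 2; *q == ' ' || *q == '\t'; q++)
            ;
        if (*q == '(')
            return q;
    }
    return NULL;
}

/* Return 1 if the `if` condition has a plain '=' at its top level. */
int assignment_in_if(const char *line)
{
    const char *p = if_condition(line);
    int depth = 0;
    char quote = 0;              /* non-zero inside '...' or "..." */
    for (; p != NULL && *p != '\0'; p++) {
        if (quote) {
            if (*p == '\\' && p[1] != '\0')
                p++;             /* skip the escaped character */
            else if (*p == quote)
                quote = 0;
        } else if (*p == '"' || *p == '\'') {
            quote = *p;
        } else if (*p == '(') {
            depth++;
        } else if (*p == ')') {
            if (--depth == 0)
                return 0;        /* condition closed, nothing found */
        } else if (*p == '=' && depth == 1) {
            if (p[1] == '=')
                p++;             /* "==" is a comparison */
            else if (strchr("=!<>+-*/%&|^", p[-1]) == NULL)
                return 1;        /* plain assignment as truth value */
        }
    }
    return 0;
}

/* Constructed sample lines; the second has the shape of the quoted bug. */
static const char *const SAMPLE[] = {
    "i++;",
    "if (i = j) j++;",
    "if (i == j) j++;",
    "if ((c = getchar()) != EOF) n++;",
    "if (len <= max && s[0] != '=') ok = 1;",
};

int count_flagged(int verbose)
{
    int i, hit, n = 0;
    for (i = 0; i < (int)(sizeof SAMPLE / sizeof SAMPLE[0]); i++) {
        hit = assignment_in_if(SAMPLE[i]);
        n += hit;
        if (verbose)
            printf("%-5s %s\n", hit ? "FLAG" : "ok", SAMPLE[i]);
    }
    return n;
}

int main(void)
{
    printf("%d flagged\n", count_flagged(1));
    return 0;
}
```

Current GCC and Clang report the same pattern at compile time under -Wparentheses, which -Wall enables, so the separate lint step the message describes is no longer the only place the warning can come from.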