Subject: RISKS DIGEST 12.51
REPLY-TO: risks@csl.sri.com

RISKS-LIST: RISKS-FORUM Digest  Wednesday 16 October 1991  Volume 12 : Issue 51

        FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS
   ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Contents:
Mathematical and scientific foundations for engineering (Henry Petroski via PGN)
Thermostat failure (Richard Schroeppel)
Blockbuster `Loses' Returned Video (Mowgli C Assor)
Credit Card Fraud (Brian Randell)
New Massachusetts check/credit card ID law (John R. Levine)
Giving Away Privacy (Continued) (Sanford Sherizen)
Re: buggy software (Martyn Thomas, Magnus Kempe, Dave Parnas, Bart Massey,
    Ernesto Pacas-Skewes)
Re: TRW misreports local taxes (Rob Spray)

The RISKS Forum is moderated. Contributions should be relevant, sound, in good
taste, objective, coherent, concise, and nonrepetitious. Diversity is welcome.
CONTRIBUTIONS to RISKS@CSL.SRI.COM, with relevant, substantive "Subject:" line.
Others ignored! REQUESTS to RISKS-Request@CSL.SRI.COM.
For vol i issue j, type "FTP CRVAX.SRI.COM<CR>login anonymous<CR>AnyNonNullPW<CR>
CD RISKS:<CR>GET RISKS-i.j<CR>" (where i=1 to 12, j always TWO digits).
Vol i summaries in j=00; "dir risks-*.*" gives directory; "bye" logs out.
The COLON in "CD RISKS:" is essential. "CRVAX.SRI.COM" = "128.18.10.1".
<CR>=CarriageReturn; FTPs may differ; UNIX prompts for username, password.
ALL CONTRIBUTIONS CONSIDERED AS PERSONAL COMMENTS; USUAL DISCLAIMERS APPLY.
Relevant contributions may appear in the RISKS section of regular issues of ACM
SIGSOFT's SOFTWARE ENGINEERING NOTES, unless you state otherwise.

----------------------------------------------------------------------

Date: Tue, 15 Oct 91 19:54:33 PDT
From: "Peter G. Neumann"
Subject: Mathematical and scientific foundations for engineering (Petroski)

Henry Petroski (who is now writing a regular column for _American Scientist_) has a fascinating analysis of the Tacoma Narrows Bridge collapse on 7 Nov 1940 in the latest issue of _American Scientist_, Sept-Oct 1991, pp.398-401. Here are the last two paragraphs, food for thought particularly for those of you planning to be in New Orleans for Henry's talk at SIGSOFT '91:

  Modern engineering rests heavily on mathematical and scientific foundations, and that is why the first two years of the engineering curriculum are dominated by mathematics and science courses. Eager and impatient engineering students often ask the relevance of those courses to real engineering, and so the discussion of real-world examples such as the oscillation and collapse of the Tacoma Narrows Bridge is especially important to receptive and impressionable students.

  Teachers of engineering are repeatedly reminded how difficult it is to break poor mathematics and science habits, especially those acquired in elementary courses that give preemptive explanations to dramatic engineering phenomena and failures. Yet in the Tacoma Narrows case study, mathematics and physics are clearly behind the engineering science, for which they are properly prerequisite. The juxtaposition of a simple, albeit retrospective, physical explanation and a complex engineering error has implications far beyond mere puzzle solving, for it contrasts the omniscient mathematician/scientist and the blundering engineer. It behooves us all to avoid such oversimplification and stereotyping, whether explicit or implicit, in our textbooks and our classes. The collapse of the Tacoma Narrows Bridge will no doubt remain, as it should, an irresistible pedagogical example; it should not also remain a classic example of interdisciplinary hubris and conflict.
------------------------------

Date: Wed, 16 Oct 91 10:45:17 MST
From: "Richard Schroeppel"
Subject: thermostat failure

This is pretty vague, but relevant: I recall hearing on the radio a couple of years ago, probably in Los Angeles, of a family that was killed by failure of a conventional thermostat. Investigators concluded that the temperature in the house had reached 110F.

Rich Schroeppel

------------------------------

Date: Wed, 16 Oct 91 1:48:59 EDT
From: Mowgli C Assor
Subject: Blockbuster `Loses' Returned Video

Along the lines of the discussion of the AT&T and other semi-computerized systems risks, I ran into one today. The Blockbuster chain of video stores uses a very spiffy computer system to, among other things, keep track of what videos you've watched, what they have in stock, & who has checked in & out what. All videos have a barcode, which they simply scan into the computer system. When you bring a video in, you put it in the return box & eventually someone scans it into the computer as a 'returned' video.

I checked out a video Friday (Video A), and returned it Monday when I picked up another one (Video B). Today (Tuesday) I got a call that I had not yet returned Video A, & should do so soon (on Monday it was already 1 day late). I went in & returned Video B, & then mentioned that their computer was a little behind & had missed my return. The lady there remarked that that was odd, and went to find her manager (turns out assistant manager ;). The manager did all sorts of neat computer things, & wasn't able to find that someone else had checked out the video, & of course didn't find a record of me checking it in. She then mentioned that she didn't know how this could happen. I pointed out to her that I had at least twice seen employees get distracted when they put the video on the counter (but before they check it in), & have another overzealous employee come along & clean the counter off (moving the tapes to the 'to be shelved' section).

She then sent the first lady to check the shelves for it. The video couldn't be found, & I then asked the manager if she could check if the video had been checked out by someone else. She replied that it had not, so if I didn't have it it must still be in the store.

I was getting a little bit annoyed at this point, when the manager then said "I was training a new girl on Monday, & this morning we found about 25 videos hadn't been checked in properly." (Note that 2 paragraphs up she didn't know how this could happen ;)

So the upshot of this is, I have to hope that they find the video around the store somewhere (she also mentioned that misshelving videos was common among new employees) because otherwise I will have to buy it (and of course, I'm not allowed to rent any more videos from here until the entire matter is resolved). At this time, Blockbuster thinks I stole the tape (even though the manager doesn't ;) & since I gave them the proof I didn't on Monday & they lost it, I of course have no proof anymore.

The risk of relying on employees to know their jobs, I guess.

Address: mowgli@magnus.acs.ohio-state.edu (Mowgli Assor in quasi-real life)

------------------------------

Date: Wed, 16 Oct 91 17:13:51 BST
From: Brian.Randell@newcastle.ac.uk
Subject: Credit Card Fraud

The attached article is reprinted in its entirety from today's (London) Financial Times. I find it rather pleasing that one (claimed) reason for not using photographs on cards is the risk that this would in effect create a national identity card scheme. If we are to have such a scheme - and public sentiment against such a scheme in the UK has for years been very strong, with the cards that were introduced during World War II being abandoned as soon as the war ended - then I'd prefer it to be introduced properly, with suitable safeguards and legal framework.
However, I also know that past research by the UK's Inter-Bank Research Organization (as it was then called) threw grave doubt on the effectiveness of using photographs, so I doubt that the identity card reason was foremost in the bankers' minds.

Brian Randell
Computing Laboratory, The University, Newcastle upon Tyne, NE1 7RU, UK
EMAIL = Brian.Randell@newcastle.ac.uk   PHONE = +44 91 222 7923

=========

CARD FRAUD PLAN COSTS BANKS (Pounds) 500M
By David Barchard

Britain's banks plan to spend more than (Pounds) 500m in the next three years on an initiative to combat plastic card fraud but they have persuaded Mr. Kenneth Baker, the Home Secretary, to drop controversial proposals to put photographs of holders on all credit and debit cards.

Under the new fraud prevention measures, shoppers may soon have to punch in their personal identity number into a computer terminal each time they pay by card. Other possibilities being discussed by the banks and the Home Office include checking a customer's identity by shining a laser beam on his or her retina and verifying the signature on the card by computer.

These proposals were discussed at a meeting in London yesterday between Mr. Baker and banking industry representatives on how to combat the rapid increase in plastic card fraud.

Losses on card fraud are expected to increase by more than (Pounds) 20m to about (Pounds) 150m this year and some bankers fear that losses next year could be close to (Pounds) 200m.

The banks promised Mr. Baker that they would spend more than (Pounds) 500m on technology and training during the next three years to fight card fraud. This would be the largest joint investment that they have ever made.

Banks fought against the introduction of photographs on cards because they feared the government was asking them to introduce an identity card scheme through the back door.

Mr. Baker said he had asked the banks to report to him early in the new year on the action they were taking to beat credit card fraud. "There is a lot that can be done to curb it. We must work together to keep ahead of the criminals involved," he said.

Proposals to use personal identification numbers with cards at retail outlets would represent a partial return by the banks to something close to National Eftpos, the proposed national card scheme for electronic payment which they abandoned in January 1990 at a cost of more than (Pounds) 65m.

The odds are heavily on personal identification numbers being adopted rather than other methods. Bank customers already know how to use Pin numbers when using cash cards. Numbers could be introduced without any need to change the existing magnetic stripe technology for credit cards.

------------------------------

Date: Wed, 16 Oct 91 19:11:43 EDT
From: John R. Levine
Subject: New Massachusetts check/credit card ID law
Cc: alt-privacy@iecc.cambridge.ma.us

According to today's Boston Globe, the state legislature has recently approved and the governor is expected to sign a new law regulating the data that may be collected when a customer pays with a check or credit card.

When a customer pays with a check, he may be asked to show a credit card and photo ID, but the only information that may be written on the check is the address and phone number. When a customer pays with a credit card, he may be asked to show a photo ID, but no extra info may be written on the charge slip. The customer's address can be recorded separately if needed for warranty or delivery.

This is in response to two separate abuses. One is that many stores recorded customers' race, ostensibly to help prosecute check bouncers. The other is that crooks armed with a victim's credit card numbers, SSNs, and addresses from checks and charge slips were able to get credit cards in victims' names and make thousands of dollars of phony charges.

Violators of the law will be subject to triple damages in case of credit theft.
John Levine, johnl@iecc.cambridge.ma.us, {spdcc|ima|world}!iecc!johnl

------------------------------

Date: Wed, 16 Oct 91 17:13 GMT
From: Sanford Sherizen <0003965782@mcimail.com>
Subject: Giving Away Privacy (Continued)

A bit ago, I wrote in RISKS about some of the ways by which individuals are giving away their private information. At times, this is involuntary (such as a condition of employment) while, at other times, people give away this information for a sales coupon or while filling in a warranty card for a product.

In my previous posting, I said that Big Brother has turned out to be the Big Browser. Even though TRW may have changed some of its tactics, the credit industry continues to grab bits and pieces of private information in any way possible. The privacy battle is far from over, particularly since TRW is going to provide credit histories while not having to reveal all of the personal information that it has gathered and continues to sell.

What follows is a perfect example of what information is being sought and the often manipulative ways by which it is being gathered. This is from a letter that BUYER'S MARKET sent to me.

"If you enjoy shopping by mail, we are ready to give you $150 in savings just (sic) for telling us what's on your personal (sic) shopping list. This invitation is mailed to consumers with unique interests. People just like you, who are sought out by the nation's leading mail order companies. As part of this sought-after-group, you qualify for a six-month FREE charter membership in BUYER'S MARKET, the new nationwide organization that not only arranges generous discounts for preferred mail order customers but also brings you:

* MAIL-SELECTOR--...that helps you get catalogs and special offers on products you want (underlined) while helping to reduce unwanted (underlined) mail! (Sic)

* [Deleted--Other similar materials]

...

There is only one requirement: To receive a minimum of $150.00 in Savings Certificates and FREE Charter Membership in BUYER'S MARKET, you MUST complete and return our Consumer Survey by October 30, 1991."

At the bottom of the questionnaire is a box marked confidential. In small print, it is revealed that the organization is part of Equifax, which few consumers may realize is a biggie in the credit history industry. The confidential (but note not a confidentiality) statement is as follows:

"BUYER'S MARKET is a nation-wide organization of consumers sponsored by Equifax Consumer Direct. Consumer information provided to BUYER'S MARKET is used solely to facilitate consumer purchasing choices; it is not supplied for any consumer-evaluative activities and will not be added to any other Equifax database. The information you provide to Buyer's Market by completing this Member Profile will be kept completely confidential. Your answers will be used by the staff of BUYER'S MARKET solely to guide cooperating merchants in directing to you offers you may be interested in, and/or to help eliminate your name from mailings of offers you indicate you don't want."

Doesn't this confidential statement make you feel protected? I wonder how many people are going to fill out the "Consumer Survey", which contains sections on personal interests, uses of coupons, leisure and hobbies, new product preferences, purchasing plans, and "about YOU" (including questions on age, income, home ownership, length of residence, size of household, marital status, children by age, and personal computer).

Maybe Mr. Justice Thomas or the Honorable Senator Orrin Hatch, new converts to the cause of privacy, will become advocates for limiting this invasion. I wonder if their records on video rentals are available through Equifax?
Sanford Sherizen, Data Security Systems, Inc., Natick, MA
MCI MAIL: SSHERIZEN (396-5782), PHONE: (508) 655-9888

------------------------------

Date: Wed, 16 Oct 91 10:09:53 +0100
From: Martyn Thomas
Subject: Risks from legislation (Re: buggy software, Shearer, RISKS-12.49)

jbs@watson.ibm.com (James B. Shearer) writes:

> A real risk is that laws will be passed requiring people to use
> certain crackpot programming methodologies ...

This *is* a real risk. If our profession continues to be irresponsible, and to use unqualified and untrained staff, undefined processes and poor quality assurance, for developing critical systems, then legislators will force us to change. If (when) this happens, I am confident that the legislation will be far from ideal - but the fault will be ours.

------------------------------

Date: Wed, 16 Oct 1991 18:02:25 +0100
From: "(Magnus Kempe)"
Subject: Control of the software industry (was Re: buggy software)

David Parnas writes:

> As far as I know no one is required by law to buy an electrical appliance.
> Nonetheless, every country that I know requires appliances to meet certain
> minimal standards.

If this is intended to be an argument, then it is a fallacy. If all governments in the world practiced censorship of philosophical and political literature, would that make full-scale censorship a moral goal? Would that justify _any_ kind of censorship?

It is certainly true that the software industry is not shackled by all-encompassing government control, while virtually all other business activities are. However, this does _not_ imply that it is morally right to extend government interference (coercive "standards", "certifications", "licensing", etc.) to the creation of software --or to any other kind of productive activity.

Several premises are implicit in the arguments in favor of government control of business activities--especially when it comes to technical activities (e.g., software engineering.) Here are a few:

1. That pointing a gun at someone, telling him "Think and produce", is practical and moral. In fact, it is neither practical--a mind cannot be forced--nor moral--the man who, alone, initiates force against another is properly considered to be an evil criminal. Similarly, 50 million men holding the gun against a single man are both impractical and immoral. And 50 million men holding guns against each other are suicidal and evil, too.

2. That men, left to their own devices, will not create good things; therefore, they should be forced to act "in their own interest". According to _whose_ standard is it in a man's interest to be forced to act against his own judgment? It is not a value to be forced to spend one's time, one's life, in order to have, keep or make something one does not want.

3. That businessmen are evil man-haters, intent on destroying all human values; thus they should be presumed guilty unless they prove otherwise (e.g., "you will hurt someone with the things you do --prove you won't.") But that is a negation of the purpose of business: the creation and trade of _values_. It is also a negation of logic and justice: the onus of proof is on he who asserts the positive ("you _will_ hurt someone", or, in Parnas's words: "we _would_ _all_ be worse off for [getting rid of all of these regulations]" --emphasis mine); it is profoundly unjust to consider a man guilty unless he should somehow "prove" a negative.

4. That voluntary trade to mutual benefit is bad, and that software is systematically "buggy" because software producers are not doing their best. Of course, proof of _this_ is that the software industry is making _billions_. If you don't like my software, or if you distrust me, don't buy my products. If you think you can write better software than I do, go ahead--you are free to do so. I am eager to watch as you flood the world with excellent software. And, pray tell, do _you_ need to be pushed around by the government, with a gun pointed to your head, in order to write good software? Why want to coerce your fellow men, if you have the ability to do everything much better than they do? Why aren't you already many times richer than, say, Bill Gates?

5. That some people, especially those in government, know everything about anything, and should therefore dictate how software must be written. I trust I am not alone to see the disastrous implications of this idea.

If, in the future, a moral cannibal should attempt to use the government's power to force me to create software according to _his_ "standards", "certification requirements", or to impose compulsory "licensing", I will not submit: I will never produce a single line of code under the threat of a gun. I do not ask men to live under my threats, nor do I surrender my life, my work, to their threats. What kind of man is it, who is ready to submit his free-will to a gunman? And what does the gunman expect to achieve--production, or destruction?

Check your premises.

Magnus Kempe, magnus@lglsun.epfl.ch

------------------------------

Date: Wed, 16 Oct 91 13:53:50 EDT
From: David Parnas
Subject: Re: Control of the software industry (was Re: buggy software)

I hope that this discussion is not about to degenerate into the age-old debate about whether any regulation of industry is needed at all and whether that regulation should be "brutal", "full-scale", "all-encompassing" "coercive" or any of the other highly loaded adjectives and rhetorical phrases used by Mr. Kempe. It seems to me that those issues are much more general than the mandate of RISKS and that Mr. Kempe's "Red Herring" images of people pointing guns at programmers are best discussed somewhere else.

The issue that is relevant to RISKS is whether there is any reason to treat software products differently from those produced by older technologies. One premise that seems to run through Mr. Kempe's message is that programmes, like other pieces of text, are artistic creations and should not be "censored" any more than we censor books, poems, or essays. As a strong defender of the right to free speech, I can sympathise with his rejection of any restriction on our freedom of expression. However, our creations differ from those of traditional text producers in that they can be turned into mechanical objects with all the capability of endangering our fellow humans that other mechanical products possess. I am all in favour of allowing people to write, even publish, any text, but I worry about telling people that that text can be loaded into a mechanical device and will transform that device into something safe and usable. At that point, one must treat the text as one would any other appliance.

When I went through Mr Kempe's "declaration of independence" looking for remarks that were specific to computers I found only, "4. ... that software is systematically "buggy" because software producers are not doing their best." While I would not ever put the word "systematically" in front of "buggy", I think that this statement would be true if one inserted the word "many" (instead of the implied "all") before "software". There are many people who, because of a variety of external pressures, are producing a lower quality of software than they could produce. In fact, I know many who have told me that they would like to do better, and could do better, if the market were better controlled and users were better informed about products. None of these people believe that "some people, especially those in government, know everything about anything, and should therefore dictate how software must be written" but they do believe that some regulation (e.g. truth in advertising) would help. Some believe that cigarette box style warnings would be enough, while others would prefer inspections and grading. Most take pride in their work and would like to make it easier for customers to tell the difference between their products and those of lesser quality.

Rather than paint frightening pictures of "big brother" censoring our outpourings, we should try to examine the ways in which software products differ from other products and find the appropriate compromise between our right to produce arbitrary texts and our responsibility to avoid flooding the world with unreliable products.

David L. Parnas   parnas@sscvax.cis.mcmaster.ca

------------------------------

Date: Wed, 16 Oct 91 13:50:00 PDT
From: bart@cs.uoregon.edu
Subject: Re: buggy software (Parnas, RISKS-12.50)

> We are asking that software be
> treated like other products, produced by registered or licenced engineers

Like all those small appliances you mentioned? There's no one right answer to the question of how to ensure the safety and reliability of something as wide-ranging and widespread as software, and I am concerned that a person of Mr. Parnas' reputation might mistakenly give the impression that licensing all programmers across the board is feasible, much less a panacea of some kind.

IMHO, you could make a case for requiring a licensed safety engineer specializing in software safety to be in charge of development of certain types of software, such as medical software or control software for large industrial systems (e.g., nuclear power plants) where the general public welfare depends on this expertise. For other types of software, such as computer games or word processors, it is clear that no safety supervision should be required, since there is no threat of bodily harm to anyone as the direct result of the use of this software. There is probably some intermediate class of software applications where a UL-like oversight body would be the appropriate answer.

The situation with regard to reliability and fitness is similar.
For example, the implied warranties of merchantability and fitness which already exist are probably adequate for computer games, but perhaps there should be special protections provided to banks who purchase multi-million dollar accounting packages.

Part of the problem IMHO is the use of the generic term "software," which implies that "it's all the same" in some important sense. This is less and less true as time goes on, and I believe that there will soon come a time when lumping all "software" together in discussions of safety and reliability regulations is about as common as lumping together cars, household appliances, and roller coasters under the term "electromechanical devices" in these discussions.

Bart Massey   bart@cs.uoregon.edu

------------------------------

Date: Wed, 16 Oct 91 16:15:21 CDT
From: skewes@CAD.MCC.COM (Ernesto Pacas-Skewes)
Subject: Re: buggy software (Parnas, RISKS-12.50)

Good common points brought up by Mr. Parnas. I especially support free bug fixes.

> ... We are asking that software be
> treated like other products, produced by registered or licenced engineers, and
> that software manufacturers be treated like other manufacturers. . . .

The goal is commendable, but I'll take exception on the "registered or licenced" part. Looking back, registering and licensing are not necessarily related to being competent and responsible. The only (exaggeration?) things that registering and licensing are guaranteed to produce is income for the registra(e)r/licenser and job security for registered/licensed elites that are not necessarily competent or responsible. Following the line of examples: The last time you went to a licenced (otherwise unknown to you) professional, were you sure s/he was "good"? Were you sure it was going to be expensive? To be sure, I'm not saying that all those who are are, and all of those who aren't aren't. I'm just saying that registration and license, like so many other things, aren't always what they seem.

> . . . If cars were as buggy as the software on the market today,
> the automobile manufacturers would have long ago been sued into bankruptcy.

I wasn't driving at that time, but I'm sure cars WERE as buggy as software IS. (Besides, several things can prevent bankruptcy; lawyers and lobbying come to mind.)

Ernesto Pacas-Skewes   PACASSKEWES@MCC.COM

------------------------------

Date: Wed, 16 Oct 1991 16:35:10 GMT
From: spray@convex.com (Rob Spray)
Subject: Re: TRW misreports local taxes

>I heard a radio report (just a headline, really) this morning that TRW will
>provide "free copies" of credit reports to some (of their New England?)
>consumers, in a PR move.

According to Nareen (sp?) at TRW (214/235-1200) the report is slightly erroneous. Starting January 1, 1992, TRW will provide consumers with one free credit report per year. (You currently get a freebie if you've been denied credit or employment because of a report; otherwise it's $15.) Apparently, they've had "a lot" of calls about this!

They need:
    Full name
    Spouse's first name
    Addresses with zip codes for last five years
    SSN
    DOB
and a signed request for the info.

Send it to
    TRW
    PO Box 749029
    Dallas TX 75374

A recording that explains this (but not the free deal) is on 214/235-5005

--Rob Spray  --spray@convex.com  --your RISKman in Dallas

    [AND WAIT UNTIL AFTER 1 JAN 92.  PGN]

------------------------------

End of RISKS-FORUM Digest 12.51
************************
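Editor's added example, on the Blockbuster `Loses' Returned Video item above. The failure Mowgli describes is a design choice: the only event that clears a loan is the employee's check-in scan, which happens some time after the customer has handed the tape over, and nothing is given to the customer at that moment. The code below is not Blockbuster's system nor anything from the original post; it is a sketch of the alternative a security engineer would reach for. A return is recorded as a separate "dropped, not yet shelved" state at the moment the tape changes hands, the customer receives an HMAC-signed receipt for that event, and a reconciliation report lists tapes that were dropped but never shelved. With that, "I was training a new girl and 25 videos weren't checked in properly" surfaces as an exception list for the store instead of an overdue notice for the customer, and the customer keeps proof that does not depend on the store's shelving. The store key, tape barcode "A", customer "mowgli", and the Friday-to-Tuesday timeline are all constructed for the example; the key would live in a key store, not in source.

```python
"""Rental-return ledger with a customer-held receipt (added example)."""
import hashlib
import hmac
import json
from datetime import datetime, timedelta, timezone

# Hypothetical per-store signing key, made up for this example.
STORE_KEY = b"example-store-key-not-a-real-secret"

ON_SHELF = "on_shelf"
CHECKED_OUT = "checked_out"
DROPPED = "dropped"  # handed back and recorded, but not yet shelved


def _sign(event):
    """HMAC over a canonical JSON form of the event."""
    body = json.dumps(event, sort_keys=True).encode()
    return hmac.new(STORE_KEY, body, hashlib.sha256).hexdigest()


def verify_receipt(receipt):
    """True only if the receipt's event is exactly what the store signed."""
    return hmac.compare_digest(_sign(receipt["event"]), receipt["tag"])


class RentalLedger:
    """Per-tape state plus an append-only log of every transition."""

    def __init__(self, clock):
        self.clock = clock  # callable returning an aware datetime
        self.state = {}     # barcode -> (state, customer, when)
        self.log = []

    def _record(self, barcode, state, customer):
        when = self.clock()
        self.state[barcode] = (state, customer, when)
        event = {"barcode": barcode, "state": state,
                 "customer": customer, "when": when.isoformat()}
        self.log.append(event)
        return event

    def stock(self, barcode):
        self._record(barcode, ON_SHELF, None)

    def checkout(self, barcode, customer):
        st, _, _ = self.state.get(barcode, (None, None, None))
        if st != ON_SHELF:
            raise ValueError(f"{barcode} is {st}, cannot check out")
        self._record(barcode, CHECKED_OUT, customer)

    def drop_return(self, barcode, customer):
        """Record the return when the tape changes hands, not when it is
        shelved, and hand the customer a signed receipt for that event."""
        st, holder, _ = self.state.get(barcode, (None, None, None))
        if st != CHECKED_OUT or holder != customer:
            raise ValueError(f"{barcode} is not checked out to {customer}")
        event = self._record(barcode, DROPPED, customer)
        return {"event": event, "tag": _sign(event)}

    def shelve(self, barcode):
        st, _, _ = self.state.get(barcode, (None, None, None))
        if st != DROPPED:
            raise ValueError(f"{barcode} is {st}, nothing to shelve")
        self._record(barcode, ON_SHELF, None)

    def overdue(self, customer, loan_days=2):
        """Tapes still charged to the customer past the loan period."""
        now = self.clock()
        return sorted(b for b, (st, c, when) in self.state.items()
                      if st == CHECKED_OUT and c == customer
                      and now - when > timedelta(days=loan_days))

    def unshelved(self, older_than=timedelta(hours=1)):
        """Exception report: returns recorded but never shelved."""
        now = self.clock()
        return sorted(b for b, (st, _, when) in self.state.items()
                      if st == DROPPED and now - when > older_than)


def _ledger_with_rental():
    # Constructed timeline: rent Friday, bring back Monday, call Tuesday.
    now = [datetime(1991, 10, 11, 18, 0, tzinfo=timezone.utc)]
    ledger = RentalLedger(lambda: now[0])
    ledger.stock("A")
    ledger.checkout("A", "mowgli")
    now[0] += timedelta(days=3)  # Monday
    return ledger, now


def scenario_recorded_at_drop():
    """Tape scanned as it is handed over; nobody ever shelves it."""
    ledger, now = _ledger_with_rental()
    receipt = ledger.drop_return("A", "mowgli")
    now[0] += timedelta(days=1)  # Tuesday: the phone call
    return {"overdue": ledger.overdue("mowgli"),
            "unshelved": ledger.unshelved(), "receipt": receipt}


def scenario_recorded_at_shelving():
    """Tape cleared off the counter before anyone scans it, so the only
    event that could have cleared the loan is never written."""
    ledger, now = _ledger_with_rental()
    now[0] += timedelta(days=1)  # Tuesday
    return {"overdue": ledger.overdue("mowgli"), "unshelved": ledger.unshelved()}
```

In the first scenario the Tuesday report shows no overdue tape for the customer and one tape on the "dropped but unshelved" list, and the receipt still verifies; in the second, the same events produce an overdue notice and no exception at all, which is the situation the post describes. The receipt only proves what the store itself recorded, so it is worth nothing if the drop is never scanned; the point of the design is that the scan happens while the customer is still at the counter to insist on it.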