Subject: RISKS DIGEST 13.02 REPLY-TO: risks@csl.sri.com RISKS-LIST: RISKS-FORUM Digest Thursday 9 January 1992 Volume 13 : Issue 02 FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator Contents: UK Government security breach (Robert Jenkins) Landlord's software chokes on identical check numbers (Jon Weintraub) The "Miracle" computer-controlled piano teaching system (Ed Nilges) Gambling machines scramble checking facility (George Michaelson) Re: Life-and-Death Computer (Tom Perrine, Bob Kerns) Re: Snow at San Jose ??? (Alan Marcum, Christopher Pettus) Re: Customer Clogs Honda 800 Number (anonymous, Sanford Sherizen) Re: Screensaver doing "nothing" (Bill Davidsen, A. Padgett Peterson) Re: ZIP+4 (Kraig Meyer, Ed Wright, Brad Templeton, John J. DiLeo) Risk Assessment for Aviation Safety -- a request (Peter C Olsen) Rampant Virology -- a book by Mark Ludwig (Ray Kaplan) The RISKS Forum is moderated. Contributions should be relevant, sound, in good taste, objective, coherent, concise, and nonrepetitious. Diversity is welcome. CONTRIBUTIONS to RISKS@CSL.SRI.COM, with relevant, substantive "Subject:" line. Others may be ignored! Contributions will not be ACKed. The load is too great. **PLEASE** INCLUDE INTERNET FROM: ADDRESS, especially .UUCP domain folks. REQUESTS please to RISKS-Request@CSL.SRI.COM. For vol i issue j, type "FTP CRVAX.SRI.COMlogin anonymousAnyNonNullPW CD RISKS:GET RISKS-i.j" (where i=1 to 12, j always TWO digits). Vol i summaries in j=00; "dir risks-*.*" gives directory; "bye" logs out. The COLON in "CD RISKS:" is essential. "CRVAX.SRI.COM" = "128.18.10.1". =CarriageReturn; FTPs may differ; UNIX prompts for username, password. ALL CONTRIBUTIONS CONSIDERED AS PERSONAL COMMENTS; USUAL DISCLAIMERS APPLY. Relevant contributions may appear in the RISKS section of regular issues of ACM SIGSOFT's SOFTWARE ENGINEERING NOTES, unless you state otherwise. ---------------------------------------------------------------------- Date: Wed, 8 Jan 92 20:52 GMT From: Robert Jenkins Subject: UK Government security breach The Guardian of 8 January carries the following report, headlined "Security Flaw in Whitehall": Fake names were fed into a Whitehall [i.e., central government] computer to give unauthorised staff access to details of top security safes holding cabinet papers and sensitive defence documents, an investigation by the National Audit Office, parliament's financial watchdog revealed yesterday. The issue of security furniture, such as filing cabinets for classified documents, was "left in the hands of an inexperienced officer who had virtually unlimited control of the system and was not effectively supervised," says the report. It goes on: "Control over access to the computer system was minimal; staff who were no longer authorised to use it, and two fictitious names thought to have been entered by a previous employee, continued to have access. "Staff training was inadequate, procedures were not documented, and inaccurate stock information was leading to the posting of wrong figures to the accounts. The staff were unable to generate invoices for equipment and substantial amounts had consequently not been charged. At least one duplicate payment, amounting to 92,000 pounds, had been made to a supplier." The report said there was no evidence of fraud, "but the serious lack of control, and the limited audit trails, made it impossible to provide an unconditional assurance that it had not." ------------------------------ Date: Thu, 9 Jan 92 12:48:53 -0600 From: Jon Weintraub Subject: Landlord's software chokes on identical check numbers My landlord has been `politely threatening' us since the first of the year for overdue rent. After careful checking, the problem was that both my roommate and I each happened to pay with a check numbered 144 from our respective accounts. The computer supplanted its record of the first check with its record of the second -- it was counting on check serial number to be a unique identifier across accounts! If we were less lucky, we might be in court over this by now. ------------------------------ Date: Tue, 7 Jan 1992 17:11:16 GMT From: EGNILGES@pucc.Princeton.EDU Subject: The "Miracle" computer-controlled piano teaching system This morning (7 Jan 1992) on the Today show, the "Miracle" computer-controlled piano teaching system from the Software Toolworks was demonstrated for announcer Katy Couric. This is a high-quality electronic piano and software running on several platforms (including the Mac and the PC) which teaches piano by lessons and by monitoring play on a key-by-key basis. It was the subject of some reasonably smarmy ads as Yuppie parents watched, eyes glistening, as their Little Darlings played rather complicated pieces reasonably well. The performance in the ads has been borne-out by tests of the system; it is a good way of teaching piano skills, interpreted as being able to play the music on the page. Thereby, however, lies a potential Risk to music aesthetics. For when Katy Couric played a decent version of "Happy Birthday", including some rather elegant grace notes, the computer gave her a low score of 38%. This is it could not recognize the slight improvisation represented by grace notes as an improvement over the music displayed on the screen. In my opinion, a good piano teacher would give Couric a higher score for the creativity implicit in grace notes. More than this, the developers of "The Miracle" seem unaware of the fact that Playing The Music Exactly As Written (PTMEAW) is (in a global sense) not the usual practice. Not only is folk music almost completely improvised, Indian classical music gains much of its richness from being IN PART improvised by master musicians every time it is performed. Even in the Western classical tradition, improvisation was the norm prior to the Baroque era. Deliberate error, even, has played an extensive part in music. Italian and German violinists of the 17th century used a system of deliberately "incorrect" tuning, called "scordatura", by which the Baroque composer Biber gained much emotional intensity in his violin sonatas. Up until Beethoven the instrumentalist in a concerto provided a "coda" in which the soloist could improvise on the theme, so PTMEAW was not even the norm in Mozart's time. Nowadays, although classical music is subject to PTMEAW (with the absurd stress on "original instruments" being part of this), non- classical music, including folk, rock and country gains much of its liveliness by retaining both improvisation and "scordatura" (that is, deliberate error for emotional intensity.) "The Miracle" completely ignores this by assigning high scores in a dehumanized fashion to students who, unlike Couric, don't have the creativity to improvise. I predict that two types of populations will evolve on "The Miracle": unimaginative keyboarders of the music as written, and hackers, who will misuse the features. In neither group will true musicians be found. "The Miracle" does look like a useful tool for learning music, but I object both to its operatic name, which makes an overlarge claim, and to its incorporation of numeric scoring. The designers could have (under the advice of a decent musicologist) deliberately eschewed the assignment of numeric scores and restricted themselves to the display of natural-language evaluations. ------------------------------ Date: Tue, 7 Jan 1992 10:02:53 +1100 From: George Michaelson Subject: Gambling machines scramble checking facility ABC Radio (Australia) reported this morning that different manufacturers "one armed bandits" (in-line gambling machines) confuse the centralized checking systems to which they are networked, and destroy each others records. This has delayed installation of the systems in clubs and hotels around the state of Queensland, until new code can be put in to ensure they can be checked up on. Worry about abuses of the machines for gambling, tax evasion and links with crime (for money laundering, and alleged mafia involvement in the manufacture & distribution) has been a big political football here. -George ------------------------------ Date: Tue, 7 Jan 92 11:03:13 PST From: tep@tots.logicon.com Subject: Re: Life-and-Death Computer The Washington Post editorial in Risks 13.01 (Subject: Life-and-Death Computer) overlooked one other problem with the APACHE software: it has the potential to generate self-fulfilling prophecies. It appears that APACHE is really reporting on patient "profiles": age, weight, general medical condition, cross-referenced with specific complaints or injuries and treatments and survival rates. Since APACHE reduces people to profiles, we might as well use that term in discussion. Lets say that a "profile" is not treated with a given procedure, in part due to the "advice" of APACHE, and then dies. If the information concerning this "profile" is then fed back into the APACHE database, this will decrease the "survivability" quotient for subsequent "profiles" with the same initial set of problems. Each time a patient (oops, "profile") with a given complaint is not treated (and dies), the survival quotient decreases again. Each time APACHE (indirectly) advises a doctor to withhold treatment for a condition, it increases the probability that it will "advise" withholding treatment for the next patient (oops, "profile") with the same basic complaint/injury, leading to another death, leading to another survival quotient decrease. The editorial remarks that "a computer can serve the cause of accurate diagnosis only on the basis of properly entered information by the physician using his or her senses". Even if data is 100% correct, it still leads to positive feedback which will further skew the output data. Tom Perrine (tep), Logicon - T&TSD, P.O. Box 85158, San Diego CA 92138 +1 619 597 7221 UUCP: sun!suntan!tots!tep ------------------------------ Date: Wed, 8 Jan 92 06:12:15 -0500 From: rwk@crl.dec.com Subject: Life-and-death computer: Numbers lie In RISKS 13.01, Warren McLaughlin cites a Washington Post article about programs which give highly-precise probabilities on medical treatment outcomes, and how this can lead to doctors relinquishing their proper decision-making responsibility. It seems clear to me that the problem here isn't that the doctor is relinquishing his responsibility by being too trusting of the software, so much as it is the programmer is relinquishing the responsibility to the doctor by presenting bad information. The problems inherent in encoding weights for different courses of action (or any other "non-monotonic" comparison) is very familiar to anyone familiar with expert systems. In addition to the illusion of accuracy illustrated in the article, there are numerous other kinds of error introduced at every step, from the initial assignment of weights for the raw data (what is a "favorable outcome" in treatments to prolong life in a terminal disease), observed situation (what is "slight swelling of the lymph nodes"), anomolies when these are reasoned on in conjunction with each other (often you can prove a>b>c>a), and then, finally, in the way they are reported. Assuming that these problems are dealt with in a realistic manner, for the program to communicate reasonably with the doctor, it is necessary to give some idea of the precision of these numbers. One of the better techniques is to use "error-bars". This can help transform what appears to be a definitive decision: Cut off head: 40% Give aspirin: 30% Cut off foot: 20% vs: -Treatment- 0 10 20 30 40 50 60 70 80 90 100 Cut off head: |-------------------X----| Give aspirin: |---------X--------------| Cut off foot: |----X--------------| As you can see, this makes it much more clear that the program really hasn't decided much of anything at all. It should also be clear from my example that in addition to the numerical information, an explanation of the reasoning process together may well be warranted, to check for any unwarranted assumptions, and other things to look out for. (Such as the need for reattaching the head after repairs are effected, and the assumption that the patient is a robot). (The disease in question, of course, is "headache"). In real life, a doctor giving a second opinion isn't just going to give a number. He's going to give reasons, and an idea how sure he is of the appropriateness of a particular treatment and alternative treatments and even perhaps alternative diagnosis to consider. [Or maybe the insurance industry has this process reduced to a coded number now too, in which case, the Risks should be obvious]. The deceptive problems of encoding preferences and subjective evaluations into numbers is, of course, a pervasive problem in other areas. Indeed, the entire area of risk analysis is rife with it, as I've pointed out indirectly in other messages. It's so much easier to calculate with simple numbers that this is a very tempting trap to fall into. But we must resist the temptation to manufacture certainty where non exists. Whether we are computer professionals, scientists, pollsters, or journalists, or newspaper reader I think being careful with these issues is a matter of professional integrety. It's an integrety which is all too often lacking, out of ignorance, sloppiness, desire to persuade, or desire to be persuaded. [finger rwk@... suggests this might be someone named Bob Kerns. PGN] ------------------------------ Date: Mon, 6 Jan 92 14:47:46 PST From: Alan_Marcum@NeXT.COM (Alan M. Marcum - Tech Support) Subject: Re: Snow at San Jose ??? (Pettitt, RISKS-13.01) > 1) a decode error (I don't know what the correct decode of VBSY is) > 2) VBSY does mean snow and spray and the NWS screwed up the forecast. There's a third possible cause, which I guess I'd call the probably cause. Someone made a typographical error. VSBY is the contraction for visibility. BSY could well translate to snow and blowing spray. For the RISKS folks, note also that the translation Contel provides is made available as a courtesy. They have a large disclaimer stating this, and requesting that the pilot acknowledges his responsibility for correct translation according to the relevant portions of the Federal Aviation Regulations. There is the RISK, though, of typos in critical information with little or no redundancy, such as the FAA's cryptic weather information. Alan M. Marcum, NeXTedge Technical Support, amm@NeXT.COM ------------------------------ Date: 6 Jan 92 21:57:25 GMT From: cep@Apple.COM (Christopher Pettus) Subject: Re: Snow in San Jose ??? (RISKS-13.01) >Either way computer weather briefing has a way to go yet. Indeed. One of the problems with computerized decoding of National Weather Service (NWS) weather information is that the format, while supposedly standardized, is actually typed in by humans with no checking in a pretty free-form format. In this case, the answer is both (1) and (2). A terminal forecast has two parts, an 18-hour "forecast" and a 6-hour "categorical outlook" (although even weather briefers are often unaware of the difference). The forecast is relatively detailed: the clouds are going to be at 4000 feet, it's going to be raining, the visibility is going to be 5 miles in fog, etc. The categorical outlook is pretty generic, and just makes braod claims about the weather, in particular ceilings greater than 3000', visibility greater than 6 miles, etc. If the visibility is expected to be restricted, "VSBY" is put into the categorical. In this case, the forecaster expected the visibility to be at three miles, so he stuck a 3 in the categorical (free-format, no checking). This is not a meaningless thing to do, since three miles of visibility is a "magic number" (it allows flight operations that might otherwise be prohibited). This isn't what the "official" format allows, so the program decided that it had just hit a standard notation for visibility, where the visibility is given in miles, then followed by letter codes for what kind of goo is restricting the visibility (for example, "2RF" means "visibility 2 miles in rain and fog"). "S" is snow, "Y" is spray, and "B" in front of a code means "blowing," and the "V" I assume was ignored, so we have "Visibility 3 miles in snow and blowing spray." The whole weather reporting system is based on ancient 110-baud teletype technology, and is in desperate need of being trashed and redone. But it probably will not be for many years. -- Christophe ------------------------------ Date: Mon, 6 Jan 92 22:06:51 PST From: [anonymous] Subject: Re: Customer Clogs Honda 800 Number It is pretty well established that such abuse of an 800 number (or any number for that matter) constitutes harrassment. In the famous case of the guy doing this to the tele-evangelist, I believe that the caller was prosecuted, found guilty, and had to make some sort of restitution. Keep in mind that virtually all 800 (and 900) customers already receive the caller's number for about 95%+ callers via the carriers' Automatic Number Identification (ANI) systems (this is actually different from Caller-ID, but the distinction is too complex to elaborate on here). Only larger customers usually receive this information in real-time with the call, but most receive the caller numbers with their phone bills, or sometime after the call via other means, and abusive patterns can be clearly seen in such data. ------------------------------ Date: Wed, 8 Jan 92 01:54 GMT From: Sanford Sherizen <0003965782@mcimail.com> Subject: Customer Clogs Honda 800 Number (Cont.) There is more about this incident. According to the TAB, a very good local newspaper in this area, Daniel Gregory has been charged with telephone harassment after he made at least 100 phone calls in one day and faxed a 14-foot computer banner saying "Dan Gregory is unhappy with his Honda." Gregory admitted making the calls. "It could have been as many as 100 in one day," he said last week. "MAYBE I OVERDID IT. BUT EVEN IF THAT WAS THE CASE, SO LA DE DA." (Emphasis added by me to highlight why the U.S. is in decline) He made a comment about the long fax. "A roll of fax paper is $12 at Staples (office store). We're talking about a multi-million dollar company getting mad because I use a lot of fax paper?" While this story has received some coverage around the U.S., it has been treated as if it is a funny story. Some form of man-bites-Honda. The fact is, however, that this incident shows a vulnerability of technology. Is this phone clogging almost a virus-type phenomenon? Can it be possible on a larger scale? Say someone doesn't like their boss, the Internal Revenue, their ex-spouse, a political candidate, a computer network, or some other party. Then "la-de-da" is the right response. For all we know, Gregory may run for national office on the La De Da Platform. Oop, sorry, I think that political platform is already taken by at least one other candidate for president. Sanford Sherizen, Data Security Systems, Inc., Natick, MA 01760 USA ------------------------------ Date: Wed, 8 Jan 92 09:12:47 EST From: davidsen@crdos1.crd.ge.com (bill davidsen) Subject: Re: Screensaver doing "nothing" might be a resource hog Also note that "screensavers" and "lock screen" programs can use a lot of ethernet bandwidth if you run them on X terminals. This can actually be enough of a factor to measure, particularly if you have a site where people tend to lock a lot of terminals at night while the administration is trying to take dumps over the net. bill davidsen (davidsen@crdos1.crd.GE.COM -or- uunet!crdgw1!crdos1!davidsen) GE Corp R&D Center Moderator comp.binaries.ibm.pc and 386-users digest. ------------------------------ Date: Tue, 7 Jan 92 09:28:30 -0500 From: padgett%tccslr.dnet@uvs1.orl.mmc.com (A. Padgett Peterson) Subject: ScreenSavers & Resource Hogs (Swartz, RISKS-13.01) The comments concerning the effects of a screensaver on a Sun station brings to mind a couple of incidents that occured a few years ago on our Vax systems. The first involved a brand new, state-of-the-art VAX 11/780 and a digital "clock" (with alarm). A short (50 or 60 lines) DCL program, it was quite popular until it was found that four simultaneous "clocks" would swamp the 1 VUP 780 and cause logins to take upwards of five minutes. The second was a program that used QIO and QIOW calls (never could get all of the commas straight without help) that enabled the VAX to function as a terminal emulator. Add in a Racal-Vadic 1200 baud (great improvement over 300 baud Silent 700s) modem and it was possible to debug systems in New York from my desk in Florida. With a TekHex conversion, binary traffic was also possible (this was before XMODEM, KERMIT, or UUENCODE programs were available so everything was "home grown" but worked) so we could make "on-line" fixes to a Mil-Std-1750A program. Trouble was that in order to make a multitasking system operate as a terminal, constant cyclic checking of the workstation port and the output port was necessary. As a result the program was something of a hog and we were politely requested to only use it when necessary, preferably after hours. In any event, one Friday an engineer left work with his terminal still running the program (this was a *long* time ago) even though the phone was hung up. Three weeks later we got the bill for that weekend from the computing center: $32,000.00 for resources used. Needles to say some frantic negotiations ensued. Of course the high cost of VAX time back then is what financed the PC revolution here so it wasn't all bad, just "there is nothing new under the Sun" (sorry). ------------------------------ Date: Mon, 06 Jan 92 15:38:39 PST From: kmeyer@aero.org Subject: Re: ZIP+4 (RISKS-13.01) jones@pyrite.cs.uiowa.edu (Douglas W. Jones,201H MLH,3193350740) writes: >I recently asked at my post office how many houses shared the same ZIP+4 code >with my house. The answer was that if I lived in a single-family dwelling, I >almost certainly have a unique ZIP+4 code. [Unique ZIP+4] was not the intended or actual implementation of ZIP+4 that I'm familiar with. Generally, the last 4 digits indicate which block the address lies in (or sometimes additionally, which side of the block). My parents live in a subdivision in Michigan with one acre lots, and they share their ZIP+4 code with 1/2 miles' worth of single family dwellings, because that is the distance between the two cross streets. The other side of the street has a different ZIP+4 code, even though all of the mailboxes are on the same side of the street. Check out a ZIP+4 directory at your local post office to see who you share your ZIP with. Kraig R. Meyer [Also noted by the following: johnl@iecc.cambridge.ma.us (John R. Levine) merlyn@iwarp.intel.com (Randal L. Schwartz) seidel@puma.sri.com (Craig Seidel) brock@cs.unca.edu (J. Dean Brock) goldsten@m.cs.uiuc.edu (Arthur Goldstein) sullivan@geom.umn.edu (John Sullivan) and PGN himself, who owns a ZIP+4 that is unique -- which is the case for box numbers in small post offices. PGN] ------------------------------ Date: Thu, 9 Jan 92 10:21:53 PDT From: Ed Wright Subject: Re: ZIP+4 (RISKS-13.01) The Zip + 4 system gets your letter to the correct carrier, correct side of the street, correct two block segment. Soon Zip + 6 will emerge (its under test now) and that will give each address a unique numeric sequence. ------------------------------ Date: Tue, 7 Jan 92 20:26:22 PST From: brad@looking.clarinet.com (Brad Templeton) Subject: Re: ZIP+4 (RISKS-13.01) Actually, rather than letting people mail to me with my Zip+4 (which only specifies some people exactly and not others) I would rather the post office (and other shippers) implement a scheme where I can get a unique code (number or alpha), perhaps of my choice, which identifies my address in Post Office computers, and only there. People would be able to mail to: Code: foobazbarx, U.S.A. And the mail would get to me. The P.O. would be pledged never to reveal where I actually live except on court order. In fact, the actual information should only be available in the local post office computer -- other computers would only know which local post office to send mail for foobazbarx. Naturally, you could have more than one code, if you wish to pay. Mailers would be free to add more redundant information, but you would want a check letter (the x) on the end so that people who take down your address can be sure they have it right when they are talking to you. There's a real way to use computers to preserve your privacy, and make mailing and address transcription easier, too. ------------------------------ Date: 9 Jan 92 23:56:16 GMT From: "John J. DiLeo" Subject: Re: ZIP + 4 codes ... For the more stout-hearted (and those to whom the CD-ROM is not available), all government depository libraries should have a full set of printed directories (I filed them in the depository stacks at Johns Hopkins when I was a student employee there). Entries are listed by: 1)City name/Post Office name; 2) Street name/P.O. Box group; and 3) numerically by block numbers. John DiLeo, dileo@brl.mil ------------------------------ Date: Wed, 8 Jan 1992 02:30:30 GMT From: pcolsen@super.super.org (Peter C Olsen) Subject: Risk Assessment for Aviation Safety I'm doing a strategic study on aviation security and I'm looking for information about techniques that might be used to model the threat, risk, and effectiveness of countermeasures in commercial aviation security --- particularly airline security. I am particularly interested in approaches that might be useful in helping to quantify and refine the qualitative data which seems to be all that is available. Similar problems have been addressed by the people in the computer security and nuclear safety arenas. I'd appreciate any information or advice. Please reply to ME via email because I don't follow this newsgroup; I will summarize if there is any interest. Peter Olsen pcolsen@super.super.org ..uunet!super!pcolsen PO Box 410, Simpsonville, MD 21150 202-366-6525 (office) ------------------------------ Date: Wed, 8 Jan 92 20:51 MST From: Making memories Subject: Rampant Virology More books to keep you awake at night (I've only seen volume 1 so far.) The Little Black Book of Computer Viruses, 169 pages, Mark Ludwig, ISBN 0-929408-02-0, $14.95 - American Eagle Publications, P.O. Box 41401, Tucson, AZ 85717 - (602) 888-4957. (Thanks to Winn Schwartau for this referal to a publisher right here in my own town!) The back cover of this one tells it all: WARNING. This book contains complete source code for live computer viruses which could be EXTREEMELY DANGEROUS in the hands of incompetent persons. You can be held legally liable for the misuse of these viruses, EVEN IF SUCH MISUSE IS UNINTENTIONAL. Do not attempt to execute any of the code in this book unless you are well versed in systems programming for personal computers, and you are working on an isolated machine. Introduction: "This is the first in a series of three books about computer viruses... All three volumes are full of source code... It is enevitable that these books will offend some people ... The first volume is a technical introduction... The second volume discusses scientific applications... The third volume discusses military applications ... (And, a lengthy disertation on everything from the social meaning of this all to the "why do it" of it all (that would play very nicely here in RISKS.?)) Vol 1 Ch 1 - The basics Types Functional elements Tools needed to write viruses Ch 2 - Simple COM file infector Ch 3 - Sophisticated executable virus Ch 4 - Simple boot sector virus Ch 5 - Sophisticated boot sector virus Appendix 1 - TIMID Appendix 2 - INTRUDER Appendix 3 - A basic boot sector Appendix 4 - KILROY Appendix 5 - STEALTH Appendix 6 - Hex file loader Appendix 7 - BIOS and DOS interupt functions Appendix 8 - Suggested reading list Kaplan's comments: 1) - "Oh, my." 2) - Wonder if volume three will ever get out ;) Ray 8-|)} New address: kaplan@vms.ccit.arizona.edu ------------------------------ End of RISKS-FORUM Digest 13.02 ************************