Subject: RISKS DIGEST 13.40
REPLY-TO: risks@csl.sri.com

RISKS-LIST: RISKS-FORUM Digest  Wednesday 15 April 1992  Volume 13 : Issue 40

FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS
ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Contents:
  Risk of relying on editors and/or spelling checkers? (Siritzky)
  New Applications of Voice Recognition Technologies (Saul Tannenbaum)
  For savings we can count on our fingers... (Jeffrey Sorensen)
  Computerized insurance quotes (Bear Giles)
  Re: Risks in nuclear bombs to deflect asteroids (Dani Eder)
  Re: Unauthorized Evidence Gathering (Peter K. Boucher, anonymous)
  Re: Phone Registration at Berkeley (Eric W. Anderson)
  Re: Transcripts via e-mail (Dick Kain, Shyamal Jajodia)
  Re: Public TV Series (Wayne Throop, Dave Katz)
  Re: US PBS stations *do* censor (Jonathan Clark, Matt Braun)

The RISKS Forum is moderated. Contributions should be relevant, sound, in good taste, objective, coherent, concise, and nonrepetitious. Diversity is welcome. CONTRIBUTIONS to RISKS@CSL.SRI.COM, with relevant, substantive "Subject:" line. Others may be ignored! Contributions will not be ACKed. The load is too great. **PLEASE** INCLUDE YOUR NAME & INTERNET FROM: ADDRESS, especially .UUCP folks. REQUESTS please to RISKS-Request@CSL.SRI.COM.

Vol i issue j, type "FTP CRVAX.SRI.COM<CR>login anonymous<CR>AnyNonNullPW<CR> CD RISKS:<CR>GET RISKS-i.j<CR>" (where i=1 to 13, j always TWO digits). Vol i summaries in j=00; "dir risks-*.*<CR>" gives directory; "bye<CR>" logs out. The COLON in "CD RISKS:" is essential. "CRVAX.SRI.COM" = "128.18.10.1". <CR>=CarriageReturn; FTPs may differ; UNIX prompts for username, password.

ALL CONTRIBUTIONS CONSIDERED AS PERSONAL COMMENTS; USUAL DISCLAIMERS APPLY. Relevant contributions may appear in the RISKS section of regular issues of ACM SIGSOFT's SOFTWARE ENGINEERING NOTES, unless you state otherwise.

----------------------------------------------------------------------

Date: Tue, 14 Apr 92 14:06:39 -0400
From: siritzky@apollo.hp.com
Subject: Risk of relying on editors and/or spelling checkers?

The October 1991 issue of the New York University Law Review contained a note titled "Rethinking Adoption: A Federal Solution to the Problem of Permanency Planning for Children with Special Needs". On the front cover of the journal and in the table of contents the note was listed with the word "abortion" used in place of "adoption". The correct title appeared on the note itself.

Editors apparently only discovered the error when they received their advance copies, although it was also pointed out to them in a letter from Supreme Court Justice Harry Blackmun -- one of the authors of Roe v. Wade.

[From: The National Jurist, March 1992, page 4]

------------------------------

Date: Thu, 9 Apr 1992 13:32 EST
From: Saul Tannenbaum
Subject: New Applications of Voice Recognition Technologies

One of our local NPR (WBUR) stations had, in its morning news report, a story about a company that was developing a new twist in the application of voice recognition technologies. [I don't include the name of the company as I wasn't taking notes, and wouldn't want to needlessly slur the wrong company, or even the right one by my errors of recollection.]

Their goal is to develop a system that would be able to recognize not the words, but who the speaker is. The applications they envision would include control of parolees and those under house arrest, as well as the replacement of PINs.

This is how they envision their system working:

o The person who is to be monitored goes physically to the office doing the monitoring and records a set of words.

o When the time comes for the person to be monitored to report in, they make a phone call to a computer system.

o Caller-ID identifies who is supposed to be calling and their alleged physical location.

o The system presents random challenge sentences that include some of the words used in step one. (One example: The purple television is exciting. "Television" and "exciting" would have been recorded.)

o The system then isolates the pre-recorded words, compares the vocal characteristics and identifies the speaker.

Interesting concept. The company was quite proud that they had taken what has been a serious problem with voice recognition (voices are so different) and turned it into a technological advantage. It was asserted that a number of state correctional departments are interested in this as a replacement for the electronic bracelets that are now sometimes used to monitor house arrest and that have been discussed at length in RISKS.

The news report indicated that this system would be secure, as the comparison of vocal characteristics is not fooled by normal voice mimicry. It was also felt that, while parolees, for example, could be compelled to speak silly meaningless sentences into the phone, it might not be possible to do this generally so as to replace PINs.

This system seems so easy to defeat that I feel I must be missing something. When you go to record your words, bring your own micro-cassette recorder so that you've got an accurate list of the challenge words. Record and digitize them in your home personal computer. When time comes to report in, have your computer call their computer. Their challenge system seems quite structured (it already knows who you are supposed to be from the caller ID), so program your machine to wait for the challenge sentences. Recognize the right words from the list of the ones you've prerecorded, and synthesize a response based on replaying the challenge sentence, inserting your prerecorded words as necessary.

This technology is likely not within the reach of your average parolee, but should this system be used to authorize large financial transfers, the risk of fraud should be obvious.

Saul Tannenbaum, Manager, Scientific Computing   STANNENB@HNRC.TUFTS.EDU
USDA Human Nutrition Research Center on Aging at Tufts University

------------------------------

Date: Wed, 15 Apr 92 00:12:45 EDT
From: sorensen@spl.ecse.rpi.edu (Jeffrey Sorensen)
Subject: For savings we can count on our fingers...

New York state's legislature is currently debating a proposal that would require Medicaid recipients to carry a photo ID and to be fingerprinted. While I think the proposal has a number of risks, for example amputees could experience _another_ cutback... Seriously, this week's _Legislative Gazette_ (Apr 6 '92) amusingly demonstrates the risks of leaving politics to the politicians. Here are some of the insights:

Sen Hollings of NYC says between $150 million and $2 billion is wasted by fraudulent individuals. (Talk about ballpark figures) Hollings: "It scares me to think of all the people that could have benefited from this money." (Well _some_ of those medicaid recipients are frightening. :-)

Republicans claim a similar system in LA saved the state $5 million in the first year of operation. With the electronic system, an individual places two fingers on a small flat screen. A computer then compares the fingerprints to those already on file. Sen Farley of Schenectady said it didn't hurt, it wasn't messy and it took just a few seconds. (If you have nothing to hide, you have nothing to fear.)

The system costs LA $2 million a year, but Farley says the cost doesn't compare with the savings (!?!). He estimates that New York could save $16 million a year.

So there you have it, a system that will catch somewhere between 11% and 0.8% of the total fraud for the bargain price of $2 million a year plus the setup fee. Shouldn't we have a better estimate if we are going to measure the benefits of the system?

Further, I wonder how much saving can be attributed to the effectiveness of the system and how much is due to the perceived effectiveness of the system.
There is this "scarecrow" effect that may not last in the long run. Perhaps some people will find work arounds. Perhaps New York should install a fake fingerprinting system with fake computers and fake databases at a lower cost and still get the same savings. Plus none of the civil liberties risks... But no, this is not science, it is politics.

...fraudulent individuals wasting billions
Jeffrey Sorensen sorensen@ecse.rpi.edu

------------------------------

Date: Wed, 15 Apr 1992 15:58:44 -0600
From: Bear Giles
Subject: Computerized insurance quotes

A while back I called a number of local insurance agents, getting quotes for my MR-2. During each call I made sure the agent knew 1) the MR-2 is an undiluted sports-car and 2) I have a clean driving record. (These are not mutually exclusive, though you will never get an insurance underwriter to admit it!)

Prudential Insurance quoted me a good rate ($430, vs. my current $620). I spent a lunch hour with the agent as he provided me an official quote from a worksheet program, signed a contract and paid the initial installment.

This worksheet program required the agent to specify insurance pool, type of vehicle, driver(s), mileage, etc. It even asked if my car was sheltered at home and/or work. This was definitely _not_ a program an agent cobbled together in his spare time.

Over a _month_ later I finally received my permanent insurance policy, including a demand for much more money. $690 (total), to be precise.

Prudential quickly agreed that all of the information I provided was correct -- it simply took them a month to notice that the agent had placed me in the incorrect insurance pool. There was absolutely no indication in the quote worksheet program that new clients with MR-2s would not be accepted into the specified insurance pool -- it was 'assumed' the agent would know that. Unfortunately my agent only recently started working for Prudential and did not know MR-2s fell into this category.

At the current time, Prudential is insisting I pay the new amount despite being quoted a lower rate with accurate information. For now, I'm left paying more for insurance than I was with my previous insurer.

Meanwhile, I am filing a formal complaint with the state's Insurance Commission and Attorney General (was this bait-and-switch?), to say nothing of telling everyone within earshot about my experience. Prudential's legal expenses, in responding to these complaints, will almost certainly exceed the insurance premium.

The moral of the story: if you use a computer to determine contractual prices, if there are any 'gotchas' they should be explicitly noted by the software. I could accept Prudential changing the quoted rate if I misled them about my driving history -- but not due to their failure to conduct business in accord with their own (internal) underwriting standards.

Bear Giles bear@fsl.noaa.gov

------------------------------

Date: 9 Apr 92 17:28:12 GMT
From: eder@hsvaic.boeing.com (Dani Eder)
Subject: Re: Risks in nuclear bombs to deflect asteroids

>change the orbit of asteroids heading towards the earth

About 25% of the risk is due to comets.

>4. NASA held two workshops to discuss this problem.

One of my co-workers, Dr. Brian Tillotson, attended one of the workshops, and I am working on a contract for the NASA guy who is responsible for this stuff (John Rather, NASA Asst. Director for Space Technology), although what I am working on is another subject (Laser power beaming).

>6. The last big collision of an asteroid with the earth was about 65 mill...

Don't forget about the Tunguska impact in 1908, and the impact that caused Meteor Crater about 25,000 years ago. We have lousy statistics on Earth-approaching asteroids in the 1-km size class (smaller than the supposed dinosaur killer, but still in the multi-gigaton of TNT energy class). There is expected to be on the order of 1000 of these, but we know of about 50 or so.

As for the risks/benefits: In the past a large sudden explosion could happen and not much consequence beyond the immediate damage from the impact. Today, with early warning satellites in orbit, a meteorite impact could look suspiciously like a nuclear explosion. If it happened to be a sensitive military or political location that got hit, it could touch off a war. Even a kiloton impact (which would be much more common than a big one), could have this effect if it landed in the wrong place. So there is value in being able to detect incoming rocks and warn people beforehand, even if you can't deflect/destroy it.

Another side benefit, is getting good orbits for all these objects for later asteroid mining. The ones that come near the Earth are the ones that potentially are easiest to access for mining.

Long period comets are not mappable the way asteroids are, since they come from the depths of the Oort cloud, way beyond Pluto. They do make themselves bloody obvious when they get to the inner solar system, so finding them is not the problem. Fortunately they have the consistency of a mudball, so blowing them away with a nuke is relatively easy. An iron-nickel asteroid, on the other hand, is a much harder problem to deal with. It is structurally harder and more difficult to vaporize. The issues of how to deal with these are more challenging.

For now, the recommendations to upgrade the search for asteroids seems a fairly small cost to address a fairly small risk. In a real emergency (comet discovered heading right for Earth, impact in 2 months), you can be sure that a nuke would get mounted on whatever rocket is handy in very short order and launched for an attempted interception. You can get a lot done if you work around the clock.

Dani Eder/Boeing/Advanced Civil Space/(205)464-2697(w)/232-7467(h)/
Rt.1, Box 188-2, Athens AL 35611/Member: Space Studies Institute

------------------------------

Date: Tue, 14 Apr 92 11:55:53 -0700
From: "Peter K. Boucher"
Subject: Unauthorized Evidence Gathering (Griffith, RISKS-13.39)

I don't know much about the laws in this area, but I have been following the Rodney King trial, where no-one involved knew they were being taped. Does the admission of this evidence set a new precedent?

If such evidence can be used against you, the obvious risk is that your privacy can be invaded on a massive scale in order to obtain the evidence. Of course they can invade your privacy already, they just can't use the results as evidence ;-) unless they've done their paperwork.

Peter K. Boucher boucher@csl.sri.com

------------------------------

Date: Tue, 14 Apr 92 00:24:22 PDT
From: [anonymous]
Subject: Use of taped evidence

It would appear that permission, knowledge, or other prior information is not necessary for the use of taped materials in many cases, nor is it necessary for the person making the tape to be an "involved" party.

A perfect example is playing itself out in the Los Angeles area right now, where the infamous "Rodney King" beating trial is drawing to a close. The most important evidence in the trial has been the videotape made by an uninvolved person living across the street. One would assume that the police involved did not have knowledge of the taping at the time of the event.

------------------------------

Date: Wed, 15 Apr 92 15:52 PDT
From: EWANDERS@cmsa.Berkeley.EDU
Subject: Phone Registration at Berkeley

The following article appeared in The Daily Californian, an independent newspaper distributed at UC Berkeley, April 14, 1992:

NO CLASSES FOR UNDECLARED IN TELEBEARS LIMBO

UC Berkeley sophomore Erica Oliver is caught in a registration Catch-22. Oliver says Tele-BEARS, the new registration-by-phone system heralded by students and administrators as a faster, more efficient way to get classes, won't let her enroll at all.

The system will not place Oliver in the lower-division classes she needs to declare her major because she will be a junior next fall, but won't allow her to enroll in any upper division classes in her major because she hasn't declared it yet.

"It makes me feel very frustrated," Oliver said. "I just can't figure out why in the world I'm paying this university if I can't get any classes."

The phone-in system, initiated on campus last fall by a test group of 4,200 graduating seniors, guarantees students up to the maximum number of units their college allows. But the system doesn't guarantee students will be able to get into classes they need in order to declare or fulfill major requirements.

"Being a Junior, it's kind of late for not fulfilling the major requirements," Jorge Garza, acting associate registrar, said of Oliver's predicament.

Garza said he recommends to students in situations similar to Oliver's to talk to an advisor about getting into the prerequisite classes. But Margaret Distasi, director of student advising in Campbell Hall, said it may be difficult for undeclared students to get classes because major departments may reserve courses for declared students by prohibiting undeclared students from enrolling.

Garza said students will simply have to declare as soon as possible in order to register for classes. "This is going to force students to process their paperwork (for declaring) faster," Garza said.

Garza said his office sent out more than 5,000 letters to students last fall offering a Tele-BEARS training session to inform students about how to prepare themselves for using the system. Only 39 students attended the session.

But on its second day of use by the whole campus, Garza said the registration process is going fairly smoothly. "Most students are getting classes even if they're not the ones they want because they haven't fulfilled certain requirements," Garza said.

Tele-BEARS is scheduled to take 85 calls every 15 minutes during its operational hours, which Garza said would register the entire student population in 10 days.

[End of Quote]

This phone-activated registration system seems to avoid many of the risks that others have remarked on for similar systems at other universities. Each student is assigned a PIN unrelated to the student ID number. Each student has several possible time periods in which to register spread over the 10 day period. We won't know until it is through how many students will miss their time slots or otherwise fail to register properly, but the written information seems pretty clear and complete.

What are the RISKS here? For one thing, they thought they had done a large-scale test of the system by having over 4000 students use it last semester. The flaw was that by limiting the test group to graduating seniors, they didn't test any number of complications that may only occur for undeclared students, freshmen, transfers, part-time students, those changing majors, etc. Repeating a simple test many times is not the same thing as showing that a procedure is flexible enough to handle the full spectrum of real-world inputs. They might have done a much better test by having 400 students from a range of departments and classes use the system rather than 4000 all from one class. (Of course, selecting students for the test at random might have been even better; by deliberately choosing some from every major, they might well have forgotten to test undeclared students.)

The second risk is less obvious. At the same time they replaced mail-in registration with the phone-in system, they changed the algorithm by which they assigned classes. Like many universities, Berkeley has difficulty offering enough sections of certain classes to satisfy demand. In the past, little checking was done to see whether a student was eligible to take a requested class.
Now, many departments can limit registration in certain courses to students who have declared a major in that department. Apparently, they also now limit the ability of 3rd-year students to take lower division classes as well. Here the new method of ACCESSING the registration system is being blamed for a problem that could just as easily have arisen in the old one.

A third risk is best exemplified by the final quote from Garza. He appears to have changed the definition of successful registration from "getting the classes you want or need," to "getting any classes at all." It is hard to tell whether this is a case of retroactively changing the goals of a project to match the accomplishments, or whether this is just the way registrar's office droids see the problem of registration.

Eric W. Anderson, Chemical Engineering Dept., University of California
Berkeley CA 94720 ewanders@garnet.berkeley.edu ewanders@CMSA.berkeley.edu

------------------------------

Date: Wed, 15 Apr 92 11:53:55 -0500
From: kain@ee.umn.edu (R.Y. Kain)
Subject: Transcripts via e-mail

I don't understand what the objective of such transfers would be, since most schools require authenticated paper copies of such documents before acting on them in any serious manner (such as admitting a student). The risks associated with restricting access to those authorized (not only to see any transcripts, but also to see specific transcripts - of designated individuals) seem quite high.

On another aspect - the course numbering system - let me relate our experience at the University of Minnesota with computerized academic record keeping. Such records were kept by hand (pen and ink!) for longer than any one of us would believe. Then about 15-20 years ago they decided to install a computer to do the job. Before the change we had courses with identifiers that contained both letters and numbers, and some with one but not the other. For example, non-credit courses just had letters ("Math T" was remedial trig).
And sequence courses had the same number with letter appendages (EE 30A, 30B, 30C). But then someone announced that the computer could only handle four-digit course numbers and we went through a long transition. This entailed conversion booklets working in both directions, and confusion among faculty who were used to advising the students based on the old numbers. After about three years it wore off.

In EE we did obtain an advantage from the conversion - I suggested that we renumber so that the course number also indicated the sub-area within EE (thus computer related courses have numbers x350-x399 or x850-899, where x=3, 5, or 8). Why the x restriction? Well, nobody on campus is allowed to use numbers starting with 2, 4, 6, 7, or 9. And 0 and 1 correspond to no credit and lower division material, which doesn't include computers.

(A long digression, but perhaps interesting to others... I think that the difficulty of conversion, etc. makes any "standard" that doesn't encompass ALL course numbering systems worthless. BUT that assumes that the access control and authentication issues are also satisfactorily resolved!)

Richard Y. Kain, EE Dept., University of Minnesota Mpls, MN 55455, 612-625-3537

------------------------------

Date: Wed, 15 Apr 92 17:04:10 EDT
From: Shyamal Jajodia
Subject: Re: Academic Transcripts (Nico, RISKS-13.39)

Yes, it is true. The American Association of Collegiate Registrars and Admissions Officers (AACRAO) has a committee on SPEEDE (nifty eh!) for developing a national standard format for exchanging student transcripts over networks.

I agree with Bill Nico that the undertaking is fraught with risks but so is a trip to outer space. The important question is as Nico asks later what controls are being built in? I hope Bill is aware that grades can be obtained in several institutions over the phone even today.

The controls are no small matter because under the Family Education Rights Privacy Act (FERPA - Buckley Amendment) Universities must obtain written consent of the student before disclosing private records such as transcripts. I have seen this rule applied even when the person requesting the records is a parent of the student concerned.

I am also sure that a RISKS spotlight on this subject will help improve the controls in the system.

------------------------------

Date: 13 Apr 92 22:01:02 GMT
From: sheol!throopw@dg-rtp.dg.com (Wayne Throop)
Subject: Re: Public TV Series

>> [...] PBS will present "The Machine that Changed the World,"[...]
>> Perhaps it is risky not to see how our
>> industry is being popularized for the mass media.

Very true, I think. For example, in the very first program, I was interested to find out that Turing had established that anything a human can do, a computer can do. Of course, on the other hand, a PBS series a year or two ago included the interesting fact that Searle had established that computers could never have true understanding.

> Their coverage of the historical material was the most accurate and
> even handed I have ever seen. Their coverage of risks issues is also
> exemplary. I could seriously use them in undergraduate teaching and did
> not regard them in any way as "technopulp" for the masses.

Hmmmm. I've only seen the first one so far, but it really seemed to fall prey to the common risk of many popularizations and simplifications of "scientific" results. A few other examples of the kind of thing I'm thinking of from physics: quantum theory "proves" that Zen Buddhism or Taoism or whatever-"eastern"-ism is correct after all, chaos theory is the explanation of QM effects, the uncertainty principle arises because observers affect the observed.

The problem is that in simplifying and dramatizing and analogizing ideas for presentation to "the public", much of the actual information is squeezed out, and incorrect factoids creep in as replacement. It isn't at all apparent what can be done about it, but it seems to me to be both commonplace and quite RISKy.

Mind you, I don't disagree that the series is "historically accurate", and I have no problem recommending it, if you watch it with a large grain of salt to hand. But it seems to me to be too quick to oversimplify complicated issues (such as the Turing bit above, and the reason binary encodings were eventually settled on, and many more).

Wayne Throop ...!mcnc!dg-rtp!sheol!throopw

------------------------------

Date: Tue, 14 Apr 92 15:10:13 -0700
From: Dave Katz
Subject: PBS Program

A few things shot by in last night's presentation that struck me as surprisingly pseudo-techno (rather than thoroughly techno, as most of the content of the programs have been). The most amusing was in the discussion of "higher level languages," during which a FORTRAN program scrolled by. It looked like FORTRAN in form, but close inspection revealed lines of code like:

    151=15+1

An interesting assertion, but I suspect that even FORTRAN 66 compilers would reject it (rather than causing the booster rocket to fly off course, etc...). Somebody had to do a whole lot of typing to create the "program." T'would have been much easier to use a real FORTRAN source (but of course this would introduce other RISKs that have been oft-discussed in this forum).

------------------------------

Date: Tue, 14 Apr 1992 13:35:35 -0400
From: jhc@iscp.bellcore.com (Jonathan Clark)
Subject: US PBS stations *do* censor

In Risks 13:39, Brian Tompsett says:

  PBS, as the US readers now know, eventually broadcast Python in its unexpurgated form (BBC logos and all). Thanks should go to PBS for rendering this public service.

Alas, PBS have (at least partially) stopped doing this.
Last year's rerun of I, Claudius had previously broadcast scenes cut from it (this was hinted at, but not spelled out, in Alistair Cooke's introduction). WNET (my local big PBS station) claimed that they presented the program the way it was given to them by WGBH. Paradoxically, WGBH's retail offshoot (Signals), in its advert for the videotapes of the series, claims that ``this is the original, uncut, British production, including some scenes not shown in the PBS broadcast''.

I have noticed that the ``same'' programs shown on the BBC and on PBS often have cuts, usually relating to sex scenes, when they are broadcast in the US.

I, too, showed my feelings about the issue at pledge time, by *withholding* support, and telling the stations exactly why I was doing so.

Jonathan Clark, jhc@iscp.bellcore.com

------------------------------

Date: Wed, 15 Apr 92 12:59:11 CDT
From: "Matt Braun"
Subject: Re: The makers of the PBS series respond (Tompsett, RISKS-13.39)

> For those of you who are interested in these things, there is a US
> court case over the changing of TV programmes to "reflect the
> interests and knowledge of the different audiences". It involves the
> first US airing of "Monty Pythons Flying Circus" by a US network.
> The networks made "minor" changes to some sketches (removing some
> expletives) for a US audience.

Actually, this isn't quite true. ABC (the network in question) SAID that all they were going to do was remove expletives. In reality, they were editing three 30-minute shows down into one 68-minute show, allowing some 24 minutes for commercials (i.e. they removed almost 25% of the material.) They deleted sketches, rearranged the order of some of them, etc. ABC did not make minor edits--they performed major surgery. It's sort of like going under the knife for an ingrown toenail and emerging minus one leg.

> The python team sued and won, on the
> grounds that the changes substantially damaged their reputation.
> PBS, as the US readers now know, eventually broadcast Python in its
> unexpurgated form (BBC logos and all).

Yes, well, the changes *did* substantially alter the content of the program, and make the group appear to be less funny than they were. (For reference, see the excellent book by Robert Hewison, "Monty Python: The Case Against", ISBN 0-413-48660-5.)

In the case of "The Machine That Changed The World", imagine trying to fit commercials into it, say at 8 minutes per half hour. (That seems to be close to the going rate here in the States.) Again, you'd have to lose about 1/4 of the program. I'd worry if they made edits because they don't want to offend "Mr. and Mrs. America".

[... SLIGHTLY IMMODERATE BUT LIKELY EXAMPLES DELETED BY YOUR (IM)MODERATOR, TO STAVE OFF OBJECTIONS! PGN]

The Risk here? Um...the knives of the network gnomes? The Searing Scissors of the Censors?

------------------------------

End of RISKS-FORUM Digest 13.40
************************