Subject: RISKS DIGEST 15.58
REPLY-TO: risks@csl.sri.com

RISKS-LIST: RISKS-FORUM Digest  Weds 23 February 1994  Volume 15 : Issue 58

FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS
ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

***** See last item for information on RISKS (comp.risks) *****

Contents:
 E-Mail blunder at Olympics (David G. Novick)
 Dog Gets Card With $10G Limit (marc via PGN)
 Computer error adds to ad valorem tax for 300,000 people (James E. Burns)
 Embezzler caught by computer trail (James E. Burns)
 Software testing at Sizewell (Brad Dolan)
 Clipping Clinton and the Executive Branch... (Peter Wayner)
 Clipper: Love your country, don't trust its government (David Honig)
 Re: CompuServe Offers Credit Info (Steve Bellovin)
 Social RISKS of Universal IDs (John Oram)
 Re: SimHealth (Gerd Meissner, Bob Frankston)
 Re: Telephone Card Audit Trails (Jonathan I. Kamens)
 Re: E-Mail Courtesy (Jim Haynes, Bob Frankston)
 Re: Electronic Food Stamps (Colby Kraybill)
 Re: International Internet Association (Jeff Porten)
 Info on RISKS (comp.risks), contributions, subscriptions, FTP, etc.

----------------------------------------------------------------------

Date: Tue, 22 Feb 94 22:08 PST
From: novick@cse.ogi.edu (David G. Novick)
Subject: E-Mail blunder at Olympics

Here's another example of a familiar problem with a topical twist, as reported by the Portland "Oregonian" February 22, 1994, p. C5:

"Access Violation: Several U.S. reporters were contacted by Mike Moran, the U.S. Olympic Committee chief press attache, after they got Portland figure skater Tonya Harding's Olympic identification number and broke into her computer mail program.

"All persons with Olympic credentials have access to a computer mail system on which they can send notes to others and receive information. Access is through an individual's Olympic ID number and a password, typically the user's birthdate.
"The reporters got Harding's ID number through a blown-up photo and typed her birthdate to gain access to her messages. "The skater had received 61 messages by Sunday." David G. Novick, Dept of Comp Sci & Eng, Oregon Grad. Inst. of Sci. & Techn., P.O. Box 91000, Portland, OR 97291-1000 novick@cse.ogi.edu (503) 690-1156 ------------------------------ Date: Wed, 23 Feb 94 00:57:23 EST From: marc@MIT.EDU Subject: Dog Gets Card With $10G Limit We've all read stories here of how credit agencies have make mistakes. Sometimes, it isn't the consumer who loses. Marc [The PGN Excerpting Service provides the following summary of an AP item from Ballston NY, relayed by clarinews@clarinet.com, 14 Feb 1994. PGN] An eight-year old Brittany spaniel has her own $10,000 line of credit. Her owner began using her name on coupons and warranties, which then resulted in solicitations and finally an offer of a credit card. [Her pawtograph is apparently enough when she charges dog food. Perhaps she pours arf-and-arf over it.] PGN ------------------------------ Date: Wed, 23 Feb 94 15:48:27 EST From: burns@gauss.bellcore.com (James E. Burns) Subject: Computer error adds to ad valorem tax for 300,000 people The Atlanta Journal of 18 Feb 1994 carried an article by Chris Grimes describing an error in 300,000 auto tax bills (about 5% of the total). The error added $10 to $30 to the ad valorem portion of the bill. Apparently the mistake was caused by a patch added to correct a similar problem from the previous tax season. (Once again, the rule of thumb that a change to fix a bug has a 50% chance of introducing a new one seems to hold.) Officials expect the problem to be fixed for next year's tax season. (One wonders if the have a "three strikes and you're out" rule :-) Apparently, the State is not notifying motorists directly of the incorrect amounts --- they must contact their local tag offices to ask if there was an error. 
The article warns, however, that this might result in a higher bill since the errors apparently were both positive and negative.

James E. Burns, Bellcore, NVC-3X114, 331 Newman Springs Road, Red Bank, NJ 07701-5699  burns@nova.bellcore.com  (908) 758-2819

------------------------------

Date: Wed, 23 Feb 94 15:34:33 EST
From: burns@gauss.bellcore.com (James E. Burns)
Subject: Embezzler caught by computer trail

An article by Davidson Taylor that appeared in the 18 Feb 1994 issue of the Asbury Park Press (NJ) described the arrest of a teller of a local credit union for embezzling $15,000. The embezzling was allegedly done on the teller's last day of work, 8 Mar 90. There is a supposition that the teller might have destroyed the paper trail; she was apparently caught through computer auditing by the Federal Reserve, which notified the credit union on 19 Mar 90. No clear explanation was given for the nearly four year delay in filing charges.

Of interest to RISKS readers was the quote from Assistant U.S. Attorney Jay McMahon regarding the detection of the fraud: "You can't destroy computer records."

James E. Burns, Bellcore, NVC-3X114, 331 Newman Springs Road, Red Bank, NJ 07701-5699  burns@nova.bellcore.com  (908) 758-2819

------------------------------

Date: Wed, 23 Feb 1994 12:32:02 -0800
From: Brad Dolan
Subject: Software testing at Sizewell

[Note: British NII is not US NII]

TESTING THE SOFTWARE
[Nuclear Engineering International, 12/93, p.10]

Britain's Nuclear Installations Inspectorate is satisfied that the software for the Sizewell B Primary Protection System (PPS) will be adequate for its role - provided that no further major issues arise from NII's continuing assessment or from the commissioning trials now underway, that the various ongoing independent assessments are completed successfully, and that a "clean" dynamic testing demonstration is achieved.

The NII does not believe that Nuclear Electric's original PPS integrity target (10E-04 probability of failure per demand as proposed in the Pre-Construction Safety Report) has been fully demonstrated - it was always regarded as a very tall order by the regulators - but it does accept that the overall safety case for the plant "can accommodate, without significant detriment, a lower integrity for the PPS."

These conclusions are part of a status report on NII's assessment of the PPS presented by NII staff to the Advisory Committee on the Safety of Nuclear Installations on 1 July. In October, the UK trade newspaper _Computer Weekly_ took the innovative step of helping the nuclear industry in its mission to be more transparent by making the leaked report available to readers (at 2 pounds to cover copying and postage).

The NII notes that two main themes have emerged from its assessment of the Sizewell B PPS software. On one hand there is complexity of design, which "has made the task of demonstrating a high integrity for the system particularly difficult." On the other hand there is the compensatory effect of examination and testing, not only by the supplier, Westinghouse, but also by a range of organisations in the UK: "no other reactor protection system in the world, past or present, has received more attention than the PPS" (see NEI, March 1993, pp. 28-33, for a flavour of the 500 person-year effort).

Because of the difficulties of quantitative demonstration of software reliability, NII has adopted a "special case procedure" consisting of two legs: demonstrating excellence of production; and an onerous programme of confirmatory independent assessment, to build confidence that the required dependability has been delivered (see NEI, September 1991, pp. 38-40).

The independent assessment is still going on. Because of the huge effort entailed, it was always expected to "run right up till the eleventh hour" says David Hunns of the NII.

The dynamic testing, which has received a good deal of publicity recently, is just one part of the independent assessment programme. Originally offered by the utility on a voluntary basis, the dynamic testing uses a "test harness" to subject an actual guardline of the PPS to a sample of the inputs it might see during selected fault scenarios and then to compare the output from the guardline against what it should have been according to a logical model based on the specifications of the PPS.

Unfortunately, in about 52% of the 49694 valid tests performed in the 6 month programme ending December 1992 there was a discrepancy between the actual and expected PPS output. About 90% of the failed runs have been ascribed to inadequacies of the test harness (in particular limitations in its modelling of PPS characteristics) rather than the PPS itself, but the NII wants a complete explanation of all the reasons for failure and demonstration of a "clean" test run with the test harness performing satisfactorily. More tests are underway.

Brad Dolan  bdolan@well.sf.ca.us  10ATT.0.700.NUCLEAR  ask me about PGP

------------------------------

Date: Wed, 23 Feb 1994 13:28:19 -0500
From: Peter Wayner
Subject: Clipping Clinton and the Executive Branch...

In a recent samizdat, I've heard that the National Intelligence Agencies are urging the White House to use Clipper for its own internal system. It sounds like a good plan to lead by example, right?

Unfortunately, I would resist using such a system if I was the President. Why? Because Washington is filled with intramural spooks watching other branches of the government. Most of the folks in privacy groups like to imagine the Clipper chip as an instrument of government oppression directed toward the common folks. In reality, I would bet that a number of phone taps are agency-vs-agency, intramural things.

For instance, Bill Safire found out that his phone was tapped while he was a speechwriter for Nixon.
A recent internal investigation by the DOJ revealed that there was an internal eavesdropping system for listening into different branches of the DOJ. Internal Phone calls were routinely recorded.

This is why, I believe, that 13 state legislatures ban their state and local police from using phone taps. These taps would give the folks who run the local police a good deal of intelligence about state-wide issues and spending.

This is also why the recent Bush-to-Clinton transition was such a mess. The clintonians arrived to find computers stripped of their hard disks. Why? Because it is possible to retrieve info from hard disks long after they've been erased. Also, the Clintons stripped out the phone system and had a new one installed? Why? Who knew what bugs were left in place.

Of course the most important reason not to adopt the Clipper for White House use was on the cover of the NYT today. A CIA analyst was finally caught spying for the Soviets. He was supposed to have netted at least 1.5 million dollars for his information. I was particularly struck by the size of the house that he bought for $500,000 in allegedly ill-gotten cash. It wasn't that big. Life in Washington is very expensive-- especially for the clerks and career employees of NIST and the Treasury Dept. If you need to sell out to get this house, it must be tough to sit there on top of the keys to every conversation in america and be happy in your rundown bungalow and Reagan era sedan.

------------------------------

Date: Wed, 23 Feb 1994 11:31:11 -0800
From: David Honig
Subject: Clipper: Love your country, don't trust its government

   [... Further comment after noting the CIA story:]

So, you can buy a high ranking CIA person (who ran the *counter*intelligence branch for 2 years) for a measly $1.5 million. I wonder how much a pair of Clipper-key-escrow agency people will cost?

------------------------------

Date: Tue, 22 Feb 94 22:49:24 EST
From: smb@research.att.com
Subject: Re: CompuServe Offers Credit Info

   CompuServe Inc. and National Information Bureau Ltd. (NIB) have agreed to give CompuServe users access to NIB's credit information, as well as motor vehicle, workers' compensation, ...

The AP ran a correction to this story today. They noted that only National Information Bureau customers would have access to the information. (But the article did not say how that would be enforced.)

   [Also noted by Chuck Weinstock . PGN]

------------------------------

Date: Wed, 23 Feb 1994 01:00:23 -0800
From: oramy92@halcyon.com (John Oram)
Subject: Social RISKS of Universal IDs

This was in the op-ed section of the Globe & Mail last Friday (23 Feb). As it is a relatively non-technical description, I'm not sure how appropriate it is for this forum, but it presents a fairly eloquent argument outlining the potential social RISKS of universal ID cards.

=-=-=-=-=-=-=

*Your identity card please*

Ontario's Social Services Minister is worried about welfare fraud, but doesn't want to stigmatize welfare recipients by singling them out for fingerprinting. So Tony Silio has seized on a clever alternative: require _everyone_ in Canada, whether or not they are on welfare, to carry a universal identity card. Citizens wouldn't have to clutter their wallets with a separate driver's license, age-of-majority card, health card and so on. It would be adorned with a photograph and (possibly) a digitized fingerprint.

How efficient. How practical. How unwise.

It's always difficult to argue against such schemes because they are, on the surface, so sensible.
There is no doubt at all that a universal ID card would make life easier for all kinds of authorities, from the welfare people (who could easily prevent multiple claims) to health care administrators (who could catch out-of-province and out-of-country freeloaders) to the police (who could quickly check the identity of suspected wrong-doers, whether or not they are licensed to drive). For honest Canadians, they would make daily life a little more convenient without posing any immediate threat -- just as photo radar on the highways poses no immediate threat to people who do not speed, or video cameras on street corners pose no immediate threat to people who don't vandalize public property.

Why, then, do all these things give us a chill? Critics would say it is irrational fear, an automatic reaction to any measure, however reasonable, that reeks of Big Brother. They would be partly right. Few opponents of identity cards really expect Canada to become a police state the day after they are introduced. Their opposition springs instead from instinct, a gut feeling that a society that makes its members carry an identity card is, however intangibly, less free. It is, on the whole, an admirable instinct.

There are many practical objections, too. The very existence of a unified identity card would invite invasions of privacy. Advances in microchips and other technologies have made it possible to put an immense store of information on a simple plastic card. If such a card can carry a digitalized fingerprint, it can also be designed to contain the holder's medical history (handy for insurance companies), credit record (convenient for banks and stores) or criminal record and probation status (nice for the police). Thanks to computer networks, this sort of information can easily be shared among various agencies.

At present, we are at least partially protected by the fact that we carry separate cards for separate things.
A person who is pulled over by the police for speeding expects to hand over his driver's licence because he knows that holding such a license is required to operate a car. He does not expect simultaneously to hand over his welfare, medical or employment ID. The merit of separate cards is that each agency of the government has access only to the information that it clearly and demonstrably needs.

Canadians already must carry a host of identification cards they did not need in the past. Ontario, for example, only recently required residents to present a health card when visiting the doctor. Until 1964, there was no such thing as a social insurance number. But if a citizen is not applying for a job, paying his taxes, going to the doctor or driving a car, he can still leave his wallet and home and walk down the street without a scrap of identification in his pocket, defined not by a piece of plastic but by his status as an individual.

That is a feeling that citizens of most countries do not enjoy. It is one Canadians should not let slip away.

------------------------------

Date: 23 Feb 94 05:19:42 EST
From: Gerd Meissner <100064.3164@CompuServe.COM>
Subject: Re: SimHealth (RISKS-15.57)

SimHealth, introduced in Washington D.C. last November, was developed by Maxis Business Simulations, which is a special unit of that company. It was developed, as I've learned, for the Markle Foundation as kind of "demonstration/educational tool" for students and community colleges etc. to show, discuss and learn about some basics of health reforms and politics.

The only "risk" I see is that the result is better informed, critical citizens.

Regards, Gerd

------------------------------

Date: Wed, 23 Feb 1994 00:40 -0400
From: Bob_Frankston@frankston.com
Subject: Re: SimHealth

One general issue of the Sim series is that they portray certain viewpoints of how the world operates and don't pretend to be objective.
As noted, there is a danger in using the simulations to understand public policies where just about every parameter is debatable. One benefit is making people appreciate the complexity of interacting systems.

I'm reminded of the Apple ads of a decade ago arguing that pretending to dissect a frog on an Apple ][ was just as good as cutting open a real frog.

It is also worth noting that the Psychic Hotlines on the 900 #'s are listed in small type as "for entertainment purposes only". How much of their audience consists of people who are spending $300/hr just to play a game.

Maxis makes fine software and great games with a number of valid lessons. Too bad schools don't teach much about models vs reality.

------------------------------

Date: Wed, 23 Feb 1994 09:34:56 -0500
From: "Jonathan I. Kamens"
Subject: Re: Telephone Card Audit Trails (Baube, RISKS-15.57)

What happens when the police arrest a suspect in some crime, find a prepaid phone card on him, take the phone card to the telephone company, and say, "Tell us what calls were made with this card?"

What happens if the enemies of a prominent businessman engaged in private negotiations hire someone to mug him to get his phone card, take the phone card to the telephone company pretending to be the legitimate owner, and claim that it malfunctioned? Will they be able to look at the screen the operator pulls up with the phone numbers called on it?

What happens if they don't bother to go to the telephone company directly, and instead just break into the telephone company's computers and read the number off of the stolen card themselves?

This doesn't sound like an "anonymous" system at all.

An alternative system that would do a much better job of protecting users' privacy would be to allow users to type a special code on the pay phone if their card malfunctions while placing a call. That code would cause *that call only* to be recorded in the telephone company's computers.
No explicit action by the user means no records in the computer.

Jonathan Kamens  |  OpenVision Technologies, Inc.  |  jik@security.ov.com

------------------------------

Date: Wed, 23 Feb 1994 09:21:55 -0800
From: haynes@cats.ucsc.edu (Jim Haynes)
Subject: Re: E-Mail Courtesy (RISKS-15.57)

The flip side of this issue (inappropriate questions posted to news or list server when the questioner should have used the library first) is that it's ego-gratifying to answer questions. So for every simple question there are likely to be dozens of answers, some sent to the asker in private e-mail but many posted back to the list or newsgroup.

There is, however, a socially redeeming aspect of all this. When dozens of answers are posted many of them will be slightly or completely wrong. One learns, over a period of time, just how unreliable information obtained on the net can be, and whose answers tend to be the most reliable.

------------------------------

Date: Wed, 23 Feb 1994 00:41 -0400
From: Bob_Frankston@frankston.com
Subject: Re: E-Mail Courtesy

I'd pose the complaint differently. The argument that one should trek miles to the public library to look at the berries on wood pulp before querying the electronic medium is misdirected.

There is a valid complaint that reasonable discussions should be stratified according to some measure of common interest or expertise. This is going to be an increasingly serious issue as the network grows, especially in the absence of control mechanisms such as financial incentives and/or an established etiquette.

Asking questions online is more a symptom of the lack of effective information retrieval technology in this medium (net surfing is not the final answer) and is more a teething problem.

Yes, deciding not to don one's winter gear and head out into the blizzard is laziness. But it is precisely this laziness that will force the issues and encourage people to make this new medium work. If it breaks, fix it.
You can ask people to hold back until the problem is solved but don't blame them for the problem.

I do get a cultural jolt when I use an online catalog only to find I've actually got to find the pbook.

------------------------------

Date: Wed, 23 Feb 94 11:12:58 MST
From: opus@herschel.unm.edu (Colby Kraybill)
Subject: Re: Electronic Food Stamps (Kabay, RISKS-15.54)

The same program has been floating about New Mexico over a year now. It works very well, I should know, I use it. It is very convenient. My card has a little 'Money card' symbol on the back, name of the service is called Electronic Benefits Transfer or EBT.

Some of the propaganda on the card and its protective sheath :

   Warning : It's a crime to illegally use, transfer, acquire, alter or possess food stamps or authorized cards. Persons convicted may be FINED AND/OR IMPRISONED. PENALTIES ARE SEVERE.

   (on the card) This card remains the property of the State of New Mexico Human Services Department and is subject to the terms and conditions under which it is issued. If found etc.. etc..

In any case, I think that the security of the card is much better than carrying around paper food stamps which someone without the knowledge of your PIN could use.

Colby Kraybill - University of New Mexico - I.F.A.-H.E.P  opus@unm.edu

------------------------------

Date: Tue, 22 Feb 94 13:53:51 EST
From: jeffporten@aol.com
Subject: Re: International Internet Association (RISKS-15.49)

Concerning the Washington Post article about the International Internet Association that was mentioned in RISKS-15.49:

The tone of the original article in the Post and the RISKS followup were along the lines of "Gee, isn't it a shame that this legitimate organization has had its reputation impugned by someone who was too quick on the trigger in his e-mail." There's another side to this story that I'd like to share.

I'm a member of an informal network of organizations in the DC area that work with student and youth activists.
We meet for dinner once a month, and a running joke for the last few meetings has been the IIA. Several of us have gotten faxes from the IIA, which promised free Internet access and a forthcoming larger packet of information that never materialized. Contact was frequent enough to keep us joking and wonder who these people were, but the whole thing had a very fly-by-night feel to it.

First off, an organization called the International Internet Association appears out of nowhere... one would have thought that an organization like that would have made itself known *on* the Internet in order to build its reputation. Second, the letterhead consisted of clip art of a world map with IIA typed over it -- materials that could have been thrown together in about 15 seconds with no monetary investment, especially since everything we saw arrived by fax.

All of this was merely quaint, until they asked us for a credit-card number for a *free* account. As soon as I saw that, I told the rest of the group to stay as far away from these people as possible; the whole thing just screamed "scam", and I am still not convinced otherwise.

------------------------------

Date: ongoing
From: RISKS-request@csl.sri.com
Subject: Info on RISKS (comp.risks), contributions, subscriptions, FTP, etc.

The RISKS Forum is a moderated digest. Its USENET equivalent is comp.risks. Undigestifiers are available throughout the Internet, but not from RISKS.

SUBSCRIPTIONS: PLEASE read RISKS as a newsgroup on your system, if possible and convenient for you. BITNET folks may use a LISTSERV (e.g., LISTSERV@UGA) with SUBSCRIBE RISKS or UNSUBSCRIBE RISKS as needed. Users on US Military and Government machines should contact (Dennis Rears). UK subscribers please contact . Local redistribution services are provided at many other sites as well. Check FIRST with your local system or netnews wizards. If that does not work, send requests to (not automated).

CONTRIBUTIONS: to risks@csl.sri.com, with appropriate, substantive Subject: line, otherwise they may be ignored. Must be relevant, sound, in good taste, objective, cogent, coherent, concise, and nonrepetitious. Diversity is welcome, but not personal attacks. PLEASE DO NOT INCLUDE ENTIRE PREVIOUS MESSAGES in responses to them. Contributions will not be ACKed; the load is too great. **PLEASE** include your name & legitimate Internet FROM: address, especially from .UUCP and .BITNET folks. Anonymized mail is not accepted. ALL CONTRIBUTIONS CONSIDERED AS PERSONAL COMMENTS; USUAL DISCLAIMERS APPLY. Relevant contributions may appear in the RISKS section of regular issues of ACM SIGSOFT's SOFTWARE ENGINEERING NOTES, unless you state otherwise.

ARCHIVES: "FTP CRVAX.SRI.COM<CR>login anonymous<CR>YourName<CR> CD RISKS:<CR>GET RISKS-i.j" (where i=1 to 15, j always TWO digits) for Vol i Issue j. Vol i summaries in j=00; "dir risks-*.*" gives directory; "bye" logs out. The COLON in "CD RISKS:" is vital. CRVAX.SRI.COM = [128.18.30.65]; <CR>=CarriageReturn; FTPs may differ; UNIX prompts for username, password. WAIS and bitftp@pucc.Princeton.EDU are alternative repositories.

FAX: ONLY IF YOU CANNOT GET RISKS ON-LINE, you may be interested in receiving it via fax; phone +1 (818) 225-2800, or fax +1 (818) 225-7203 for info regarding fax delivery. PLEASE DO NOT USE THOSE NUMBERS FOR GENERAL RISKS COMMUNICATIONS; as a last resort you may try phone PGN at +1 (415) 859-2375 if you cannot E-mail risks-request@CSL.SRI.COM .

------------------------------

End of RISKS-FORUM Digest 15.58
************************