10-Nov-86 20:01:47-PST,17772;000000000000 Mail-From: NEUMANN created at 10-Nov-86 20:00:06 Date: Mon 10 Nov 86 20:00:06-PST From: RISKS FORUM (Peter G. Neumann -- Coordinator) Subject: RISKS DIGEST 4.9 Sender: NEUMANN@CSL.SRI.COM To: RISKS-LIST@CSL.SRI.COM RISKS-LIST: RISKS-FORUM Digest, Monday, 10 November 1986 Volume 4 : Issue 9 FORUM ON RISKS TO THE PUBLIC IN COMPUTER SYSTEMS ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator Contents: Risk of aging (Lee F. Breisacher) Re: UK computer security audit (Henry Spencer) Lost files (Norman Yusol) Canard!! [Looping Mailers] (Lindsay F. Marshall) Friend-foe identification (Henry Spencer) Micros in Car Engines (Jed Sutherland) Information replacing knowledge (Bard Bloom, Herb Lin, Jerry Saltzer) Spelling becoming obsolete? (Ted Lee) They almost got me! [A motor-vehicle database saga] (Mark Hittinger) The RISKS Forum is moderated. Contributions should be relevant, sound, in good taste, objective, coherent, concise, nonrepetitious. Diversity is welcome. (Contributions to RISKS@CSL.SRI.COM, Requests to RISKS-Request@CSL.SRI.COM) (Back issues Vol i Issue j available in CSL.SRI.COM:RISKS-i.j. MAXj: Summary Contents Vol 1: RISKS-1.46; Vol 2: RISKS-2.57; Vol 3: RISKS-3.92.) ---------------------------------------------------------------------- Date: 10 Nov 86 12:26:56 PST (Monday) Subject: Risk of aging From: Breisacher.OsbuSouth@Xerox.COM (Lee F. Breisacher) To: RISKS@CSL.SRI.COM From LA Times, Saturday, November 8, 1986: G.C. Blodgett, a living legend as an outdoorsman in New England, drives a car to his favorite fishing spots from his home in West Babylon, Mass., but he almost quit this year when his insurance bill arrived. His son told the Providence Journal: "He wanted to know why the premium was three times as much as the previous year. So we called the insurance company, and after a while, the fellow there came back laughing and explained that their computer calculated premiums for drivers up to 100 years old. After that, it started at the beginning again, so he was being charged the premium of a teen-ager." Blodgett is 101. ------------------------------ From: hplabs!pyramid!utzoo!henry@ucbvax.Berkeley.EDU Date: Sun, 9 Nov 86 08:40:40 pst To: pyramid!CSL.SRI.COM!RISKS Subject: Re: UK computer security audit > The Guardian article paints a bleak picture of just how ill-prepared for > disaster the 50 or so companies visited are. 80% are not adequately > protected against fire, 96% are not protected against flood, (the two > exceptions had only installed detectors after sustaining water damage > previously), 70% don't have a stand-by power supply, ... It is worth noting that even the companies which theoretically *are* prepared may find their preparations wasted in practice. The first NYC blackout caught a number of hospitals with, so to speak, their pants down. Things like emergency generators with electric starters! Another example that I remember was a place that had a fine emergency generator, started up properly and actually ran for a while. Trouble was, it was in the basement, which was below the local water table and was kept dry by pumps running continuously. You guessed it, the pumps weren't on the emergency power. The only people who had reliable power throughout the blackout were the professional paranoids: the military and the phone company. It might be worth finding out whether there was any attempt to compile a list of such experiences from that blackout. I heard about this by chance. (The electrically-started-generator problem was larger than it looked. Modern power plants need startup power for things like pumps and control systems. No need for emergency generators, you can always get startup power from the network. But what do you do when the *whole* network is down? A combination of luck and improvisation sufficed that time.) Henry Spencer @ U of Toronto Zoology {allegra,ihnp4,decvax,pyramid}!utzoo!henry ------------------------------ Date: Sun, 9 Nov 86 18:57 EST From: Subject: Lost files To: risks-request@sri-csl.arpa [After a request to resend missing copies of RISKS-3.92, 4.1 and 4.2] I believe these files were lost on the net on 3 Nov. Apparently, one of the computers on Bitnet had a severe hardware crash and lost about 1500 files... Unfortunately, I don't have any more info on this. Norman [This happens far too often. I presume we need some research on really reliable, "guaranteed-service" protocols. On the other hand, the computational cost associated with such algorithms may be far too high for just sending net mail, and besides there is no such beast that will work correctly under all possible circumstances. PGN] ------------------------------ From: "Lindsay F. Marshall" Date: Mon, 10 Nov 86 09:40:12 gmt To: risks@csl.sri.com Subject: Canard!! [Looping Mailers] Let me hasten to assure the RISKS list that the 20 messages reported by PGN were not generated by our mailer at Newcastle as far as we can tell. I think that the problem was much further down the line. Lindsay [I thought about changing the SUBJECT line of this message to make it more explicit, but then I would be guilty of being a Canard Liner. However, since the implication of "canard" ("a fabricated story") is meaningful, I did not want to duck it. (An aquacktive nuisance.) Can anyone else provide a report of this happening elsewhere at the same time, on or around Friday, 7 Nov 86, 13:05:21 gmt? PGN] ------------------------------ From: hplabs!pyramid!utzoo!henry@ucbvax.Berkeley.EDU Date: Sun, 9 Nov 86 08:41:08 pst To: pyramid!CSL.SRI.COM!RISKS Subject: Friend-foe identification In the course of catching up on Flight International (the British analog to Aviation Leak), I ran across an interesting item in the 7 June 1986 issue. The UK Ministry of Defence officially admitted that a British helicopter, shot down in the Falklands War with all four aboard killed, was downed by a Sea Dart missile from a British destroyer. On 6 June 1982, HMS Cardiff reported shooting down an Argentine helicopter flying in darkness toward Port Stanley. It was actually a British Army Gazelle on a resupply flight between Darwin and Mount Pleasant. The lack of Argentine wreckage and the coincidence of timing were noticed, but a forensic investigation was unable to establish a firm connection. Forensic tests in the last year or so have pretty much settled the question. MoD apparently won't discuss how the misidentification occurred. (This sort of thing is far more common in combat than most people think. In WW2 there was a standing joke about how antiaircraft gunners decided whether an aircraft was friendly or hostile: approaching = hostile, receding = friendly.) Henry Spencer @ U of Toronto Zoology {allegra,ihnp4,decvax,pyramid}!utzoo!henry ------------------------------ Date: Mon, 10 Nov 86 09:32:27 pst From: jed sutherland To: risks@CSL.SRI.COM Subject: Micros in Car Engines Considering the amount of duties undertaken by micros in today's automobiles, I can only conclude that it is a case of "Because we can do it". Sure, computer controlled fuel injection is very efficient and is a good idea. But my brother just bought a new BMW with all sorts of standard stuff on it. It will tell you the outside temperature, warn you when the temp is low enough that the roads are likely to be icy, etc. The radio is more complicated than the oil pressure, water temperature indications. I am also amazed at the fact that one can buy a car with totally digital instrumentation. What possible advantage can there be to all of this? I noted a while back that when boosting the newer car, one runs the risk of blowing any computer that may be on board due to power surges. These things cost about $1000 to replace. Most mechanics nowadays are trained to identify the faulty module and replace it without trying to find the bad component. I think that the average driver loves all the pretty lights but doesn't usually use all his instruments anyway. For one thing, most drivers seem to be able to handle very little at one time and it is all they can do to keep the car between the lines. They don't need more distractions provided by today's auto-toys. Jed Sutherland ------------------------------ Date: Sun, 9 Nov 86 17:41:55 est From: Bard Bloom To: RISKS@CSL.SRI.COM Subject: Information replacing knowledge > As I see it, one of the greatest risks of widespread computing is that > we'll all stop learning... Most of the time, people learn things because someone (often the person herself) thinks the things are useful. So, for instance, very few Americans this decade know a whole lot about the care and tending of a horse or about the growing seasons of various plants, despite the fact that these were vital facts for much of the American population a century or two ago. Mathematics (e.g., things like algebra and basic set theory) have become a lot more popular. As the environment changes, the set of things chosen as "essential knowledge" changes. We may expect to see this continue, and a good thing too. I don't *want* to know a lot about mucking out stables. Some might argue that some things are good to learn in and of themselves. I'd agree for some areas (e.g., the arts), and disagree for others (e.g., spelling). > Are we reaching the point where being an expert simply means having a large > computer database, as opposed to years of learning and knowledge? I hope not. We might be reaching the point where being an expert means having a large computer database as well as knowing the subject well. This is not particularly different in character from having a large physical library in one's area of expertise, which most experts do. Part of the point of expertise it that one can do things that aren't in one's library or database. > I don't think we're there yet, but I fear that our society's heavy > emphasis on "information" and computing might be leading us there. Possibly so. I've noticed a general feeling that computer answers are more to be trusted than human ones. Bard Bloom, MIT ------------------------------ Date: Sun, 9 Nov 1986 15:52 EST From: LIN@XX.LCS.MIT.EDU To: (Daniel G. Rabe) Cc: risks@CSL.SRI.COM Subject: Information replacing knowledge From: (Daniel G. Rabe) As I see it, one of the greatest risks of widespread computing is that we'll all stop learning. We've got spelling checkers, so why bother learning to spell?... It's an old fear. It was said about Xeroxing -- and who has not had the experience of copying an article in the hopes that its information would seep from the file cabinet to the brain? It was said about books and printing -- and who has not bought a book without the same experience. It was apparently even said about writing -- and who has not wished that (s)he could speak as well as (s)he could write? That's not to say that all these fears are unjustified. But it is not new with the advent of computers. ------------------------------ Date: Sun, 9 Nov 86 18:52:04 EST To: RISKS FORUM (Peter G. Neumann -- Coordinator) Subject: Information replacing knowledge From: Jerome H. Saltzer > [...] some professional writers noticed that their sentences were > becoming shorter [...], as they relied on a 40-column, 8-line display... From what I have seen of the output of some professional writers, that is a RISK that I am willing to tolerate, perhaps even encourage. Jerry [It even sounds like a fine idea for RISKS contributors. PGN] ------------------------------ Date: Mon, 10 Nov 86 00:11 EST From: TMPLee@DOCKMASTER.ARPA Subject: Spelling becoming obsolete? To: Risks@CSL.SRI.COM Yes, spelling checkers are allowing students to get by without learning to spell -- *and the schools are endorsing that trend*! I have yet (slight hyperbole here) to get over the words I heard three years ago from our oldest son's seventh-grade English teacher (yes, "English"). It was during the beginning-of-the-year parents' orientation meeting where we have the opportunity to meet all the teachers and hear their plans for the year. I can't remember the precise context any more, but I think we had asked some kind of question about whether she took spelling into consideration in grading compositions. The answer was roughly this: "Not very much -- after all, all these kids will be using word processors in the future and won't have to know how to spell." Fortunately this view was not shared by most of the rest of the teachers. (The school district, by the way, and the particular junior high itself, is among the top few percent in the country, as judged by scores on the SAT and the various awards it has received.) ------------------------------ Date: Sun, 9 Nov 86 15:57 EDT From: Subject: They almost got me! [A motor-vehicle database saga] To: risks@csl.sri.com I scored big on some DEC call options recently. I used the proceeds to purchase an expensive 87 turbo mazda RX-7. After driving it for a month I realized my driver's license had been expired for a year. Kentucky sends you a post card when it is time to renew. I simply assumed that mine got lost somehow and went downtown to renew. They took my license and told me it was suspended in February of 85! Arg! Since my license was suspended I did not get a renewal notice. The clerk was very helpful and gave me a phone number to call. I called the number and the gentleman on the other end told me that because my license was issued under an older system, it would be awhile before he could retrieve my record and tell me why the suspension occurred. The State was switching over to a social security number based system, and evidently the old system existed only in hard copy form. He then said, "By the way, may I have your social security number? Please call us back after lunch and we should have some information for you." I called back and found out that a speeding ticket obtained in February of 85 had pushed me to the limit of "points" and that the state had sent me a notice to appear at court to plead my case. If I had shown up, the judge would have given me "traffic school" and I would have kept my license. I never received any notice. I didn't show up in court so they suspended my license for 6 months in retaliation. I asked the clerk on the phone to tell me where they sent the notice. He said "6103 glimmer way apartment 4". After finding out what the procedure for getting my license back was I thanked the clerk for his assistance. (Plot thickens here) In 1981 I lived at 8103 glimmer way apartment 4. In 1982 I moved from there, and sent the state a letter informing them of my change in address. I did not include my social security number. Since the state was converting from an older system to the new SSN based system the address change did not get made. Evidently, they just re-entered all the data from the old system to the new system and mis-keyed my address. State law states that my obligation was to inform them of a change in address. So, bottom line, I was driving from March 85 to November 86 with a suspended driver's license. I continued to pay auto insurance. I rented cars during several business trips (I consult on the side). I get another(!) speeding ticket on the interstate. The officer called in to "run" my license, but since it was "old-system" they didn't give him the info that I was suspended. I drove off, paid the fine, never heard anything. My car was towed twice for being parked improperly, I paid the fines, showed my license, got the car back twice. Here is the real kicker. My insurance company states clearly that they are not liable if I have an accident without a valid driver's license. The loan on the unfunded portion of my sleek black RX-7 states that if I don't maintain insurance I can be sued for the loan. What if....I had gotten in my RX-7 and wiped out some people and the car? I'd have been found to be in violation of the law, been denied insurance coverage, lost the funds I put in to the car, and still been liable for the remaining portion of the loan I took out!!!! Well I have my license back now, smiling in my RX-7 (insured). I feel VERY lucky that nothing happened to me. The total cost for me to get out of this one was $38! It makes me wonder if there others are in the same boat (massive personal liability indirectly induced by a change from one computer record system to another). I just fell through the cracks and didn't even know it. Mark Hittinger/systems programmer iv/ocis south center University of Louisville, Louisville, Ky 40292 sysmsh%ulkyvx.bitnet@wiscvm.wisc.edu ------------------------------ End of RISKS-FORUM Digest ************************ -------