RISKS-LIST: RISKS-FORUM Digest  Tuesday 29 March 1988  Volume 6 : Issue 51

        FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS
   ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Contents:
  Drive-by-wire BMW (Zdybel)
  Re: High Tech Trucking (Franklin Anthes)
  Countering driver aggression (Leisa Condie)
  Risks in diving computers (J M Hicks)
  Why gamble on non-redundant systems? (Roy Smith) [lotto]
  RISKS of using the "AT&T Public Phone Plus" (Henry Mensch)
  The risks of rumours (Dave Horsfall)
  Credit-limit handling found overly restrictive (Wm Brown III)
  Program prejudice and psychological testing (Prentiss Riddle)
  Funny phone (Steve Strassmann)
  Risks there and whoops! still there! (A.E. Mossberg)

The RISKS Forum is moderated.  Contributions should be relevant, sound, in good
taste, objective, coherent, concise, nonrepetitious.  Diversity is welcome.
Contributions to RISKS@CSL.SRI.COM, Requests to RISKS-Request@CSL.SRI.COM.
For Vol i issue j, FTP SRI.COM, CD STRIPE:, GET RISKS-i.j.
Volume summaries in (i, max j) = (1,46),(2,57),(3,92),(4,97),(5,85).

----------------------------------------------------------------------

Date: Thu, 24 Mar 88 18:55:28 PST
From: Zdybel.pa@Xerox.COM
Subject: Drive-by-wire BMW

Referring to Jonathan Jacky's message about 'drive by wire':

> 'Recently BMW in West Germany introduced a V-12 drive-by-wire automobile...

The car you're referring to can only be the V-12 powered BMW 750iL, just
introduced.  In this case, 'drive by wire' means throttle control, not
steering control.  The following excerpt is from the November 87 issue of
'Road and Track', pp. 73:

"Each bank of cylinders sports its own Bosch Motronic engine-management system
as well as separate air-mass meters, fuel supply, fuel pumps and electronic
"drive-by-wire" accelerator.  An automotive first from aircraft practice, the
drive-by-wire accelerator signals the fuel injection electronically; there's
no direct mechanical linkage.
Also from aircraft practice, dual systems have an obvious benefit: In the
event one of these electronic wunder-banks fails, the other side is bound and
determined to get you back home safely, albeit under half power."

Apparently, one of the reasons BMW has taken this approach is in order to
enable a feature they call ASC (Automatic Stability Control).  From the same
article, pp. 74:

"ASC is a wonderful feature that, when activated from a switch on the center
console, helps prevent uncontrolled wheelspin under varying road conditions,
whether slippery, dry or a combination of both.  With ASC engaged, we found it
nearly impossible to break the rear end loose, but once we deactivated the
system, tail-out driving was a possibility.  Snowbound 750 owners will
certainly welcome this device as readily as ABS braking."

The article does not discuss what measures BMW engineers may have taken to
ensure that the 'drive-by-wire' throttle fails 'safe.'

------------------------------

Date: Thu, 24 Mar 88 11:22:18 +0200
From: mcvax!geocub!anthes@uunet.UU.NET (Franklin Anthes)
Subject: Re: High Tech Trucking
Organization: Greco de programmation, Bordeaux France

Over here in France a black-box system has existed for quite a while now.  It
isn't a computer, and its output goes to a paper disk, so it probably can be
tampered with.  The two things that I know of that can be checked with this
device are:

  - speed of vehicle
  - time spent by driver without resting.

The device is used on trucks and busses.  Over here most truck drivers drive
alone, so if the truck is driven for 15 hours straight, that means the driver
has been driving all that time.

The only cases I have heard of the output of the black-box being used, is when
an accident has taken place.  The output can help determine the causes and the
responsibilities involved.  It may be used at other times, but it just doesn't
make the news.
Frank Anthes-Harper     ....!ucbvax!decvax!uunet!mcvax!inria!geocub!anthes

------------------------------

Date: Fri, 25 Mar 88 08:43:38 est
From: munnari!csadfa.oz.au!phoenix@uunet.UU.NET (Leisa Condie)
Subject: Countering driver aggression

[For those of you who have not seen it]
IEEE Spectrum (Tools and Toys section), Feb. 1988, without permission:

Curbing homicidal impulses

Revenger lets the frustrated driver vent aggressive impulses by emitting loud
sounds.  The instrument, which looks like a radar detector and attaches to
your vehicle's dashboard, contains a sound chip and a row of
light-emitting-diodes.  When the Revenger is turned on, the LEDs start
flashing, and the driver has the option of pressing three buttons:
machine-gun (rat-a-tat-tat), grenade launcher (a whistle and a boom) or a
death ray (a high-pitched, oscillating frequency).  Mike Grubbs, vice
president of the company that makes Revenger, jested about the death ray:
"That's something that you might aim when a pedestrian walks out in front of
you".  Revenger is available through major retailers for $20-$25.

------------------------------

Date: Tue, 29 Mar 88 09:39:23 GMT
From: J M Hicks
Subject: Risks in diving computers     ["diving", not "driving"]

A colleague who goes diving once or twice a month told me about a diving
computer.  In order to avoid the bends, a diver must not come to the surface
too fast (unless there is a decompression chamber).  There are tables for
divers to follow showing how fast a diver may ascend safely, but these are
based on the assumption that the diver descends, remains at the same depth for
some time, and then comes to the surface.  In practice, of course, divers go
repeatedly up a little and down a little during the time they spend
underwater.  The computer is supposed to be able to work out how fast the
diver should ascend after a complicated pattern of going up and down
underwater.  Apparently for a simple dive the computer takes a more
conservative view than the accepted tables.
The usual display given by the computer shows the diver's depth.  If the diver
is going up too fast, the message "ASCEND MORE SLOWLY" appears for three
seconds, alternating with the usual display, which also lasts for three
seconds.  My colleague reckons the diver is more interested in his depth, and
it is a great temptation to ignore the warning message because it obscures the
depth display and come to the surface anyway.  Most of the time divers who do
this don't suffer, I think, because the computer takes a cautious view (I am
told it has several physiological models to work with).

Poor human interfaces have been discussed in this forum many times, but what
opinions do people have of users' behaviour when a simple system is replaced
by a complicated system that they do not understand and they can probably
ignore because it takes a conservative view?

J. M. Hicks (a.k.a. Hilary),
Computing Services, Warwick University, Coventry, England.  CV4 7AL
On JANET:     cudat@UK.AC.WARWICK.CU (in the U.K.), cudat@cu.warwick.ac.uk (abroad)
From ARPAnet: try cudat%cu.warwick.ac.uk@cunyvm.cuny.edu (untested)
On uucp:      ...!ihnp4!mcvax!ukc!warwick!cudat
It helps if you spell "cudat" in lower case.

   [Sensitive users will note that quite a few systems are case sensitive.
   It began with Multics, as I recall.  PGN]

------------------------------

Date: 29 Mar 88 03:29:20 GMT
From: roy%phri@uunet.UU.NET (Roy Smith)
Subject: Why gamble on non-redundant systems? [lotto]

We all know about the advantages of redundant systems; have two parallel
systems so when one computer crashes you can keep running with the other,
perhaps at reduced efficiency.  For critical systems, redundancy is a must.
All that's left now is to define just what makes a critical system.  Would you
believe Lotto?

I heard an ad on the radio yesterday from the New York State Lotto commission.
It seems that they have split their network into two halves, each running
independently.
Ticket sellers have either blue or green Lotto signs, depending on which
system they are on, and each geographical area has some of each.  So, boast
the Lotto folks, if one system goes down, you can still buy tickets and claim
cash prizes from ticket sellers with the other color sign.

I'm still at the mercy of a single system to get my pay check printed out on
time, but it sure is comforting to know that I don't have to worry about being
able to buy a Lotto ticket whenever I want to.

Roy Smith, {allegra,cmcl2,philabs}!phri!roy
System Administrator, Public Health Research Institute
455 First Avenue, New York, NY 10016

   [That is indeed a critical system in the eyes of many!  PGN]

------------------------------

Date: Mon, 28 Mar 88 23:38:54 EST
From: henry@GARP.MIT.EDU (Henry Mensch)
Subject: RISKS of using the "AT&T Public Phone Plus"

The AT&T Public Phone Plus service is most often found in airports, rail
stations, etc.  There is a card reader at the bottom of the phone which will
do the right thing (purportedly) with your AT&T card (I didn't think to try
my FoNCard), a bank card, or an AmEx/DinersClub/etc.

Some days ago I was in Boston's Logan Airport and I spotted one of these
phones so I went up to investigate.  Instead of seeing a "Welcome" sort of
screen on the display, I saw a display which read "if you want to make another
call, press the button."  Further inspection revealed that the receiver, while
sitting in the hangup hook, didn't fit well enough to depress the lever which
would have terminated the calling session.

Over the next few days I noted that the same situation existed on other
"Public Phone Plus" devices in remote places (other terminals of Logan
Airport, as well as JFK and LAG airports).

Hasn't anyone been burned by this yet?
# Henry Mensch /  / E40-379 MIT,  Cambridge, MA
# {ames,cca,rochester,harvard,mit-eddie}!garp!henry

------------------------------

Date: Tue, 29 Mar 88 11:04:22 est
From: munnari!stcns3.stc.oz.au!dave@uunet.UU.NET (Dave Horsfall)
Subject: The risks of rumours

I thought this might make a good RISKS item, as it resembles the shutdown of a
computer network because of a perceived hacker threat (sorry I can't remember
which issue!).

A colleague told me the other day that he'd heard that the Australian Federal
Police were going through the various Universities, armed with a search
warrant, looking for pirated software on PC hard disks.  I could not find
anyone who actually _saw_ this, but they'd all "heard of it".  However, the
threat was sufficient to cause people to stay up at all hours, reformatting
their disks!

I subsequently received the following reply from someone who would rather
remain anonymous:

> We heard about this too!  It caused quite a panic around here until the
> Dean phoned around to other Faculties/Unis.  It is not true.  We heard that
> Macquarie had been 'hit', they thought that SU had been hit & SU thought
> that we had.  It apparently partly stems from a letter that was circulated
> at ANU warning people there about the risks of software piracy & the uni
> refusing to take any blame for stolen programs.  It may well have been due
> to some rumour planting by FAST itself.  As you said though, a lot of
> people got rid of pirated software.  At least now people have thought about
> what they are doing/have done.

Who are "FAST"?  Federation Against Software Theft - a commercial outfit
consisting of the head honchos from the various software distributors, who
think they can stamp out software piracy.
Dave Horsfall (VK2KFU), Alcatel-STC Australia, dave@stcns3.stc.oz
dave%stcns3.stc.OZ.AU@uunet.UU.NET, ...munnari!stcns3.stc.OZ.AU!dave

------------------------------

Date: Tue, 29 Mar 88 13:48 PST
From: Wm Brown III
Subject: Credit-limit handling found overly restrictive (RISKS-6.50)

> Date: Mon, 28 Mar 1988 19:06 EST
> From: LENOIL@XX.LCS.MIT.EDU
>
> I assume that the number is used to remove the associated hold, which is
> then replaced with the actual charge.  If your bank doesn't work this way,
> you should switch to one that does.  (I've never had a problem with my
> Citibank MasterCard, so I don't think the problem is endemic to
> MasterCards.)

Look at the number of characters in an authorization code; it is far too small
to reflect the number of authorizations issued by just one processing center
on one busy day.  I believe that the banks are really interested in covering
their soft parts, as usual, rather than making the system airtight.  All they
need to prove is that an authorization was (or was not) obtained at the time
of sale.

I know from personal experience that authorizations are frequently issued for
estimated amounts; most hotels call for them as soon as someone checks in,
long before phone or room service charges can even be estimated.  Restaurants
frequently bring back charge slips for signature without a total, but with an
authorization code.

I don't think that authorization codes are actually generated by the bank
which issued your credit card.  The merchant calls HIS bank's processing
center (which may serve many different banks); that center's computer verifies
the credit available on your account, then IT issues a number which the
merchant writes on the charge slip.  The only time anyone really cares about
that number is when you don't pay your bill.  Then the important question is
whether the merchant really DID call for authorization before accepting your
plastic (in which case it becomes the bank's problem) or not (in which case he
eats the loss).
It's just electronic finger-pointing.  I would speculate that the codes are
some sort of hash of date, time, account number(s) etc. which would make it
impossible for the merchant to dummy up an authorization after the fact.

As to not having problems with your card, the system is designed to be almost
invisible under normal circumstances.  Unless you charge a lot of estimated
amounts AND are near your credit limit, you probably won't ever know that it
is there.  The only way I have found to check on it is to obtain both your
current debt and available credit from an on-line source (such as an ATM).  If
they total to less than your maximum line, there is probably a hold floating
around in there.

   [The authorization code is a protection for the card acceptor.  If the card
   authorizer grants an authorization code, then it will grant the payment.
   Otherwise maybe not, e.g., if the account is bogus!  PGN]

------------------------------

Date: 22 Mar 88 14:09:58 GMT
From: ut-sally!im4u!woton!riddle@uunet.uu.net (Prentiss Riddle)
Subject: Program prejudice and psychological testing
Organization: Shriners Burns Institute, Galveston

>> Your answers to a few meaningless questions on a job interview could be
>> interpreted for drug use, integrity of character, and watching Saturday
>> Morning Cartoons.

This is another case in which computers only facilitate an already existing
risky practice.  Corporate personnel offices have been misusing psychological
testing for years.  A member of my family was once diagnosed as "neurotic" by
an employer (who then in a fit of paternalism informed the employee's spouse
but not the employee).  I mistrust psychological testing even in the hands of
professionals trained to appreciate its limits; if widely used for personnel
decisions it could exceed even bogus lie detector tests in the damage it might
do to innocent individuals' careers and lives.
-- Prentiss Riddle ("Aprendiz de todo, maestro de nada.")
-- Opinions expressed are not necessarily those of my employer.
-- riddle%woton.uucp@cs.utexas.edu  {ihnp4,uunet}!ut-sally!im4u!woton!riddle

------------------------------

Date: Thu, 24 Mar 88 02:44 EST
From: Steve Strassmann
Subject: funny phone

My father uses a service provided by the Peoples Phone Company of Connecticut.
From anywhere in the US, you can dial an 800 number, and then enter a password
(via touchtone) to call him or a third party, and he gets the bill.  Many PPC
customers share the same 800 number.  Unfortunately, the service was widely
abused when this number became widely known, so it was changed.

Last week I was greatly amused to discover:

(1) although the phone number was changed, the passwords weren't, because
    (according to the president of PPC) they "didn't want to inconvenience
    existing users too much."

(2) when you dialed the old 800 number, you got a recording saying "This
    number is no longer in service... the NEW number is ...."

Needless to say, yet another change is in the works.

Steve Strassmann, MIT Media Lab, Cambridge, Mass.

------------------------------

From: a.e. mossberg
Subject: risks there and whoops! still there!
Date: Tue, 22 Mar 88 13:03:57 EDT

In RISKS-6.47 Jerry Leichter suggests vt220 terminals are somewhat secure....
I think that the problem is better stated as 'block mode', not programmable
function keys.  I've looked at our vt220 manuals and the problem I stated
before remains.  I can send a sequence like this:

	lock keyboard
	erase display
	block mode on
	output whatever sequence of commands I want executed...
	send screen

I tend to doubt there are many people who are quick enough to go into setup to
unlock the keyboard before the sequence executes, and who pay enough attention
to even catch it, if I were to do a clear screen, block mode off, unlock
keyboard at the end of the above sequence.

Anyway, why is block mode still around?
I can't recall seeing ANY application that used it.  (I kinda vaguely remember
a pseudo-full-screen editor on the UNIVAC that might have needed it.)

a.e.mossberg                       Internet: aem@mthvax.miami.edu
                                   Bitnet:   aem%mthvax.miami.edu@cunyvm
Univ of Miami Hertz Laboratory     Uucp:     ...!uunet!miavax!aem

------------------------------

End of RISKS-FORUM Digest
************************
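The block-mode risk a.e. mossberg raises above (a message that makes the terminal lock its keyboard, switch to block mode and "send screen") has a defensive counterpart on the receiving side: strip control and escape sequences from untrusted text before it is written to a terminal. The Python filter below is an added example, not from the digest or any contributor; it assumes nothing about the specific VT220 sequences and instead removes every ESC-introduced sequence and every 8-bit C1 control, which is what a mail or log viewer should do before displaying data it did not generate.

```python
"""Defensive filter for terminal escape-sequence injection (added example).
Rather than listing the VT220 sequences involved, it removes every
ESC-introduced sequence and 8-bit C1 control, and drops stray C0 controls."""

# ESC-introduced sequences that run until a String Terminator (ESC \)
# or, for OSC, a BEL: DCS, SOS, PM, APC, OSC.
_STRING_INTRODUCERS = "PX^_]"

def _normalize_c1(text: str) -> str:
    """Rewrite 8-bit C1 controls (0x80-0x9F) as their 7-bit ESC form,
    e.g. 0x9B (CSI) -> ESC '[', so one parser covers both encodings."""
    return "".join("\x1b" + chr(ord(c) - 0x40) if 0x80 <= ord(c) <= 0x9F else c
                   for c in text)

def sanitize(text: str) -> str:
    """Return text with all terminal control sequences removed.
    Printable characters, newline, carriage return and tab are kept."""
    text = _normalize_c1(text)
    out, i, n = [], 0, len(text)
    while i < n:
        ch = text[i]
        if ch != "\x1b":
            if ch in "\n\r\t" or ch.isprintable():
                out.append(ch)
            i += 1                      # any other C0 control is dropped
            continue
        i += 1                          # consume ESC
        if i >= n:
            break
        c = text[i]
        if c == "[":                    # CSI: parameter/intermediate bytes, then final
            i += 1
            while i < n and 0x20 <= ord(text[i]) <= 0x3F:
                i += 1
            i += 1
        elif c in _STRING_INTRODUCERS:  # string sequence: skip to ST (or BEL for OSC)
            ends = [text.find("\x1b\\", i + 1)]
            if c == "]":
                ends.append(text.find("\x07", i + 1))
            ends = [e for e in ends if e != -1]
            if not ends:                # unterminated: a real terminal swallows
                break                   # the rest of the input too, so do the same
            e = min(ends)
            i = e + (2 if text[e] == "\x1b" else 1)
        else:                           # ESC + intermediates (0x20-0x2F) + final
            while i < n and 0x20 <= ord(text[i]) <= 0x2F:
                i += 1
            i += 1
    return "".join(out)

def is_clean(text: str) -> bool:
    """Detection form of the same rule: True when nothing would be stripped."""
    return sanitize(text) == text
```

`is_clean` is the detection variant: a mail gateway or log collector can flag any message for which it returns False instead of silently cleaning it.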