RISKS-LIST: RISKS-FORUM Digest Friday 2 September 1988 Volume 7 : Issue 43 FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator Contents: Statistical reliability estimation criticized (Brian Randell) Calling party identification (Mark W. Eichin, TMPLee, anonymous) Automotive EMI - a personal experience (Scott C. Crumpton) The mental tyranny of a cash register (Steven C. Den Beste) Intoximeter risks (Andrew Vaught) SSNs, Passports (Chris Hibbert) The RISKS Forum is moderated. Contributions should be relevant, sound, in good taste, objective, coherent, concise, and nonrepetitious. Diversity is welcome. CONTRIBUTIONS to RISKS@CSL.SRI.COM, with relevant, substantive "Subject:" line (otherwise they may be ignored). REQUESTS to RISKS-Request@CSL.SRI.COM. FOR VOL i ISSUE j / ftp kl.sri.com / login anonymous (ANY NONNULL PASSWORD) / get stripe:risks-i.j ... (OR TRY cd stripe: / get risks-i.j ... Volume summaries in (i, max j) = (1,46),(2,57),(3,92),(4,97),(5,85),(6,95). ---------------------------------------------------------------------- Date: Fri, 2 Sep 88 11:07:59 WET DST From: Brian Randell Subject: Statistical reliability estimation criticized (Jon Jacky, RISKS 7.40) Re: Jon Jacky's message, stating that: >John Cullyer of the British Royal Signals and Radar Establishment ... >said, "Let's throw out the 10 ** -9" - and many of the audience >responded with enthusiastic applause. Someone asked if he would accept a >failure probability of only 10 ** -4 or 10 ** -5 for nuclear weapons safety. >He responded, "In the weapons area there should be no room for probability. >If something is unthinkable, don't let it happen. You either certify it or >you don't - one or zero." I'm appalled by this comment, if it is reported as accurately as I fear it is! Just because something is "unthinkable" doesn't mean that *any* particular technology, such as certification, will *guarantee* that it will not happen, and that no measures need be taken, or even considered, to allow for the possibility of failure. (This is the sort of thinking which has "justified" the reported lack of planning in the UK for dealing with Chernobyl-scale catastrophes at nuclear power stations.) I find the following attitude much more professional. (The quote comes from the review by Tom de Marco of "Principles of Software Engineering Management", by Gilb and Finzi, in IEEE Computer for August 1988): "We must quantify everything that matters to eventual project success or failure. Everything - particularly those product characteristics that we treat as unquantifiable (flexibility, "user-friendliness," net benefit, etc.) - must be scaled and targeted. Some of the quantifications will be "fuzzy" in Gilb's terms, but even fuzzy numbers are far better than no numbers at all. The very act of coming up with the best-effort quantification of these factors guides us towards success and knowing how well we are doing along the way." Otherwise, how will the Cullyers of this world for example (i) choose between rival certification techniques, (ii) know when certification is "complete", or (iii) decide how to divide a finite budget between certification and complementary approaches to reducing the likelihood of having to experience, and apologise for, an "unthinkable" occurrence. (In fact I fear I know the answer - by blind faith and misguided eloquence!) All this is not to say that naive unjustifiable quantification, such as often accompanies the bandying around of figures like 10 ** -9, any more professional. However the fact that such naivete occurs is no reason to abandon attempts to find means of making, justifying and intelligently using, quantified reliability assessments, even w.r.t. design errors, especially with systems whose failures would be truly catastrophic. Brian Randell ------------------------------ Date: Thu, 1 Sep 88 22:22:08 EDT From: Mark W. Eichin Subject: Calling party identification >... It is my observation that most people believe that "tracing a call" is >still a difficult, time consuming process that cannot be done routinely. This >story shows that it is a service phone companies offer to commercial >customers, although I have not seen any reports of it also being offered to >residential customers ... I believe the New Jersey telco offered digital display of incoming number to private subscribers a year ago; here at MIT, with the installation of a 5ESS system with full ISDN support available to offices, the digital set automatically displays the phone number the call came from (if it was within MIT; apparently there isn't software in place to track calls from other switches yet, the display merely indicates "Outside"). The documentation for the dormitory phones included mention of a ``privacy code'' which meant dialing 65 before any phone number; the pamphlet with the phone didn't actually explain what the privacy code *did* however. Mark Eichin, SIPB Member & Project Athena ``Watchmaker'' ------------------------------ Date: Thu, 1 Sep 88 22:42 EDT From: TMPLee@DOCKMASTER.ARPA Subject: Calling party identification Phone number tracing Our local cable company must use the same kind of connection to the phone company that the pizza place mentioned in RISKS-7.42 does. They have several pay-by-view channels and a set of incoming phone numbers. To order a pay-by-view event all you do is dial something like 938-77xx where the xx is the "ordering" code for the particular movie or live event (local sports, etc.) you want. A computer answers the call and is somehow told where the call was from; it looks that up in a data base, finds the i.d. of your cable box and enables the show. (It goes on your bill, of course.) Rather clever, actually: no human operators and it works from either a dial phone or a touch tone phone. Don't use it much, and apart from misdialling the only "risk" I have is remembering to use line 1 rather than line 2. Ted Lee ------------------------------ Date: Thu, 1 Sep 88 19:57:52 xDT From: [anonymous] Subject: Calling party identification While there is work going on to allow for the identification of calling parties by the callee, such systems are not generally implemented and won't be for some time to come. There are some limited test projects, but I don't believe that any large-scale operation of the sort implied is currently operational. Most likely what is actually happening is that the first question people are asked when they call the pizza folks is "what is your phone number?" Then the computer operator punches that in and up pops all the info from any previous call. It is unlikely that they are receiving the calling party's number in realtime. It IS true that with some long-distance carriers' 800 callers numbers are made available to the callee, but this is done on a billing cycle basis (i.e., in the billing statement) and not in realtime. If it turns out the pizza folks ARE receiving the number ID in realtime, then they are in one of the test groups and one can't help but wonder how many folks in the area realize the ramifications of this all (see below). Now, in the middle future the issue of the callee being able to receive the number of the caller will be a significant one for us all. The technology is being put into place. At first glance, many people might say, "Gee, how neat, I'll know the numbers of the phone solicitors who bother me." But think again. It would work both ways. Do you really want YOUR phone number recorded (and possibly later called back with solicitations, matched with addresses for mailings, etc.) whenever you call a business, possibly from your private line you only intend to use for outgoing calls, or from some friend's house or business from where you happened to make the call? If you make a business call from home, do you necessarily want the person receiving the call to immediately have your home number? Do they have any right to that number rather than calling you back on the office number you might give them? There are a variety of complex ramifications. Even worse, if YOU could see the callers' numbers on calls YOU receive, you might be disappointed at much of what you'd see. Most big solicitation businesses use special outward-calls-only trunking groups; you would frequently see undialable numbers like 012-4161 on your display. Such info isn't going to do you a lot of good without a lot of hassling with telco for info (which they might well be unwilling to give you). And what about obscene phone calls and such? Won't this system help stop them? Well, maybe some dummies would get caught, but there are one hell of a lot of payphones out there and people could easily move from one to another indefinitely... The issue of privacy of callers' numbers is thus more complicated than it might appear at first. Some proposals call for unlisted numbers not to routinely display on callee displays. Some other plans propose a control prefix (e.g. "*21") which you could dial before dialing a phone number if you want to block number display for that particular call. All in all the issues involved are quite complex. The time to start thinking about them is now. ------------------------------ Date: Fri, 26 Aug 1988 09:51:42 LCL From: NESCC%NERVM.BITNET@CUNYVM.CUNY.EDU (Scott C. Crumpton) Subject: Automotive EMI - a personal experience There is a section of road that I frequently drive which comes within about 600 feet of a TV (ch 20) transmitter tower. Within a distance of approximately 1/4 mi of the tower, the cruise control on my 87 Volvo 240DL will not set properly. The "set" button acts like "resume", causing a normal rate of acceleration up to the previously set speed. This behavior is repeatable in this location, however I have not noticed any other symptoms or occurrences in other locations. Considering the "success" that I have had getting minor problems (like cold start stalling) fixed at the local Volvo dealer, I don't think I'll be taking this one to them. I will probably attempt to fix it myself with some ferrite chokes and a little shielding. ---Scott. ------------------------------ Date: Mon, 29 Aug 88 12:01:58 -0400 From: denbeste@OAKLAND.BBN.COM Subject: The mental tyranny of a cash register Last Saturday I was in a local mall, and being thirsty I went to a cookie- over-the-counter store which was handy, and ordered a "medium rootbeer", price listed as $.75. I proffered a dollar, and was given $0.19 change. [It should be explained at this point that Massachussetts has a 5% sales tax. However, this would have fallen under the restaurant and meal tax, which also happens to be 5%.] "Wait a minute", I said, "The sales tax on this should be 4 cents, not 6." "I know. The cash register is broken. But that is what it says to give you, so that's what I have to do." [I suspect my memory may be making his words a bit different - please bear with me.] "Give me the rest of my change!" "There's no way for me to do that." I walked away snarling. Actually, of course, he could just have hit "No Sale" and gotten two more pennies out of the till. But, having done so, at the end of the shift the till would have contained less money than the cash register said it should, and he would've had to make up the difference out of his own pocket. Given a choice between it being his money and being mine, he wanted it to be mine. Both of us were trapped by a cash register which had been programmed for an 8% sales tax. Now that I've cooled down, I'm not even sure that he thought it through to the point I gave two paragraphs ago. I think his reaction was merely: Do what the machine says, even if you KNOW it is wrong. Editorial point: Shades of the Vincennes. We are the elite - we understand, at least in principle, what goes on inside of virtually anything which is computerized. This makes us free - we know enough to know that the computer can be just as wrong as a person can, since a person decided ahead of time what it would do. It is only a machine, and is just as fallible as its creators. But for those out there who truly have no idea what a computer is, it has become a kind of oracle or demigod: You follow its orders and you DO NOT QUESTION, because it is smarter than you. Perhaps this is why some people flatly refuse to use automated tellers at banks, and literally refuse to touch a computer keyboard even when urged. Those who mess with the gods get turned to spiders. When put in a job-related situation where interaction with a computer is unavoidable, the computer truly becomes almost a deity: YOU DO NOT QUESTION. ("We are sorry, Mr. Thompson, but our computer says that you are dead. We do not do business with corpses.") [Maybe I HAVEN'T cooled down, after all.] ------------------------------ Date: Thu, 01 Sep 88 13:33:56 PLT From: Andrew Vaught <29284843%WSUVM1.BITNET@CUNYVM.CUNY.EDU> Subject: Intoximeter risks {Taken from the 24 August 1988 Spokesman-Review without permission} GASSED OR DRUNK? PRISONER FILLS 'ER UP While official witnesses looked on, a Bonner County Jail prisoner swigged a paper cup full of gasoline last week in an effort to prove himself innocent of drunk driving. Sagle resident Barry Joe Raynor, 20, claims he was siphoning gasoline just before he was arrested for drunken driving last Jan 14, said his attorney Jonathon Cottrell. When the case goes to trial in 1st District Magistrate Court next week, Cottrell and Raynor will argue it was gasoline on his breath that lit up the scoreboard on Bonner County's intoximeter the night he was arrested. [The article goes on to say why drinking gasoline is not a real good idea and how drinking a cup of gasoline showed a .28 percent blood alcohol level one hour later.] Although the article never mentions what kind of `intoximeter' is actually used in the tests, it is pretty obvious that it is not directly measuring blood alcohol content, but some other telltale that allows it to be fooled by gasoline. [NPR this morning noted that when the tape recording of the arrest was played in court, Raynor sounded so intoxicated that he simply gave up on his gas defense. OK. This item thus appears to not be RISKS related, although the risk of false positives on such tests is always a risk that must be recognized. PGN] ------------------------------ Date: Wed, 31 Aug 88 17:45:40 PDT From: Hibbert.pa@Xerox.COM Subject: SSNs, Passports I was just looking through Robert Ellis Smith's "Report on the Collection and Use of Social Security Numbers", and on the final page he added a note about SSN's and the Passport office. Since there was some unresolved discussion of this at the beginning of the year, I thought I would forward the information. Smith says that as of the beginning of this year, SSN's are required on passport applications, and failure to include it may result in a $500 fine. I'm as puzzled by this as the people who reported similar things in January. I don't know why the passport office doesn't refuse to handle applications without SSNs and just forget about the fine. The reason they want the number in the first place is apparently so that the IRS can make sure that Americans living abroad file returns. If there really is a fine, then it should be mentioned in the requisite Privacy Act notice along with a statement as to whether disclosure has an impact on you're getting a passport. The "Report on the Collection and Use of Social Security Numbers" can be ordered from the Privacy Journal, P.O. Box 15300, Washington DC 20003. Their phone number is (202) 547-2865. I was dissapointed in the level of the report. It's mostly a sampler of case histories of people who were burned in various ways by abuse of their numbers. It contains little in the way of privacy advice that hasn't already appeared here. Chris ------------------------------ End of RISKS-FORUM Digest 7.43 ************************