RISKS-LIST: RISKS-FORUM Digest  Monday 12 September 1988  Volume 7 : Issue 50

FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS
ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Contents:
  "Computer glitch costs AA $50M ..." (Ken Calvert)
  Risks of Motel Computers (Brint Cooper)
  IFF and the Vincennes (Geoff. Lane.)
  "Single keystroke" (Philip E. Agre)
  `Credit doctors' (Donn Seeley)
  Scientific Safety (WHMurray)
  Bev Littlewood's message in RISKS-7.48 (PGN)
  Calculations with Wrapped Numbers (Mark Brader, Bennet Yee, Jan Wolitzky,
    Roger Goun)

The RISKS Forum is moderated. Contributions should be relevant, sound, in good
taste, objective, coherent, concise, and nonrepetitious. Diversity is welcome.
CONTRIBUTIONS to RISKS@CSL.SRI.COM, with relevant, substantive "Subject:" line
(otherwise they may be ignored). REQUESTS to RISKS-Request@CSL.SRI.COM.
FOR VOL i ISSUE j / ftp kl.sri.com / login anonymous (ANY NONNULL PASSWORD) /
get stripe:risks-i.j ... (OR TRY cd stripe: / get risks-i.j ...
Volume summaries in (i, max j) = (1,46),(2,57),(3,92),(4,97),(5,85),(6,95).

----------------------------------------------------------------------

Date: Mon, 12 Sep 88 10:36:29 CDT
From: calvert@cs.utexas.edu
Subject: "Computer glitch costs AA $50M ..."

From the Austin American-Statesman, Sun., 11 Sept. without permission:

  Computer glitch costs American $50 million in lost ticket sales
  by Martin Zimmerman, Dallas Morning News

FORT WORTH- American Airlines, Inc. lost as much as $50 million in potential
revenue this year when its computerized reservations system mistakenly
restricted the sale of discount tickets, driving price-conscious travelers to
American's competitors, the airline's chairman told industry analysts this
week.

According to analysts who attended the meeting in New York with Robert
Crandall, American's chairman, president and CEO, the revenue loss was due to
a foul-up in the airline's yield-management system.
"(Crandell) said that early in the second quarter they had implemented a new software program, which appears to have backfired," said one investment company analyst, who asked not to be named. "It did not do what it was intended to do." Yield management involves the use of sophisticated computer programs to determine how many seats on an airplane should be sold at various prices, squeezing the greatest possible revenue out of each ticket sold. On flights where there is heavy demand for seats, for instance, the program will instruct that fewer tickts should be sold at discount prices. On less-popular flights, more tickets will be sold at discount fares to fill what otherwise would be empty seats. American is considered an industry leader in yield management. But when the airline modified its system this year, the new program contained a serious flaw. According to the analysts, Crandall said the modified program prematurely stopped the sale of discount tickets for American flights, even though more seats would normally have been offered at lower fares. Travelers searching for a cheap fare -- told that none were available on American -- presumably then went to another airline to buy a ticket. Lowell Duncan, American's vice president-corporate communications, said the problem went on for 30 to 60 days before it was discovered and corrected. It came to light when wide discrepancies cropped up in the number of discount tickets sold during the second quarter of 1988 compared to previous quarters.... News of the foul-up apparently didn't cause much of a stir among the analysts, who study airlines' financial performance and then make recommendations on whether investors should buy their stock.... "Had American had a poor quarter, this glitch might have been more of a problem," said Timothy Pettee, an airline analyst... As it was, American's yields -- the amount of money collected per passenger -- increased 13 percent in the second quarter, Pettee said. 
"They might've been up 15 to 17 percent without this glitch, which would've been phenomenal," he said. This seems relevant to the recent discussions on quantitative risk assessment. The $50 million figure must be regarded with suspicion in the absence of further information. (Does anybody besides me have a problem with phrases like "losses" in "potential" revenue?) Such numbers are meaningful only in context,yet it seems to be unavoidable in our society that, once created, they take on a life of their own and appear in isolation. In my experience the problem is not limited to the media. (Hence I am generally skeptical about quantitative methods in system design and certification.) Ken Calvert ------------------------------ Date: Mon, 12 Sep 88 9:46:21 EDT From: Brint Cooper Subject: Risks of Motel Computers The following illustrates just how ignorant the "general public" remains of issues that the Risks community almost take for granted. Last month, with a friend my wife and I were touring Southern Maryland. We stopped unannounced at a new Holiday Inn and booked two rooms in my name. With both rooms' keys in hand, we proceeded to our friend's room; I opened the door to check out her room and found that the room was not vacant. While no one was actually in the room, briefcases, books, and clothes made it evident that someone else was already booked therein. Angrily, I returned to the desk, explaining to the very young night staff there the real risk of such an error: that the room might be occupied by a handgun-toting paranoid who would shoot first and ask questions later. The young woman offered that "the computer must have made a mistake." I slightly mis-represented myself as a "computer scientist" and told her that this was no excuse and repeated all the arguments that are more than familiar to readers of "Risks Digest." We were assigned another room. 
At checkout the next morning, I reported the mistake to the morning staff, so
that "management" would become aware. After the expected profuse apologies,
the desk manager said, "The computer shouldn't have allowed that. The night
clerk must have made a mistake."

What could I say?

Brint Cooper

------------------------------

Date: Mon, 12 Sep 88 09:32:13 BST
From: "Geoff. Lane. Tel UK-061 275 6051"
Subject: IFF and the Vincennes

Once upon a time I worked on the IFF software of the Nimrod project. (Nimrod
was a British Airborne Early Warning system which got cancelled - to be
replaced by AWACS). As part of the design process we were given a few lectures
on the purposes and uses of IFF in general. During these we found out that

  a) NO combat fighter plane will ever go into combat with its IFF system
     operating - for obvious reasons!

  b) If you are in a combat zone and a plane's IFF claims it to be a civilian
     assume that it is a counterfeit signal.

These policies were not, to my knowledge built into the software. They were
left for the pilot to act upon. This was about 10 years ago now. I doubt if
the general policy of the UK air defence people has changed. It would appear
that the Captain of the Vincennes worked to a similar set of assumptions.

BTW, The Nimrod project was done by GEC-Marconi Space and Defence Systems.
This is a part of the same company that is currently being so unlucky with
suicides and strange accidental deaths.

Geoff. Lane., University of Manchester Regional Computer Centre

------------------------------

Date: Mon, 12 Sep 88 03:50:09 EDT
From: "Philip E. Agre"
Subject: "Single keystroke"

PGN attaches the following comment onto a message about the Soviets' loss of a
Phobos spacecraft.

  [Several people reported on radio items that attributed the problem to a
  console operator's single keystroke in error, which it was speculated might
  have triggered the Mars probe's self-destruct signal.
  After the command was sent, contact with the probe was lost completely.
  PGN]

I have no reliable information about this particular case, but I am struck by
the high proportion of operator mistakes which get reported as `single
keystroke' errors. I strongly suspect that single-keystroke errors are largely
an urban myth (you know, poodles in microwaves and the like). I'm sure that in
this world of crummy user interfaces you can often do plenty of damage with a
single keystroke, but the image of a single mistaken keystroke leading to
disaster has got to be a very tempting trope for journalists and cartoonists
and rumor-passers whether it's accurate or not. Besides, it'll always have a
certain tenuous relation to the truth: the single keystroke that does the
damage is the final Return you hit after your two hundred keystrokes of
wrongheadedness.

------------------------------

Date: Mon, 12 Sep 88 00:46:26 MDT
From: donn@cs.utah.edu (Donn Seeley)
Subject: `Credit doctors'

  Clean Credit for Sale: A growing illegal racket
  by Larry Reibstein with Lisa Drew, Newsweek 9/12/88 p. 49

Houston schoolteacher Darlene Alexander thought she had a clean credit record.
Then in June she applied for a $75,000 mortgage, and the lender told her she
had too much debt to qualify. Her records showed accounts for American
Express, MasterCard and Visa. The biggest balance was a $22,800 loan for a
1988 Chevrolet Camaro. All this baffled Alexander. None of the accounts were
hers; she drives a paid-up 1983 Datsun.

Alexander was a victim of 'credit doctors,' people who use computers to steal
good credit histories and then sell that information to people with bad
credit. Using Darlene Alexander's name and history, an impostor opened charge
accounts and got loans with almost no risk. The real Alexander, who was also
turned down for a vacation loan, is angry. 'You try for years to get good
credit,' she says, 'and then someone else just takes it away from you.'
Credit doctors -- thieves, really -- are starting to surface in a big way. In
Houston, where the depressed economy has created plenty of willing customers,
about 30 people have been arrested, and 20 convicted, for credit-doctoring
schemes in the last year. Among them were 'patients' -- consumers -- who paid
up to $2,000 for stolen or fake credit identities. Houston police have
identified $7 million to $10 million in merchandise and homes bought with the
help of fraudulent accounts. Similar cases have cropped up in Chicago and Los
Angeles. In an era when everyone seems intent on building up their credit one
way or another, Secret Service agent Neal Findley says, 'An industry has risen
up based on getting into other people's credit files.'

The thieves work by tapping credit-bureau computers that contain histories on
millions of consumers. It's surprisingly easy. Credit doctors usually buy the
computer-access code from a contact who works in a legitimate business, such
as a mortgage company. Using a personal computer, the credit doctor searches
for someone who has his client's name -- and good credit. He then copies that
person's credit history -- including the all-important social security number
[[argh! -- Donn]] -- and furnishes the information to the client, who uses it
when applying for credit. Houston police say some consumers have been offered
a choice of credit histories at a range of prices, depending on the 'quality'
of the stolen credit. ...

Authorities believe many credit-doctoring scams remain undetected. People
whose histories have been stolen may never know it -- until a lot of debt is
entered in their names. Merchants often look the other way as long as the
impostor is keeping up with payments, says Houston police lieutenant J. F.
Rabago. Many credit bureaus say that no safeguards can completely block
unauthorized access to their computers. For now, a consumer can only hope that
someone with the same name isn't in the market for a new credit history.
[[Are credit bureaus' security measures really this lax? It's not hard to
believe, just appalling. -- Donn]]

------------------------------

Date: Sun, 11 Sep 88 13:22 EDT
From: WHMurray@DOCKMASTER.ARPA
Subject: Scientific Safety

Since I only speak American, I often have a difficult time understanding
things originating across the pond. For example, Bev Littlewood writes:

>The system is certificated in Europe, the thing is carrying passengers,
>yet, I believe, it cannot be asserted in any scientifically meaningful
>way that it has an "acceptable level of safety".

It is not clear to me whether "scientifically meaningful" modifies "can be
asserted" or "acceptable level of safety." It seems to me that a great part of
this discussion has turned on whether "acceptable level of safety" can ever be
a scientific term. It sounds to me as though it is being asserted that in the
UK it is a scientific and, even legal, term. I would assert that in the US it
is neither. It is at best political, and at worst journalistic.

The toleration of a risk in the US is inversely proportional to its novelty or
its mystery. We do not tolerate the risk of the medicinal use of marijuana or
heroin in terminally ill patients. On the other hand we tolerate 300,000
premature, painful and slow deaths a year from the use of tobacco.

We tolerate 1500 to 10,000 measurable deaths a year from the burning of fossil
fuels. Much lower risks of alternatives cannot be tolerated because of the
absence of political courage.

We kill 40,000 people a year on our highways, and maim for life another
2-400,000, while programs in other countries suggest to us that at least half
of those are avoidable.

Novel technology, such as fly-by-wire, would not be tolerated here unless it
could be "proved" to be safer than the technology in use. (The opposition to
the A320 in the US revolves around the fact that it contributes to an
unfavorable balance of trade and has a two man cockpit. The opposition has
missed a good bet.)
The risks of new foods and drugs here are measured absolutely, in terms of
their risk in small animals; not against the risk of the alternatives. Better
the devil we know.

One can say little "scientific" about safety and risk in such a society.

William Hugh Murray, Fellow, Information System Security, Ernst & Whinney
2000 National City Center Cleveland, Ohio 44114
21 Locust Avenue, Suite 2D, New Canaan, Connecticut 06840

------------------------------

Date: Sun, 11 Sep 88 20:28:20 PDT
From: Peter G. Neumann
Subject: Bev Littlewood's message in RISKS-7.48

Somewhere between Bev's transmission to Brian Randell and Brian's
retransmission to me, Bev's lines longer than 80 characters got truncated.
Sorry. [Probably at the border? Customs? Round up the usual characters?]

[By the way, I sometimes get messages from within the U.S.A. whose text has NO
line breaks -- just rampant character strings. The UK/USA 80-character filter
would truncate the entire message except for the first 80 characters!]

------------------------------

Date: Fri, 9 Sep 88 17:41:38 EDT
From: Mark Brader
Subject: Calculations with Wrapped Numbers

> > The problem occurs when the previous value is -175 or so and the new
> > value is +175. What is the average?

> A good way to estimate an average angle, A, from a set of angle measurements
> a[i] 0<=i> Imagine trying to compute the average position of the second hand on a
>> clock. You sample the position once a second for sixty seconds. Ok, now
>> what is the average?

I made a deliberately naive attempt to determine the average position of a
second hand, using the above formula and a spreadsheet program that shall
remain nameless. I assumed N = 60, 0 <= a[i] <= 354. The spreadsheet dutifully
reported that

  sum_i_from_1_to_N sin(a[i]) = -7.173E-10,
  sum_i_from_1_to_N cos(a[i]) = .000000014, and
  a = -3.0000006.

This example is obviously contrived to "make the computer look bad."
But it's not hard to imagine a scenario in which such a completely bogus
answer might seem plausible to an unsophisticated consumer of information,
especially if he or she was not shown the intermediate results of the
calculation.

Roger Goun

------------------------------

End of RISKS-FORUM Digest 7.50
************************
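The wrapped-angle averaging discussed in "Calculations with Wrapped Numbers" above, as an added example that is not code from any contributor to this digest: it assumes the usual unit-vector method (mean direction taken as atan2 of the summed sines and cosines) and adds a check on the mean resultant length R, so the second-hand case is reported as having no meaningful mean instead of an angle made of rounding noise. The function names and the `min_resultant` threshold are assumptions made for this example.

```python
import math

def naive_mean_deg(angles_deg):
    """Arithmetic mean, which ignores the wrap at +/-180 degrees."""
    return sum(angles_deg) / len(angles_deg)

def circular_mean_deg(angles_deg, min_resultant=1e-6):
    """Return (mean_direction_deg or None, R) for angles given in degrees.

    Each angle is treated as a unit vector (cos a, sin a). The mean direction
    is atan2(sum of sines, sum of cosines). R = |vector sum| / N lies in
    [0, 1]; when R is close to 0 the samples cancel each other out and the
    direction is undefined, so None is returned instead of an angle.
    min_resultant is an assumed cutoff, not a value from the digest.
    """
    n = len(angles_deg)
    if n == 0:
        return None, 0.0
    s = math.fsum(math.sin(math.radians(a)) for a in angles_deg)
    c = math.fsum(math.cos(math.radians(a)) for a in angles_deg)
    r = math.hypot(s, c) / n
    if r < min_resultant:
        return None, r
    return math.degrees(math.atan2(s, c)), r

if __name__ == "__main__":
    # Constructed inputs taken from the two cases raised in the thread.
    cases = {
        "wrap pair -175/+175": [-175, 175],
        "second hand, 60 samples": list(range(0, 360, 6)),
    }
    for label, angles in cases.items():
        mean, r = circular_mean_deg(angles)
        shown = "undefined" if mean is None else f"{mean:.3f} deg"
        print(f"{label}: naive={naive_mean_deg(angles):.3f} "
              f"circular={shown} R={r:.3g}")
```

Reporting R alongside the angle is the "intermediate result" the last message asks for: a consumer of the number can see when the inputs do not support any average at all.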