RISKS-LIST: RISKS-FORUM Digest Monday 31 October 1988 Volume 7 : Issue 68 FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator Contents: Conspiracy to Defraud (Martyn Thomas) `Runaway' Computer Projects (Rodney Hoffman) Perceived risk (James F. Carter) "TCA pushes for privacy on corporate networks" (Jerry Leichter) Risks in Answering Machines (Andy Glew) Ear-itation (Ed Ravin) The RISKS Forum is moderated. Contributions should be relevant, sound, in good taste, objective, coherent, concise, and nonrepetitious. Diversity is welcome. CONTRIBUTIONS to RISKS@CSL.SRI.COM, with relevant, substantive "Subject:" line (otherwise they may be ignored). REQUESTS to RISKS-Request@CSL.SRI.COM. FOR VOL i ISSUE j / ftp kl.sri.com / login anonymous (ANY NONNULL PASSWORD) / get stripe:risks-i.j ... (OR TRY cd stripe: / get risks-i.j ... Volume summaries in (i, max j) = (1,46),(2,57),(3,92),(4,97),(5,85),(6,95). ---------------------------------------------------------------------- Date: Wed, 26 Oct 88 15:04:46 BST From: Martyn Thomas Subject: Conspiracy to Defraud The Confederation of British Industry has submitted a proposal to the Law Commission proposing changes to the law on conspiracy to defraud. They propose (inter alia) that current offences involving "deception" (which require that a human mind is deceived) should be extended to include deception of machines, including (in particular) computers. This sounds risky - can anyone think of good examples of unintended consequences? Martyn Thomas !uunet!mcvax!ukc!praxis!mct ------------------------------ Date: 30 Oct 88 13:20:56 PST (Sunday) From: Rodney Hoffman Subject: `Runaway' Computer Projects In the November 7, 1988 issue, 'Business Week' has a two-page story headlined "IT'S LATE, COSTLY, INCOMPETENT -- BUT TRY FIRING A COMPUTER SYSTEM: Companies get stuck with 'runaways' that trample all over their budgets and reputations." Nothing amazingly new, but a good summary of the problems, with several case histories. From the article: "A recent Peat Marwick Mitchell & Co. survey of 600 of the accounting firm's largest clients highlighted the problem: Some 35% currently have major runaways.... In 1986, [a management consultant] set up a group at Peat Marwick to rein in runaways. Since then, he has had $30 million in revenues from nearly 20 clients...." Two sidebars are of interest: A SAMPLING OF `RUNAWAY' PROJECTS * ALLSTATE INSURANCE. In 1982, with software from Electronic Data Systems, the insurer began to build an $8 million computer system that would automate it from top to bottom. Completion date: 1987. An assortment of problems developed, delaying completion until 1993. The new estimated price: $100 million. * CITY OF RICHMOND. In 1984 it hired Arthur Young to develop a $1.2 million billing and information sytem for its water and gas utilities. Completion date: March, 1987. After paying out close to $1 million, Richmond recently canceled the contract, saying no system had been delivered. Arthur Young has filed a $2 million breach of contract suit against the city. * BUSINESS MEN'S ASSURANCE. In 1985 the reinsurer began a one- year project to build a $500,000 system to help minimize the risk of buying insurance policies held by major insurers. The company has spent nearly $2 million to date on the project, which is in disarray. The new completion date is early 1990. * STATE OF OKLAHOMA. In 1983 it hired a Big Eight accounting firm to design a $500,000 system to handle explosive growth in workers' compensation claims. Two years and more than $2 million later, the system still didn't exist. It finally was finished last year at a price of nearly $4 million. * BLUE CROSS AND BLUE SHIELD UNITED OF WISCONSIN. In late 1983 it hired Electronic Data Systems to build a $200 million computer sytem. It was ready 18 months later -- on time. But it didn't work. The system spewed out some $60 million in overpayments and duplicate checks before it was harnessed last year. By then, Blue Cross says, it had lost 35,000 policyholders. [Several of these are discussed in more detail in the article.] --- HOW TO KEEP A PROJECT UNDER CONTROL * Before designing the system, get suggestions from the people who will use it. * Put senior, nontechnical management in charge of the project to help ensure that it is finished on time and within budget * Set up 12-month milestones -- interim deadlines for various parts of the project * Insist on performance clauses that hold suppliers legally responsible for meeting deadlines * Don't try to update the system in midstream, before the original plan is finished ------------------------------ Date: Wed, 26 Oct 88 16:22:19 PDT From: jimc@math.ucla.edu Subject: Perceived risk Freudenburg, William R, "Perceived Risk, Real Risk: Social Science and the Art of Probabilistic Risk Assessment", Science, vol 242 #4875 (10/7/88) p.44. A very interesting article. The author's thesis is that risks computed from "hard scientific evidence" frequently inadequately predict both the probability and the consequences of a risk, because human factors are inadequately modelled. Risk estimation workers suffer from non-obvious human errors. The general public are not as irrational as they sometimes seem to technical people, when their concerns, values and experience history are taken into account. Readers of this newsgroup may already "know" all this, but it's useful to have our noses rubbed in it yet again. James F. Carter (213) 825-2897 UCLA-Mathnet; 6608B MSA; 405 Hilgard Ave.; Los Angeles, CA 90024-1555 ------------------------------ Date: Wed, 19 Oct 88 14:54 EST From: "Jerry Leichter (LEICHTER-JERRY@CS.YALE.EDU)" Subject: "TCA pushes for privacy on corporate networks" [Entered without permission from Computerworld, 3 Oct 88, page 133] By Kathy Chin Leong, CW Staff SAN DIEGO --- As more and more confidential data winds its way across computer networks, users are expressing alarm over how much of that information is safe from subsidiaries of the Bell operating companies and long-distance firms providing transmission services. This fear has prompted the Tele-Communications Association (TCA) and large network users to appeal to the Federal Communications Commission to clarify exactly what network data is available to these vendors. Users with large networks, such as banks and insurance companies, are concerned that published details even of where a circuit is routed can be misused. "We don't what someone like AT&T to use our information and then turn around and compete against us," said Leland Fong, a network planner at Visa International in San Francisco. Users are demanding that the FCC establish a set of rules and regulations so that information is not abused. At issue is the term "customer proprietary network information" (CPNI), which encompasses packet data, address and circuit information and traffic statistics on networks. Under the FCC's Computer Inquiry III rules, long-distance carriers and Bell operating companies --- specifically, marketing personnel --- can get access to their own customers' CPNI unless users request confidentiality. What his group wants, TCA President Jerry Appleby said, is the FCC to clarify exactly what falls under the category of CPNI. Fong added that users can be at the mercy of the Bell operating companies and long-distance vendors if there are no safeguards established. Customer information such as calling patterns can be used by the operating companies for thier own competitive advantage. "At this time, there are no controls over CPNI, and the users need to see some action on this," Fong said. SPREAD THE CONCERN At a meeting here during the TCA show, TCA officials and the association's government liason committee met with AT&T to discuss the issue; the group will also voice its concerns to other vendors. Appleby said the issue should not be of concern just to network managers but to the entire company. Earlier this month, several banks, including Chase Manhattan Bank and Security Pacific National Bank, and credit card companies met with the FCC to urge it to come up with a standard definition for CPNI, Appleby said. While the customer information is generally confidential, it is available to the transmission carrier that is supplying the line. The data is also available to marketing departments of that vendor unless a company asks for confidentiality. Fong said that there is no regulation that prevents a company from passing the data along to its subsidiaries. [Comment: What I find particularly fascinating about this article is its perfect illustration of the world-view of large businesses. Banks, insurance companies and credit agencies collect tons of information about individuals, which they then wish to treat as their private property, to do with as they see fit. They fight "government interference" intended to protect the privacy of that data as expensive, burdensome and unnecessary. But when their precious data is moved over AT&T's lines, all of a sudden they are very concerned that AT&T not abuse it. Not only that, but they want the government to make SURE that AT&T remains on its best behavior! -- Jerry] ------------------------------ Date: Tue, 25 Oct 88 20:12:54 CDT From: aglew%vger@xenurus.gould.com (Andy-Krazy-Glew) Subject: Risks in Answering Machines (revisited) Recently I went to purchase an answering machine. Modern answering machines have all sorts of remote features, features that can be exercised from another phone, by generating touch tones. These features include the ability to listen to already recorded messages, erase already recorded messages, change the outgoing message that answers the phone, etc. There is almost no security for these remote features. The machine I bought has a two digit code, with one digit factory set, and the second digit set by a switch on the machine. The user settable digit can only be set to 3 values! Now, I don't have many secrets, so the idea of people listening to my recorded messages doesn't bother me too much (except for the possibility that a criminal watching my house and knowing my number could intercept a message from me telling my wife that I won't be home for several hours). But I do not like the possibility that someone could, maliciously or accidentally, erase messages, or change my answering message. And I most emphatically do not like the remote listen feature, whereby anyone can call my answering machine, press a dial tone, and listen to anything going on in my apartment. I spent some time looking for a basic answering machine that had only the most basic remote feature, the ability to listen to recorded messages remotely, *without* having them erased. There doesn't seem to be such a system -- if you can remotely listen, you can remotely erase. Unfortunately, it does not seem possible to selectively disable these remote features. Most salespeople were surprised by my concern, but one gave me the service numbers for Panasonic and GE. The Panasonic service was distinctly unhelpful, unable to understand why one might want more than the 256 password possibilities in their top of the line model (a model that uses 3 digits, only one of which is user settable). The Panasonic service refused even to give me an address to which I might write to describe what I think a secure answering machine should be. The GE service was much more sympathetic - but, unfortunately, GE's consumer electronics was sold to Thomson a while back, and the GE service didn't know where to forward consumer suggestions. All this leads me to several questions: (1) Are there any answering machines that have redefinable passwords that are long enough for an acceptable level of security? (2) Are there any answering machines that have only non-destructive remote commands, ie. that only allow messages to be listened to remotely, not reset and overwritten? (3) Have there been any incidents of remote sabotage of answering machines, or, worse, criminal interception of messages, or bugging, as I describe above? Andy "Krazy" Glew, Motorola Microcomputer Division, Champaign-Urbana Development Center [lengthy trailer and disclaimer deleted. PGN] ------------------------------ Return-Path: <@CSL.SRI.COM,@nyu.edu,@phri:eravin@dasys1.UUCP> Date: 24 Oct 88 15:10:19 GMT From: eravin@dasys1.UUCP (Ed Ravin) Subject: Ear-itation I've got my own story to tell about high frequency noises crawling out of computer related devices, and since I'm new to RISKS, my apologies if any or all of this has been discussed before. It all started back in college, when I went to a little office in the computing center. I walked into the room and immediately clapped my hands two my ears and shouted in aversion to the awful sound I was hearing. The two techs in the room, who worked in there most of the day, looked at me like I was crazy, because they didn't hear anything. It turned out to be the high-frequency whining from a Televideo terminal's flyback transformer. The two technicians never reported any ill effects from it. The few times I visited them again I had to stay outside of the office because of the direct pain I would experience walking in there when that terminal was turned on. After that I began noticing the sounds made by all the other CRT's in my life. They were high pitched and slightly irritating, but not painful. I had always, even before meeting computers, noticed the 15khz whine from a TV set, but it had never bothered me. My next experience was with a DEC VT-100. I visited a friend of mine who had an operating VT-100 in a little room in his house. Again, I heard a loud, high pitched whine that I felt as pressure in my ears and pain. He noticed nothing, but said that that particular VT-100 was stacked with option boards and might be overloading its power supply. I've worked with other VT-100 terminals and noticed noise, but not anywhere near as bad as that sample. And the best story of all is the AT&T Unix PC. All of the Unix PC's I ever worked with had a high-frequency noise problem to one extent or another, but the worst offenders were the ones with 40 meg disk drives installed. As soon as I turned on of them on, I would hear a high pitched noise that would slowly rise in pitch until it either went beyond my audible range or got lost in the fan noise. I thought nothing more of it until I realized that I was getting headaches, stomachaches, and feeling irritable without knowing why. I moved the machine to a closet and used it remotely. I polled everyone else at the office, as well as a few visitors from AT&T: almost noone could hear the noise from it, but anyone who had to work in the same room as the machine would eventually start complaining, even if the machine was parked in a noisy machine room. This wasn't limited to one sample, because we returned the machine and got it replaced two or three times, and none of them were acceptable to me. It wasn't just me, because we tried it out on a few other employees, who complained of irritation, stomachaches and toothaches after being in the same room as the Unix PC after a few days. This noise was definitely associated with the hard drive (as opposed to the flyback transformer who is the usual culprit), and was in the 20khz or above range, since I couldn't directly hear it, but felt it as a slight pressure in my ears. I have walked up to airline reservation counters, car rental counters, and other service desks where the ubiquitous VDT is part of the worker's routine, where the worker must sit in front of the terminal all day, and blanched from the whine coming out of the back of the CRT. As a white collar employeee in a technical office, with a moderately eloquent speaking ability, I was able to explain to my managers why I couldn't use certain equipment and they understood and assisted me. The information industry service worker has no such options: you can work on the machine or you can get another job. Managers over 40 probably can't even hear at 15khz, and will not understand what you're talking about. There have been numerous studies of "cluster miscarriages", where a high proportion of pregnant women using a particular brand of VDT all experience miscarriages, but most studies of VDT hazards seem to focus on low level radiation and ignore sound emissions completely. There are no OSHA or NIOSH standards on high-frequency sound or ultrasound emmissions from devices in the workplace: the engineers who build these things are used to listening to 15 or 20 khz whines all day long and no longer notice such things. Maybe my problem is that I never listened to loud rock music and my hearing above 15khz is mostly intact. But even when you can't hear it, that noise can still bother you, as witnessed by the Stevie Wonder experience (if not my own). And I wouldn't be surprised if it has a factor in miscarriages: one of the things ultrasound can do is heat up the tissue under your skin, which is related to the hospital uses of ultrasound devices. The scary thing is that so many people just dismiss this problem because they "can't hear it". Ed Ravin | cucard!dasys1!eravin (BigElectricCatPublicUNIX)| eravin@dasys1.UUCP Reader bears responsibility for all opinions expressed in this article. ------------------------------ End of RISKS-FORUM Digest 7.68 ************************