The RISKS Digest

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Volume 10 Issue 84

Wednesday 30 January 1991

Contents

o "It's not always pilot error" - Official!
Pete Mellor
o IRS overbills for $1B interest
PGN
o Re: Patriots
Dave Parnas
o Re: Risks of automatic flight (flying at low level)
Brinton Cooper
o Automated brokerage service
Kent M Pitman
o Re: Broadcast local area networks are a'comin
Brinton Cooper
P.J. Karafiol
o Re: Electronic cash
Bob Stratton
Rick Smith
Stephen Perelgut
Art Medlar
who-news?
Ed Ravin
Leslie DeGroff
o Info on RISKS (comp.risks)

"It's not always pilot error" - Official!

Pete Mellor <pm@cs.city.ac.uk>
Tue, 29 Jan 91 22:00:48 PST
    Tube train's open doors beat fail-safe   (By-line: Dick Murray)
    London Evening Standard, Thursday, 24 January, 1991

A tube train travelled four stops with a set of double doors open after its
"fail-safe" system broke down, it was revealed today.  The driver was not aware
of what had happened until alerted by an off-duty Tube manager who was
travelling on the Circle-line tube at the time.

London Underground has always described such an incident as "the one which
could never happen", and now seriously concerned engineers are worried that a
similar fault might occur on other trains.

The train has had a detailed examination and a full inquiry began today.
Luckily, the incident happened at one of the quietest times of the week, early
on a Saturday morning, but drivers are now worried about the consequences of a
similar incident taking place on a crowded rush-hour train.

London Underground says the driver of the train, which travelled between
Aldgate and Farringdon [the stop at which I get off! - PM], was not at fault.
A light in the cab's control panel tells a driver when all doors are closed.
If a door does not close, the "fail-safe" system should come into operation and
prevent it from moving off.  But in this case - the train was driver-only with
no guard [Sorry to say "I told you so!", but see my previous mailing! - PM] -
it seems the fault may have affected the panel light operation and the
automatic "fail-safe" system.  One driver said: "He got the light that
everything was OK. He acted by the book."

An Underground spokesman confirmed the incident took place on Saturday, 12
January, and said: "The 6.18am from Aldgate was taken out of service at
Farringdon after a report from a supervisor on the train.  A set of doors
remained open but it appears the driver was not aware of this.  It would appear
to have been a train malfunction."

Peter Mellor, Centre for Software Reliability, City University, Northampton
Sq., London EC1V 0HB +44(0)71-253-4399 Ext. 4162/3/1 p.mellor@uk.ac.city (JANET)


IRS overbills for $1B interest

"Peter G. Neumann" <neumann@csl.sri.com>
Wed, 30 Jan 1991 10:15:21 PST
Having ruled that Dickie Ann Conn of San Jose CA owed $67,714 in back taxes,
the IRS billed her for more than $1 billion (including penalties).  (The ruling
was based on the precedent of a recent court case, and stemmed from charitable
deductions to the Church of Scientology that Conn had claimed over six years.)
When she called the IRS to object, she was told by a clerk that her only
recourse was to sue the government.  Yesterday the IRS admitted that they had
found a mistake in the interest calculations, and said they will correct it.
[Source: San Francisco Chronicle, 30 Jan 91, p.4] (Conn is a computer consultant
and part owner of Connsult Inc.  She is probably used to jokes about Conn Jobs,
but in this case it sounded as if the IRS was trying to be Conniverous.)


Re: Patriots (Wegeng, RISKS-10.83)

Dave Parnas <parnas@qucis.queensu.ca>
Tue, 29 Jan 91 17:35:20 EST
Don Wegeng writes that sensors that were developed as part of the SDI research
program, and first tested about six months ago, are now deployed on the
thousands of Patriots in the field.  This is so inconsistent with my experience
with DoD deployment that I would not believe it unless the source was willing
to be identified.  There is a long road between first tests and deployment and
it is not usually travelled in six months.

One should also note that this would mean that SDI money was used to enhance
the Patriot, not that SDI software technology was used to enhance the Patriot.

Dave Parnas


Risks of automatic flight (flying at low level) (RISKS-10.83)

Brinton Cooper <abc@BRL.MIL>
Wed, 30 Jan 91 9:39:30 EST
Olivier M.J. Crepin-Leblond <MEEB37@vaxa.cc.imperial.ac.uk> reports on the
risks of automatic flight (flying at low level) incurred by fighter pilots:

Perhaps the U.S. Air Force should consider abandoning HUMAN pilots for very low
altitude flights of this type.  As the proposal often begins,

    "Research is required..."


Automated brokerage service

Kent M Pitman <MP@STONY-BROOK.SCRC.Symbolics.COM>
Thu, 20 Dec 1990 15:38 EST [recently resent, never previously received]
My company's stock recently did a one-for-ten reverse split and I wanted to
follow the changes in its price.  I figured I might as well use the Charles
Schwab 24-hour 800 number with `automated telebroker,' so I could just punch in
the stock symbol and get info automatically.

I did this a few times at intervals after the split, and it kept telling me
that it was bid at 2-1/4, and asking 2-7/8.  Eventually I became suspicious.
Finally I heard a different price from someone and decided to call Schwab and
find out the straight story.

The guy tried to call up the price of SMBX on his computer and said it wasn't
there.  I assured him it had worked when I tried.  Then he said, ``oh, it's
trading under a new symbol--SMBXD.  It's at--'' and I forget exactly what price
he quoted but it was in the low 1's.

So my stock [fortunately not major dollars] had lost half its value and they
hadn't kept me aware.  Great.  [I wondered if there was any recourse, but
somehow doubt it.] The guy agreed it was a problem that should be fixed and
promised to notify the appropriate people.

Pretty clearly the bug was [and perhaps still is] the presence of an open
record for an account that was `renamed' when the reverse split occurred.

I called a couple days later to see if it had been fixed.  Nope.  At first the
attendant denied that you could call up such a record, and then said ``oh, are
you using that telebroker service?'' What did he think I was using?  The first
thing it says when I call up is to press `1' for the service if I'm using a
touch-tone phone.  Then when I explained the story about how I'd asked that it
be fixed, he said (as if this explained off the problem) ``well, that's an
automated service.''  He went on to add something to the effect of ``If you
really cared, you should have followed it more closely and noticed the problem
sooner yourself.''

From a corporate point of view, I thought he put forward a phenomenally bad
image for his company and I will pursue that gripe via the company's
customer relations department.  But from a pragmatic technological standpoint,
he was probably right.  Being in the computer business, I should probably have
known enough to understand that even an automated system like that still relies
on lots of human care and feeding, and is likely to have lots of problems.
Still, I wonder how many non-computer people understand that risk.

The other thing that bugged me in talking to him was the fact that I tried to
explain why it was a bug that when I asked for the dead account, it echoed back
``Symbolics Incorporated'' when all I'd punched in was its code, 73612292
[their telephone keypad code for "SMBX"].  But even now, when I punch in the
right symbol, 7361229231 ["SMBXD"], it echoes back "ess em bee ex dee" and
doesn't give me tons of confidence that I'm even asking about the right thing.
He didn't seem to see why that was a problem.  I tried explaining several
different ways why it was important for the system to echo back something
meaningful after I pressed a bunch of digits so I could know I'd pressed the
right ones, and he couldn't seem to grasp why I felt that hearing the right
name after punching the wrong digits contributed to my feeling of having been
deceived, or why it bothered me that even now if you pressed the right digits
you heard something that was not the name of the company.

There should be a place in the world where you can send bug reports about
companies whose facilities for accepting bug reports are broken.  In the long
run, the free market may attend to these things, but in the short run that's
not much of an answer.
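
The failure described in the post above (a renamed symbol whose old record still answers with a quote, and an echo that does not confirm what was keyed), sketched as an added example that is not from the original post or from the brokerage's system. The two-digit-per-letter keypad scheme is inferred from the two codes quoted in the post; the record layout, the status field, and the SMBXD prices are constructed for illustration.

```python
# Added example: keypad symbol entry with stale-record handling.
# Encoding inferred from the post: each letter is keyed as two digits,
# the key it sits on followed by its position on that key (S = 7,3).

# 1991-era keypad lettering (no Q or Z), an assumption consistent with
# 73612292 -> SMBX and 7361229231 -> SMBXD.
KEYPAD = {"2": "ABC", "3": "DEF", "4": "GHI", "5": "JKL",
          "6": "MNO", "7": "PRS", "8": "TUV", "9": "WXY"}

# Constructed sample records. The SMBX bid/ask are the figures the post
# says were being read out; the SMBXD figures are placeholders.
RECORDS = {
    "SMBX": {"name": "Symbolics Incorporated", "status": "renamed",
             "successor": "SMBXD", "bid": "2-1/4", "ask": "2-7/8"},
    "SMBXD": {"name": "Symbolics Incorporated", "status": "active",
              "successor": None, "bid": "1-1/8", "ask": "1-1/4"},
}


def decode_keypad(digits):
    """Decode key/position digit pairs into a ticker symbol."""
    if not digits or len(digits) % 2 != 0:
        raise ValueError("incomplete entry: need two digits per letter")
    letters = []
    for i in range(0, len(digits), 2):
        key, pos = digits[i], digits[i + 1]
        group = KEYPAD.get(key)
        if group is None or pos not in ("1", "2", "3"):
            raise ValueError(f"invalid key/position pair {key}{pos}")
        letters.append(group[int(pos) - 1])
    return "".join(letters)


def lookup(digits, records=RECORDS):
    """Return (spoken_echo, quote). quote is None unless the record is active.

    The echo always names both the company and the spelled-out symbol, so
    the caller can tell which record answered, and a record that has been
    superseded never returns a price.
    """
    symbol = decode_keypad(digits)
    spelled = " ".join(symbol)
    rec = records.get(symbol)
    if rec is None:
        return f"No listing for {spelled}.", None
    if rec["status"] != "active":
        # Stale record left behind by a rename: say so and point at the
        # successor instead of reading out the old bid and ask.
        msg = f"{rec['name']} no longer trades as {spelled}."
        if rec["successor"] in records:
            msg += f" It now trades as {' '.join(rec['successor'])}."
        return msg, None
    return f"{rec['name']}, symbol {spelled}", (rec["bid"], rec["ask"])


if __name__ == "__main__":
    for entry in ("73612292", "7361229231"):
        print(entry, "->", lookup(entry))
```
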


Re: Broadcast local area networks are a'comin (Tom.Lane, RISKS-10.83)

Brinton Cooper <abc@BRL.MIL>
Wed, 30 Jan 91 9:44:24 EST
Tom.Lane@G.GP.CS.CMU.EDU reports on the filing by Apple computer for allocation
of radio bandwidth to implement wireless local radio networks.  He correctly
observes

>The risks should be pretty obvious to readers of this digest.  Somebody in
>the next building could eavesdrop on your traffic, or actively connect into
>your net, with NO special hardware.  I sure hope Apple is at least planning
>to encrypt the packets... (But if they are going to support 10Mb/sec data rates, the
>encryption would have to be fairly weak, methinks.) ...

Beyond this, the risk for spectral chaos seems to be quite high.  Imagine the
RFI (radio frequency interference) implications of a central city full of
wireless ethernets(tm?) attempting to coexist with cellular phone, radio paging
systems, public safety radio, business use of dispatch radio, amateur radio
repeaters, etc. Pulsed signals at 10 Mb/s may well wreak havoc in many such
receivers.
                                        _Brint


Broadcast local area networks are a'comin

P.J. Karafiol <karafiol@husc8.harvard.edu>
Wed, 30 Jan 91 09:52:44 -0500
This summer I saw ads for a similar product: Appletalk LANS created by a system
of infrared transmitters and receivers.  The idea was that each desk would have
a doodad that would bounce the signals off the ceiling; the system was designed
for a cubicle-type environment where offices were reconfigured frequently.  It
was about $500/connection.  This seems more reasonable than the radio LAN
because we are talking about a true line-of-sight kind of communication;
besides, the beams were only sufficiently intense for about 150'.  To intercept
this LAN would require a listening (watching?) post *outside*the*window* of the
offices in question.  The obvious defense would be to locate on the 56th floor
. . .
                        == pj karafiol


Re: Re: Electronic cash completely replacing cash (Lamb, RISKS-10.82)

Bob Stratton <dsc3rjs@nmdsc20.nmdsc.nnmc.navy.mil>
Tue, 29 Jan 91 15:51:10 EST
> ...There's a prophecy in Revelations about "the mark of the Beast" without
> which one could neither buy or sell.  ...

As I understand it, the world's largest EFT (electronic funds transfer)
computer, which I believe to be in Switzerland, is affectionately nicknamed
"The Beast", and more than one religious group has capitalized on this fact in
its literature. (I've seen some of it, but it was a while ago...)

Bob Stratton, Stratton Systems Design, strat@ai.mit.edu   +1 703 823 MIND


Re: Electronic cash completely replacing cash (`witt', RISKS-10.81)

Rick Smith <smith@SCTC.COM>
Tue, 29 Jan 91 17:35:19 CST
As a "cash resistant" individual, I enjoyed reading the proposals to "eliminate
cash."  Personally, I usually carry only enough cash to pay for lunch for the
week, and use credit cards for everything else.

But I don't think the "Americard" proposal would work. Not in America.  The
author's recommendations require the assignment of a unique number that gets
copied and used in virtually every transaction.  This sounds like a clone of
the Social Security Number, and I think the current trend in restricting use of
SSNs bodes ill for the implementation of similar numbers. It is also not clear
whether the author expects that private credit card organizations will be put
out of business for this government boondoggle, but it seems to be implied.

Most people know that their credit card numbers and Social Security numbers are
sensitive information. You don't give your credit card number to just anyone.
Right now, credit card numbers are used by a fairly restricted set of
organizations. The banks who process credit card purchases for stores are very
careful about the stores they work with. The bank and store are very, very
interested in the security of these transactions. The store doesn't want any
improper credits and the bank doesn't want any improper sales.  Credit slips go
into a special pile that unauthorized people can't go looking through. But if
every Tom, Dick, or Harriet can plug in their Americard reader and post
"payments" from other people, how soon will it be before someone builds the new
generation "blue box" that steals money electronically?

>...  Muggers and bu[r]glars would be out of business: no one would
>be carrying cash and stolen property would be difficult to sell
>because there would be records of all transactions....

Burglary begins at home. Why hit the streets if you can steal it all with a
little box of electronics?

>        Think about it.  Drug deals, muggings, corruption, businesses
>concealing their income - they all require cash and secrecy.  A
>monetary system based solely on electronic currency would leave a
>trail that would cripple such enterprises.

And people will establish electronic laundries to undo all of this.
Transactions will identify buyer and seller, and probably include some
transaction-specific code agreed on by the buyer and seller.  For example, if
I'm paying my phone bill I use code 1234506 and if I'm paying for overpriced
repair services I use code 9876765, both paid to the phone company. Or, if I'm
trying to launder a transaction, I funnel it through some bizarre set of
recipients with a peculiar set of transaction codes. The recipients have to be
in on it, of course, so a good laundry would probably be a regional fast food
chain, for example. In order to trace laundry transactions you'd have to
reconstruct numerous "small" transactions and follow them through accounts that
would be gone when investigators went looking for them.

The only way to prevent such laundering would be to pass laws, laws, and more
laws, trying to stay ahead of potential data paths. Most of the laws would be
unenforceable without a platoon of data police. You'd bind up business with so
many transaction regulations that the economy would grind to a halt. And we'd
get a centralized economy that even Josef Stalin would envy. As it is, a
variety of small businesses have special treatment under currency reporting
regulations. That keeps them from going out of business due to excessive
regulatory paperwork.

>...  The benefits would be tremendous.  Individuals and businesses
>would no longer be able to conceal income.  All transactions would be
>recorded in a computerized bank file and would be easy for the I.R.S.
>to check....

This is a benefit? I don't think the proposer has any idea how massive such a
file would be. It took the IRS years to set up a fairly mundane procedure to
cross check income reports against individual tax returns. That handled
millions of transactions per year. The other database would be millions per
day, if not per hour. People could conceal income by just refusing to report it
twice. Data like that can only be used after they filter it. The only things
they'll find are things they look for. You bypass such things by hiding the
"bad" transaction behind a set of "good" ones. And it's just a case of staying
one step ahead of their filtering program, which can't look for everything.
After all, it's only a computer.

Finally, some economic considerations:

>        In place of paper money, we would receive new cards - let's
>call them Americards - each bio-mechanically impregnated with the
>owner's hand and retina prints to insure virtually foolproof
>identification. ...
>At lunchtime, you would go to your favorite [restaurant] - or the local
>hot dog stand - and instead of paying cash, you'd use your Americard.

This is the technological battering ram hitting the proverbial fly.  Each hot
dog stand needs a high reliability, secure, bidirectional link to the
international electronic funds financial network (typical hotdog stands don't
even have telephones, after all). This link is connected to a device that does
pattern recognition on fingerprints or retinas, and reads some data off of a
card. Finally we find it attached to a numeric keypad. And it's probably as
easy to use as a helicopter. As a kid I remember predictions of the "mass
market personal airplane." It never happened. Some technological systems are
too costly. I expect the bio-identification and the security problems will keep
the costs of "Americard" very high indefinitely.

In any case, how do you know you can trust a cheesy vending machine at some gas
station to charge you a quarter and not $25.00 ??  We already have that problem
with pay phones.

Rick Smith, SCTC, Arden Hills, Minnesota


Re: RISKS DIGEST 10.82

Stephen Perelgut <perelgut@turing.toronto.edu>
Tue, 29 Jan 91 21:59:13 EST
More cash-card questions (from an infrequent reader).  What happens to
people travelling from outside the U.S.?  Do we stop at immigration and
get an Americard?  Is it a credit card, debit card, ???  What about
Americans travelling outside the country?  Surely they would use the
appropriate currency.  I'd guess that Canadian $'s would become the
coinage of the underground marketplace thereby artificially inflating
the value of $CDN thereby destroying one of our economic underpinnings.


Electronic cash completely replacing cash

Art Medlar <art@big-ben.UUCP>
Tue, 29 Jan 91 20:27:09 PST
>    If all the people who do business in cash were forced to report
>their incomes accurately - if the under-ground economy were forced to the
>surface - the Government could collect an additional $100 billion a year
>for the nation[a]l treasury - without raising taxes.  States and cities, many
>in serious financial trouble, would also benefit from collecting
>previously unpaid income and sales taxes.

Though not all would agree that this is a RISK of the technology (as opposed to
a benefit), certainly one potential outcome of Mr. Wachsman's scheme would be
the enhancement and strengthening of the very underground economy he seeks to
destroy; and consequentially the elimination of even more tax income from the
national treasury.  An active, established barter system, and a thriving black
market economy based on the easily convertible currency of some foreign
country, would tend to destabilize and decentralize the control of the monetary
system.

But it's in the subtext of Mr. Wachsman's loopy proposal that the real RISK
lies.  I've heard that there's a delightful Yiddish word, "farpotchket" I
think, which means not simply broken, but broken because somebody tried to fix
it. The danger of the haphazard application of computer technology to
situations that are really getting along just fine in the first place should be
apparent to all.
                                        --art


Cashless society

C-News <news@eng.umd.edu>
Wed, 30 Jan 91 09:37:22 -0500
The risks of a cashless economy are charmingly illustrated in the fiction of
Frederik Pohl.  I especially recommend The Space Merchants by Pohl and C. M.
Kornbluth.
                           [The c-news are tensed these days?  Who are you?]


Re: Electronic Cash

Unix Guru-in-Training <elr%trintex@uunet.UU.NET>
Wed, 30 Jan 91 08:59:54 EST
For an excellent treatment of how easily an electronic cash system can be
abused by the government in power, check out "The Handmaid's Tale" by Margaret
Atwood.  The theme is a Christian Fundamentalist takeover of the US Government.
In one scene, the new government in power decides that women shouldn't be
allowed to handle money (hmm... sounds like Saudi Arabia, doesn't it).
Everyone in the country was already using an "Electrobank" card system, and
women's account numbers ended in an even numbered digit.  One day everyone
wakes up and women's cash cards don't work anymore.  All their balances were
switched to their husband's, father's or other patriarchal figure (such as the
government itself).

The simplicity of Atwood's scenario and its nearness to our current reality is
chilling.  (This applies to most of the scenarios in the book.)  I was
especially struck by this section, perhaps because in spite of the fact that I
work with computer networks every day and consider myself well informed on
these threats to our civil liberties, 1984 just never seemed so close as when I
read this novel.

Ed Ravin, Prodigy Services Company, White Plains, NY 10601
    philabs!trintex!elr   +1-914-993-4737


Comment on all electronic currency

Leslie DeGroff <EGROFF@GENIE.INTELLICORP.COM>
Tue, 29 Jan 91 14:02:53 PST
   Being a day behind on reading RISKS many of my comments have been made by
others but I would like to make two additions to the commentary.  The
"Underground" economy is a vigorous part of the system and in many places and
times when the official currency of a country is at risk, either by price and
bank controls or by simply not being worth much, you find that the most valued
street money is some other country's currency. For example in many parts of
Asia or Eastern Europe a greatly desired street currency is US dollars... which
are generally not easily exchanged locally for official goods or currency. The
coupling of the official currency and the subeconomy by cash is not typical or
required for it to work. Note also the current Soviet attempt to withdraw large
bills from circulation...  partly to try and weaken the subeconomy.
   A second point that I think is critical is that such a scheme has many
attractions to banks and government officials and in a severe financial crisis
might be sold to the American public (or at least to the elected officials).
Among its attractions besides better control of taxation; more precision in
economic statistics, ability to quickly deflate/inflate currency especially in
regards to foreign exchanges (out of one currency into another).  Such a system
is an attractive trap and one that one can slip slowly into.

  today (credit and debit cards (more than one per American)
         legally mandated reporting of large cash transactions
         S&L and bank problems and discussion about limits
         on government backed deposit insurance)
  tomorrow
         (taxes need to be paid by transaction card
          with valid ID
          Social Security cards that are magnetic media
          encoded (there was a note recently in Risks
          about California Drivers Licences on encoded cards)
          Costs continue to decline for access and software
          systems.)
 end point
         A primary cashless system (by law and by withdrawal of
         currency and coin) and an underground economy back to
         specie (gold and silver), barter and other countries'
         currency.

Leslie DeGroff                                        Degroff@Intellicorp.com
