The Sun, Tuesday, February 5th, 1991, p. 6: A tube passenger was dragged to his death after getting his arm trapped in a train's automatic doors. Four pals inside the carriage watched as the victim was pulled along the platform and smashed against the tunnel wall at London's Kings Cross. He was then sucked under the moving train. But the friends have not come forward, and the man - believed to be Italian - has not been identified. ********************* I was puzzled that this was not reported in the Guardian, or on the evening TV news, so I rang London Underground's PR department for confirmation. It happened on Sunday night, on the Northern Line. Apparently the man, being separated from his friends as the doors closed, had opened them by operating the butterfly clasp on top of the carriage. (Presumably this is intended for staff use only, to open doors in exceptional circumstances.) The doors then closed faster than he expected, so trapping him before he could get on. (The fact that the butterfly clasp had been operated, presumably meant that no warning signal was sent.) According to the PR department, neither the guard (still employed on older parts of the underground) nor the driver were to blame. LU PR are surprised, however, that the man was able to reach and operate the clasp. It looks like a case of "No system is foolproof. It all depends on the size of the fool!", but there may be some design implications here. Surely, for instance, a warning should be given if a door is open for *any* reason? In the meantime, London Underground is making 1000 staff redundant to cut costs. According to one union leader, this will lead to unmanned stations at night, and take the underground closer to being a "passenger-hostile system". Peter Mellor, Centre for Software Reliability, City University, Northampton Sq.,London EC1V 0HB +44(0)71-253-4399 Ext. 4162/3/1 email@example.com (JANET)
>From the New Zealand Herald, January 15th, 1991, p. 4. NZPA — Wellington A computer processing error at Databank has thrown many savings account balances out of kilter. Misalignment of account number suffixes prevented Databank's computers from identifying some recipient accounts. The computer posted payments to a safe holding file until the problem could be resolved, Databank said yesterday. Although current accounts (those with 00 suffixes) were not affected, accounts with other suffixes (such as 02, 03) may not have received payments made on Friday. This problem would show up on automatic teller machine and Eftpos inquiries into savings and special accounts. All bank in New Zealand were affected but the problem was expected to be resolved by start of business today, Databank said.
Extracts from Finance and Economics article, The Guardian, 1 February 1991: A bank engineer is being interviewed by police investigating unauthorised withdrawals from cash machines. It is alleged that money was withdrawn from customers' accounts through information gained during the servicing of machines operated by Clydesdale Bank. ... Since the first cash machines appeared ... all banks have denied that "phantom withdrawals" are possible, despite the fact that public complaints alleging such withdrawals make up the biggest single item in the banking Ombudsman's caseload. In only one of many hundreds of complaints has the Ombudsman found in the customer's favour ... Last year, 482 complaints about cash machine withdrawals were lodged ... None were resolved in the customer's favour. The only time the Ombudsman did find for the customer, in 1988, it was on a legal technicality. The first Ombudsman ... said his office accepted the banking industry line that withdrawals could only be made by a person using a card and a number. The banks have never accepted that cash-machine withdrawals could be made as a result of computer error or internal security breaches. Clydesdale said: "Unauthorised transactions were revealed as a result of our investigative procedures and the police advised. Only a very small number of accounts has been affected and the bank has written to them." Stella Page, Centre for Software Reliability, The City University, Northampton Square, London EC1V OHB, United Kingdom.
Robert Powell reports in the Boston Herald, February 5, 1991, that from January 8 to February 4 callers were able to access info on any Fidelity Investments shareholder's account for which blocking had not been specifically requested -- solely via the investor's SSN. The access is still available for most Fidelity accounts. From the article: The program, introduced Jan. 8 and called Fidelity Telepeople Collection, lets folks dial an 800 telephone number. After being prompted by a computer, callers key in their or any customer's Social Security number to learn holdings of stocks, options, and mutual funds. People who knew the Social Security numbers of Fidelity's bigwigs like Chairman Edward C. Johnson or Peter Lynch could easily learn whether Johnson put his money where his firm is, or just how many shares of the Magellan Fund Lynch owned. The Social Security numbers of most executive officers of investment advisory firms is on file with the Securities and Exchange Commission. Fidelity, in reaction to a story in yesterday's Wall Street Journal, blocked the public's access to Fidelity executives' accounts. The article goes on to add that individual shareholders can request that telephone access to their accounts be blocked, according to Tracey Gordon at Fidelity. Marketing manager Judith McMichael adds that ...Fidelity changed the access code to the telephone service from a customer's account number to his or her Social Security number because of overwhelming customer support during the company's research. And Fidelity has only received three complaints to date, she said. Eric Kobren, the president of Mutual Fund Investors Association, is requesting that his subscribers call Fidelity to ask them to require a PIN tag for the service. Carol Springs firstname.lastname@example.org
In Risks 11.02, PGN writes: > Here is another example of ordinary mortals having to gain sophistication > in the vagaries of automated systems in order to maintain their cool. Who are you calling a mere mortal?-) Despite having read Allan Meers' posting (Risks 11.01) *I* got burned this morning, and not by an older machine, either. Around 11 AM I entered the lobby of the (brand-new) post office in Webster NY. Approximately 35 people were waiting in line, so I turned to the (brand-new) stamp vending machine. Several of the selections were flashing "SOLD OUT" but (great!) rolls of "F" stamps were still available for $29.00. There was a puzzled couple ahead of me; they'd fed a dollar into the machine thinking they could buy *one* F stamp, and were now trying to figure out what to do (no purchase, no change; cheapest non-sold-out option was 10 23 cent stamps for $2.30). I offered to feed the machine a $10 and a $20 bill, buy the $29.00 roll, and split the $2 change. (There was a big sign posted next to the machine warning about no change without purchase, noting that change up to $5 would be given in coins.) No problem. . .until I got my stamps. Displayed credit dropped from $31.00 to $2.00. Pressed the CHANGE button. . .display changed to flashing "OUT OF COINS - NO CHANGE AVAILABLE"! Gotcha! There was *no* warning of this state until change was requested. Getting a refund required pushing to the front of the line, flagging down a clerk, then filling out a long postal refund form IN DUPLICATE. . .and, for all I know, waiting for a government check to arrive from Washington. We decided to feed the machine some more change and take our change in 23 cent stamps, so the other guy put in 35 cents (no nickel). . .and THEN we noticed that the machine had quietly eaten the $2 credit. At this point we gave up; final score me -$1, them -$1.35, USPS +$2.35. It seems the programmers did anticipate this problem (credit stuck in the machine with no means of recovery). From the Postal System's point of view, this is a problem because IT DISABLES THE MACHINE. So, apparently, the solution is to clear unused credit after 60 seconds of inactivity, thereby "resetting the trap." Mark <MJackson.Wbst147@Xerox.COM> "This U.S. stamp, along with 25 [cents] of additional U.S. postage, is equivalent to the 'F' stamp rate" - Official Algorithm of the US Postal Service
I just got a phone message from one of my credit card companies, asking for a return call. However, when I called their 800 number, I got a computerized answering system. The second prompt was "please enter your 16-digit account number now." Happens I have two cards from that company; which had they called about? Hang up, try again — this time I figure I'll pretend to have a dial telephone and talk to a human. Wrong. The hardware is actually smart enough to detect dialing on a dial phone, and my fancy PBX won't let me masquerade by flashing the hook. Okay, I'll wait for a timeout. Wrong. After the timeout it insists on a number. Okay, how about an obviously incorrect number? After 16 5's, it pauses and then complains that the account number is incorrect, returning me to the original prompt. In frustration, I begin composing this message. While typing, I notice that there is a "flash" button on my PBX phone. Maybe that'll let me pretend to be a dial phone. Nope. But my PBX is screwy enough that this attempt put the line on hold without my noticing. 60 seconds later I notice the flashing light and pick up, just in time to get a voice saying "Hello?" I say "hello," and the person at the other end asks for my account number. But now I've got a human, and when I tell him my problem, he is smart enough to handle me without insisting on the account number. Surprise! I have more than two cards with that company, because they just bought out another of my cards! So now which card do they care about? The only good thing (other than a chuckle) about this whole thing is that the phone answering system is still on trial, so if I can remember to call on Monday, I can talk to a responsible person and perhaps (especially by mentioning RISKS) affect their go/no go decision. If I didn't love them so much, I'd hate computers... Geoff Kuenning email@example.com geoff@ITcorp.com
I guess risks readers haven't stopped for gas on the Ohio turnpike lately. A new service is being offered on the Ohio turnpike by Sohio (a division of BP Oil). I'll quote their flyer: " New from SOHIO and the Ohio Turnpike ... [Their ellipses] Now, RAPID PUMP lets you charge your gas quickly and conveniently right at the pump. If you need a receipt, RAPID PUMP will give you one. No need to walk to the cashier. Just charge your gas at RAPID PUMP, and drive away. " On another flyer the operation is explained: " 1 Just insert and remove your card ... RAPID PUMP automatically checks for authorization. If you would like to cancel at any time before pumping fuel, use the CANCEL button. You may also press the HELP button at any time for assistance 2 Need a Receipt? Watch the display screen and select either the YES or the NO button 3 Then select your fuel ... [text irrelevant to risks] 4 Stop when you want ... When you reach the dollars and gallons you want, slide the lever down, replace the nozzle and your gas cap. If you did not request a receipt, your transaction is complete and you may drive away. 5 If you requested a receipt ... RAPID PUMP automatically prints your receipt for you. Take it and drive away! " Having read risks for a while (or rather, having read the archive recently), I did not try this 'convenience' out. Just in the time I was pumping gas I came up with several _risky_ questions about the process: What verification is there that the card that is authorized is really mine? What happens if the receipt disagrees with the amount pumped? How about if my number is not cleared from the pump's memory and I get billed for the entire day's gas from that pump? How do I get that receipt if the machine is out of paper? Will is _always_ know that it can't print _before_ I pump the gas? There are quite a few that risks readers could come up with. This situation does start to merge in to the 'Americard' type of risks as well. Perhaps this gas pump is a harbinger of the 'Americard'. I hope not. Bob Grumbine
Recently in Toronto the Ministry of Transportation has introduced a system to regulate/inform motorists while driving on a large section of highway that crosses almost centrally through the city (also known as the 401). This highway has approx 16-20 lanes of traffic which has the daily weekday tendancy to come to a full and complete stop during morning and afternoon rush hours. The system they have given us consists of electronic signs much like typical Stadium Scoreboards on which they will display messages about traffic conditions ahead, behind, or wherever that they collect from a set of TV cameras and wire loop sensors that are installed along the highway. On a smaller highway that runs through the city they installed a single smaller version of the big signs now installed, and for the last year or so they have been conducting tests with it (I assume). Now usually this smaller sign has contained a simple message saying what the next exit is, but a few times it has displayed messages about weekend highway closures. This has resulted in the best chaos I have seen next to the typical rush hour stuff. There is a serious danger here of people crashing into others who are either reading the message, or trying to avoid someone else who is. This is ONE sign. I figure there are about 30 of the big ones now going to be used. I can only imagine what we are going to see happen when they start displaying things like "LEFT LANE BLOCKED, USE COLLECTORS AHEAD" and 700 motorists first slow down to read this and then try and pull over to the two rightmost lanes in order to exit off that section of the highway. I suppose they could use some of the other signs available to tell of the impending disaster in the collector lanes. ISOTECH Computer Industries, Toronto, Canada ....Rich (rsnider@xrtll) Ls not 1s ....uunet!itcyyz!xrtll!rsnider
I would like to expand on the issues raised by Martyn Thomas concerning reliability requirements, expectations and predictions. Mr. Thomas points out that it is unsound to predict the reliability of one system from knowledge of the reliability of another, "similar" system. In my opinion, this is the major problem with using reliability growth models to predict the reliability of a system. Whenever changes are made to fix errors discovered by testing, the result is a new system. The new system will certainly be similar to the old system, but because the changes may have introduced or uncovered new faults, we cannot predict that the reliability of the new system will have any fixed relationship to the reliability of the old system. It seems clear to many investigators of software reliability that the only way to gain confidence that a given level of reliability has been achieved is to have a period of failure-free operation longer than the required period. Therefore we must change some of our reliability requirements and definitions in order to make reliability testing practical. I believe that someone has already pointed out in a previous RISKS debate concerning the A320, that there are great differences in the control requirements and safety requirements between takeoff, level flight, and landing. It is much more feasible to test a system over a large number of simulated takeoffs and landings than it is to test for an extremely long operating time. Similarly, as Mr. Thomas points out, for on demand systems. My own concern is with nuclear reactor shutdown systems. While these systems are "on-demand" (they are only required to "act" to shut down the reactor when some kind of process anomaly is detected), they are in continuous operation in a monitoring role. In order to make reliability testing feasible, it is necessary to design the system in such a way that each individual test need not include the months of steady-state operation which generally precedes a shutdown demand. We must also be careful to define our reliability requirements to separate the shutdown function and from the less critical monitoring and reporting functions. The Canadian Atomic Energy Control Board is currently working on ways to define, test and review software safety system reliability. I would also welcome further discussion of these issues in RISKS. Richard P. Taylor, Atomic Energy Control Board (AECB), P.O. Box 1046, Station B, 270 Albert St., Ottawa, Canada, K1P 5S9 (613) 995-3782
California did indeed introduce a new format of Driver's License. I've been following the issue for a while as part of CPSR's Palo Alto working group on Computers and Civil Liberties. Here are some of the details: There will be a magnetic stripe on the back with three tracks encoded on it. The middle track will be encoded in the same format as your credit cards, and will therefore be readable with ordinary commercial readers. This track will only contain 40 bytes of information, and will only contain the name, driver's license number, and expiration date. The other two tracks will be in a format that is incompatible with current commercial readers, and will contain the rest of the information that is printed on the front: birth date, eye color, hair color, height, weight etc. The picture on the front will be an ordinary photo (I'm not sure whether it'll be color or B&W), with a hologram of the state and DMV seals to make counterfeiting harder. There will apparently be a different version for people under the legal drinking age: the picture will be on the right instead of the left. (This tidbit from the Mercury News. I hadn't noticed it before.) The DMV says that the first and third stripes will be encoded at a higher density and "corrosivity." Apparently corrosivity is resistance to changing the pattern of magnetization. (I welcome corrections or expansions on this point.) I'm not sure whether "Orsteds" are measures of density or corrosivity, but they say that the standard specifies 30 Orsteds, and that's what the middle stripe will use, while the other two stripes will be encoded at 3600 Orsteds. The difference in density is for incompatibility with current commercial readers, though I'm not convinced that new readers won't be made available soon to the California business community. The difference in magnetization is intended to make the cards harder to erase or rewrite. I don't know whether it'll do any good, or whether there will be penalties for carrying an erased card around. I fully intend to see if I can erase my card first thing when I get one. The primary purpose of the new cards, according to the DMV, is to make it easier for police officers to fill out tickets correctly and quickly. There will be readers for the new cards in all state police cars, though I don't know what the schedule for installation is. They'll probably wait until a significant proportion of the citizenry have the new licenses. A secondary purpose is to save money and time when issuing renewal licenses. The DMV (actually, the contractor who won the bid) will keep digitized records of the picture and other data on the card, and when renewal time comes around, they'll be able to just pop a brand-new card in the mail. This will get rid of the certificates of renewal and address update cards that Californians now carry around with their licenses until they get a new card. Another purpose (as evidenced by the fact that the stripes are partially compatible with commercial readers) is making the information more easily available to merchants. Since the information is accessible, merchants will find a way to use it. The most likely way is to keep track of customers and their habits. More efficient access to the bad-check data bases is a laudable goal, but it's cost will be that more information will be stored about everybody who's willing to let their licenses be scanned in the name of efficency. I've tried to explain this point to members of the state legislature, but without success. The fact that I didn't find out about the plan until after the DMV had gotten some approval and had requested and started processing bids didn't help my case. In a response to a letter of mine, Assemblywoman Delaine Eastin (Chairwoman of the committee on Governmental Efficiency and Consumer Protection; now there's a pair of incompatible goals for one committee to work on!) wrote: "I share your concern that the stripes, if used improperly or if expanded beyond the current plan, could constitute an invasion of privacy. A society where people carry around magnetically coded `ID' cards for use by police and store-keepers would not be one most of us want to live in. Nevertheless, the DMV plan, limited in its scope, seems like a relatively benign way to save time and money for everyone." The new licenses constitute exactly the "magnetically coded `ID' cards for use by police and store-keepers" that she said we wouldn't find acceptable. Merchants will start asking customers for their licenses, and most customers will comply unthinkingly. Those who see the deeper privacy issues and don't want their identity recorded along with their buying habits in yet another computer system will have to contend with clerks who just do what the boss tells them to. They won't be allowed to ignore those behind them in line who can only tell that someone is interrupting the routine and making them wait longer. I'm afraid that we've lost a little more of our privacy, and it's going to be very hard to get it back. Chris
I must agree with Mike Beede in RISKS-11.01 that phone voting is basically a solution in search of a problem. I understand that we are all in technological fields, but surely there must be times that we can see the answer to a problem does not lie in technology. What is the problem that phone voting is trying to solve? It appears to me that the main problem with elections in this country is the low turnout. I find it hard to believe that it is the difficulty of physically going to vote that accounts for that. Why not try the solution many countries have — either make election day a holiday, or conduct it on Sundays when most of the population is not working? (Of course, I'm tempted to say that having a real choice on the ballot may be the best cure.) Michael Barnett
firstname.lastname@example.org (Evan Ravitz) writes: > (in regards to voting via phone) >Paranoia is justified, but apply it to how we vote now, as well. Don't you >think that a government that can photograph your license plate from outer space >can install a tiny video camera that watches how you vote in a booth? Sure the government could install a video camera in every voting booth. Could they keep it secret? I don't think so. However, accessing a database and cracking a cryptographic code is something that could be done by a small group of people working in secret. That's the risk inherent. I doubt that the government proper will ever conduct a project like spying on the voters but a small group, ala Ollie North and Friends, could very easily do it given a relatively small amount of resources. David L. Smith, FPS Computing, San Diego ucsd!celit!dave or email@example.com
> Think about it. Drug deals, muggings, corruption, businesses > concealing their income - they all require cash and secrecy. A monetary > system bases solely on electronic currency would leave a trail that would > cripple such enterprises. Fat chance. When was the last time you "hacked" a supposedly secure system, just to prove you could? I remember when BART (Bay Area Rapid Transit) was just starting, with its supposedly secure, tamper-proof, "electronic tokens" (cards that registered the amount in the commuter's "account" and allowed a ticket purchase if there was enough remaining — somewhat similar to the electronic cash scenario). A Berkeley councilman, suspecting the BART cards weren't quite as secure as claimed, offered a cash reward (only $100, as I remember) to 50 UC Berkeley students, if they could find a way to steal from the proposed system. He got fifty different successful hacks. ^^^^^^^^^ Electronic cash would only breed electronic thieves. A better breed, perhaps, but thieves nonetheless... :^) B. Wright firstname.lastname@example.org [By the way, there is still an enormous collection of pending messages on mastercards and on americards. If I have the patience to prune it a little, you'll get to see it. Otherwise, it may just drop through the crack. It required much more moderation on the part of your moderator than usual... PGN]
Please report problems with the web pages to the maintainer