The RISKS Digest
Volume 11 Issue 45

Monday, 15th April 1991

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator


Contents

Simulation: Minus heart disease, life expectancy only 3 years greater!
Accident statistics continued (Paul Smee)
Another bogus security system (Gord Deinstadt)
Urban Legends crying wolf... (Peter da Silva)
Smart traffic: "drive-by-wire" (Rodney Hoffman)
Recommended: "Probability Blindness: Why We Misread Risk" (Bob Frankston)
Kevin Poulsen Arrested (PGN)
Computerized Vote Tallying report (Terry Gauchat)
Info on RISKS (comp.risks)

Simulation: Minus heart disease, life expectancy only 3 years greater!

<[anonymous]>
Mon, 15 Apr 91 12:06:46 xxT
New Heart Disease Study Issued
   BOSTON (AP) [14 Apr 91]
   Completely eliminating heart disease, the nation's leading killer, would
increase the average 35-year-old American's life span by just three years, a
new study concludes.  Although the gain in longevity may seem surprisingly
small, the finding reflects the difficulty of pushing back the boundaries of
old age, the researchers said.  Even if people escape the No. 1 killer, a host
of other ailments are likely to take its place as people reach their 80s and
beyond.  "If you wipe out heart disease, people don't live forever," said Dr.
Lee Goldman, a co-author of the study. "It is the leading killer, but there are
other things people die from," such as cancer, pneumonia and strokes.
   Similar analyses of cancer have concluded that life expectancy would
increase about two years if that disease were conquered.  Heart disease kills
about 500,000 Americans annually.  The average life span in the United States
has risen from 47 in 1900 to 75 today.
   The latest study was based on a computer program developed by Goldman of
Brigham and Women's Hospital in Boston and Dr. Milton C. Weinstein of Harvard
School of Public Health. The study's principal author was Dr. Joel Tsevat of
Boston's Beth Israel Hospital. It was published in the April issue of the
journal Circulation.
   In an accompanying editorial, Dr. Robert M. Kaplan of the University of
California at San Diego called the study "well executed, well reported and very
provocative."
   The study asks such questions as: What if all Americans got their
cholesterol levels below 200? What if everyone stopped smoking?  The computer
simulation concludes that achieving such major public health goals adds only a
year or so to the average life span.  However, the authors point out that even
though average increases are small, the gains for individuals can be dramatic,
especially if healthier habits prevent occasional deaths from heart attacks at
age 40 or 50.

   Among the findings:
    For the average man who turned 35 last year, getting blood pressure under
control will add one year of life. Getting cholesterol under 200 increases
longevity by eight months, eliminating smoking adds 10 months and getting
weight down to the ideal level adds seven months.
    For a woman, blood pressure control adds 5 months of life, cholesterol
lowering 10 months, smoking cessation eight months and weight loss five months.
    Individuals who already have one of these risk factors benefit more from
eliminating them. For instance, a 35-year-old man who reduces his cholesterol
from 250 to 200 gains one year of life. If he reduces his weight by 30 percent
to the ideal level, he gains another year.

   [What are the computer-related risks, you ask?  Here are people using
   computer models to yield results that could have drastic impact on health
   care and research funding...]

     [But the results may be quite sound...  On the other hand, the elimination
     of heart disease would undoubtably have many concomitant effects, which
     overall probably could dramatically increase longevity.  PGN]


Accident statistics continued

Paul Smee <P.Smee@bristol.ac.uk>
Mon, 15 Apr 91 11:15:11 BST
Don't normally follow-up things twice in a row, but apropos the recent thread
about interpreting accident statistics (80% of drivers believe themselves to be
better than average) I found a relevant article in the Guardian on Saturday, 13
April.  I'll try a (probably weak) tie-in with computer risks at the end.
Following is quoted without permission.

  Most road accidents are caused by flouting the law rather than human
  error, such as a misjudgement, a psychologist said yesterday.

  Prof Tony Manstead, of Manchester Uni, said most accidents were
  caused by a small number of drivers who deliberately exceeded the
  speed limit and enjoyed racing other cars away from traffic lights
  and driving too closely to cars in front.

  One study of the Government's road research lab involved 500 drivers,
  the other 1500.  The known accident records of the drivers were
  compared with the way they described their driving.

  Those involved in two or more accidents shared certain characteristics,
  he said.  They were likely to be young males who believed themselves
  to possess above-average driving skills.

  There was no correlation between people who admitted making driving
  errors, such as misjudging distances when overtaking, and accidents.

  But there was a strong link between accidents and people who admitted
  frequent traffic violations such as speeding or overtaking on the
  inside.

  Prof Manstead said: "At the risk of oversimplifying the picture, it
  appears that those who are involved in accidents are not those who
  tend involuntarily to make errors of judgement when driving but
  rather those who wittingly drive in a manner which flouts social
  and legal conventions.

  "... the strategy for promoting greater driver safety should be to
  identify the beliefs and values that underlie the commission of
  violations and then target those beliefs and values for change."

This fits in with a sample of one, known to me.  My friend James, whose driving
is such that I refuse to ride with him, even if that means we need to take two
cars rather than one.  He regularly ignores the 'social and legal conventions'.
His rationale is that the conventions were designed to allow average drivers to
drive safely.  Since (of course, and according to him) his reactions are both
faster, and more accurate, than average, the rules cannot possibly be meant to
apply to him.  Terrifies me.

Apropos technorisks, my intuition has long told me that similar principles
apply to product design.  I've known programmers, for example, who felt that
they could dodge, where possible, company standards for testing and design
reviews, on grounds that they were too competent to make silly mistakes.  I
suspect that the observations of Professor Manstead's study could equally be
applied to most human activities.

Paul Smee, Computing Service, University of Bristol, Bristol BS8 1UD, UK
 P.Smee@bristol.ac.uk - ..!uunet!ukc!bsmail!p.smee - Tel +44 272 303132


Another bogus security system

Gord Deinstadt <gd@geovision.UUCP>
Fri, 12 Apr 1991 19:52:14 -0400
A local muckazine (Ottawa Frank) reports that a student at Carleton University
used the touch-tone registration system to deregister another student from all
her courses.  Apart from the political interest (the alleged practical joker is
the son of the Governor General), this is another story of ill-conceived
computer security.

When you enroll at Carleton you are issued a student id number, and a student
card with the number displayed.  Since the card is used to get into pubs and
get discounts at off-campus bookstores, your id number is effectively public
knowledge.

The touch-tone system responds to your id number and a "password".  The
"password" is your day and month of birth.  No, you can't change it.
Harrrumph.
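
An added illustration, not part of the post above and not Carleton's code: the scheme as described (a public id plus day and month of birth) next to one assumed fix, a user-chosen PIN stored as a salted hash with lockout after repeated failures. The class and function names, the sample id, and the limit of three failures are assumptions made for this sketch.

```python
import hashlib
import hmac
import os
from calendar import monthrange

# Every value the described "password" (day and month of birth) can take.
# 2000 is used only because it is a leap year, so 29 February is counted.
BIRTHDAY_KEYSPACE = sum(monthrange(2000, m)[1] for m in range(1, 13))

def weak_verify(records, student_id, ddmm):
    """Scheme as described: public id plus a fixed day/month of birth."""
    return records.get(student_id) == ddmm

class HardenedVerifier:
    """Assumed fix: user-chosen PIN, salted slow hash, lockout on failures."""
    MAX_FAILURES = 3  # assumed policy value

    def __init__(self):
        self._accounts = {}  # id -> [salt, pin_hash, consecutive_failures]

    @staticmethod
    def _hash(pin, salt):
        return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, 100_000)

    def set_pin(self, student_id, pin):
        salt = os.urandom(16)
        self._accounts[student_id] = [salt, self._hash(pin, salt), 0]

    def verify(self, student_id, pin):
        acct = self._accounts.get(student_id)
        if acct is None or acct[2] >= self.MAX_FAILURES:
            return False  # unknown or locked; unlocking needs a separate reset
        if hmac.compare_digest(self._hash(pin, acct[0]), acct[1]):
            acct[2] = 0
            return True
        acct[2] += 1
        return False

def worst_case_guess_rate(keyspace, tries):
    """Chance that `tries` distinct guesses hit a uniformly random secret."""
    return min(1.0, tries / keyspace)
```

The keyspace figure is an upper bound on the weak scheme's strength, since a birth date is a personal attribute rather than a secret. Lockout replaces guessing with nuisance lockouts, so the reset path needs its own identity check.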


Urban Legends crying wolf...

Peter da Silva <peter@taronga.hackercorp.com>
Sat, 13 Apr 1991 15:38:39 GMT
> The following posting recently appeared in several newsgroups and forums:

> >Subject: MODEM TAX
> As soon as it is posted again, it is immediately flamed down as bogus. Now
> further suppose that what the message claims *comes to pass!* How would
> this information be disseminated??

People don't apply equal weights to any source. For example, if this article
comes from Joe_User@fred.fidonet.org it will likely be ignored. If it comes
from Henry Spencer or Mike Godwin it'll be closely examined.

> Even were it discovered that someone was exploiting this security hole, how
> would information of this discovery be communicated??

Through postings in moderated groups of known reliability, and references
in other groups.
                           (peter@taronga.uucp.ferranti.com)


Smart traffic: "drive-by-wire"

Rodney Hoffman <Hoffman.El_Segundo@Xerox.com>
Sun, 14 Apr 1991 20:22:22 PDT
The 14 April issue of the 'Los Angeles Times Magazine' features two articles on
Mobility 2000, an Intelligent Vehicle / Highway System or "drive-by-wire" (my
term, not theirs):  THE BIG FIX by J.E. Ferrell and STREET SMART by Ronald B.
Taylor.  The last major 'Los Angeles Times' article on this was in July '89
(see RISKS 9.10 et seq.).

California Dept. of Transportation (CalTrans) researchers project "no
revolutionary technological advances, just evolutionary applications" which
"will allow platoons of cars, separated by only a few feet, to zoom along at 90
mph while their drivers read the newspaper."  Similar moves are under study or
development elsewhere in the U.S., Japan, and Europe.

Planners see financial, political, and cultural obstacles, but they are adamant
that smart traffic systems are "the only way to keep things moving."

They also say automated travel will be much safer, since more than 90% of all
vehicular accidents today are caused by human error.  According to one
UCBerkeley researcher, future accidents will resemble airliner crashes: "You'll
be trading 100 accidents in which a total of 105 people get killed for two
accidents in which 30 people get killed."

Here are some of the pieces discussed in the stories:

 *  Pathfinder, an in-car navigational computer and information system.
 *  Advanced Traffic Management System to monitor and control traffic
    flow via computers, sensors, and communications.
 *  Advanced Traveler Information System to link drivers with the
    management system.
 *  Advanced Vehicle Control System — high-tech vehicles and roadways.
 *  Freeway Real-Time Expert System Demonstration (FRED), a UCIrvine
    project to "capture the expertise, judgment and knowledge of the
    best traffic controllers and put it into a computer program."
 *  Parataxi, a computerized system to link up commuting drivers with
    passengers on the spur of the moment.
 *  Transportation Resources Information Processing System (TRIPS)
    allows travelers to tap into bus schedules and the parataxi service
 *  Roadway Electric Powered Vehicle, powered by batteries continually
    charged by cables built into the roadway.
 *  Automated Traffic Surveillance and Control, installed for the 1984
    Los Angeles Olympics, monitors corridor traffic lane-by-lane, and
    controls stoplights and freeway on-ramp meters.


A recommended article: "Probability Blindness: Why We Misread Risk"

Bob Frankston <Bob_Frankston%Slate_Corporation@mcimail.com>
Mon, 15 Apr 91 01:58 GMT
I'll start out with the citation for the article on Probability Blindness
(Neither Rational nor Capricious): Bostonia Magazine, March/April 1991 issue.
Author: Massimo Piattelli-Palmarini at the MIT Center for Cognitive Science.  I
recommend the article to readers of this forum.  It does a good job of
exploring how people assess risks and probabilities with a number of examples.

I found it much better than Nova's "Living Against the Odds".  While there are
many real risks in the world, I felt the Nova show emphasized risks rather than
unlikelihoods.  Perhaps that was their intent.  My problem is that I feel that
people are acutely tuned to risks and not the unlikelihood of many occurrences.
The Bostonia article was a more balanced piece.  I'm more accepting of the
emphasis on risks in this forum not only because of the name, but because I see
its purpose as making people aware of possible implications of the technology
we are responsible for.  Even here, I'd like to see more discussion of
engineering tradeoffs.

Back to the citation problem.  I'm used to electronic distribution (such as
Risks Forum).  If I want people to read something, I either mail it out or
announce a means of accessing it online.  Recommending an article in the print
media is not the same.  The effort to actually obtain a copy is relatively
large and unaided — it involves either phoning or writing for a back issue or
a reprint.  If people actually did follow through the volume might be larger
than the publication is ready to handle.

If you do want to contact Bostonia Magazine, their subscription number is
617-353-2055 (yes, that is the Boston University phone exchange).  Too bad they
(nor the author) didn't publish an email address.


Kevin Poulsen Arrested

Peter G. Neumann <neumann@csl.sri.com>
Mon, 15 Apr 91 11:25:07 PDT
Today's papers (e.g., NY Times, LA Times) note that Kevin L. Poulsen (Dark
Dante) had been arrested after 15 months, under a variety of computer-fraud
charges, while entering the canned vegetable section of a supermarket in Los
Angeles.  Poulsen and co-defendants Robert Gilligan and Mark Lottor were
charged with using stolen Pacific Bell access codes to invade a U.S. Army
computer network, eavesdrop on telephone security personnel and obtain
information used in an FBI investigation of former Philippine President
Ferdinand Marcos, said Richard W. Held, special agent in charge of the FBI's
San Francisco office.  Gilligan has pleaded guilty to one count of illegally
obtaining telephone access codes and agreed to cooperate with authorities.
Lottor pleaded not guilty and declined a similar plea bargain, officials said.


Computerized Vote Tallying report

Terry Gauchat <trgauchat@tiger.waterloo.edu>
Thu, 11 Apr 91 23:12:39 EDT
  [Terry sent me a rather long term paper on the subject of computerized vote
  tallying, which I have edited for net use.  Those of you with a burning
  interest in the subject may find it useful.  The original is available from
  him, and my slightly edited version can be obtained from the CRVAX.SRI.COM
  archive, as CD RISKS: and GET GAUCHAT.VOTING .  Apparently his net address
  is about to change, however, so I hope he will advise us when it does. PGN]
    (PLEASE REMEMBER THE COLON IS ESSENTIAL.  I KEEP GETTING COMPLAINTS THAT
    FTP DOES NOT WORK, MOST OF WHICH ARE DUE TO IGNORED COLONS.  OTHERS ARE
    DUE TO LOCAL FTP VARIANTS...  AND IF YOU DON'T LIKE "CD RISKS:", you may
    happily type "cd sys$user2:[risks]" instead, courtesy of VMS.  PGN)
