The Risks Digest

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Volume 13 Issue 40

Wednesday 15 April 1992

Contents

o Risk of relying on editors and/or spelling checkers?
Siritzky
o New Applications of Voice Recognition Technologies
Saul Tannenbaum
o For savings we can count on our fingers...
Jeffrey Sorensen
o Computerized insurance quotes
Bear Giles
o Re: Risks in nuclear bombs to deflect asteroids
Dani Eder
o Re: Unauthorized Evidence Gathering
Peter K. Boucher
anonymous
o Re: Phone Registration at Berkeley
Eric W. Anderson
o Re: Transcripts via e-mail
Dick Kain
Shyamal Jajodia
o Re: Public TV Series
Wayne Throop
Dave Katz
o Re: US PBS stations *do* censor
Jonathan Clark
Matt Braun
o Info on RISKS (comp.risks)

Risk of relying on editors and/or spelling checkers?

<siritzky@apollo.hp.com>
Tue, 14 Apr 92 14:06:39 -0400
The October 1991 issue of the New York University Law Review contained a note
titled "Rethinking Adoption: A Federal Solution to the Problem of Permanency
Planning for Children with Special Needs".  On the front cover of the journal
and in the table of contents the note was listed with the word "abortion" used
in place of "adoption".  The correct title appeared on the note itself. Editors
apparently only discovered the error when they received their advance copies,
although it was also pointed out to them in a letter from Supreme Court Justice
Harry Blackmun -- one of the authors of Roe v. Wade.  [From: The National
Jurist, March 1992, page 4]


New Applications of Voice Recognition Technologies

Saul Tannenbaum <SAUL_SY@hnrc.tufts.edu>
Thu, 9 Apr 1992 13:32 EST
One of our local NPR (WBUR) stations had, in its morning news report, a story
about a company that was developing a new twist in the application
of voice recognition technologies. [I don't include the name of the company
as I wasn't taking notes, and wouldn't want to needlessly slur the
wrong company, or even the right one by my errors of recollection.]

Their goal is to develop a system that would be able to recognize not the
words, but who the speaker is. The applications they envision would include
control of parolees and those under house arrest, as well as the replacement of
PINs. This is how they envision their system working:

    o The person who is to be monitored goes physically to the office
      doing the monitoring and records a set of words.
    o When the time comes for the person to be monitored to report in,
      they make a phone call to a computer system.
    o Caller-ID identifies who is supposed to be calling and
      their alleged physical location.
    o The system presents random challenge sentences that include some
      of the words used in step one. (One example: The purple television
      is exciting. "Television" and "exciting" would have been recorded.)
    o The system then isolates the pre-recorded words, compares the
      vocal characteristics and identifies the speaker.

Interesting concept. The company was quite proud that they had taken what has
been a serious problem with voice recognition (voices are so different) and
turned it into a technological advantage. It was asserted that a number of
state correctional departments are interested in this as a replacement for the
electronic bracelets that are now sometimes used to monitor house arrest and
that have been discussed at length in RISKS.

The news report indicated that this system would be secure, as the comparison
of vocal characteristics is not fooled by normal voice mimicry. It was also
felt that, while parolees, for example, could be compelled to speak silly
meaningless sentences into the phone, it might not be possible to do this
generally so as to replace PINs.

This system seems so easy to defeat that I feel I must be missing something.
When you go to record your words, bring your own micro-cassette recorder
so that you've got an accurate list of the challenge words. Record and
digitize them in your home personal computer. When time comes to report
in, have your computer call their computer. Their challenge system seems
quite structured (it already knows who you are supposed to be from the
caller ID), so program your machine to wait for the challenge sentences.
Recognize the right words from the list of the ones you've prerecorded,
and synthesize a response based on replaying the challenge sentence,
inserting your prerecorded words as necessary.

This technology is likely not within the reach of your average parolee, but
should this system be used to authorize large financial transfers, the risk of
fraud should be obvious.

Saul Tannenbaum, Manager, Scientific Computing         STANNENB@HNRC.TUFTS.EDU
USDA Human Nutrition Research Center on Aging at Tufts University
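
A small model of the challenge step described in the post above, added here as an example; it is not part of the original post or of the vendor's system. The word lists (apart from the post's two example words), the `Clip` record and all function names are constructed assumptions. It counts how much of each "random" challenge the verifier actually scores, and whether that scored part already existed before the call.

```python
import itertools
from dataclasses import dataclass

# Constructed sample data: words recorded at enrollment, and filler words
# the system mixes in to build challenge sentences.
ENROLLED = ("television", "exciting", "window", "seven")
FILLER = ("the", "purple", "is", "very", "quiet")


@dataclass(frozen=True)
class Clip:
    word: str      # word contained in the audio segment
    speaker: str   # whose vocal characteristics the segment carries
    made_at: str   # "enrollment" or "call": when the audio was produced


def all_challenges(n_enrolled=2, n_filler=3):
    """Every challenge the model can issue: filler words plus enrolled words."""
    for enrolled in itertools.combinations(ENROLLED, n_enrolled):
        for filler in itertools.combinations(FILLER, n_filler):
            yield filler + enrolled


def scored_words(challenge):
    """The part of a response the verifier isolates and compares."""
    return tuple(w for w in challenge if w in ENROLLED)


def verify(challenge, response, claimed):
    """Accept if every scored word is present with the claimed speaker's
    vocal characteristics. As in the described design, nothing here reads
    `made_at`: the check has no input separating live from stored audio."""
    by_word = {clip.word: clip for clip in response}
    return all(
        w in by_word and by_word[w].speaker == claimed
        for w in scored_words(challenge)
    )


def freshness_audit(claimed="subject"):
    """Count challenges whose scored part is fully covered by audio that
    existed before the challenge was issued."""
    stored = {w: Clip(w, claimed, "enrollment") for w in ENROLLED}
    total = covered = 0
    scored_sets = set()
    for challenge in all_challenges():
        total += 1
        scored = scored_words(challenge)
        scored_sets.add(scored)
        if verify(challenge, [stored[w] for w in scored], claimed):
            covered += 1
    return {
        "challenges": total,
        "distinct_scored_sets": len(scored_sets),
        "covered_by_stored_audio": covered,
    }


if __name__ == "__main__":
    print(freshness_audit())
```

In this model the 60 possible sentences collapse to 6 scored word sets, all drawn from material fixed at enrollment, so the randomness of the sentence contributes nothing to what is checked.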


For savings we can count on our fingers...

Jeffrey Sorensen <sorensen@spl.ecse.rpi.edu>
Wed, 15 Apr 92 00:12:45 EDT
New York state's legislature is currently debating a proposal that would
require Medicaid recipients to carry a photo ID and to be fingerprinted.  While
I think the proposal has a number of risks, for example amputees could
experience _another_ cutback...

Seriously, this week's _Legislative Gazette_ (Apr 6 '92) amusingly demonstrates
the risks of leaving politics to the politicians.  Here are some of the
insights:

  Sen Hollings of NYC says between $150 million and $2 billion is
  wasted by fraudulent individuals.  (Talk about ballpark figures)

  Hollings: "It scares me to think of all the people that could have
  benefited from this money."  (Well _some_ of those medicaid recipients
  are frightening.  :-)

  Republicans claim a similar system in LA saved the state $5 million
  in the first year of operation.
  With the electronic system, an individual places two fingers on a small
  flat screen.  A computer then compares the fingerprints to those already
  on file.

  Sen Farley of Schenectady said it didn't hurt, it wasn't messy and it
  took just a few seconds.  (If you have nothing to hide, you have nothing
  to fear.)

  The system costs LA $2 million a year, but Farley says the cost doesn't
  compare with the savings (!?!).  He estimates that New York could save
  $16 million a year.

So there you have it, a system that will catch somewhere between 11% and 0.8%
of the total fraud for the bargain price of $2 million a year plus the setup
fee.  Shouldn't we have a better estimate if we are going to measure the
benefits of the system?

Further, I wonder how much saving can be attributed to the effectiveness of the
system and how much is due to the perceived effectiveness of the system.  There
is this "scarecrow" effect that may not last in the long run.  Perhaps some
people will find workarounds.  Perhaps New York should install a fake
fingerprinting system with fake computers and fake databases at a lower cost
and still get the same savings.  Plus none of the civil liberties risks...

But no, this is not science, it is politics.
...fraudulent individuals wasting billions

Jeffrey Sorensen   sorensen@ecse.rpi.edu


Computerized insurance quotes

Bear Giles <bear@tigger.cs.colorado.edu>
Wed, 15 Apr 1992 15:58:44 -0600
A while back I called a number of local insurance agents, getting quotes for my
MR-2.  During each call I made sure the agent knew 1) the MR-2 is an undiluted
sports-car and 2) I have a clean driving record.  (These are not mutually
exclusive, though you will never get an insurance underwriter to admit it!)

Prudential Insurance quoted me a good rate ($430, vs. my current $620).  I
spent a lunch hour with the agent as he provided me an official quote from a
worksheet program, signed a contract and paid the initial installment.

This worksheet program required the agent to specify insurance pool, type of
vehicle, driver(s), mileage, etc.  It even asked if my car was sheltered at
home and/or work.  This was definitely _not_ a program an agent cobbled
together in his spare time.

Over a _month_ later I finally received my permanent insurance policy,
including a demand for much more money.  $690 (total), to be precise.
Prudential quickly agreed that all of the information I provided was correct --
it simply took them a month to notice that the agent had placed me in the
incorrect insurance pool.

There was absolutely no indication in the quote worksheet program that new
clients with MR-2s would not be accepted into the specified insurance pool --
it was 'assumed' the agent would know that.  Unfortunately my agent only
recently started working for Prudential and did not know MR-2s fell into this
category.

At the current time, Prudential is insisting I pay the new amount despite being
quoted a lower rate with accurate information.  For now, I'm left paying more
for insurance than I was with my previous insurer.

Meanwhile, I am filing a formal complaint with the state's Insurance Commission
and Attorney General (was this bait-and-switch?), to say nothing of telling
everyone within earshot about my experience.  Prudential's legal expenses, in
responding to these complaints, will almost certainly exceed the insurance
premium.

The moral of the story: if you use a computer to determine contractual prices,
if there are any 'gotchas' they should be explicitly noted by the software.  I
could accept Prudential changing the quoted rate if I misled them about my
driving history -- but not due to their failure to conduct business in accord
with their own (internal) underwriting standards.

Bear Giles       bear@fsl.noaa.gov


Re: Risks in nuclear bombs to deflect asteroids

Dani Eder <eder@hsvaic.boeing.com>
9 Apr 92 17:28:12 GMT
   >change the orbit of asteroids heading towards the earth

About 25% of the risk is due to comets.

   >4. NASA held two workshops to discuss this problem.

One of my co-workers, Dr. Brian Tillotson, attended one of the workshops, and I
am working on a contract for the NASA guy who is responsible for this stuff
(John Rather, NASA Asst. Director for Space Technology), although what I am
working on is another subject (Laser power beaming).

   >6. The last big collision of an asteroid with the earth was about 65 mill...

Don't forget about the Tunguska impact in 1908, and the impact that caused
Meteor Crater about 25,000 years ago.  We have lousy statistics on
Earth-approaching asteroids in the 1-km size class (smaller than the supposed
dinosaur killer, but still in the multi-gigaton of TNT energy class).  There is
expected to be on the order of 1000 of these, but we know of about 50 or so.

As for the risks/benefits:

In the past a large sudden explosion could happen with not much consequence
beyond the immediate damage from the impact.  Today, with early warning
satellites in orbit, a meteorite impact could look suspiciously like a nuclear
explosion.  If it happened to be a sensitive military or political location
that got hit, it could touch off a war.  Even a kiloton impact (which would be
much more common than a big one), could have this effect if it landed in the
wrong place.  So there is value in being able to detect incoming rocks and warn
people beforehand, even if you can't deflect/destroy it.

Another side benefit is getting good orbits for all these objects for later
asteroid mining.  The ones that come near the Earth are the ones that
potentially are easiest to access for mining.

Long period comets are not mappable the way asteroids are, since they come from
the depths of the Oort cloud, way beyond Pluto.  They do make themselves bloody
obvious when they get to the inner solar system, so finding them is not the
problem.  Fortunately they have the consistency of a mudball, so blowing them
away with a nuke is relatively easy.  An iron-nickel asteroid, on the other
hand, is a much harder problem to deal with.  It is structurally harder and
more difficult to vaporize.  The issues of how to deal with these are more
challenging.  For now, the recommendations to upgrade the search for asteroids
seem a fairly small cost to address a fairly small risk.

In a real emergency (comet discovered heading right for Earth, impact in 2
months), you can be sure that a nuke would get mounted on whatever rocket is
handy in very short order and launched for an attempted interception.  You can
get a lot done if you work around the clock.

Dani Eder/Boeing/Advanced Civil Space/(205)464-2697(w)/232-7467(h)/
Rt.1, Box 188-2, Athens AL 35611/Member: Space Studies Institute


Unauthorized Evidence Gathering (Griffith, RISKS-13.39)

"Peter K. Boucher" <boucher@csl.sri.com>
Tue, 14 Apr 92 11:55:53 -0700
I don't know much about the laws in this area, but I have been following the
Rodney King trial, where no-one involved knew they were being taped.  Does the
admission of this evidence set a new precedent?

If such evidence can be used against you, the obvious risk is that your
privacy can be invaded on a massive scale in order to obtain the evidence.
Of course they can invade your privacy already, they just can't use the
results as evidence ;-) unless they've done their paperwork.

Peter K. Boucher    boucher@csl.sri.com


Use of taped evidence

<[anonymous]>
Tue, 14 Apr 92 00:24:22 PDT
It would appear that permission, knowledge, or other prior information is not
necessary for the use of taped materials in many cases, nor is it necessary for
the person making the tape to be an "involved" party.  A perfect example is
playing itself out in the Los Angeles area right now, where the infamous
"Rodney King" beating trial is drawing to a close.  The most important evidence
in the trial has been the videotape made by an uninvolved person living across
the street.  One would assume that the police involved did not have knowledge
of the taping at the time of the event.


Phone Registration at Berkeley

<EWANDERS@cmsa.Berkeley.EDU>
Wed, 15 Apr 92 15:52 PDT
The following article appeared in The Daily Californian, an independent
newspaper distributed at UC Berkeley, April 14, 1992:

NO CLASSES FOR UNDECLARED IN TELEBEARS LIMBO

  UC Berkeley sophomore Erica Oliver is caught in a registration Catch-22.
Oliver says Tele-BEARS, the new registration-by-phone system heralded by
students and administrators as a faster, more efficient way to get classes,
won't let her enroll at all.  The system will not place Oliver in the
lower-division classes she needs to declare her major because she will be a
junior next fall, but won't allow her to enroll in any upper division classes
in her major because she hasn't declared it yet.

  "It makes me feel very frustrated," Oliver said.  "I just can't figure out
why in the world I'm paying this university if I can't get any classes."

  The phone-in system, initiated on campus last fall by a test group of 4,200
graduating seniors, guarantees students up to the maximum number of units their
college allows.  But the system doesn't guarantee students will be able to get
into classes they need in order to declare or fulfill major requirements.

  "Being a Junior, it's kind of late for not fulfilling the major
requirements," Jorge Garza, acting associate registrar, said of Oliver's
predicament.  Garza said he recommends to students in situations similar to
Oliver's to talk to an advisor about getting into the prerequisite classes.

  But Margaret Distasi, director of student advising in Campbell Hall, said it
may be difficult for undeclared students to get classes because major
departments may reserve courses for declared students by prohibiting undeclared
students from enrolling.  Garza said students will simply have to declare as
soon as possible in order to register for classes.  "This is going to force
students to process their paperwork (for declaring) faster," Garza said.

  Garza said his office sent out more than 5,000 letters to students last fall
offering a Tele-BEARS training session to inform students about how to prepare
themselves for using the system.  Only 39 students attended the session.

  But on its second day of use by the whole campus, Garza said the registration
process is going fairly smoothly.  "Most students are getting classes even if
they're not the ones they want because they haven't fulfilled certain
requirements," Garza said.  Tele-BEARS is scheduled to take 85 calls every 15
minutes during its operational hours, which Garza said would register the
entire student population in 10 days.

  [End of Quote]

This phone-activated registration system seems to avoid many of the risks that
others have remarked on for similar systems at other universities.  Each
student is assigned a PIN unrelated to the student ID number.  Each student has
several possible time periods in which to register spread over the 10 day
period.  We won't know until it is through how many students will miss their
time slots or otherwise fail to register properly, but the written information
seems pretty clear and complete.

What are the RISKS here?

For one thing, they thought they had done a large-scale test of the system by
having over 4000 students use it last semester.  The flaw was that by limiting
the test group to graduating seniors, they didn't test any number of
complications that may only occur for undeclared students, freshmen, transfers,
part-time students, those changing majors, etc.  Repeating a simple test many
times is not the same thing as showing that a procedure is flexible enough to
handle the full spectrum of real-world inputs.  They might have done a much
better test by having 400 students from a range of departments and classes use
the system rather than 4000 all from one class.  (Of course, selecting students
for the test at random might have been even better; by deliberately choosing
some from every major, they might well have forgotten to test undeclared
students.)

The second risk is less obvious.  At the same time they replaced mail-in
registration with the phone-in system, they changed the algorithm by which they
assigned classes.  Like many universities, Berkeley has difficulty offering
enough sections of certain classes to satisfy demand.  In the past, little
checking was done to see whether a student was eligible to take a requested
class.  Now, many departments can limit registration in certain courses to
students who have declared a major in that department.  Apparently, they also
now limit the ability of 3rd-year students to take lower division classes as
well.  Here the new method of ACCESSING the registration system is being blamed
for a problem that could just as easily have arisen in the old one.

A third risk is best exemplified by the final quote from Garza.  He appears to
have changed the definition of successful registration from "getting the
classes you want or need," to "getting any classes at all."  It is hard to tell
whether this is a case of retroactively changing the goals of a project to
match the accomplishments, or whether this is just the way registrar's office
droids see the problem of registration.

Eric W. Anderson, Chemical Engineering Dept., University of California
Berkeley CA 94720 ewanders@garnet.berkeley.edu ewanders@CMSA.berkeley.edu
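
The first risk in the post above, worked through as an added example; it is not from the article or from the Tele-BEARS system. The two eligibility rules are a simplified reading of what the article reports, and the assumption that every graduating senior has declared, the sample sizes of the two alternative trials, and all function names are constructed. It compares the seniors-only pilot with a by-major sample and a sample spread across class year and declaration status.

```python
import itertools

YEARS = ("freshman", "sophomore", "junior", "senior")


def can_enroll(year, declared, level):
    """Eligibility for a course in the student's intended major.

    Assumed simplification of the two rules the article reports:
    lower-division courses are closed to juniors and above, and
    upper-division major courses are closed to undeclared students.
    """
    if level == "lower":
        return year in ("freshman", "sophomore")
    return declared


def stuck(year, declared):
    """True if the student can get no course toward the major at all."""
    return not any(can_enroll(year, declared, lvl) for lvl in ("lower", "upper"))


def run_trial(population):
    """population: list of (year, declared) pairs, one per test student."""
    categories = set(population)
    return {
        "students": len(population),
        "categories": len(categories),
        "stuck": sorted(c for c in categories if stuck(*c)),
    }


def pilot_seniors():
    # 4,200 graduating seniors, as in the article; assumed all declared.
    return [("senior", True)] * 4200


def by_major():
    # 400 students picked from every major: declared by construction,
    # so undeclared students are never exercised.
    return [(year, True) for year in YEARS for _ in range(100)]


def by_year_and_status():
    # 400 students, 50 from each (class year, declared?) combination.
    return [c for c in itertools.product(YEARS, (True, False)) for _ in range(50)]


if __name__ == "__main__":
    for name, trial in (("pilot", pilot_seniors),
                        ("by major", by_major),
                        ("by year and status", by_year_and_status)):
        print(name, run_trial(trial()))
```

Only the third trial reaches the undeclared-junior case, with a tenth of the pilot's headcount; the by-major trial misses it for the reason given in the post's parenthetical.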


Transcripts via e-mail

R.Y. Kain <kain@ee.umn.edu>
Wed, 15 Apr 92 11:53:55 -0500
I don't understand what the objective of such transfers would be, since most
schools require authenticated paper copies of such documents before acting on
them in any serious manner (such as admitting a student). The risks associated
with restricting access to those authorized (not only to see any transcripts,
but also to see specific transcripts - of designated individuals) seem quite
high.

On another aspect - the course numbering system - let me relate our experience
at the University of Minnesota with computerized academic record keeping. Such
records were kept by hand (pen and ink!) for longer than any one of us would
believe. Then about 15-20 years ago they decided to install a computer to do
the job. Before the change we had courses with identifiers that contained both
letters and numbers, and some with one but not the other. For example, non-
credit courses just had letters ("Math T" was remedial trig). And sequence
courses had the same number with letter appendages (EE 30A, 30B, 30C). But then
someone announced that the computer could only handle four-digit course numbers
and we went through a long transition. This entailed conversion booklets working
in both directions, and confusion among faculty who were used to advising the
students based on the old numbers. After about three years it wore off. In EE
we did obtain an advantage from the conversion - I suggested that we renumber
so that the course number also indicated the sub-area within EE (thus computer
related courses have numbers x350-x399 or x850-899, where x=3, 5, or 8). Why
the x restriction? Well, nobody on campus is allowed to use numbers starting
with 2, 4, 6, 7, or 9. And 0 and 1 correspond to no credit and lower division
material, which doesn't include computers. (A long digression, but perhaps
interesting to others... I think that the difficulty of conversion, etc. makes
any "standard" that doesn't encompass ALL course numbering systems worthless.
BUT that assumes that the access control and authentication issues are also
satisfactorily resolved!)

Richard Y. Kain, EE Dept., University of Minnesota Mpls, MN 55455, 612-625-3537


Re: Academic Transcripts (Nico, RISKS-13.39)

Shyamal Jajodia <SHYAM@mitvmc.mit.edu>
Wed, 15 Apr 92 17:04:10 EDT
Yes, it is true. The American Association of Collegiate Registrars and
Admissions Officers (AACRAO) has a committee on SPEEDE (nifty eh!) for
developing a national standard format for exchanging student transcripts over
networks.

I agree with Bill Nico that the undertaking is fraught with risks but so
is a trip to outer space. The important question is, as Nico asks later,
what controls are being built in? I hope Bill is aware that grades can
be obtained in several institutions over the phone even today.

The controls are no small matter because under the Family Education
Rights Privacy Act (FERPA - Buckley Amendment) Universities must obtain
written consent of the student before disclosing private records such as
transcripts. I have seen this rule applied even when the person
requesting the records is a parent of the student concerned.

I am also sure that a RISKS spotlight on this subject will help improve
the controls in the system.


Re: Public TV Series

Wayne Throop <sheol!throopw@dg-rtp.dg.com>
13 Apr 92 22:01:02 GMT
<> [...] PBS will present "The Machine that Changed the World,"[...]
<> Perhaps it is risky not to see how our
<> industry is being popularized for the mass media.

Very true, I think.  For example, in the very first program, I was
interested to find out that Turing had established that anything a human
can do, a computer can do.

Of course, on the other hand, a PBS series a year or two ago included the
interesting fact that Searle had established that computers could never have
true understanding.

> Their coverage of the historical material was the most accurate and
> even handed I have ever seen.  Their coverage of risks issues is also
> exemplary.  I could seriously use them in undergraduate teaching and did
> not regard them in any way as "technopulp" for the masses.

Hmmmm.  I've only seen the first one so far, but it really seemed to fall prey
to the common risk of many popularizations and simplifications of "scientific"
results.  A few other examples of the kind of thing I'm thinking of from
physics: quantum theory "proves" that Zen Buddhism or Taoism or
whatever-"eastern"-ism is correct after all, chaos theory is the explanation of
QM effects, the uncertainty principle arises because observers affect the
observed.

The problem is that in simplifying and dramatizing and analogizing ideas
for presentation to "the public", much of the actual information is
squeezed out, and incorrect factoids creep in as replacement.  It isn't
at all apparent what can be done about it, but it seems to me to be both
commonplace and quite RISKy.

Mind you, I don't disagree that the series is "historically accurate",
and I have no problem recommending it, if you watch it with a large
grain of salt to hand.  But it seems to me to be too quick to
oversimplify complicated issues (such as the Turing bit above, and the
reason binary encodings were eventually settled on, and many more).

Wayne Throop  ...!mcnc!dg-rtp!sheol!throopw


PBS Program

Dave Katz <dkatz@cisco.com>
Tue, 14 Apr 92 15:10:13 -0700
A few things shot by in last night's presentation that struck me as
surprisingly pseudo-techno (rather than thoroughly techno, as most of the
content of the programs has been).  The most amusing was in the discussion of
"higher level languages," during which a FORTRAN program scrolled by.  It
looked like FORTRAN in form, but close inspection revealed lines of code like:
       151=15+1
An interesting assertion, but I suspect that even FORTRAN 66 compilers would
reject it (rather than causing the booster rocket to fly off course, etc...).

Somebody had to do a whole lot of typing to create the "program."  T'would have
been much easier to use a real FORTRAN source (but of course this would
introduce other RISKs that have been oft-discussed in this forum).


US PBS stations *do* censor

Jonathan Clark <jhc@iscp.bellcore.com>
Tue, 14 Apr 1992 13:35:35 -0400
In Risks 13:39, Brian Tompsett says:

    PBS, as the US readers now know, eventually broadcast Python in its
    unexpurgated form (BBC logos and all). Thanks should go to PBS for
    rendering this public service.

Alas, PBS have (at least partially) stopped doing this. Last year's rerun of I,
Claudius had previously broadcast scenes cut from it (this was hinted at, but
not spelled out, in Alistair Cooke's introduction). WNET (my local big PBS
station) claimed that they presented the program the way it was given to them
by WGBH. Paradoxically, WGBH's retail offshoot (Signals), in its advert for the
videotapes of the series, claims that ``this is the original, uncut, British
production, including some scenes not shown in the PBS broadcast''.

I have noticed that the ``same'' programs shown on the BBC and on PBS often
have cuts, usually relating to sex scenes, when they are broadcast in the US.
I, too, showed my feelings about the issue at pledge time, by *withholding*
support, and telling the stations exactly why I was doing so.

Jonathan Clark, jhc@iscp.bellcore.com


Re: The makers of the PBS series respond (Tompsett, RISKS-13.39)

"Matt Braun" <mbraun@urbana.mcd.mot.com>
Wed, 15 Apr 92 12:59:11 CDT
>  For those of you who are interested in these things, there is a US
> court case over the changing of TV programmes to "reflect the
> interests and knowledge of the different audiences". It involves the
> first US airing of "Monty Pythons Flying Circus" by a US network.
> The networks made "minor" changes to some sketches (removing some
> expletives) for a US audience.

Actually, this isn't quite true.  ABC (the network in question) SAID that all
they were going to do was remove expletives.  In reality, they were editing
three 30-minute shows down into one 68-minute show, allowing some 24 minutes
for commercials (i.e. they removed almost 25% of the material.)  They deleted
sketches, rearranged the order of some of them, etc.  ABC did not make minor
edits--they performed major surgery.  It's sort of like going under the knife
for an ingrown toenail and emerging minus one leg.

>                The python team sued and won, on the
> grounds that the changes substantially damaged their reputation.
> PBS, as the US readers now know, eventually broadcast Python in its
> unexpurgated form (BBC logos and all).

Yes, well, the changes *did* substantially alter the content of the program,
and make the group appear to be less funny than they were.  (For reference, see
the excellent book by Robert Hewison, "Monty Python: The Case Against", ISBN
0-413-48660-5.)

In the case of "The Machine That Changed The World", imagine trying to fit
commercials into it, say at 8 minutes per half hour.  (That seems to be close
to the going rate here in the States.)  Again, you'd have to lose about 1/4 of
the program.  I'd worry if they made edits because they don't want to offend
"Mr. and Mrs. America".  [... SLIGHTLY IMMODERATE BUT LIKELY EXAMPLES DELETED
BY YOUR (IM)MODERATOR, TO STAVE OFF OBJECTIONS!  PGN]

The Risk here?  Um...the knives of the network gnomes?
    The Searing Scissors of the Censors?
