The Risks Digest

The RISKS Digest

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Volume 15 Issue 58

Weds 23 February 1994


o E-Mail blunder at Olympics
David G. Novick
o Dog Gets Card With $10G Limit
marc via PGN
o Computer error adds to ad valorem tax for 300,000 people
James E. Burns
o Embezzler caught by computer trail
James E. Burns
o Software testing at Sizewell
Brad Dolan
o Clipping Clinton and the Executive Branch...
Peter Wayner
o Clipper: Love your country, don't trust its government
David Honig
o Re: CompuServe Offers Credit Info
Steve Bellovin
o Social RISKS of Universal IDs
John Oram
o Re: SimHealth
Gerd Meissner
Bob Frankston
o Re: Telephone Card Audit Trails
Jonathan I. Kamens
o Re: E-Mail Courtesy
Jim Haynes
Bob Frankston
o Re: Electronic Food Stamps
Colby Kraybill
o Re: International Internet Association
Jeff Porten
o Info on RISKS (comp.risks)

E-Mail blunder at Olympics

David G. Novick <>
Tue, 22 Feb 94 22:08 PST
Here's another example of a familiar problem with a topical twist,
as reported by the Portland "Oregonian" February 22, 1994, p. C5:

"Access Violation: Several U.S. reporters were contacted by Mike
Moran, the U.S. Olympic Committee chief press attache, after they got
Portland figure skater Tonya Harding's Olympic identification number
and broke into her computer mail program.

"All persons with Olympic credentials have access to a computer mail
system on which they can send notes to others and receive information.
Access is is through an individual's Olympic ID number and a password,
typically the user's birthdate.

"The reporters got Harding's ID number through a blown-up photo and
typed her birthdate to gain access to her messages.

"The skater had received 61 messages by Sunday."

David G. Novick, Dept of Comp Sci & Eng, Oregon Grad. Inst. of Sci. & Techn.,
P.O. Box 91000, Portland, OR 97291-1000  (503) 690-1156

Dog Gets Card With $10G Limit

Wed, 23 Feb 94 00:57:23 EST
We've all read stories here of how credit agencies have make mistakes.
Sometimes, it isn't the consumer who loses.  Marc

      [The PGN Excerpting Service provides the following summary of
      an AP item from Ballston NY, relayed by,
      14 Feb 1994.  PGN]

An eight-year old Brittany spaniel has her own $10,000 line of credit.  Her
owner began using her name on coupons and warranties, which then resulted in
solicitations and finally an offer of a credit card.  [Her pawtograph is
apparently enough when she charges dog food.  Perhaps she pours arf-and-arf
over it.]  PGN

Computer error adds to ad valorem tax for 300,000 people

James E. Burns <>
Wed, 23 Feb 94 15:48:27 EST
The Atlanta Journal of 18 Feb 1994 carried an article by Chris Grimes
describing an error in 300,000 auto tax bills (about 5% of the total).  The
error added $10 to $30 to the ad valorem portion of the bill.  Apparently the
mistake was caused by a patch added to correct a similar problem from the
previous tax season.  (Once again, the rule of thumb that a change to fix a
bug has a 50% chance of introducing a new one seems to hold.)  Officials
expect the problem to be fixed for next year's tax season.  (One wonders if
the have a "three strikes and you're out" rule :-)

Apparently, the State is not notifying motorists directly of the incorrect
amounts --- they must contact their local tag offices to ask if there was an
error.  The article warns, however, that this might result in a higher bill
since the errors apparently were both postive and negative.

James E. Burns, Bellcore, NVC-3X114, 331 Newman Springs Road,
Red Bank, NJ 07701-5699  (908) 758-2819

Embezzler caught by computer trail

James E. Burns <>
Wed, 23 Feb 94 15:34:33 EST
An article by Davidson Taylor appeared in the 18 Feb 1994 issue of the Asbury
Park Press (NJ) described the arrest a teller of a local credit union for
embezzling $15,000.  The embezzling was allegedly done on the teller's last
day of work, 8 Mar 90.  There is a supposition that the teller might have
destroyed the paper trail; she was apparently caught through computer auditing
by the Federal Reserve, which notified the credit union on 19 Mar 90.  No
clear explanation was given for the nearly four year delay in filing charges.

Of interests to RISKS readers was the quote from Assistant U.S.
Attorney Jay McMahon regarding the detection of the fraud:

     "You can't destroy computer records."

James E. Burns, Bellcore, NVC-3X114, 331 Newman Springs Road,
Red Bank, NJ 07701-5699  (908) 758-2819

Software testing at Sizewell [Note: British NII is not US NII]

Brad Dolan <>
Wed, 23 Feb 1994 12:32:02 -0800
TESTING THE SOFTWARE  [Nuclear Engineering International, 12/93, p.10]

Britain's Nuclear Installations Inspectorate is satisfied that the software
for the Sizewell B Primary Protection System (PPS) will be adequate for its
role - provided that no further major issues arise from NII's continuing
assessment or from the commissioning trials now underway, that the various
ongoing independent assessments are completed successfully, and that a
"clean" dynamic testing demonstration is achieved.

The NII does not believe that Nuclear Electric's original PPS integrity target
(10E-04 probability of failure per demand as proposed in the Pre-Construction
Safety Report) has been fully demonstrated - it was always regarded as a very
tall order by the regulators - but it does accept that the overall safety case
for the plant "can accommodate, without significant detriment, a lower
integrity for the PPS."

These conclusions are part of a status report on NII's assessment of the PPS
presented by NII staff to the Advisory Committee on the Safety of Nuclear
Installations on 1 July.  In October, the UK trade newspaper _Computer Weekly_
took the innovative step of helping the nuclear industry in its mission to be
more transparent by making the leaked report available to readers (at 2 pounds
to cover copying and postage).

The NII notes that two main themes have emerged from its assessment of the
Sizewell B PPS software. On one hand there is complexity of design, which "has
made the task of demonstrating a high integrity for the system particularly
difficult."  On the other hand there is the compensatory effect of examination
and testing, not only by the supplier, Westinghouse, but also by a range of
organisations in the UK: "no other reactor protection system in the world,
past or present, has received more attention than the PPS" (see NEI, March
1993, pp. 28-33, for a flavour of the 500 person-year effort).

Because of the difficulties of quantitative demonstration of software
reliability, NII has adopted a "special case procedure" consisting of two
legs: demonstrating excellence of production; and an onerous programme of
confirmatory independent assessment, to build confidence that the required
dependability has been delivered (see NEI, September 1991, pp. 38-40).

The independent assessment is still going on.  Because of the huge effort
entailed, it was always expected to "run right up till the eleventh hour" says
David Hunns of the NII.

The dynamic testing, which has received a good deal of publicity recently, is
just one part of the independent assessment programme.  Originally offered by
the utility on a voluntary basis, the dynamic testing uses a "test harness" to
subject an actual guardline of the PPS to a sample of the inputs it might see
during selected fault scenarios and then to compare the output from the
guardline against what it should have been according to a logical model based
on the specifications of the PPS.

Unfortunately, in about 52% of the 49694 valid tests performed in the 6 month
programme ending December 1992 there was a discrepancy between the actual and
expected PPS output.  About 90% of the failed runs have been ascribed to
inadequacies of the test harness (in particular limitations in its modelling
of PPS characteristics) rather than the PPS itself, but the NII wants a
complete explanation of all the reasons for failure and demonstration of a
"clean" test run the the test harness performing satisfactorily.  More tests
are underway.

Brad Dolan  10ATT.0.700.NUCLEAR  ask me about PGP

Clipping Clinton and the Executive Branch...

Peter Wayner <>
Wed, 23 Feb 1994 13:28:19 -0500
In a recent samizdat, I've heard that the National Intelligence Agencies are
urging the White House to use Clipper for its own internal system.  It sounds
like a good plan to lead by example, right?

Unfortunately, I would resist using such a system if I was the President.
Why? Because Washington is filled with intramural spooks watching other
branches of the government. Most of the folks in privacy groups like to
imagine the Clipper chip as an instrument of government oppression directed
toward the common folks. In reality, I would bet that a number of phone taps
are agency-vs-agency, intramural things.

For instance, Bill Safire found out that his phone was tapped while he was a
speechwriter for Nixon. A recent internal investigation by the DOJ revealed
that there was an internal eavesdropping system for listening into different
branches of the DOJ. Internal Phone calls were routinely recorded.

This is why, I believe, that 13 state legislatures ban their state and local
police from using phone taps. These taps would give the folks who run the
local police a good deal of intelligence about state-wide issues and spending.

This is also why the recent Bush-to-Clinton transition was such a mess. The
clintonians arrived to find computers stripped of their hard disks.  Why?
Because it is possible to retrieve info from hard disks long after they've
been erased. Also, the Clintons stripped out the phone system and had a new
one installed? Why? Who knew what bugs were left in place.

Of course the most important reason not to adopt the Clipper for White House
use was on the cover of the NYT today. A CIA analyst was finally caught spying
for the Soviets. He was supposed to have netted at least 1.5 million dollars
for his information.

I was particularly struck by the size of the house that he bought for $500,000
in allegedly ill-gotten cash. It wasn't that big. Life in Washington is very
expensive-- especially for the clerks and career employees of NIST and the
Treasury Dept. If you need to sell out to get this house, it must be tough to
sit there on top of hte keys to every conversation in america and be happy in
your rundown bungalow and Reagan era sedan.

Date: Wed, 23 Feb 1994 11:31:11 -0800
From: David Honig <honig@ruffles.ICS.UCI.EDU>
Subject: Clipper: Love your country, don't trust its government

   [... Further comment after noting the CIA story:]

So, you can buy a high ranking CIA person (who ran the *counter*intelligence
branch for 2 years) for a measly $1.5 million.  I wonder how much a pair of
Clipper-key-escrow agency people will cost?

Re: CompuServe Offers Credit Info

Tue, 22 Feb 94 22:49:24 EST
     CompuServe Inc. and National Information Bureau Ltd. (NIB)
     have agreed to give CompuServe users access to NIB's credit
     information, as well as motor vehicle, workers' compensation, ...

The AP ran a correction to this story today.  They noted that only National
Information Bureau customers would have access to the information.  (But the
article did not say how that would be enforced.)

   [Also noted by Chuck Weinstock <weinstoc@SEI.CMU.EDU>.  PGN]

Social RISKS of Universal IDs

John Oram <>
Wed, 23 Feb 1994 01:00:23 -0800
This was in the op-ed section of the Globe & Mail last Friday (23 Feb).  As it
is a relatively non-technical description, I'm not sure how appropriate it is
for this forum, but it presents a fairly eloquent argument outlining the
potential social RISKS of universal ID cards.


*Your identity card please*

Ontario's Social Services Minister is worried about welfare fraud, but doesn't
want to stigmatize welfare recipients by singling them out for fingerprinting.
So Tony Silio has seized on a clever alternative: require _everyone_ in
Canada, whether or not they are on welfare, to carry a universal identity
card.  Citizens wouldn't have to clutter their wallets with a separate
driver's license, age-of-majority card, health card and so on.  It would be
adorned with a photograph and (possibly) a digitized fingerprint.  How
efficient.  How practical.  How unwise.

It's always difficult to argue against such schemes because they are, on the
surface, so sensible.  There is no doubt at all that a universal ID card would
make life easier for all kinds of authorities, from the welfare people (who
could easily prevent multiple claims) to health care administrators (who could
catch out-of-province and out-of-country freeloaders) to the police (who could
quickly check the identity of suspected wrong-doers, whether or not they are
licensed to drive).  For honest Canadians, they would make daily life a little
more convenient without posing any immediate threat — just as photo radar on
the highways poses no immediate threat to people who do not speed, or video
cameras on street corners pose no immediate threat to people who don't
vandalize public property.  Why, then, do all these things give us a chill?

Critics would say it is irrational fear, an automatic reaction to any measure,
however reasonable, that reeks of Big Brother.  They would be partly right.
Few opponents of identity cards really expect Canada to become a police state
the day after they are introduced.  Their opposition springs instead from
instinct, a gut feeling that a society that makes its members carry an
identity card is, however intangibly, less free.  It is, on the whole, an
admirable instinct.

There are many practical objections, too.  The very existence of a unified
identity card would invite invasions of privacy.  Advances in microchips and
other technologies have made it possible to put an immense store of
information on a simple plastic card.  If such a card can carry a digitalized
fingerprint, it can also be designed to contain the holder's medical history
(handy for insurance companies), credit record (convenient for banks and
stores) or criminal record and probation status (nice for the police).  Thanks
to computer networks, this sort of information can easily be shard among
various agencies.

At present, we are at least partially protected by the fact that we carry
separate cards for separate things.  A person who is pulled over by the police
for speeding expects to hand over his driver's licence because he knows that
holding such a license is required to operate a car.  He does not expect
simultaneously to hand over his welfare, medical or employment ID.  The merit
of separate cards is that each agency of the government has access only to the
information that it clearly and demonstrably needs.

Canadians already must carry a host of identification cards they did not need
on the past.  Ontario, for example, only recently required residents to
present a health card when visiting the doctor.  Until 1964, there was no such
thing as a social insurance number.  But if a citizen is not applying for a
job, paying his taxes, going to the doctor or driving a car, he can still
leave his wallet and home and walk down the street without a scrap of
identification in his pocket, defined not by a piece of plastic but by his
status as an individual.  That is a feeling that citizens of most countries do
not enjoy.  It is one Canadians should not let slip away.

Re: SimHealth (RISKS-15.57)

Gerd Meissner <100064.3164@CompuServe.COM>
23 Feb 94 05:19:42 EST
SimHealth, introduced in Washington D.C. last November, was developed by Maxis
Business Simulations, which is a special unit of that company. It was
developed, as I`ve learned, for the Markle Foundation as kind of
"demonstration/educational tool" for students and community colleges etc. to
show, discuss and learn about some basics of health reforms and politics. The
only "risk" I see is that the result is better informed, critical citizens.
Regards, Gerd

Re: SimHealth

Wed, 23 Feb 1994 00:40 -0400
One general issue of the Sim series is that they portray certain viewpoints of
how the world operates and don't pretend to be objective. As noted, there is a
danger in using the simulations to understand public policies where just about
every parameter is debatable. One benefit is making people appreciate the
complexity of interacting systems.

I'm reminded of the Apple ads of a decade ago arguing that pretending to
dissect a frog on an Apple ][ was just as good as cutting open a real frog.
It also worth noting that the Psychic Hotlines on the 900 #'s are listed in
small type as "for entertainment purposes only". How much of their audience
consists of people who are spending $300/hr just to play a game.

Maxis makes fine software and great games with a number of valid lessons. Too
bad schools don't teach much about models vs reality.

Re: Telephone Card Audit Trails (Baube, RISKS-15.57)

"Jonathan I. Kamens" <>
Wed, 23 Feb 1994 09:34:56 -0500
What happens when the police arrest a suspect in some crime, find a prepaid
phone card on him, take the phone card to the telephone company, and say,
"Tell us what calls were made with this card?"

What happens if the enemies of a prominent businessman engaged in private
negotiations hire someone to mug him to get his phone card, take the phone
card to the telephone company pretending to be the legitimate owner, and claim
that it malfunctioned?  Will they be able to look at the screen the operator
pulls up with the phone numbers called on it?  What happens if they don't
bother to go to the telephone company directly, and instead just break into
the telephone company's computers and read the number off of the stolen card

This doesn't sound like an "anonymous" system at all.

An alternative system that would do a much better job of protecting users'
privacy would be to allow users to type a special code on the pay phone if
their card malfunctions while placing a call.  That code would cause *that
call only* to be recorded in the telephone company's computers.  No explicit
action by the user means no records in the computer.

Jonathan Kamens | OpenVision Technologies, Inc. |

Re: E-Mail Courtesy (RISKS-15.57)

Jim Haynes <>
Wed, 23 Feb 1994 09:21:55 -0800
The flip side of this issue (inappropriate questions posted to news or list
server when the questioner should have used the library first) is that it's
ego-gratifying to answer questions.  So for every simple question there are
likely to be dozens of answers, some sent to the asker in private e-mail but
many posted back to the list or newsgroup.  There is, however a socially
redeeming aspect of all this.  When dozens of answers are posted many of them
will be slightly or completely wrong.  One learns, over a period of time, just
how unreliable information obtained on the net can be, and whose answers tend
to be the most reliable.

Re: E-Mail Courtesy

Wed, 23 Feb 1994 00:41 -0400
I'd pose the complaint differently. The argument that one should trek miles to
the public library to look at the berries on wood pulp before querying the
electronic medium is misdirected. There is a valid complaint that reasonable
discussions should be stratified according to some measure of common interest
or expertise. This is going to be an increasingly serious issue as the network
grows, especially in the absence of control mechanisms such as financial
incentives and/or an established etiquette.

Asking questions online is more a symptom of the lack of effective
information retrieval technology in this medium (net surfing is not the final
answer) and is more a teething problem. Yes, deciding not to don ones winter
gear and head out into the blizzard is laziness. But it is precisely this
laziness that will force the issues and encourage people to make this new
medium work. If it breaks, fix it. You can ask people to hold back until the
problem is solved but don't blame them for the problem.

I do get a cultural jolt when I use an online catalog only to find I've
actually got to find the pbook.

Re: Electronic Food Stamps (Kabay, RISKS-15.54)

Colby Kraybill <>
Wed, 23 Feb 94 11:12:58 MST
The same program has been floating about New Mexico over a year now.  It works
very well, I should know, I use it.  It is very convenient.  My card has a
little 'Money card' symbol on the back, name of the service is called
Electronic Benefits Transfer or EBT.  Some of the propaganda on the card and
it's protective sheath :

Warning : It's a crime to illegally use, transfer, acquire, alter or possess
      food stamps or authorized cards.  Persons convicted may be FINED

(on the card)

    This card remains the property of the State of New Mexico Human
    Services Department and is subject to the terms and conditions
    under which it is issued.  If found etc.. etc..

In any case, I think that the security of the card is much better than
carrying around paper food stamps which someone without the knowledge of your
PIN could use.

Colby Kraybill - University of New Mexico - I.F.A.-H.E.P

Re: International Internet Association (RISKS-15.49)

Tue, 22 Feb 94 13:53:51 EST
Concerning the Washington Post article about the International Internet
Association that was mentioned in RISKS-15.49:

The tone of the original article in the Post and the RISKS followup were along
the lines of "Gee, isn't it a shame that this legitimate organization has had
its reputation impugned by someone who was took quick on the trigger in his
e-mail."  There's another side to this story that I'd like to share.

I'm a member of an informal network of organizations in the DC area that work
with student and youth activists.  We meet for dinner once a month, and a
running joke for the last few meetings has been the IIA.  Several of us have
gotten faxes from the IIA, which promised free Internet access and a
forthcoming larger packet of information that never materialized.

Contact was frequent enough to keep us joking and wonder who these people
were, but the whole thing had a very fly-by-night feel to it.  First off, an
organization called the International Internet Association appears out of
nowhere... one would have thought that an organization like that would have
made itself known *on* the Internet in order to build its reputation.  Second,
the letterhead consisted of clip art of a world map with IIA typed over it --
materials that could have been thrown together in about 15 seconds with no
monetary investment, especially since everything we saw arrived by fax.

All of this was merely quaint, until they asked us for a credit-card number
for a *free* account.  As soon as I saw that, I told the rest of the group to
stay as far away from these people as possible; the whole thing just screamed
"scam", and I am still not convinced otherwise.

Please report problems with the web pages to the maintainer