The Risks Digest

The RISKS Digest

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Volume 15 Issue 75

Weds 13 April 1994


o E-Mail saves a man's life
o Risks of powerful computers to the quality of science
Dan Ruderman
o Robot mower
Pete Mellor
o God Grants Granite Gift to RISKS Punsters
Peter Wayner
o The Soft Pork Underbelly of Efficient Markets
Peter Wayner
o A creative, HONEST software disclaimer
Neil MacKay
o E-mail problems
Andrew W Kowalczyk
o Holiday Inn extra key requirements
Lance A. Brown
o Fingerprinting & welfare
Mich Kabay
o Re: More jail-door openings
Al Stangenberger
Peter Wayner
o Info on RISKS (comp.risks)

E-Mail saves a man's life

"Peter G. Neumann" <>
Sat, 2 Apr 94 13:24:39 PST
RISKS is always delighted to find cases in which the benefits of computing
technology manifest themselves in a critical way.  Here is such a case.

Jack Miller, a computer analyst from Paramus NJ, was experiencing severe chest
pains and called his doctor, who put him on hold.  As his condition worsened
to the point that he felt a strange coldness and could barely breathe, he was
just barely able to type a piece of E-mail to coworkers: HELP.  FEEL SICK.
NEED AID.  Apparently he had intended to sent it just to a few nearby
colleagues, but instead it appeared as an alert message on the screen of each
of the 80 people in his department.  Some of those who responded were trained
in cardiopulmonary resuscitation, and his life was saved.  [Source: an AP item
in the San Francisco Chronicle, 2 Apr 1994, p.A1.]

Risks of powerful computers to the quality of science

Dan Ruderman <>
Wed, 30 Mar 94 14:54 BST
Much of modern-day science relies on computer models for simulation and the
testing of various hypotheses.  The use of large scale simulations now
permeates many fields, from the Monte Carlo algorithms employed by physicists
and computer scientists to genetic mutation simulations performed by
evolutionary biologists.  As computers gain speed and data storage capacity,
science's dependence on simulation will only increase.

I see two grave risks in this trend.  First, the uses I mentioned above both
rely heavily on having a "good" random number generator.  But it is well known
that even the best pseudorandom number algorithms posses large amounts of
redundancy (and thus predictability) when viewed in high-dimensional spaces.
But this is exactly the regime in which they are mainly used in science to
simulate many-body dynamics.  The second edition of "Numerical Recipes"
discards its previous random number generator for a "better" one.  Should all
the thousands of simulations which used the first version now be redone?

The second potential danger is to the fundamental quality of scientific ideas.
How long should you think about a problem before letting the computer take a
brute-force crack at it for you?  As computers become more powerful the
temptation to stop thinking and start coding looms ever more prominently.  As
a high school computer nerd turned postdoc physics nerd, I am acutely aware of
this seduction.

One aspect of this problem is that we may not think as hard as we used to.
Another may be the predominance of work being on computer simulations rather
than basic ideas.  Since these simulations generally have many adjustable
parameters, the space of possible exploration is huge, and not all of it
relevant.  This also makes the interpretation of results that much more
difficult to grasp, since there is a large number of parameters to visualize.
Pedagogically speaking, simulations should be used sparingly either to
illustrate an idea or to perform an essential computation which cannot be
carried out analytically.  A proliferation of mediocre models with many
arbitrary parameters can only spell disaster for the industry.

Dan Ruderman  The Physiological Laboratory    Cambridge CB2 3EG    England

Robot mower (designed by Belgians, built by Swedes, driven by no-one)

Pete Mellor <>
Sun, 3 Apr 94 03:54:47 BST
The Daily Mail of 1st April 1994 carried a full-page report (p3) of a new
design of mower called the Solar Turtle.

This is a little robot that runs around your lawn on wheels, cutting the
grass ALL ON ITS OWN! The picture that accompanies the article shows a
low-profile object about 3 feet long by 2 feet wide, elliptical in outline,
and with its top surface sloping down from about one foot at the front to
6 inches at the back. (I am guessing: the exact dimensions are not given.)
It is so light that "it can be carried by a child." It is also (mercifully!)
almost completely silent.

Its flat upper surface is covered with an array of solar panels which provide
it with sufficient power to trundle around even on dull days, and charge its
little batteries so that it can keep going if it runs into a shaded patch of
garden. Its maximum speed is 1.8 kph (slower in the shade). Three separate
electric motors drive its two front wheels and rotating cutting blade. Since
it is intended to operate continuously, the grass never gets a chance to grow.
Therefore trimmings are very fine, and are simply left on the lawn as a mulch,
so that no collector box is required, and it doesn't even require periodic
attention from the gardener to empty it.

A single machine can look after 2000 sq. ft. of lawn. Price {pounds} 1,500
to 2,000 (still TBA). Manufacturers are Husqvarna of Sweden, and the inventor
is Andre Coles (Belgian). So far, it has been demonstrated at the Spring
Gardening Fair at Olympia, London. Look out for it next at the Chelsea Flower
Show. It will probably go on sale next year. (British outlet: Husqvarna
Forest and Garden.)

Risks? Well, what if it a) cuts your toe off, b) mows your prize dahlias,
c) gets stuck, or d) gets nicked?

This is where the relevance of all this to the RISKS forum becomes apparent.
For the Turtle is controlled by (you've guessed it, folks!) "an on-board
computer [which] analyses conditions 500 times a second, enabling it to adapt
to the amount of light, humidity and temperature, and to negotiate slopes
and particularly overgrown patches."

a) Safety (1): If it hits anything (tree, chair, foot) "a shock detector stops
it in its tracks". The picture shows a sort of white band around the front
edge, which is presumably a collision sensor. Since it moves "backwards and
forwards a few feet at a time", it presumably has a similar sensor at the
rear. Its sensor seems to be a few inches off the ground. Could it give a
sleeping cat a short back and sides?

b) Safety (2): It will not operate outside an area delimited by a buried
"boundary cable". An "electronic sensor" detects the cable, and "tells it
to turn back". The article does not go into this, but (IMHO) this is a
serious marketing weakness. The photo shows the Turtle standing proudly in
the foreground with a smiling and highly photogenic young lady (who obviously
never got her hands dirty with a bit of weeding in her life!) lolling in
a deck-chair in the background. The scenery includes (as well as the happy
Turtle user) about 50 acres of garden containing a lake, irregular patches
of shrubbery, occasional trees, and artistically arranged lumps of rock.
Even assuming the Turtle can negotiate the rocks, shrubs and trees without
help, burying a boundary cable around that little lot must be a major
logistical exercise.

c) Reliability: This must depend on precisely how intelligent its program is.
It can't simply stop when it hits a tree, so what does it do? Back up and
charge again? Try a random turn? What happens if it hits your foot, and you
then move out of the way? You can bet that even if you have more sense than
to get in its way, your kids will have hours of fun trying to convince it
that they are a tree! If it maintains a database of the terrain, this could
seriously blow its tiny mind! :-) On the other hand, it must somehow avoid
mowing the same little patch over and over again. Does it remember where it's
been? (Software Engineering coursework assignment: "Design an algorithm using
a pseudo-random number generator to ensure that a Turtle covers the whole of
a piece of lawn 2,000 sq. ft. in area in a given time irrespective of the
shape of the perimeter or the presence of interior obstructions." - That
should keep the students busy! :-)

d) Security: If the Turtle is picked up, "a loud alarm goes off ... and is
turned off only when an individual code is punched in. And it cannot operate
outside the electronic boundary." ("I say, Alice! What's the code for this
****** Turtle? I can't turn the frigging alarm off!") Also, if it's *carried*
outside the boundary cable, how does it detect this? Mmmm ...

After all that, risks to the public? Err ... getting fat through not having
to mow the lawn? :-)

  [There is a disclaimer in the Mail article which states that
  this is NOT an April Fool joke! :-) ]

Peter Mellor, Centre for Software Reliability, City University, Northampton Sq.
London EC1V 0HB    +44 (71) 477-8422,

God Grants Granite Gift to RISKS Punsters

Peter Wayner <>
Tue, 5 Apr 1994 15:25:20 -0400
The financial pages will be burning up with stories about a relatively small
investment fund called "Granite." The fund was set up by "really smart guy"
named David Askin to provide "RISK-free" investment in the the mortgage backed
securities market. As early as middle March, Askin was pretty sure that his
fund was still worth $600 million. Now it may not be worth anything. Poof. In
two weeks!

How could this happen? Everyone understands how money can disappear in the
stockmarket. But, the Granite fund was different. Askin et al.  used very
sophisticated models to figure out which morgage-backed securities were cheap
and which were dear. He would buy the cheap ones and sell out the expensive
ones. Eventually, the market would drive the price of the cheap and dear
securities together. Then the fund would close out the position and make money
based upon the original spread.

The great "strength" of plan was that it was supposedly interest-rate neutral.
If the rates went up, then both the cheap and the dear securities would lose
value in sync. They're both bonds so they tend to lose value as interest rates
rise. So any loss in the value of the "cheap" securities that the fund
actually bought was offset by a gain the value of the short investment in
"dear" securities that fund sold short. The same process would work in reverse
if interest rates dropped.

The main problem seems to be that no one was willing to buy any
mortgage-backed securities as the bond rates went through the roof.
The markets just froze. Plus, prices weren't behaving according to
the very careful models that he originally created. Bam.

Interested parties should check out the various articles in the NYT (April 5,
A1), Time magazine (cover), and other sources to find out more details.

The message for the comp.risks readers is the same old story of technical
hubris that we've grown to love. But it is even better than almost any other
case I've read about. People who use computers and mathematics on Wall Street
usually have a stronger arrogance than those who use the computers to guide
planes, run home security systems, run 911 systems or steer satellites. Why?
Derivative securities, like those bought by Granite, are sheer creations of
mathematicians. It is very tempting to believe that they're free from
real-world problems like wind, noise, pets or other gremlins that keep plenty
of engineers up late.

I've worked on Wall Street doing these sorts of things. The whole mathematical
foundation of the work made things both very fun and very certain. I've always
thought that mathematics was a very clubbish pursuit. The proofs were the
rites of initiation. Once you made it in you could be sure that you and the
other members of this club really did have a superior view of the world.
Unlike the all-male, all-female, all-whatever clubs, you had actually _proven_
the truths you held up as self-evident. The mathematicians running these games
are probably just as sure.

But, when the Bear putsch came to shove and the world tried to get out of the
stock market at the same time, all of the mathematical models started breaking
down. I can assure you that the people who bought into this fund probably
thought that they were buying a sure thing. They had probably worked through
the math themselves. There are probably lawyers combing the prospectus hoping
that the Granite partners were so sure of themselves that they didn't put the
usual disclaimers in the prospectus.

At this point, I'm wondering about of the dangers of using mathematics for a
guarantee of even things mathematical. The theorem that all maps can be
colored with four colors is widely known as the first example of
computer-based proofs. Many people don't remember that the theorem was
originally considered settled and true back at the turn of the century. People
believed the "proof" for several decades. Then someone stumbled upon a
loophole and it became famous again.

--Peter "I will build my Church/Turing theorem on this Granite" Wayner

The Soft Pork Underbelly of Efficient Markets

Peter Wayner <>
Thu, 31 Mar 1994 23:30:20 -0500
     The Under Pork Belly of Efficient Markets, or
     How to Launder Money Using Cattle Futures

The great promise of electronic networks and virtual communities is a
collection of very efficient markets. In the future, information will be
moved, products will be sold and trades will be executed in a blink of an eye.
This efficiency is usually considered to be a pretty good thing by everyone in
business, in economics or in line at the video store. The underside of this
efficiency, though, is a blurring of the line between legitimate and
illegitimate business.

A good way to understand this effect is to study the case of how to launder
money using the futures markets. Laundering money is an age old problem for
people who want to move funds from person A to person B without leaving a
suspicious trail. Cash is the nieve approach and it has plenty of problems: it
is bulky, it can be lost or stolen, and most importantly it often leaves
people asking "Hey, where did that come from?"

The futures markets, though, make it simple to move funds in a way that is
indistinguishable from ordinary commerce. If it is done correctly, the
recipiant, person A, looks like a lucky stiff or a market savvy investor.
Person B is usually out of the picture or out of luck. The same games can be
played with almost any other market, but futures markets are so efficient that
the process is actually feasible and easy to do.

The basic transaction in futures is to buy or sell a contract for the delivery
of x pounds/barrels/tons/feet of some commodity at y dollars/yen/marks etc. If
you buy a contract, then you're obligated to actually cough up y dollars when
the contract comes due.  Most people don't hold on to the contracts long
enough for them to actually take delivery.  They sell another contract and the
futures market maintains a clearing house that is responsible for matching up
the contracts and cancelling them out. It's a great system. Very efficient and
very useful for farmers, manufacturers and others who actually produce and
consume commodities.

Futures markets are great for laundering money, though, because they can
generate big losses or big gains in a short amount of time. It is quite
possible for $100 to turn into a $5000 gain overnight. The downside is that it
can often turn into a $5000 loss in the same amount of time. In fact, the
market is a zero sum game. If you make n dollars, then there is someone out
there who just lost n dollars. The sum total of the losses and the winnings
equals zero.

This zero sum nature is the key to laundering the money. Person A and Person B
get together and guess that the price for a commodity is going to go up. That
means that who ever buys a contract will make money. So Person A, the intended
recipient buys a contract and Person B sells a contract. If they're right,
then Person A gets the money and Person B loses the same amount.

Bingo. The money moved from B to A and no one can trace how it got there.
Person A looks smart or lucky and Person B looks out of luck. There was no
direct connection between the two. There are thousands of other people out
there winning and losing money at the same time. The marketplace's central
clearing house arranges it so each wins and loses their rightful share.

You may wonder why B bothered to sell a contract and lose money. This is the
safeguard against guessing wrong. No one is correct all of the time. Even the
people who try and rig the markets and corner them get burned as often as they
succeed. The best investors in the futures markets, the ones who make money
time after time, are the arbitrageurs. They spot inefficient pockets and try
and remain neutral to the overall shifts in the market.

Person B sells the contract so that if the market goes down, i.e., the wrong
way, then A and B together have lost no money. It's a zero sum. Now they just
have to play the game a bit longer or for stakes that are twice as high. You
can think of the process as flipping a coin until you have encounter a heads.

Ideally, you play this game with two players with relatively deep
pockets. This means that A can cover the short term loses. This is a
bit of a disadvantage because many money laundering operations must
move cash from the rich to the poor. You can cover up this problem by
using the same broker for A and B. The broker executes the trades and
then assigns the winning trade to A and the losing trade to B. They
fill in the order books after the fact.

Using the same broker for A and B can be problematic because it may look too
suspicious if the mirrored trades appear on the same ledger. The beauty of
this system is that it can look quite indistinguishable from normal business
practices. Many companies actively enter the futures markets to hedge
themselves against foreign currency movements. Others actively enter the
futures markets to guarantee themselves a good supply of their raw materials.

The essential point of this lesson is that fast, efficient markets make it
possible to move money easily. The futures markets were designed so that is no
real other half to every trade. It's literally you against the world with
every trade. The RISKS, of course, is that accountability can vanish as the
size of the crowd grows to be as big as the world. There is no way to catch up
with this. The futures market are so great because there is no need to deal
one on one.

The effects of speed are not only apparent in big financial markets. Credit
cards and overnight delivery are a dangerous combination. You could steal
cards, order a fortune of stuff, arrange for it all to be delivered overnight
and then jump town quickly before people notice the card was gone. Suddenly,
merchants must deal with the fact that something that used to be complete
legitimate (exchanging cash for goods) is now a potential theft.

Of course, there are other crimes that lose their edge. It is much harder to
escape the law by heading to a new town. Computerized fingerprint files are
very, very efficient.

I think everyone felt that perfect, computerized markets would bring about the
right mixture of accountability and efficiency. It would be a perfect mixture
of Big Brotherly scrutiny would take care of everything. Every trade, after
all, is recorded in the futures market. Yet, the best mechanism for anonymous
fund transfer yet discovered exists here in the midsts of all of this record
keeping, legal scrutiny and oversight.

A creative, HONEST software disclaimer

Thu, 31 Mar 94 21:11:41 EST
To add one more to your creative software disclaimers; I read this one in
WIRED magazine issue #2.01. It is reprinted without permission. It concerns
Haventrees Software's EasyFlow program.

  If EasyFlow doesn't work: tough. If you lose millions because EasyFlow
  messes up, it's you that's out the millions, not us. If you don't like this
  disclaimer: tough. We reserve the right to do the absolute minimum provided
  by law, up to and including nothing. This is basically the same disclaimer
  that comes with all software packages, but ours is in plain English and
  theirs is in legalese. We didn't want to include any disclaimer at all, but
  our lawyers insisted.

Certainly clarifies their position. In a strange, twisted, punkish kind of
way I admire them. :-)


E-mail problems

Andrew W Kowalczyk <>
Fri, 1 Apr 94 19:46 EST
With all the tribulations you have gone through in trying to mail stuff
properly through the various E-Mail systems I thought you might enjoy this
joke that was related by columnists Nicholas Petreley and Laura Wonnacott in
the March 28, 1994 issue of InfoWORLD:

A fellow goes into a bar and says to the bartender, "Hey, I just heard this
great E-mail gateway programmer joke."

The bartender replies indignantly, "Now, wait a minute. I used to be a gateway
programmer.  See that guy at the end of the bar? The guy at the other end?
Those two guys at the table over there?  They are all gateway programmers.
Now, do you still want to tell that joke?"

And the fellow says, "Well, not if I have to explain it five times."

Andy Kowalczyk, Allstate Life Insurance Co., 1415 Lake Cook Road P2A, Deerfield
IL 60015-5213   (708)317-6206

Holiday Inn extra key requirements

"Lance A. Brown" <>
Thu, 31 Mar 1994 23:50:59 -0500
Last weekend, March 27th I checked into a local Holiday Inn for an
overnight stay and was given only 1 credit card style mag-stripe key.
A few hours later I went back to the desk and requested another key
for my wife.  The clerk asked for my name and room number, pulled
something up on her computer, swiped a key through a card read
(writer?) and handed it to me.  No photo ID or other ID requested.

I asked if it is standard to not request ID for extra keys and was
told that is true.  I then asked her if she realized anyone could get
a key just by knowing the name of a person and what room they were in.
She seemed quite startled by this.

The RISK is quite obvious.

Lance Brown

Fingerprinting & welfare

"Mich Kabay [NCSA]" <75300.3232@CompuServe.COM>
01 Apr 94 07:26:21 EST
>From the Associated Press newswire via Executive News Service on CompuServe

  Welfare Fingerprints, By KATHLEEN HOLDER, Associated Press Writer

    SACRAMENTO, Calif. (AP, 31 Mar 1994) -- Expanding the use of
  fingerprinting to flush out welfare cheats, Los Angeles County will soon
  start taking the prints of applicants for federal dependent children
    Officials said the requirement, which won state approval Wednesday, will
  be the nation's first use of fingerprinting to prevent fraud by applicants
  for Aid to Families with Dependent Children, the main federal-state welfare

The author explains the background and details.  Key points:

o electronic fingerprint scans of applicants are stored in computer database.

o fingerprint taken as unique authenticator of identity.

o Los Angeles has been using these techniques since 1991 for state general

o Needed and received a waiver from federal govt to add requirement to federal
regulations for AFDC.

o These techniques will be implemented state-wide if they work.

o Several advocates for poor people's rights object to the stigma of

o "In the first six months after Los Angeles County began running fingerprint
checks for general assistance in 1991, the county reported cutting its costs
by $5.4 million, or more than half."

o "More than 3,000 people lost their aid for suspected fraud, and more than
200 applicants were denied assistance because they refused to submit their

Michel E. Kabay, Director of Education, National Computer Security Assn

Re: More jail-door openings (Markson, RISKS-15.73)

Al Stangenberger <forags@nature.Berkeley.EDU>
Fri, 1 Apr 1994 20:43:04 -0800
> a jail in Marin ...

There's something wrong with this -- Polly Klaas's accused killer is housed in
Santa Rosa, Sonoma County.  Not Marin.  I don't think Marin's new jail is
finished yet.

Al Stangenberger, Dept. of Env. Sci., Policy, & Mgt., 145 Mulford Hall - Univ.
of Calif., Berkeley, CA  94720    (510) 642-4424


Peter Wayner <>
Fri, 8 Apr 1994 13:36:38 -0400
Q: What is WAIS?
A: It stands for Wide Area Information Server. It's a pretty popular
standard for accessing text based information on the Internet. Anyone
can use readily available software to create an index for a collection
of texts and then make this available to the world on the Internet.

Q: How do you use it?
A: Get the right software, choose some data bases, type in some keywords
and press the button. WAIS will come back with a list of documents and
their matching quotient. You can then choose to read the entire text of
the documents.

Q: Why would RISKS readers care about this?
A: Comp.risks digests are indexed with a WAIS server. You can type in
"plane crash" and get more than enough information to keep you wondering
about one, two and three engine planes that fly-by-wire using code
written in Fortran and encrypted with Clipper to prevent terrorist

Q: How can I get the software?
A: There are many different ways to access WAIS. Many GOPHER servers
offer it as an option. You won't even leave GOPHER to type your query.

You can also use TELNET to "" and log in as "wais" to use
their link. The interface isn't great, but it is not bad.

The best options seems to be to get a copy of the specialized software
written for different platforms. One package, which I've used
occasionally is called "MacWAIS." It is available via anonymous ftp from  You need to have a Macintosh computer with an Internet
connection using MacTCP to use this. There are other copies for NeXTs,
PCs and other machines at in the "/wais" directory.

Q: Are there any tricky parts?
A: Well, it is pretty easy in some respects. You just type and go. I've
occasionally had trouble getting a good list of servers that are
available.  The WAIS folks were clever enough to make it possible to use
WAIS to search through the lists of servers. You just type in some
keywords and back comes a list of servers that have that keyword in their

So, if you want to access RISKS, try searching the directory of servers
for the keyword RISKS. Once you find it, you will be able to save the
result on your machine and it will automagically know about the RISKS

Another solution is to search through the directory of servers using
".src".  Several people have recommended this to me, but I've had trouble
getting it to work well for a number of reasons. First, it only searches
the description string of each server. If the author/creator of the
server was parsimonious with the description, then you might not even
find the world ".src" in there. I've tried all kinds of keywords, but
I've often felt like there are still many sources out there that I just
can't find.

This problem may be fixed or solved by now. (Please write if it has.)

Please report problems with the web pages to the maintainer