The Risks Digest

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Volume 16 Issue 21

Thursday 7 July 1994

Contents

o Risks of REDIAL
    via Lance Hoffman and others
o Online services taking big hits
    Alan Wexelblat
o Tax Software to Avoid: CA Simply Tax
    Smith Craig
o IRS SSN risks may abate
    Michael Gerlek
o Re: Fraud on the Internet
    Jeff Barber
o Signatures in electronic commerce
    Benjamin Wright via Mich Kabay
o Re: Scary
    Peter J. Denning
o Just the Facts, Ma'am (AI to screen bad from good cops)
    David Honig
o Re: Video cameras in City Centres
    Robert Allen
o Digitized CC Signatures
    Eric Richards
o Re: Shopping Risks...
    Jane Anna LANGLEY
o Info on RISKS (comp.risks)

Risks of REDIAL

"Lance J. Hoffman" <hoffman@seas.gwu.edu>
Thu, 7 Jul 1994 09:53:59 -0400 (EDT)
  [via various intermediaries...  PGN]

WIRES CROSS AS LOVERS DIAL M FOR MOTHER

LONDON, July 2 (Reuter) - A terrified British mother put police on red alert
after mistaking the sound of lovemaking for a cry for help from her daughter.
*The Independent* newspaper said on [July 2] that two accidental phone calls
woke the woman in Devizes, southern England, in the small hours of the
morning.  Hearing moaning, groaning and shouting, she dismissed the first as
an obscene call, but in the second she recognised her daughter crying: "Oh my
God," and heard a man's voice.

Convinced her daughter was being attacked in her bedroom 100 miles (160 km)
away, she dialed the emergency number 999 and a police squad sped to the
daughter's home to investigate.  "Officers rushed round and found she wasn't
being attacked -- in fact she was quite willing," a police spokesman said.
"They explained that during the moments of passion one of the couple
accidentally pushed the last-number redial button on the bedside telephone
with a toe.  Unfortunately on both occasions it was the girl's mother's phone
number," he said.  "This is a warning for other people -- if you're going to
indulge in this sort of thing, move the phone."

The mother and daughter have apologized to police for the confusion.

      [Reach out and toe someone?  This gives new
      meaning to "having your buttons pushed".
      And the mother was left to her own Devizes.  PGN]


Online services taking big hits

"Alan (Miburi-san) Wexelblat" <wex@media.mit.edu>
Wed, 29 Jun 94 12:15:22 -0400

On Saturday night, during Game 6 of the Stanley Cup Finals on ESPN, a
commercial for the Prodigy on-line computer service came on. They were
talking about how great the hockey game was, but it didn't compare to the
excitement available on Prodigy. They cut to the computer screen showing
Prodigy, and all of a sudden a big window came up on the screen, saying
"COMMUNICATION ERROR". Users of Prodigy say that when that happened, the
system locked up for almost a minute, then their screen went completely
blank. ESPN quickly cut away to another commercial.

The curse of the live demo!

On another ranch, AOL managed to get its main server building flooded,
knocking out the whole network for hours and denying email service for hours
more after that.  No word yet on lost data...  [You'd think after the mess
in Chicago a few years back they'd've learned something.]

--Alan Wexelblat, Reality Hacker, Author, and Cyberspace Bard, Media Lab
Advanced Human Interface Group  wex@media.mit.edu  617-258-9168


Tax Software to Avoid: CA Simply Tax

"Smith Craig" <smith_craig@mn14.ssec.honeywell.com>
1 Jul 1994 16:42:38 U

This time of year, taxes are far from mind.  That is until I received a letter
from the IRS stating that I had incorrectly figured the credit for child care
expenses on my 1993 return.  This is the first year my tax preparer, an
enrolled agent (EA), used the 1040PC format: only the necessary lines are
printed without descriptive text.  My EA checked and reports that the software,
Simply Tax by Computer Associates (CA) of MD, carried the incorrect figure to
line 4 of form 2441.  To my surprise, he said there were a number of such bugs
resulting in incorrect line transfers on other forms, but he corrected them
manually. What's the point of software that's automatically wrong?
Interestingly, the software can print either the 1040PC version or a graphic
facsimile of the IRS forms.  When the graphic facsimile was printed, Simply Tax
calculated a second _different_ set of incorrect numbers.  I would have assumed
the program implemented a single algorithm, with different output options.  It
now appears that the software implements independent (and different)
calculations, depending on which output format is selected!  This complicates
the debugging task.

The RISK?  Aside from reliance on software that is revised every year (never
debugged?), the 1040PC version threatens to further obfuscate our tax system
and create a new elite of tax preparers.  Since I have my taxes prepared
professionally, the IRS no longer sends the forms and instructions.  How
comfortable will I be signing next year's 1040PC, which I cannot decipher, in
the face of suspected bugs?  The IRS is moving away from graphic facsimiles, so
that may no longer be an option.  In future, expect to file taxes by hand,
1040PC, or electronically.  Graphic facsimiles will be allowed only if
identical to the IRS form including the color of the ink (you'll need a full
color printer).

My EA believes that the programmer was not a tax expert.  Unlike straight line
programming, tax forms have backwards references (to wit, my incorrect
transfer from line 25 to line 4 on the same form).  He suggests tax software be
tested by former IRS agents with experience preparing taxes for the public
(there are many such qualified individuals).

The IRS, with uncharacteristic understanding, is requiring only the tax and
interest, waiving the penalty for an "honest" error.  Have they recognized a
software bug?  My EA insisted on paying the interest (a paltry 0.5% per month).
Apparently there is a preparer's code covering this.  CA, on the other hand,
is under no such obligation.  In most industries, a defective product is
exchanged, refunded or repaired by the seller.  With the short use life of tax
software, CA assumes no such liability.  According to one theory, profits are
maximized when the cost of quality assurance equals the cost of defective
returns.  When there is no cost to the seller for defects, quality will be
minimized  :-(

Craig A. Smith, Solid State Electronics Center, Honeywell Inc., 12001 State
Hwy 55 Plymouth, MN 55441-4799  (612)954-2895 smithc@ccsvax.ssec.honeywell.com

   [By the way, the IRS endorses none of the tax preparation programs,
   and is not responsible for any errors they may cause.  PGN]


IRS SSN risks may abate

Michael Gerlek <gerlek@cse.ogi.edu>
Wed, 6 Jul 94 13:13 PDT

From the Wall Street Journal, 6 Jul 94 (pg A1, col 5):

  IRS officials are considering removing Social Security numbers from
  the mailing labels taxpayers stick on their returns.  The reason:
  "Some concerns about privacy," an IRS spokesman says.

-[mpg]   gerlek@cse.ogi.edu

   [Good news!  I raised that topic along with some related problems raised
   by RISKS readers (such as the amount of the check peeking through the
   envelope window) at my IRS Commissioner's Advisory Group meeting in DC
   three weeks ago.  I'm delighted to see a speedy reaction!  PGN]


Re: Fraud on the Internet (Kabay, RISKS-16.19)

Jeff Barber <jeffb@sware.com>
Wed, 6 Jul 1994 09:03:50 -0400 (EDT)

>[Comment from Michel E. Kabay:]
>[...] perhaps these frauds will eventually lead to requirements for
>effective identification and authentication of users.  Ultimately, it would be
>helpful to see non-repudiation as a feature of all electronic communications.
>For the time being, caveat lector.]

I find it distressing though not necessarily surprising that Dr. Kabay
would "solve" this "problem" by requiring more stringent I&A.  My own
reaction was that the "unscrupulous" investors got exactly what they
deserved.  Do we really need to require users to show their identification
papers before they can participate on the Internet?

Jeff Barber             jeffb@sware.com


Signatures in electronic commerce

"Mich Kabay [NCSA Sys_Op]" <75300.3232@compuserve.com>
05 Jul 94 23:26:34 EDT

[Ben Wright, an attorney teaching the online seminar on The Law of Electronic
Commerce in the NCSAFORUM of CompuServe, has granted permission to post the
following article on signatures.  I recommend that it be posted in RISKS
because it addresses assumptions about the need for non-repudiation of
contracts--an area which has been fuzzy for many of us.  I hope it will be as
useful for others as it has been for me.  --MK]


Re: Scary (Horning, RISKS-16.19)

Peter J. Denning <pjd@cne.gmu.edu>
Wed, 6 Jul 94 15:34:19 EDT

Political prevarication is part of the scene, unfortunately, and part of the
reason that politicians are finding themselves faced with term-limit referenda
around the country.  (I support those movements.)  At the same time, I am not
"scared" by the prospect that Perot (or any other) might tell me "promises"
that are tailored for me and antithetical to the "promises" that he makes to
you.  Why?  The same technology that enables him to do that enables him to be
revealed.  Many of the people who get such tailored notes are going to compare
notes on public bulletin boards.  Prevarications, if they exist, will be
instantly revealed and the candidate discredited.  This will help prevent them
from getting elected.  Let them reveal their stripes early, I say.  Let the
prevaricators be detected before election, not after.

Peter


Just the Facts, Ma'am (was Re: AI to screen bad from good cops)

David Honig <honig@buckaroo.ICS.UCI.EDU>
Wed, 06 Jul 1994 13:08:00 -0700

In Volume 16 : Issue 20 : pjt1@scigen.co.uk (Piers Thompson) worries about the
legal implications of screening cops for attributes shared with bad cops, when
attributes include race and gender.

In machine learning work I once came across, techniques that automatically build
decision processes were applied to known data to estimate students' expected
performance in college.  These techniques find the most
information-theoretically useful attributes and use these to sort new instances.
It turned out that race was found to be a very useful attribute in making
predictions in this domain, but for political reasons the decision process had
to be doctored to exclude this.

I think similar things have been found in financial areas, e.g., predicting
loan defaults.

(NB: Since present politics allows age and geographical discrimination, auto
insurance companies can and do use these properties in their assessments.)


Re: Video cameras in City Centres (RISKS-16.20)

Robert Allen <Robert.Allen@eng.sun.com>
6 Jul 1994 20:24:40 GMT

An interesting report.  Even more interesting to me because I first read about
the efforts to instrument society w/ video cameras in a comic book about 5
years ago, and the comic had been written at least 10 years ago.  For those
interested in seeking it out, the comic was a limited series (perhaps 10
issues) called V for Vendetta.  It was written by an English author (I believe
it was Alan Moore) who had a 1 page editorial in one of the issues wherein he
decried the slide of English society into what he saw as fascism.  In his
preface he wrote that he hoped to get himself and his family out of England as
soon as possible because of what he saw happening to society.  I believe he
specifically mentioned TV cameras on street corners, and these were definitely
central to the story.  They also had audio pickup capability, and vandalizing
them was a capital crime.  The story dealt with how the English gov't became
fascist after a 3rd world war.  "V" is a lone hero (?) who bucks the system,
assassinating various gov't figures, with an ending I won't spoil for you.

Life imitates art.  The complete series is available at any decent comic book
store (check your yellow pages) or even a large book store, in bound, graphic
novel format.

Robert Allen, rja@sun.com


Digitized CC Signatures

Eric Richards <ericr@SSD.intel.com>
Wed, 6 Jul 94 13:29:03 PDT

   While buying a bag of cat food at a local PetCo, I was asked to sign my
credit card receipt upon the machine that printed the receipt out.  After the
receipt was torn from the machine, I noticed that I had written my signature
on a rubber pad of some sort.  I asked the young lady what exactly this was.

   She then went into a cheerful explanation of this machine, showing me how
it keeps a low resolution digitized "picture" of the customer's signature.
She put it into test mode and had it print her signature back out.

   Her final comment raised my eyebrows: the full system will simply digitize
the customer's signature and keep it as proof of purchase.  No second copy at
all -- the customer keeps what the customer signs.

   There are, however, a few bugs to fix first, she admitted.

   I haven't seen discussion of this machine before and casual examination of
the machine didn't reveal the name of the company that makes it.  I'm not
especially thrilled with the notion that someone can have a digitized version of
my signature.  Does anyone else have information about the machine and/or
comments on risks of this CC machine's use?


Re: Shopping Risks... (Banks, RISKS-16.18)

Jane Anna LANGLEY <squirrel@mundil.cs.mu.OZ.AU>
Fri, 1 Jul 1994 11:47:13 +1000

In Australia there is a code of practice for supermarkets that use scanners.

Here if the item scans at a price higher than the price shown on the shelf you
are entitled to receive that item free. If you are purchasing several of the
same item and this happens, you get one free and the rest at the lower price.

Of course supermarkets do not go out of their way to draw your attention to
this, although some state it on a tiny sticker at each checkout.  A few months
ago an elderly couple who had some difficulty with English were ahead of me
in the checkout queue.  When one of their items scanned at a higher price they
complained, and the checkout operator did not know about the code of
practice. I pointed out the store's stated policy to both the customers and
the operator, who then referred it to the supervisor.

If you want to avoid being ripped off at the checkout, find out if there is
such a code of practice in your area, and make sure your supermarket sticks
to it.  If they don't, make a complaint or go someplace else.

Jane
