The Risks Digest

The RISKS Digest

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Volume 18 Issue 51

Weds 9 October 1996


o $850 Million Social Security Problem
Scott Lucero
o "ATMs chew up 400 bank cards"
Daniel P. B. Smith
o Crisps (chips), football (soccer) & the web
Geert Jan van Oldenborgh
o A Premature Comment on the Aeroperu Flight 603 B757 accident
Peter Ladkin
o You think this database anonymizes entries?
Identity withheld by request
o Re: RISKS of temporary change-of-addresses
Leonard Erickson
o Another mail-forwarding problem
Adrian Howard
o Risks of deferred ISDN charges
Bob Frankston
o Re: Queensland Police put Wanted Poster on the Web
Mark Eckenwiler
o Mailing list/vacation/autoresponder
Daniel P. B. Smith
o Re: USPS Mail Forwarding
Frank Caggiano
Jonathan I. Kamens
o Re: politics and safety
Steven Philipson
o Communications Unleashed - CPSR conference program
Susan Evoy
o Info on RISKS (comp.risks)

$850 Million Social Security Problem

lucero <>
Fri, 04 Oct 1996 11:11:15 EST
In the Daily Brief, the *Los Angeles Times* reported that, according to
Social Security Administration officials, some 695,000 Social Security
recipients have been underpaid since 1972, due to a computer program error.

  - total unpaid benefits are estimated at $850 million, with
    an average amount per affected recipient of $1,500.

  - the SSA says about 400,000 of those affected have been
    identified and will be getting the back payments.

One RISK of latent bugs in financial systems is that dollars and interest
really pile up after awhile.

Scott Lucero, U.S. Army OPTEC

  [Note: RISKS-16.67, 23 Dec 1994, had an item contributed by Mike Manos
  from *Federal Computer Week*, 21 Nov 1994, on the discovery of this
  problem, which at the time was estimated at $478.5 million.  That item
  says that the problem occurred in 1978, when employers began reporting
  earnings annually rather than quarterly.  The item I saw on 04 Oct 1996
  said the software flaw was introduced in 1972.  In any event, the problem
  was evidently first detected in 1994, as reported in RISKS-16.67.  PGN].

"ATMs chew up 400 bank cards"

"Daniel P. B. Smith" <>
Sat, 5 Oct 1996 13:39:06 -0400 (EDT)
*The Boston Globe*, 5 Oct 1996, p. B5:

> About 400 US Trust customers had their automated teller machine cards
> eaten Thursday night when the bank's linkup with the regional ATM network
> broke down for two hours.  Bank officials said they still are trying to
> find out what went wrong....  Customers trying to use their ATM cards
> between 6:30 p.m. and 8:30 p.m. were told that their personal
> identification numbers had been keyed in incorrectly.  When they tried it
> again, the machine ate their card.  [A US Trust spokesperson] said only
> US Trust customers using another bank's ATM machine were affected.

You'd think "you have entered the wrong password" and "the network is down"
would be distinguishable conditions with different error handling, wouldn't

Daniel P. B. Smith
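The distinction the post asks for, as an added example that is not part of the original item or any bank's code: a retention policy that counts only verdicts the host actually returned, so a dead link cannot masquerade as a wrong PIN. The threshold and the result codes are assumptions for the illustration.

```go
package main

import "fmt"

// AuthResult is what the ATM learns from the network link for one attempt.
type AuthResult int

const (
	AuthOK       AuthResult = iota // host verified the PIN
	AuthBadPIN                     // host explicitly rejected the PIN
	AuthNetError                   // no verdict at all: link down, timeout, garbled reply
)

// Action is what the ATM does next.
type Action string

const (
	ActDispense   Action = "dispense cash"
	ActRetry      Action = "ask for PIN again"
	ActRetainCard Action = "retain card"
	ActReturnCard Action = "return card, no cash" // fail closed, nothing destructive
)

// MaxBadPINs is the number of rejected PINs after which a card is kept (assumed value).
const MaxBadPINs = 3

// Session counts PIN rejections for the card currently in the slot.
type Session struct{ badPINs int }

// Naive treats every answer that is not "OK" as a wrong PIN, which matches the
// behaviour in the Globe story: an outage shows "PIN incorrect" and then eats
// the card on retry.
func (s *Session) Naive(r AuthResult) Action {
	if r == AuthOK {
		return ActDispense
	}
	s.badPINs++
	if s.badPINs >= MaxBadPINs {
		return ActRetainCard
	}
	return ActRetry
}

// Careful only counts verdicts the host actually gave. A network error carries
// no information about the PIN, so it neither increments the counter nor
// triggers retention; the session ends with the card handed back.
func (s *Session) Careful(r AuthResult) Action {
	switch r {
	case AuthOK:
		return ActDispense
	case AuthBadPIN:
		s.badPINs++
		if s.badPINs >= MaxBadPINs {
			return ActRetainCard
		}
		return ActRetry
	default:
		return ActReturnCard
	}
}

// Replay feeds a sequence of link results to a fresh session under one policy
// and returns the action taken after the last result.
func Replay(careful bool, results []AuthResult) Action {
	s := &Session{}
	var last Action
	for _, r := range results {
		if careful {
			last = s.Careful(r)
		} else {
			last = s.Naive(r)
		}
	}
	return last
}

func main() {
	outage := []AuthResult{AuthNetError, AuthNetError, AuthNetError}
	fmt.Println("naive during outage:  ", Replay(false, outage))
	fmt.Println("careful during outage:", Replay(true, outage))
}
```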

Crisps (chips), football (soccer) & the web

Geert Jan van Oldenborgh <>
Thu, 3 Oct 1996 23:20:13 +0200
Two weeks ago, one of the largest potato-cutters in the Netherlands started
a competition.  Building on the typical couch-potato's perceived expertise
in football (soccer) they announced they would put a 'scorecard' into an
unspecified proportion of their bags of crisps (chips).  It has two
scratchable pictures of a football game, without ball, and a superimposed
grid.  The idea was that the expert would guess where the ball was, verify
that guess by scratching off the protective layer of that gridsquare only,
and claim fl 10 (~US$ 6) when both were right.

However, the inevitable happened: two students set up a web site with the
information gathered so far, and a request for anybody who had guessed right
or wrong to share the information.  Within two weeks the database had the
correct ball position for all 1445 pictures, and the crisp-fryer called off the
competition, muttering things about unsportsmanlike behaviour.

The RISK?  Assuming knowledge does not spread is clearly not appropriate
with the web around...

Geert Jan van Oldenborgh

A Premature Comment on the Aeroperu Flight 603 B757 accident

Peter Ladkin <ladkin@TechFak.Uni-Bielefeld.DE>
Mon, 7 Oct 1996 21:05:59 +0200
On 2 Oct 1996, Aeroperu Flight 603, a Boeing B757, took off from Lima at
12.45am en route to Santiago, Chile, and disappeared from radar at 1.10am.
According to CNN, the pilot had reported mechanical problems, that he was
turning back, and had declared an emergency before radio and radar contact
was lost. I do not normally report details of accidents so early, for
reasons discussed recently in RISKS (Mills, 18.42; Dorsett, 18.43; Ladkin,
18.44; Mills, 18.45, Dorsett, 18.46) and am somewhat uncomfortable about
feeling a need to comment so soon on this case.

The Peruvian Transport Minister, Elsa Carrera de Escalante, declared
to The Times that "it seems there was a blockage in the computer
system".  According to CNN, she told a news conference that "it is not
the first time that one of these planes has had this kind of fault. We
have to find out why the computers went crazy". The Times reported the
story as `Computers Blamed...' and CNN as `Computer Failure
Puzzling...'  The Electronic Telegraph reported that Gen Juan Piperes,
fire chief of the Peruvian port of Callao, said: "The plane's whole
system completely failed."

I am thus concerned about a rumor starting that attributes the cause
of the crash to be a computer failure. It has not been so determined.
The information available so far to anyone is gleaned from the
transcript of pilot/controller conversation, and radar plots. These,
by themselves, are insufficient to determine the nature of the
problems. Until the digital flight data recorder (DFDR) and cockpit
voice recorder (CVR) are recovered and analysed, very little can be
determined about the sequence of events leading to the accident.

The B757 was introduced into service in January 1983 [*] and flew until
December 1995 with an unblemished safety record. There have been accidents
on 20 December 1995 (near Cali, Colombia) and 6 February 1996 (near Puerto
Plata, Dominican Republic), and now this one. In both of the previous
accidents, pilot procedural errors, including errors in interacting with the
flight management systems, played the decisive role. There were no technical
failures, whether of structure or of flight management systems, involved in
the Cali accident; the sole technical system failure in the Birgenair
accident is (so far) presumed to have been caused by a blocked pitot tube.
The B757 has three physically independent pitot-static systems, of which two
seem to have been operating normally. It seems that normal procedures to
cope with the single pitot-static failure were not followed by the Birgenair
crew. The final report on the Puerto Plata accident is not yet published. If
a computer failure `caused' the Aeroperu crash, it would be the first time.
There is no precedent for computer failure in a B757 accident, contrary to
what Senora Carrera's statement would seem to suggest.

When the data from the CVR and DFDR are in, they might show that it
would be worth questioning if the pilot's interaction with automated
flight management may have contributed to the accident, as it did with
both the previous accidents. Although this would be an HCI question,
it's not a computer system failure per se. All sorts of hypothetical
questions such as this may arise.

In any case, if computers were involved, it's exceptionally unlikely
that they could be the sole cause, as I shall demonstrate.  The B757
aircraft uses computer systems for displaying air data, for
navigation, and for autopilot control and flight management. It does
not use computers for flight control, which is achieved by
conventional hydromechanical systems. Furthermore, the air data
computer systems are backed up by conventional electromechanical
`standby' instruments of highly reliable design used for over half a
century.  The integrity of these physically-operated standby systems
along with that of the physically-operated flight controls, as well as
structural integrity, suffices to conduct safe flight in this
airplane. From this fact, we may already draw some broad conclusions.

Let me thus divide the possible sequences of events into three.
First, suppose normal control of the aircraft was lost. The B757 is
conventionally controlled (not computer-controlled), and the air data
systems have electromechanical backups. Therefore, in the event
control was lost, either these backup systems would have had to fail
also (in which case there would be a physical contributing factor), or
the pilot would have to have made ineffective use of these backup
systems (in which case either inappropriate pilot action or some other
cognitive confusion would also be a contributing factor), or the
autopilot flew the aircraft into an out-of-control situation (as in
the Birgenair accident), in which case the pilot's behavior in
engaging and not disengaging the autopilot would be a factor, or the
pilot would somehow otherwise have allowed control to be lost. No one has
yet determined whether any of these situations occurred.

Second, if normal control was not lost, then either the aircraft must have
suffered some form of structural failure in normal flight, which
computers alone could not have been responsible for (structures can fail
under normal control inputs if the aircraft is in an overspeed condition,
but normally not otherwise); or the aircraft flew under control into the
water (i.e., a CFIT, Controlled Flight Into Terrain, accident), in which
case pilot behavior or engine failure must also have played a role.

These alternatives cover, grossly, all the possible scenarios.  Since
computers alone could not cause any of them, we may conclude that
singling out computer failure of any kind cannot be the whole story.
Since no one is able yet even to determine which of the above alternatives
occurred (or one that I missed:-), it is certainly premature to attribute
a cause of the accident.

More information on the accident, press reports, and the aircraft, as well as
links to original sources and reports on the Cali and Puerto Plata
accidents, may be found in my Compendium `Computer-Related Incidents
and Accidents With Commercial Aircraft', available through

Peter Ladkin

   [* 1983 is correct.  This is a correction in the archive copy.  PGN]

You think this database anonymizes entries?

<[Identity withheld by request]>
Wed, 9 Oct 1996 11:38:58 PDT
Here's an interesting example of Info-War.

Many of us have seen and heard the television and radio commercials for a
new in-home HIV test that is accurate, fast, and anonymous.

The test works as follows:

You buy the kit.  Go home and follow the directions and obtain a sample.
Mail the sample to the lab.  In 3 days, call the lab and enter in the
`secret' code and the results of the test performed on the sample matching
your `secret' code will be revealed to you.  The secret code is used to
ensure anonymity so the user doesn't have to reveal their name.

Accurate? I believe so..

Fast? Three days is pretty fast..

Anonymous? Not at all!!! And here's why.

Whenever you call a 1-800 number, your phone number is captured and
forwarded to the company for billing purposes.  It is also available to the
PBX in the form of ANI which can then be sent to the automated phone system
that processes the request.  In the HIV test scenario, the company that is
called has a record of the calling phone number (ANI), and the requested
`secret' code.  Since they already have the test results, the company is now
able to match the phone number, which can be looked up, and the HIV status.
In effect, the company is capable of covertly developing a database
containing the names, addresses, phone numbers, and HIV status of the people
who purchase and take the test.

Who would want this database?

Government, insurance companies, employers, you name it.  Most health
related information is considered confidential and will not be released by
either the government or the physicians.  If someone had a `secret'
database that contained the HIV status of millions of people, then the
interested organisations would have a discreet way of `checking-out'
potential clients, or employees.

Re: RISKS of temporary change-of-addresses (McFadden, RISKS-18.50)

Leonard Erickson <>
Fri, 4 Oct 1996 23:33:29 PST
Try this one on for size.

I have the bad luck to have moved into an apartment where the previous
tenant had the same last name. Other than that we have nothing in common as
far as I can tell. I'm male, she was female. First names aren't at all

But I still get her mail and have to be *very* careful about how I turn it
over to the post office. The first time I just marked it "Not at this
address", and it wasn't until a check didn't appear that I found out the post
office had just blithely started bouncing my mail!

It's currently "handled" by my having had a talk with the carrier, and being
careful to circle the first name *only* when writing not at this address...

From comments made in this forum in the past, I'm not certain that the
system the post office uses for tracking forwarding orders can deal with
this properly. Anyone know for sure?

Oh yeah, to add insult to injury, I got a card from the previous previous
tenant's dentist reminding him to come in for a checkup. I wrote "not at
this address" on it and dropped it in the outgoing box.  Several days later,
it was back again. That's *really* stupid!

Leonard Erickson (aka Shadow)

Another mail-forwarding problem

Adrian Howard <>
Fri, 4 Oct 1996 11:50:48 +0100
Another mail-forwarding problem with a slightly different (and older) cause.

I've recently moved to a flat numbered 03. Note the leading zero because, for
various historical reasons I've yet to fathom, there is also a separate flat
3 at the same address.

I arranged mail forwarding from my previous address --- no prizes for
guessing where the mail actually arrived.

After several phone calls, the operator at the post office finally realised
that the software was stripping the leading zero as he typed it in...  I now
live at "flat zero three" as this seemed the only solution to the problem.

Since then I have encountered similar problems with various utility and
delivery companies.

Risks: a variation of the old theme of making assumptions about the format
of input data "nobody has a street name with more than 20 characters",
"everybody has a middle initial", etc.  Although in this case I think the
person who came up with the foolish numbering system for the flats has to
share some of the blame.

Adrian Howard. Head Techie. Victoria Real Ltd.
e. - v. +44 (0) 1273 774469 - f. +44 (0) 1273 779960
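The failure Adrian describes is a lossy normalisation: a unit designator parsed as a number loses its leading zero, so "03" and "3" land on the same key. This added example (not code from the post or from any postal system; the forwarding table and orders are constructed) contrasts that numeric key with a text key that preserves the designator.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// Order is one forwarding instruction: mail for Unit at the old address
// is redirected to NewAddr.
type Order struct{ Unit, NewAddr string }

// KeyFunc turns a unit designator as typed by an operator into a table key.
type KeyFunc func(unit string) (string, error)

// NumericKey is the lossy normalisation at the root of the story: the unit
// is parsed as a number, so "03" and "3" collapse to one key.
func NumericKey(unit string) (string, error) {
	n, err := strconv.Atoi(strings.TrimSpace(unit))
	if err != nil {
		return "", fmt.Errorf("unit %q is not numeric: %w", unit, err)
	}
	return strconv.Itoa(n), nil
}

// TextKey treats the designator as an opaque label. Only surrounding and
// repeated whitespace and letter case are normalised; digits, including
// leading zeros, are kept exactly as entered.
func TextKey(unit string) (string, error) {
	k := strings.ToUpper(strings.Join(strings.Fields(unit), " "))
	if k == "" {
		return "", fmt.Errorf("empty unit designator")
	}
	return k, nil
}

// BuildTable files the orders under the chosen key. An order whose key
// collides with an earlier one silently overwrites it, which is how two
// different flats end up sharing one forwarding destination.
func BuildTable(keyOf KeyFunc, orders []Order) (map[string]string, error) {
	t := make(map[string]string, len(orders))
	for _, o := range orders {
		k, err := keyOf(o.Unit)
		if err != nil {
			return nil, err
		}
		t[k] = o.NewAddr
	}
	return t, nil
}

// Lookup returns where mail addressed to unit would be sent, or "" when no
// forwarding order is on file for it.
func Lookup(keyOf KeyFunc, table map[string]string, unit string) string {
	k, err := keyOf(unit)
	if err != nil {
		return ""
	}
	return table[k]
}

func main() {
	// Constructed orders for an address that has both a flat 03 and a flat 3.
	orders := []Order{{"03", "forwarding address for flat 03"}, {"3", "forwarding address for flat 3"}}
	for _, kf := range []struct {
		name string
		fn   KeyFunc
	}{{"numeric", NumericKey}, {"text", TextKey}} {
		table, _ := BuildTable(kf.fn, orders)
		fmt.Printf("%-7s key: %d entries; mail for 03 -> %q\n", kf.name, len(table), Lookup(kf.fn, table, "03"))
	}
}
```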

Risks of deferred ISDN charges

Sat, 5 Oct 1996 15:13 -0400
This is in response to a query about why I received a year's worth of Long
Distance charges all at once. The name of the carrier has been omitted to
protect the very large long-distance carrier (or the remaining third). The
original was sent all upper case, this is an OCRed version.

DEAR ***

AT .1-800-***-****

Re: Queensland Police put Wanted Poster on the Web (Roberts, R-18.50)

Mark Eckenwiler <>
Fri, 4 Oct 1996 12:57:12 -0400 (EDT)
Of course, the FBI has had the Ten Most Wanted up in a web page here
in the US for some time; see

I wrote Director Freeh a letter many months ago pointing out that the
FBI ought to a) digitally sign these mug shots and b) embed expiry
dates, given the problems of forgery, ease-of-duplication/
dissemination, and persistence.  Risks include not only the
inconvenience to wrongly apprehended persons, but also the cost to law
enforcement of responding to citizen reports based on forged/stale
Wanted notices.

I did not receive a reply.
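The two measures in the letter above (signing the notice and embedding an expiry) are shown here as an added example; it is not FBI code or anything from the original post. It assumes an Ed25519 issuer key, a notice that binds a case identifier, a SHA-256 of the image bytes and an expiry time, and a verifier that rejects altered, forged or stale notices; the case id and image bytes are constructed placeholders.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
	"time"
)

// Notice is the metadata published next to a mug shot: the case it belongs
// to, a hash binding it to the exact image bytes, when it stops being valid,
// and the issuer's signature over all three.
type Notice struct {
	CaseID      string
	ImageSHA256 [32]byte
	ExpiresUnix int64
	Signature   []byte
}

// payload is the canonical byte string that is signed. The case id is
// length-prefixed so the encoding is unambiguous; hash and expiry are fixed width.
func payload(caseID string, img [32]byte, expiresUnix int64) []byte {
	var n [8]byte
	b := make([]byte, 0, 48+len(caseID))
	binary.BigEndian.PutUint64(n[:], uint64(len(caseID)))
	b = append(b, n[:]...)
	b = append(b, caseID...)
	b = append(b, img[:]...)
	binary.BigEndian.PutUint64(n[:], uint64(expiresUnix))
	return append(b, n[:]...)
}

// Issue signs a notice for image with the issuer's private key.
func Issue(priv ed25519.PrivateKey, caseID string, image []byte, expiresUnix int64) Notice {
	n := Notice{CaseID: caseID, ImageSHA256: sha256.Sum256(image), ExpiresUnix: expiresUnix}
	n.Signature = ed25519.Sign(priv, payload(n.CaseID, n.ImageSHA256, n.ExpiresUnix))
	return n
}

var (
	ErrImageMismatch = errors.New("image does not match the signed hash")
	ErrBadSignature  = errors.New("signature invalid: notice altered or not from issuer")
	ErrExpired       = errors.New("notice has expired")
)

// Verify checks a notice against the image actually being displayed at time
// nowUnix. The signature is checked before the expiry, so editing the expiry
// field cannot revive a stale notice.
func Verify(pub ed25519.PublicKey, n Notice, image []byte, nowUnix int64) error {
	if sha256.Sum256(image) != n.ImageSHA256 {
		return ErrImageMismatch
	}
	if !ed25519.Verify(pub, payload(n.CaseID, n.ImageSHA256, n.ExpiresUnix), n.Signature) {
		return ErrBadSignature
	}
	if nowUnix >= n.ExpiresUnix {
		return ErrExpired
	}
	return nil
}

// NewIssuer creates a signing key pair. A real issuer's key would be
// long-lived and its public half distributed out of band.
func NewIssuer() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return pub, priv
}

func main() {
	pub, priv := NewIssuer()
	image := []byte("constructed stand-in for the mug-shot bytes") // placeholder
	now := time.Now().Unix()
	n := Issue(priv, "EXAMPLE-CASE-0001", image, now+30*24*3600) // placeholder id
	fmt.Println("genuine and current:", Verify(pub, n, image, now))
	fmt.Println("a year later:       ", Verify(pub, n, image, now+400*24*3600))
}
```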

Mailing list/vacation/autoresponder

"Daniel P. B. Smith" <>
Sun, 6 Oct 1996 11:13:47 -0400 (EDT)
So this guy goes on vacation, see, and he's on this mailing list that sends
out a 32K digest approximately daily, see, so when his autoreplier gets the
mailing it sends back a chatty little personal note to the whole list,
quoting the entire digest in full each time which, of course, creates a
loop... and about the time someone gets THAT shut off, a very highly-placed
honcho who is a _user-interface guru_ and _internet expert_ decides to send
a chide-o-gram to this guy.  Who's on vacation.  Actually, it's his
honeymoon, as he's mentioned.  Repeatedly.  So we _hope_ he isn't going to
be hopping up every five minutes to check e-mail, right?

But accidentally, the highly-placed honcho sends this note to the whole
list.  Helpfully quoting the entire digest.  In full.

Fortunately, this is a great mailing list and the back issues are well
worth repeated rereading.

Yeah, it happens all the time, to all of us.  And exactly how long have we
been building e-mail software and mailing lists and using the network and
reading and writing books about user interface design?  Don't you sometimes
think we're all too stupid to be trusted with anything important?

Daniel P. B. Smith
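The loop in the story is the one RFC 3834 was written to prevent. As an added example (not the software from the story, and with constructed headers and addresses), here is the decision an autoresponder should make before answering: stay silent for automatic, bulk or list traffic, for mail not addressed to the vacationing user, for bounces with a null envelope sender, and for a sender already answered recently; and reply to the envelope sender rather than to From or Reply-To.

```go
package main

import (
	"fmt"
	"strings"
)

// Message is a received mail reduced to the headers the decision needs.
// Header names are lower-cased; repeated headers are not needed here.
type Message struct {
	Headers map[string]string
}

func (m Message) get(name string) string { return strings.TrimSpace(m.Headers[name]) }

// Responder is a vacation autoreply with the loop guards RFC 3834 recommends.
type Responder struct {
	Me          string           // the address the vacation notice is for
	QuietSecs   int64            // minimum gap between two replies to one sender
	lastReplied map[string]int64 // sender -> unix time of the last auto-reply
}

// Sender is the envelope sender any reply would go to. RFC 3834 says to use
// Return-Path, not From or Reply-To, both of which a mailing list may rewrite
// to point back at the list.
func Sender(m Message) string {
	return strings.ToLower(strings.Trim(m.get("return-path"), "<> "))
}

// ShouldAutoReply returns whether to answer, plus the reason when not.
func (r *Responder) ShouldAutoReply(m Message, nowUnix int64) (bool, string) {
	sender := Sender(m)
	if sender == "" {
		return false, "null or missing Return-Path (bounce or notification)"
	}
	if v := strings.ToLower(m.get("auto-submitted")); v != "" && v != "no" {
		return false, "message is itself automatic (Auto-Submitted: " + v + ")"
	}
	switch strings.ToLower(m.get("precedence")) {
	case "bulk", "list", "junk":
		return false, "Precedence marks it as bulk or list traffic"
	}
	for _, h := range []string{"list-id", "list-post", "list-unsubscribe"} {
		if m.get(h) != "" {
			return false, "came through a mailing list (" + h + " present)"
		}
	}
	rcpts := strings.ToLower(m.get("to") + "," + m.get("cc"))
	if !strings.Contains(rcpts, strings.ToLower(r.Me)) {
		return false, "my address is not in To/Cc (list or Bcc delivery)"
	}
	if last, ok := r.lastReplied[sender]; ok && nowUnix-last < r.QuietSecs {
		return false, "already replied to this sender within the quiet period"
	}
	if r.lastReplied == nil {
		r.lastReplied = map[string]int64{}
	}
	r.lastReplied[sender] = nowUnix
	return true, ""
}

func main() {
	r := &Responder{Me: "newlywed@example.org", QuietSecs: 7 * 24 * 3600}
	// Constructed digest headers as a list would deliver them.
	digest := Message{Headers: map[string]string{
		"return-path": "<digest-owner@list.example.com>",
		"from":        "digest-owner@list.example.com",
		"to":          "digest@list.example.com",
		"precedence":  "list",
		"list-id":     "<digest.list.example.com>",
	}}
	ok, why := r.ShouldAutoReply(digest, 1000000)
	fmt.Println(ok, why)
}
```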

Re: USPS Mail Forwarding (Smith, RISKS 18.50)

Frank Caggiano <>
Fri, 04 Oct 1996 15:24:01 -0400
The web page
mentioned in RISKS-18.50 for postal change of address does not send the
change of address form electronically. (At least not as of 4 Oct).  After
reading the message in Risks, I thought I would try it out.  Figuring that
there would be a confirmation after filling out the form, I put in a change
of address for myself.  After entering information on a number of pages you
are finally directed to print out the form and give it to your letter
carrier or to mail it to your postmaster.  There is some mention of their
work on coming up with a secure system to allow the form to be filed via

As for the suggestion that all change of addresses be done in person, I
don't see how this would solve anything.  A photo id would be required to
confirm your identity (as a minimum) and we all know how easy it is to
obtain a false one.  Also any system is only as good as the people running
it.  On numerous occasions I have gone to the post office to pick up mail
that they were holding for me and not once was I asked for ID (different
offices, different clerks).

Frank Caggiano

Re: USPS Mail Forwarding (Smith, RISKS 18.50)

"Jonathan I. Kamens" <>
Fri, 4 Oct 1996 08:44:00 -0400
I see no risks from the WWW USPS Change of Address form that are not already
present in the printed form available in any Post Office.  In both cases,
you never have to deal with a person or show any ID, and in both cases,
submission of the form constitutes the claim that it is valid.  Quite
frankly, I don't see much of a "Risk to the Public in Computers and Related
Systems" here -- if anything, it's simply a "Risk to the Public".

I will concede that since it's a lot easier to visit a WWW site and type in
some information than it is to visit a Post Office, pick up a form, fill it
out and mail it, the WWW form makes it easier for obnoxious people to submit
false forwarding requests for other people.  But I don't see that as a very
big deal, especially because of the verification step outlined in the
following paragraph.

Those of you who think that there isn't sufficient verification in the
USPS mail-forwarding system should perhaps have read the "Q&A About Mail
Forwarding" page available on the USPS WWW site.  Quoting from it:

>How will the Postal Service verify that it received a Change of
>Address Order from me?
>The Postal Service will promptly mail you a confirmation letter to the
>address you are leaving, regardless of the date of your move. (For
>your privacy, it will not mention what your new mail forwarding
>address will be.) Another confirmation letter will be sent to you at
>your new address after the date of your move.

Yes, this does really happen -- I recently filed a Change of Address
order and did receive the two confirmation letters.

I assume that the USPS has sufficiently good "exception handling" that if
you get a letter about a Change of Address Order you never filed and go to
your Post Office and protest it, they can put a stop on the Change of
Address.  There is still some room for mischief, e.g., it's possible that
some mail will be lost before you stop the forwarding, especially if someone
is clever enough to file it while you are out of town or something, but the
addition of this step still makes things a heck of a lot more secure than
they were before.

I confess that I'm baffled about one thing.... When I put my mail on hold
when I go out of town, and then go to the Post Office when I get back to
pick it up, they require me to show ID before they'll give me the mail.  I
simply do not understand why they don't require people to show ID when
submitting a Change of Address Order.  The only explanation I can come up
with is that right now, the minimal number of forged requests is outweighed
by the increased convenience (and the less USPS-employee time consumed) of
the current system; this presumably means that if forging Change of Address
requests for other people ever becomes an "in" thing to do, the USPS is
going to have to ditch the convenience and start requiring that forms be
filed in person with ID and notarized by a USPS employee.

Jonathan Kamens  |  OpenVision Technologies, Inc.  |

Re: politics and safety (Mills, RISKS-18.45)

Steven Philipson <>
Fri, 4 Oct 1996 16:26:40 -0700 (PDT)
In RISKS-18.45, Dick Mills <> continued his argument on
public speculation about the causes of airline disasters.  He states:

>Mr. Dorsett expands on that theme when he says "It's a political world, not
>a technical one."  I say no, never.  Mixing demagoguery and science is
>irresponsible.  It must never be tolerated.

   That's a nice philosophy, but it has no connection to reality.

Public safety is *never* a technical matter.  It is always and primarily
political.  If you are a technologist (as are most of us who read RISKS)
then it is critical that you understand this *if* you want to have an effect
on public policy.  If there is no political force driving a public issue
then nothing is done no matter how compelling the technical case.  Technical
changes are virtually never implemented unless someone has a political (or
financial) motivation to do so.

Here's a case in point.  In 1985 two friends of mine were killed while
flying a light aircraft.  When the details of the accident were released it
became obvious to me and several others that a major technical error was
committed by the pilots.  This was an error attributable to lack of
knowledge/training.  Unfortunately, the NTSB investigators on the case were
also not familiar with the critical technical issue of the accident
(dynamics of low-performance aircraft in mountain wave conditions) and
omitted any mention of this error in the accident report.  No
recommendations have been issued which could help prevent additional
accidents of this type, and they continue to occur with painful regularity.

I have expended a significant amount of effort over the last 11 years in
trying to get the NTSB and FAA to recognize the problem and to modify pilot
and controller training such that accidents from this cause could be reduced
or eliminated.  There have been some encouraging results, but in the large
the government has not moved.

The problem is *not* technical; the solution to the problem is well known.
Rather, the problem is that there is not enough political force involved to
motivate key government players.  It likely will take either a major
accident or the death of a prominent person before changes will be mandated.

In the meantime, public discussion of the issues is the *only* means
available to disseminate this information and influence public safety.  To
that end, I have several web pages and

that are intended to inform people interested in the subject and keep the
matter in the public eye.  I also regularly speak on the subject at local
venues and deliberately note the problem of political apathy on this matter.
I am working on various political moves in an attempt to force the issue,
but in the meantime all I can do is discuss the problem in public to the
maximum extent possible.

Mr. Mills states: "Mixing demagoguery and science is irresponsible.  It must
never be tolerated."  On the contrary.  In this case and in others, mixing
politics and technology is likely the *only* way in which public safety will
be served.  It is the only responsible course of action at my disposal.

Steve Philipson

Communications Unleashed - CPSR conference program [RISKS-abridged]

Susan Evoy <sevoy@Sunnyside.COM>
Wed, 2 Oct 1996 11:39:02 -0700
                    presents a conference on
       What's At Stake? Who Benefits? How To Get Involved!

                       OCTOBER 19-20, 1996
                Georgetown University, Washington, DC
  Co-sponsored by the Communication, Culture, and Technology program
  of the Graduate School of Arts and Sciences at Georgetown University

Saturday sessions:
 6:30 -  8:00  Dinner and presentation of the Norbert Wiener Award to
        Phil Zimmermann, inventor of PGP (Pretty Good Privacy)

Sunday sessions:
 9:15 - 10:30   Concurrent workshops
               A. Using the Internet for progressive political action
               B. Internet legal issues
               C. Broadcasting and mass media
10:45 - 12:00  Concurrent workshops
               A. Communications access and the consumer
               B. Media tactics and outreach
               C. Civic networking

PM: CPSR ANNUAL MEETING (Attendance is free and open to the public)

     at 415-322-3778, 703-739-9320 or or

Computer Professionals for Social Responsibility, P.O. Box 717, Palo Alto CA
94302  Phone: (415) 322-3778  Fax: (415) 322-4748
