The Risks Digest

The RISKS Digest

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Volume 24 Issue 19

Friday 10 March 2006


Technical Problems Cause Errors in SAT Test Scores
Karen W. Arenson via PGN
Officials Say Scoring Errors for SAT Were Understated
Karen W. Arenson via Monty Solomon
Watered-Down SAT Scores!
Chuck Weinstock
Complexity causes 50% of product returns
Onboard Emissions Chip Major Malfunction
Colin Brayton
Excel garbles microarray experiment data
Mark Liberman
Citibank Blocks Some Debit-Card Use Abroad
Monty Solomon
Government surplus sale yields personal data
Karl Klashinsky
Australian National Credit Union Limits Internet Passwords
More stupid high-tech legislation in NJ
Walter Dnes
Tanner Andrews
Rex Black
Re: On learning from accidents
Martyn Thomas
Jerome Ravetz
Perry Bowker
Richard Karpinski
Insecure APC BioPod
Gabe Goldberg
Info on RISKS (comp.risks)

"Technical Problems Cause Errors in SAT Test Scores"

<"Peter G. Neumann" <>>
Wed, 8 Mar 2006 15:30:27 PST

On the order of 4000 students taking the October 2005 Scholastic Aptitude
Tests (SATs) received scores lower than they should have been, due to
unexplained "technical problems".  Some scores on the reasoning section were
as much as 100 points too low (out of 800).  This may be unfortunate for
those students, considering that the final acceptances and rejections are
being decided before the affected universities have been notified.  Similar
scanning problems were noted in an earlier SAT chemistry test, although on a
smaller scale.  [Source: Karen W. Arenson, *The New York Times*, 8 Mar 2006,
National Edition A16; PGN-ed]

Officials Say Scoring Errors for SAT Were Understated

<Monty Solomon <>>
Thu, 9 Mar 2006 10:17:18 -0500

A day after the College Board notified colleges that it had misreported the
scores of 4,000 students who took the SAT exam in October, an official of
the testing organization disclosed that some of the errors were far larger
than initially suggested.  ...  Chiara Coletti, the College Board's vice
president for public affairs, said that 16 students out of the 495,000 who
took the October exam had scores that should have been more than 200 points
higher.  "There were no changes at all that were more than 400 points."
[Source: Karen W. Arenson, *The New York Times*, 9 Mar 2006]

Watered-Down SAT Scores!

<Chuck Weinstock <>>
Fri, 10 Mar 2006 09:12:11 -0500

Pearson Educational Measurement suggests that wet weather may have caused
the 4000 affected test results, blaming abnormally high moisture for
expanding the paper so that it could not be read properly at a scanning
center in Austin TX.  The test on 8 Oct 2005 coincided with the beginning of
heavy rains in the Northeast, from where most of those tests came.  (As much
as 10 inches fell on New Jersey.)  [Source: AP item on 10 Mar 2006.]

Complexity causes 50% of product returns

<"Peter G. Neumann" <>>
Thu, 9 Mar 2006 14:23:39 PST

Perhaps relevant to Don Norman's research on human interfaces, Elke den
Ouden's thesis at the Technical University of Eindhoven concluded that half
of all supposedly malfunctioning products returned to stores were in reality
in full working order, but just too complex to be operated successfully.
She also noted that the average U.S. consumer will spend a maximum of about
20 minutes trying to get a newly acquired electronics device to work before
giving up.

Onboard Emissions Chip Major Malfunction

<"Colin Brayton" <>>
Wed, 8 Mar 2006 15:21:05 -0500

Drivers in Missouri discovered that the onboard chips that monitored their
auto emissions could fail, causing certification failure, and could then
then be an unbelievable bother to reset:

Alter got a "drive cycle," or a step-by-step recipe to reset the car's
computer by driving 10 minutes or more at 50 to 65 mph, then coasting down
to 15 mph without hitting the brakes until the car reaches 20 mph. Then he
had to stop and let the car idle for 50 seconds or more before taking the
car back up to highway speeds, then gradually slowing until the car came to
a stop.

Nothing. The car still was rejected. Nine times in all.

"It was like, well, what do I do now?" he said. "I am driving around, doing
this, putting (a couple hundred) miles on it. So is it inconvenient? Yeah.
A big inconvenience. The amount of gas I wasted. And my time."

Finally, he discovered a shop whose repair technician drove his car while
monitoring its readiness codes with a mobile computer. Once the codes reset,
the technician took the car for a test.

The cost: $120 for two hours of the technician's time.  Illinois test
officials say they see the problem in about 1 percent to 2 percent of all
on-board diagnostic tests.

Sources: *St. Louis Dispatch*, 25 Feb 2006
New Market Machines <>(my blog)

Excel garbles microarray experiment data

<"Peter G. Neumann" <>>
Fri, 10 Mar 2006 8:31:32 PST

  [TNX to Fernando Pereira for putting me on to this one.]

The December 1 DWIM effect [The Cupertino effect, 9 Mar 09, 2006]

The damage done by well-intentioned (mis)features of MS Office is not
limited to occasional dadafication of EU bureaucratese
According to Barry R Zeeberg, Joseph Riss, David W Kane, Kimberly J Bussey,
Edward Uchio, W Marston Linehan, J Carl Barrett and John N Weinstein,
"Mistaken Identifiers: Gene name errors can be introduced inadvertently when
using Excel in bioinformatics
<>", BMC Bioinformatics 2004,

  When we were beta-testing [two new bioinformatics programs] on microarray
  data, a frustrating problem occurred repeatedly: Some gene names kept
  bouncing back as "unknown." A little detective work revealed the reason:
  ... A default date conversion feature in Excel ... was altering gene names
  that it considered to look like dates.  For example, the tumor suppressor
  DEC1 [Deleted in Esophageal Cancer 1] was being converted to '1-DEC.'
  Figure 1 lists 30 gene names that suffer an analogous fate.

A worse problem apparently afflicts information from microarray

  There is another default conversion problem for RIKEN clone identifiers
  identifiers of the form nnnnnnnEnn, where n denotes a digit. These
  identifiers are comprised of the serial number of the plate that contains
  the library, information on plate status, and the address of the clone. A
  search ... identified more than 2,000 such identifiers out of a total set
  of 60,770. For example, the RIKEN identifier "2310009E13" was converted
  irreversibly to the floating-point number "2.31E+13." A non-expert user
  might well fail to notice that approximately 3% of the identifiers on a
  microarray with tens of thousands of genes had been converted to an
  incorrect form, yet the potential for 2,000 identifiers to be
  transmogrified without notice is a considerable concern. Most important,
  these conversions to an internal date representation or floating-point
  number format are irreversible; the original gene name cannot be

RIKEN <> microarrays are
systematically affected, but other microarray results are apparently
often garbled as well:

  The floating-point conversion is not restricted to RIKEN clone identifiers
  but will affect any clone designation derived from plate
  coordinates. ... [If plate library references are omitted or numerical],
  all clones from row E of any plate are converted to floating point numbers
  by Excel. ... Since 96-well plates contain 8 rows and 12 columns, row E
  represents 12/96 or 12.5% of the clones on the plate; similarly, 6.25% of
  clones from 384-well plates would be affected. Most libraries contain
  hundreds of plates, each of which would be subject to this problem.

If some computer virus or trojan did this sort of damage to the results
of thousands of high-cost biomedical experiments, I imagine that we'd
see a serious effort to put some people in jail. I'm not suggesting that
any similar sort of retribution is appropriate here, but perhaps some
rehabilitation would be in order, along the lines suggested below.

There's an acronym from the old days of classic AI, DWIM, standing for
"Do What I Mean". The Jargon File explains

  Warren Teitelman originally wrote DWIM to fix his typos and spelling
  errors, so it was somewhat idiosyncratic to his style, and would often
  make hash of anyone else's typos if they were stylistically
  different. Some victims of DWIM thus claimed that the acronym stood for
  "Damn Warren's Infernal Machine!".

  In one notorious incident, Warren added a DWIM feature to the command
  interpreter used at Xerox PARC. One day another hacker there typed delete
  *$ to free up some disk space. (The editor there named backup files by
  appending $ to the original file name, so he was trying to delete any
  backup files left over from old editing sessions.) It happened that there
  weren't any editor backup files, so DWIM helpfully reported *$ not found,
  assuming you meant 'delete *'. It then started to delete all the files on
  the disk! The hacker managed to stop it with a Vulcan nerve pinch after
  only a half dozen or so files were lost.

  The disgruntled victim later said he had been sorely tempted to go to
  Warren's office, tie Warren down in his chair in front of his workstation,
  and then type delete *$ twice.  DWIM is often suggested in jest as a
  desired feature for a complex program; it is also occasionally described
  as the single instruction the ideal computer would have. Back when proofs
  of program correctness were in vogue, there were also jokes about DWIMC
  (Do What I Mean, Correctly).

It seems to me that all interactive programs should have a prominently
displayed switch labeled something like DEWITYD, "Do Exactly What I Tell
You, Damnit!" (pronounced as "de-witted"). No doubt the results will be
wrong (or even disastrous) at least as often as the results of DWIM will be;
but at least you'll know exactly who to blame.

Posted by Mark Liberman at March 9, 2006 05:51 PM

  [I always enjoyed seeing Warren's license plate (DWIM) now and then while
  driving.  However, based on experience with InterLisp, many wags suggested
  that the correct acronym should have been DWWTYM -- Do What Warren Thinks
  You Mean.  PGN]

Citibank Blocks Some Debit-Card Use Abroad

<Monty Solomon <>>
Wed, 8 Mar 2006 12:40:13 -0500

Citibank said has blocked the use of some of its PIN-based debit cards after
detecting fraudulent cash withdrawals in Britain, Canada and Russia.  PINs
were apparently obtained from "a third-party business' information breach"
in the U.S. last year.  [Source: Eileen Alt Powell, AP Online, 8 Mar 2006;

[Apparently the PINs are archived, perhaps even unencrypted?  PGN]

Government surplus sale yields personal data

<Karl Klashinsky <>>
Tue, 07 Mar 2006 11:03:09 -0800

Health and immigration records sold at B.C. auction
(news item from the Canadian Broadcasting Corp)

Several investigations have begun after computer tapes containing health
and immigration records for thousands of people in British Columbia were
sold at a public auction for $101.

The records contained information on sexual abuse, HIV status, and mental
health, as well as other information that was obviously quite confidential
in nature.

The fact that old backup tapes were sold off is probably not too surprising
to RISKS readers.  What is interesting is that this is not the first time,
and, according to the article, "the government brought in rules that should
have ensured that all information was removed from surplus computer
equipment before it was sold."

Australian National Credit Union Limits Internet Passwords

Wed, 8 Mar 2006 16:00:16 +1100

A step backwards for customers of Australian National Credit Union
( where from 21 Mar 2006 all users of the credit
union's Internet banking will be limited to choosing passwords of six
characters, consisting only of the numbers 0-9. They have previously had the
ability to choose alpha-numeric passwords of varying length.

The credit union's website claims that the changes are for enhanced security

  Important Internet Banking Password Changes

  As of 21st March 2006, passwords for Internet Banking will be
  changing. This will apply to all passwords and second passwords (where
  applicable).  Your Internet Banking password will now be known as your Web
  Access Code (WAC).

  Web Access Codes (WAC) must now be six (6) digits long and only contain
  numbers (0 - 9), but no spaces. Make sure it is difficult for others to
  guess and does not contain your date of birth, member number and repeated

  Please do not change your WAC until you are prompted to on or after the
  21st March 2006. This will save you having to re enter a new WAC.

  These changes are being made in preparation for an improved site later in
  the year with added functionality such as Bpay view, Secure mail, Setting
  up regular payments, Submit a request for a new Term Deposit, Added
  security features.

After I enquired about this apparent backward step, the credit union's
response claimed this was required for the implementation of two-factor
authentication, amongst other security enhancements.  Two-factor
authentication might be great for those who use it, but those that don't
will be left with the limited password options.

I thought the RISKS were obvious, but perhaps not to the credit union's
security team.

More stupid high-tech legislation in NJ (RISKS-24.19)

<"Walter Dnes" <>>
Tue, 7 Mar 2006 23:38:35 -0500

High-tech-howlers are nothing new for New Jersey legislators.  See back in 1991.  That was
about a bill that would require all "software engineers" to be licenced, for
a *VERY WIDE* definition of "software engineer".  The initial draft would've
required every secretary who created a Word or Excel macro to be licenced as
an engineer.

Walter Dnes <> In linux /sbin/init is Job #1

Re: NJ Bill Would Prohibit Anonymous Posts on Forums (RISKS-24.19)

<tanner andrews <>>
Mon, 6 Mar 2006 23:03:08 -0500 (EST)

Too much important opinion, including that leading to the founding of the
country, was published anonymously to permit the government to ban anonymous
opinion.  Even unto this day, anonymous pamphleteering is an honorable
activity at the core of the First Amendment.

The main difference between Mrs. McIntyre's pamphlets and the fora to be
regulated is that a reader could use the pamphlet to create litter.  The
Internet provides no similar opportunity because one is not handed an
physical object.

I would expect that such a statute, were it to be enacted, would be quickly
challenged and almost as quickly overturned.  See _McIntyre v. Ohio
Elections Comm'n_, 514 U.S. 334 (1995).  Nor is the question of littering
dispositive.  See _Schneider v. NJ_, 308 U.S. 147 (1939) [@156, Milwaukee;
@157, Worcester].

Obviously I am not a lawyer and you would talk to one before challenging or
violating any statute.

Re: NJ Bill Would Prohibit Anonymous Posts on Forums (RISKS-24.18)

<Rex Black <>>
Mon, 06 Mar 2006 22:45:37 -0600

On the other hand, having had a few "hit job" reviews posted of my book,
*Managing the Testing Process*, posted at by anonymous reviewers,
it seems that allowing people to slam other people--who may well be
competitor's--in a public forum without disclosing their identities and
therefore their interests poses some risks not just to the people who are
slammed, but also to the readers who may unquestioning accept the critique
while unaware of the motivations and interests behind the critique.

Rex Black, CTO, Pure Testing, Pvt Ltd; President, American Software Testing
Qualifications Board; President, International Software Testing
Qualifications Board; 31520 Beck Road, Bulverde, TX 78163 +1 (830) 438-4830

Re: On learning from accidents (Kirakowski, RISKS-24.18)

<"Martyn Thomas" <>>
Tue, 7 Mar 2006 09:48:48 -0000

When was the last time you saw a safety case where the claimed probabilities
of failure had error bounds?

When was the last time you saw a sound argument justifying these error
bounds? I never have.

Has anyone on the list *written* such a safety case?

Re: On learning from accidents (Norman, RISKS-24.17)

<Jerome Ravetz <>>
Tue, 7 Mar 2006 14:07:05 +0000

Up to now the most obvious harm done by pseudo-precision may well be in the
'accidents' of badly designed systems.  It could also be that the failure to
control the mass of meaningless output from computer programs ('GIGO
science') is a consequence of our dogmatic faith in numbers.  My education
in pseudo-precision began when I realised that students being taught the
Systeme Internationale as promoted in England in 1970 were forced to lie.
At that time, the S.I. prefixes were rigorously cascaded in thousands; the
deci- and centi- were banned.  So students doing exercises in 'the metric
system' were required to quote measurements of length to the nearest
millimetre, even when the object was a rough concrete pillar.  Like Hamish
Marson I knew some old-fashioned physical scientists who taught their
students about the management of uncertainty; but the breed was dying out
even then.

Reflecting on all this I eventually wrote (with my colleague Silvio
Funtowicz) 'Uncertainty and Quality in Science for Policy'.  In this we
developed the 'NUSAP' notational scheme, whose categories are Numeral, Unit,
Spread, Assessment and Pedigree.  The principle behind NUSAP has had some
success; the Dutch Environment Agency has a 'Guidance' for assessing
uncertainty in scientific information which is becoming a standard.  But
even there I find inadequate attention to the task of matching precision to
accuracy.  And for the situations when very uncertain quantities are
involved (as in much policy-related information) I find hardly any concern
at all.

Are there RISKS readers interested in developing this?

Jerry Ravetz, 111 Victoria Road, Oxford OX2 7QG,  +44 [0]1865 512247
Mobile   0790 535 2788  Website:
Visiting Fellow, the James Martin Institute for Science and
Civilization, Business School, Oxford University.

Files of my recent papers, available for downloading, can be found on the
website; on the Home Page see Tutorials - Post-Normal Science
and NUSAP, and Sections - Reports, papers.

Re: On learning from accidents (Norman, RISKS-24.17)

<Perry Bowker <>>
Thu, 09 Mar 2006 10:27:35 -0500

The discussion of error tolerances reminded me of a time, many years ago,
when I was an undergrad physics student. We were, of course, drilled
endlessly by professors and post-grad assistants about the vital need to
include error bars in experimental results. One day, my lab partner and I
were running some experiment (I think it was to explore a Wheatstone bridge)
built out of ancient wires, resistances, and meters.  The hopelessly antique
equipment inspired my partner to record some result as "4.1487892 +/- .002%"
in his lab book. When the experiment was marked, the instructor wrote "I
don't see how you could have achieved such precision", to which my partner
wittily wrote back: "You should not be critical of extra work, voluntarily

Re: On learning from accidents (Marson, RISKS-24.18)

Mon, 6 Mar 2006 21:16:46 -0800

Relevant experience? (gotta understand)

Hamish Marson asks, How many people who write software actually have
relevant experience in the real world for things they're doing?

In my view, relevant experience is not near enough to do the job right.
Usually when a task is to be done using a computer, the designers and coders
must understand the task BETTER than most real world experts do.  Otherwise
it doesn't work and nobody is happy. Furthermore, there are many other ways
to fail, as well. Some of them are profitable anyway.

Insecure APC BioPod

<Gabe Goldberg <>>
Wed, 08 Mar 2006 22:06:21 -0500

APC (American Power Conversion) sells a BioPod
described "Biometric Security:A Simple and Secure Way to Remember Passwords".

Text is "As security concerns continue to grow, so do the number of
passwords.  The Biometric Password Manager provide users a convenient and
secure way to manage and access multiple security phrases and codes.  This
product biometrically identifies users and gives them convenient access to
password protected applications and web sites."

When you install the software, it uses your Windows password for securing
all your login/password pairs. That's of course bad because you might want
more or layered security on your logins. What's worse is that if you have no
Windows password the software silently accepts null as password. That is,
not only do you not need a password to open the password vault stored on the
BioPod, no warning is given that a password might be a good idea to secure
the goodies.

After getting over my astonishment at that behavior I called APC tech
support but couldn't convince them that there was a problem. The dialogue
below shows my repeated failed attempts to convince the Web folk that a
problem exists.


  Me: Biopod has huge security flaw, compromises the device's integrity.
  I've reported this to your support people but see no action taken.

  APC: Thank you for contacting APC's email support on 01/31/2006 06:27
  PM. I would be happy to assist you.

  I apologize for the inconvenience. I am unaware of any security flaw with
  the BioPod. If you would like to describe the details of the suspected
  please feel free to send them to me. Officially the BioPod is not
  advertised as a security device, but a password manager, so it is not
  designed to increase the security of your computer, but provide a safe way
  to manage and store your passwords.

  Me: Installing the BioPod software on a Windows PC that is not password
  protected makes the BioPod password blanks. That is, when the password
  challenge is issued simply clicking OK without using a fingerprint AND
  WITHOUT ENTERING A PASSWORD logs in to the BioPod password vault.

  That's not my idea of a useful password manager.

  APC: The OmniPass software and BioPod can be setup for use with a Windows
  password or without a Windows password. If you don't have a Windows
  password and setup a "Windows" user you will be able to log into the
  password vault without a password because you don't have a Windows
  password. If you don't want to setup a Windows password simply setup a
  non-Windows user in OmniPass by following the directions in the attached

  Me: You're entirely missing my point. NO WARNING IS GIVEN THAT THE BIOPOD
  think the BioPod is performing correctly and that it's documented
  correctly and fully? If so, we have nothing further to discuss -- but I'm
  astonished at APC's (lack of) response to this problem.

  APC: I understand your point, however if you choose to setup a BioPod user
  using your Windows password as the master password and your Windows
  Password is blank, the BioPod would clearly not have a secure Master
  Password. It is for this reason if you do not have a Windows password it
  is recommended you use choose the option to setup a separate Master
  Password not based on the Windows password. Or you could opt to add
  security to your computer system by adding a Windows password.

  Me: This is your last chance. I reinstalled the software to review the
  installation dialogue. If no Windows password is set NO WARNING IS GIVEN
  THAT THE DEVICE IS NOT SECURE. You're correct that the user can set a
  Windows password for the specific purpose of having it inherited by the
  BioPod, and then remove the Windows password. But doesn't this seem a bit
  cumbersome to you? And aren't users unlikely to do it WITHOUT SPECIFIC

  Having the BioPod only take the Windows password, being unable to set a
  specific unique password for the BioPod, is very bad design. Your
  unwillingness to acknowledge that users MAY NOT REALIZE THAT THEIR BIOPOD
  is insecure is baffling.

  So my next communication will be with your public relations people and
  some mailing lists that publicize security risks such as this. They'll of
  course see how many times I tried to convince you that there's a problem

  APC: When the BioPod and OmniPass software are used properly they provide
  a secure way to manage your passwords. For more information about the
  operation of the software please contact Softex Inc, the designer of the
  software at

Gabriel Goldberg, Computers and Publishing, Inc., 3401 Silver Maple Place,
Falls Church, VA 22042 <> (703) 204-0433

Please report problems with the web pages to the maintainer