The Risks Digest

The RISKS Digest

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Volume 5 Issue 13

Monday, 20 July 1987


o Re: Another computer-related prison escape
Alan J Rosenthal
o Credit card risks
David 'Witt' Wittenberg
o The latest in Do-It-Yourself manuals
Andrew Scott Beals
o Re: Robocop review
Eugene Miya
o Robocop and following instructions
Brian Gordon
o Info on RISKS (comp.risks)

Re: Another computer-related prison escape

Alan J Rosenthal <>
Sat, 18 Jul 87 10:58:07 EDT
Andrew Klossner:
> The alarm did go off, but little attention was paid to it because it 
> goes off every day, ...

Something I've always felt strongly about in regard to this is fire
alarms.  There are many buildings in which fire alarms are ignored as a
matter of course.  I believe that in such a case having the fire alarms
is worse than not having them, for two reasons.  One is if you are
trying to tell someone that there is a fire.  You will pull the fire
alarm and leave the building.  No one will listen.  The other is if you
are trying to observe whether or not there is a fire.  Someone tells
you that there is, but you tend to doubt them because their information
is probably from the fire alarm.  At least, this could cause a delay of
minutes which can be crucial in a large building in a fire.

In an apartment building I lived in recently, one night at about 4am the
fire alarm went off.  I blearily woke up, pulled on some clothes, and left
the building.  Standing outside, I saw only two other people that felt as I
did.  Everyone else was still inside.  (I had only been living there for two
months at this time.)
                                       Alan J Rosenthal

    [If any of you wonder, "What has this to do with computers and related 
    systems?", the answer by now should be obvious...  Alarms were ignored,
    bypassed, misinterpreted, or otherwise mishandled in many cases such as
    the Stark, Three Mile Island, Chernobyl, Therac 25...  PGN]

Credit card risks

David 'Witt' Wittenberg <>
17-Jul-1987 1134
AT&T phone credit cards use a credit card number that consists (in most
cases) of your phone number followed by four (presumably somewhat random)
digits.  If the last four digits are random, the probability of guessing a
number (assuming you know that a particular phone number has a card
associated with it) is .01%, which seems relatively safe.

The problem was that if your number was on a centrex where the main number
ended in 000 all the users of that centrex had numbers that consisted of the
main number followed by 4 digits (a different four digit code for each user
to provide accountability), so if the centrex had 500 users with credit card
numbers, a random 4 digit number appended to the centrex number had
a 5% chance of working.  This made the expectation value of the number
of tries before finding a valid number 10!  

This has been corrected, so that now the card number is an individual 
number followed by the 4 random digits.

--David Wittenberg

The latest in Do-It-Yourself manuals

well!bandy@lll-lcc.ARPA <Andrew Scott Beals>
Sun 19 Jul 87 16:54:46-PDT
Three ads from the August issue of Computer Shopper:

  CABLE and SUBSCRIPTION TV secret manual.  Build your own DESCRAMBLERS,
  converters.  Instructions, schematics for: Sine Wave, Inband/Outband Gated 
  Sync Pulse, SSAVI methods (for HBO, Showtime, Cinemax, UHF, etc.)  Send
  $8.95 + $1 postage to CABLETRONICS Box 30502CS, Bethesda MD 20814.

  COMPUTER UNDERGROUND.  Hacking, Crashing, Pirating, and Phreaking.  Who's
  doing it, why they're doing it, and how they're doing it.  Sample
  programs, phone numbers, and the tools of the trade.  Send $14.95 + $1
  postage to CABLETRONICS Box 30502CS, Bethesda MD 20814.

  HACKER'S HANDBOOK.  Tells how to access remote computers, figure out
  passwords, access codes, operating systems, modem protocols.  Plug into
  the electronic subculture; open up a world of new information.  Send 
  $12.95 + $1 postage to CABLETRONICS, Box 30502CS, Bethesda MD 20814.

         [This item is included here to illustrate an important point:
         Knowledge on how to subvert system security is VERY WIDESPREAD.
         Sticking one's head in the sand and assuming that everything is 
         OK is a certain way to court disaster.  IMPORTANT SIDEBAR:  RISKS
         does not endorse unsavory behavior by crackers; however, RISKS
         also does not endorse ostrich behavior by system purveyors.  PGN]

Re: Robocop review

Eugene Miya <>
Fri, 17 Jul 87 10:40:16 PDT
Yes, I saw that segment as well.  I think the scene derived its effect from the
"blame the computer" syndrome we have developed over the last couple of 
decades.  The effect is supposed to be based on 1) "we" have this new security 
device, 2) to test it, would you hold this gun?  [For those not seeing the 
scene, this biped robot security device can identify guns held at it.]  Stop.

Typical person (Everyman, who was the actor of this scene, there is a name
of this type of person in the Star Trek parlance) would say "No way."  This
is what you have test pilots and drivers for.  Machines have made us think
about them in less than positive ways.  It's perfectly safe.

Now, for the viewer (you the reader of RISKS), do you think you would point
a gun at an armed security device?  Now, do ya'?  Do ya' feel luck.. punk?

We (computer people) would think this device would be tested to this point.
I'm certain the programmer characters in the film would have thought so too,
otherwise, why would the RISKS group exist?

The problem with computer systems is that we think we should try to put
common sense into them.  I think this is wrong.  Humans take common sense
for granted.  It is a form of prejudice.  Common sense is not logic.  The
other extreme is "blind logic", which is portrayed as poor programming
(actually inconsiderate "exception handling").  Our problem is that we have
conflicting goals; the best written description was given by Nancy Leveson
in her Computing Survey article on Safety.  One purpose of science is to
challenge the assumption of common sense as part of education/learning.

Remember that just over a century ago, it was `common sense' that certain
members of the human population were inferior on the basis of race.
Quantum mechanics arose in a different domain to change other `common sense'
ideas.  In the end, it is all your point of view.  I do plan to see this film
(as bad as it might be). S&E both gave thumbs up, but I don't trust them.

--eugene miya,   NASA Ames
                             [1. `` `Common sense' is not very common.''  
                              2. I have seen one scathing review and one rave
                                 (qualified with "excessive violence").  
                                 The previews go right to the ``would you
                                 trust this robot?'' scene...  PGN]

Robocop and following instructions (RISKS-5.12)

Brian Gordon <>
Sun, 19 Jul 87 08:26:23 PDT
  >"I think there's something basically funny about a machine ... 
  > blindly following instructions in the face of logic" 

One of the scariest things I learned while teaching "Computer Appreciation"
(actually titled "Computers in Society") to non-technical types in the 70's
was how little college students knew about the "nature" of computers.  On
every final there was a question of the general type, "What are the
implications of a machine that only does EXACTLY as it is told".  The majority
of the answers were always about how bad it WOULD be if there WERE such
devices -- and remember, this was after they were told the question was
coming!   It almost makes you want to take up plumbing.

FROM:   Brian G. Gordon, CAE Systems Division of Tektronix, Inc.
UUCP:   tektronix!cae780!gordon [or gordon@cae780.CAE.TEK.COM]

Re: Robocop review

Mon, 20 Jul 87 11:35:48 EDT
Right-on-target discussion (by Eugene Miya) of safety and risks in this
hypothetical situation, and the contrasts between what people intuitively
expect from "intelligent" machines and what they actually get.  (The term
"intelligent machine" is a lasting disservice done to our discipline by the
press of the 1940's and '50's.)  The point I want to make is that there
seems to be a large segment of society out there that doesn't think this is
a risk at all - it's just funny. That's the same society that somehow has to
make collective decisions about computer systems in nuclear power plants,
weapons, planes, and all the other things we've been discussing for
who-knows-how-long here.

Please report problems with the web pages to the maintainer