The Risks Digest

The RISKS Digest

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Volume 6 Issue 51

Tuesday 29 March 1988


o Drive-by-wire BMW
o Re: High Tech Trucking
Franklin Anthes
o Countering driver aggression
Leisa Condie
o Risks in diving computers
J M Hicks
o Why gamble on non-redundant systems?
Roy Smith
o RISKS of using the "AT&T Public Phone Plus"
Henry Mensch
o The risks of rumours
Dave Horsfall
o Credit-limit handling found overly restrictive
Wm Brown III
o Program prejudice and psychological testing
Prentiss Riddle
o Funny phone
Steve Strassmann
o Risks there and whoops! still there!
A.E. Mossberg
o Info on RISKS (comp.risks)

Drive-by-wire BMW

Thu, 24 Mar 88 18:55:28 PST
Referring to Jonathan Jacky's message about 'drive by wire': 

  > 'Recently BMW in West Germany introduced a V-12 drive-by-wire automobile...

The car you're referring to can only be the V-12 powered BMW 750iL, just
introduced.  In this case, 'drive by wire' means throttle control, not steering
control.  The following excerpt is from the November 87 issue of 'Road and
Track', pp. 73:

  "Each bank of cylinders sports its own Bosh Motronic engine-management
  system as well as separate air-mass meters, fuel supply, fuel pumps and
  electronic "drive-by-wire" accelerator.  An automotive first from aircraft
  practice, the drive-by-wire accelerator signals the fuel injection
  electronically; there's no direct mechanical linkage.  Also from aircraft
  practice, dual systems have an obvious benefit:  In the event one of these
  electronic wunder-banks
  fails, the other side is bound and determined to get you back home safely,
  albeit under half power."

Apparently, one of the reasons BMW has taken this approach is in order to
enable a feature they call ASC (Automatic Stability Control).  From the same
article, pp. 74:

  "ASC is a wonderful feature that, when activated from a switch on the center
  console, helps prevent uncontrolled wheelspin under varying road conditions,
  whether slippery, dry or a combination of both.  With ASC engaged, we found
  it nearly impossible to break the rear end loose, but once we deactivated the
  system, tail-out driving was a possibility.  Snowbound 750 owners will
  certainly welcome this device as readily as ABS braking."

The article does not discuss what measures BMW engineers may have taken
to ensure that the 'drive-by-wire' throttle fails 'safe.'

Re: High Tech Trucking

Franklin Anthes <mcvax!geocub!anthes@uunet.UU.NET>
Thu, 24 Mar 88 11:22:18 +0200
 Over here in France a black-box system has existed for quite a while now.
It isn't a computer, and its output goes to a paper disk, so it probably
can be tampered with.

 The two things that I know of that can be checked with this device are:

    - speed of vehicle
    - time spent by driver without resting.

 The device is used on trucks and busses. Over here most truck drivers
drive alone, so if the truck is driven for 15 hours straight, that means
the driver has been driving all that time.

 The only cases I have heard of the output of the black-box being used, is
when an accident has taken place. The output can help determine the causes
and the responsabilities involved. It may be used at other times, but it
just doesn't make the news.

Frank Anthes-Harper       ....!ucbvax!decvax!uunet!mcvax!inria!geocub!anthes

Countering driver aggression [For those of you who have not seen it]

Leisa Condie <munnari!!phoenix@uunet.UU.NET>
Fri, 25 Mar 88 08:43:38 est
IEEE Spectrum (Tools and Toys section), Feb. 1988 without permission:

Curbing homicidal impulses

Revenger lets the frustrated driver vent aggressive impulses by emitting loud
sounds. The instrument, which looks like a radar detector and attaches to your
vehicle's dashboard, contains a sound chip and a row of light-emitting-diodes.
When the Revenger is turned on, the LEDs start flashing, and the driver has the
option of pressing three buttons: machine-gun (rat-a-tat-tat), grenade launcher
(a whistle and a boom) or a death ray (a high-pitched, oscillating frequency).
Mike Grubbs, vice president of the company that makes Revenger, jested about
the death ray:"That's something that you might aim when a pedestrian walks out
in front of you". Revenger is available through major retailers for $20- $25.

Risks in diving computers ["diving", not "driving"]

J M Hicks <cudat@CU.WARWICK.AC.UK>
Tue, 29 Mar 88 09:39:23 GMT
A colleague who goes diving once or twice a month told me about a diving
computer.  In order to avoid the bends, a diver must not come to the
surface too fast (unless there is a decompression chamber).  There are tables
for divers to follow showing how fast a diver may ascend safely, but these
are based on the assumption that the diver descends, remains at the same
depth for some time, and then comes to the surface.  In practice, of course,
divers go repeatedly up a little and down a little during the time they
spend underwater. The computer is supposed to be able to work out how
fast the diver should ascend after a complicated pattern of going up
and down underwater.  Apparently for a simple dive the computer takes
a more conservative view than the accepted tables.

   The usual display given by the computer shows the diver's depth.  If the
diver is going up too fast, the message "ASCEND MORE SLOWLY" appears for three
seconds, alternating with the usual display, which also lasts for three
seconds.  My colleague reckons the diver is more interested in his depth, and
it is a great temptation to ignore the warning message because it obscures the
depth display and come to the surface anyway.  Most of the time divers who do
this don't suffer, I think, because the computer takes a cautious view (I am
told it has several physiological models to work with).

   Poor human interfaces have been discussed in this forum many times, but
what opinions do people have of users' behaviour when a simple system is
replaced by a complicated system that they do not understand and they
can probably ignore because it takes a conservative view?

J. M. Hicks (a.k.a. Hilary),
Computing Services, Warwick University, Coventry, England. CV4 7AL
On JANET: cudat@UK.AC.WARWICK.CU (in the U.K.), (abroad)
From ARPAnet: try   (untested)
On uucp:        ...!ihnp4!mcvax!ukc!warwick!cudat
                                It helps if you spell "cudat" in lower case.

              [Sensitive users will note that quite a few systems are 
              case sensitive.  It began with Multics, as I recall.  PGN]

Why gamble on non-redundant systems? [lotto]

Roy Smith <roy%phri@uunet.UU.NET>
29 Mar 88 03:29:20 GMT
    We all know about the advantages of redundant systems; have two
parallel systems so when one computer crashes you can keep running with the
other, perhaps at reduced efficiency.  For critical systems, redundancy is a
must.  All that's left now is to define just what makes a critical system.

    Would you believe Lotto?  I heard an ad on the radio yesterday from
the New York State Lotto commission.  It seems that they have split their
network into two halves, each running independently.  Ticket sellers have
either blue or green Lotto signs, depending on which system they are on, and
each geographical area has some of each.  So, boast the Lotto folks, if one
system goes down, you can still buy tickets and claim cash prizes from ticket
sellers with the other color sign.

    I'm still at the mercy of a single system to get my pay check printed
out on time, but it sure is comforting to know that I don't have to worry
about being able to buy a Lotto ticket whenever I want to.

Roy Smith, {allegra,cmcl2,philabs}!phri!roy
System Administrator, Public Health Research Institute
455 First Avenue, New York, NY 10016

                 [That is indeed a critical system in the eyes of many!  PGN]

RISKS of using the "AT&T Public Phone Plus"

Henry Mensch <henry@GARP.MIT.EDU>
Mon, 28 Mar 88 23:38:54 EST
The AT&T Public Phone Plus service is most often found in airports, rail
stations, etc.  There is a card reader at the bottom of the phone which will do
the right thing (purportedly) with your AT&T card (I didn't think to try my
FoNCard), a bank card, or an AmEx/DinersClub/etc.

Some days ago I was in Boston's Logan Airport and I spotted one of these phones
so I went up to investigate.  Instead of seeing a "Welcome" sort of screen on
the display, I saw a display which read "if you want to make another call,
press the <frob> button."  Further inspection revealed that the receiver, while
sitting in the hangup hook, didn't fit well enough to depress the lever which
would have terminated the calling session.  Over the next few days I noted that
the same situation existed on other "Public Phone Plus" devices in remote
places (other terminals of Logan Airport, as well as JFK and LAG airports).

Hasn't anyone been burned by this yet?

# Henry Mensch / <> / E40-379 MIT, Cambridge, MA
#      {ames,cca,rochester,harvard,mit-eddie}!garp!henry

The risks of rumours

Dave Horsfall <munnari!!dave@uunet.UU.NET>
Tue, 29 Mar 88 11:04:22 est
I thought this might make a good RISKS item, as it resembles the shutdown
of a computer network because of a perceived hacker threat (sorry I can't
remember which issue!).

A colleague told me the other day that he'd heard that the Australian
Federal Police were going through the various Universities, armed with
a search warrant, looking for pirated software on PC hard disks.  I could
not find anyone who actually _saw_ this, but they'd all "heard of it".
However, the threat was sufficient to cause people to stay up at all
hours, reformatting their disks!  I subsequently received the following
reply from someone who would rather remain anonymous:

  We heard about this too!  It caused quite a panic around here until the
  Dean phoned around to other Faculties/Unis.  It is not true.  We heard
  that Macquarie had been 'hit', they though that SU had been hit & SU
  thought that we had.  It apparently partly stems from a letter that was
  circulated at ANU warning people there about the risks of software
  piracy & the uni refusing to take any blame for stolen programs.  It may
  well have been due to some rumour planting by FAST itself.  As you said
  though, a lot of people got rid of pirated software.  At least now people
  have thought about what they are doing/have done.  

Who are "FAST"?  Federation Against Software Theft - a commercial outfit
consisting of the head honchos from the various software distributors, who
think they can stamp out software piracy.

Dave Horsfall (VK2KFU), Alcatel-STC Australia,, ...munnari!!dave

Credit-limit handling found overly restrictive (RISKS-6.50)

Wm Brown III <Brown@GODZILLA.SCH.Symbolics.COM>
Tue, 29 Mar 88 13:48 PST
  Date: Mon, 28 Mar 1988  19:06 EST

  I assume that the number is used to remove the associated hold, which is then
  replaced with the actual charge.  If your bank doesn't work this way, you
  should switch to one that does. (I've never had a problem with my Citibank
  MasterCard, so I don't think the problem is endemic to MasterCards.)

Look at the number of characters in an authorization code; it is far too small
to reflect the number of authorizations issued by just one processing center on
one busy day.  I believe that the banks are really interested in covering their
soft parts, as usual, rather than making the system airtight.  All they need to
prove is that an authorization was (or was not) obtained at the time of sale.
I know from personal experience that authorizations are frequently issued for
estimated amounts; most hotels call for them as soon as someone checks in, long
before phone or room service charges can even be estimated.  Restaurants
frequently bring back charge slips for signature without a total, but with an
authorization code.

I don't think that authorization codes are actually generated by the bank which
issued your credit card.  The merchant calls HIS bank's processing center
(which may serve many different banks); that center's computer verifies the
credit available on your account, then IT issues a number which the merchant
writes on the charge slip.  The only time anyone really cares about that number
is when you don't pay your bill.  Then the important question is whether the
merchant really DID call for authorization before accepting your plastic (in
which case it becomes the bank's problem) or not (in which case he eats the
loss).  It's just electronic finger-pointing.

I would speculate that the codes are some sort of hash of date, time, account
number(s) etc. which would make it impossible for the merchant to dummy up an
authorization after the fact.  As to not having problems with your card, the
system is designed to be almost invisible under normal circumstances.  Unless
you charge a lot of estimated amounts AND are near your credit limit, you
probably won't ever know that it is there.  The only way I have found to check
on it is to obtain both your current debt and available credit from an on-line
source (such as an ATM).  If they total to less than your maximum line, there
is probably a hold floating around in there.

    [The authorization code is a protection for the card acceptor.  If the
    card authorizer grants an authorization code, then it will grant the
    payment.  Otherwise maybe not, e.g., if the account is bogus!  PGN]

Program prejudice and psychological testing

Prentiss Riddle <ut-sally!im4u!woton!>
22 Mar 88 14:09:58 GMT
<> Your answers to a few meaningless questions on a job interview could be
<> interpreted for drug use, integrity of character, and watching Saturday
<> Morning Cartoons. 

This is another case in which computers only facilitate an already existing
risky practice.  Corporate personnel offices have been misusing psychological
testing for years.  A member of my family was once diagnosed as "neurotic" by
an employer (who then in a fit of paternalism informed the employee's spouse
but not the employee).  I mistrust psychological testing even in the hands of
professionals trained to appreciate its limits; if widely used for personnel
decisions it could exceed even bogus lie detector tests in the damage it might
do to innocent individuals' careers and lives.

-- Prentiss Riddle ("Aprendiz de todo, maestro de nada.")
-- Opinions expressed are not necessarily those of my employer.
--  {ihnp4,uunet}!ut-sally!im4u!woton!riddle

funny phone

Steve Strassmann <straz@MEDIA-LAB.MEDIA.MIT.EDU>
Thu, 24 Mar 88 02:44 EST
My father uses a service provided by the Peoples Phone Company of Connecticut.
From anywhere in the US, you can dial an 800 number, and then enter a password
(via touchtone) to call him or a third party, and he gets the bill. Many PPC
customers share the same 800 number.

Unfortunately, the service was widely abused when this number became widely
known, so it was changed. Last week I was greatly amused to discover:

 (1) although the phone number was changed, the passwords weren't,
     because (according to the president of PPC) they "didn't want to
     inconvenience existing users too much."

 (2) when you dialed the old 800 number, you got a recording saying
     "This number is no longer in service... the NEW number is ...."

Needless to say, yet another change is in the works.

Steve Strassmann, MIT Media Lab, Cambridge, Mass.

risks there and whoops! still there!

a.e. mossberg <>
Tue, 22 Mar 88 13:03:57 EDT
In RISKS-6.47 Jerry Leichter suggests vt220 terminals are somewhat secure....

I think that the problem is better stated as 'block mode', not
programmable function keys.  I've looked at our vt220 manuals and 
the problem I stated before remains.. I can send a sequence like this:

    lock keyboard
    erase display
    block mode on
    output whatever sequence of commands I want executed...
    send screen

I tend to doubt there are many people who are quick enough to go into setup
to unlock the keyboard for the sequence executes, and who pay enough
attention to even catch it, if I were to do a clear screen, block mode off,
unlock keyboard at the end of the above sequence.  Anyway, why is block mode
still around?  I can't recall seeing ANY application that used it.  (I kinda
vaguely remember a pseudo-full-screen editor on the UNIVAC that might have
needed it.)

a.e.mossberg                Internet:
Univ of Miami Hertz Laboratory      Uucp: ...!uunet!miavax!aem

Please report problems with the web pages to the maintainer