The RISKS Digest
Volume 7 Issue 42

Thursday, 1st September 1988

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Please try the URL privacy information feature enabled by clicking the flashlight icon above. This will reveal two icons after each link the body of the digest. The shield takes you to a breakdown of Terms of Service for the site - however only a small number of sites are covered at the moment. The flashlight take you to an analysis of the various trackers etc. that the linked site delivers. Please let the website maintainer know if you find this useful or not. As a RISKS reader, you will probably not be surprised by what is revealed…


o "Pizzamation" traces phone calls, matches addresses
Jon Jacky
o Skylab and Sunspot Activity
o Denial of Service in Wembley-on-the-Motown
Behrooz Parhami
o Re: Calculations with wrapped numbers
Mike Linnig
o Meter reading follies
Chris Jones
o Re: abnormal bills
Ted Lee
o Risks of CAD programs
Mike A. Gigante
o Re: Risks of CAD programs
Sam Crowley
o Can current CAD/simulation methods handle long-term fatigue analysis?
Henry Spencer
o Re: Vincennes and Non-Computer Verification
Henry Spencer
o Re: Computers and Gambling
Jim Frost
o Automatic Bank Procedures
David A. Honig
o Info on RISKS (comp.risks)

"Pizzamation" traces phone calls, matches addresses

Jon Jacky <>
Thu, 01 Sep 88 09:10:40 PDT
Excerpted from a story in THE SEATTLE POST-INTELLIGENCER,
18 August 1988, pps. B5 and B8:


Tim Turnpaugh was caught off guard recently when he telephoned for a pizza
to be delivered to his home.  When he got the pizza company on the line, 
the person taking orders greeted him by name like an old friend — before
Turnpaugh could identify himself — and cheerily asked if he'd like the same
toppings he asked for on a previous order.

"I didn't have to give them directions to my house, nothing," he said.
Everything the company needed to know was gathered during a previous purchase
and stored in the memory of a computer, ready for instant regurgitation.
This is the brave new world of pizzamation.

Godfather's pizza in Washington [state] is one such firm on the cutting edge
of pizza technology.  Inside a gray-walled, nondescript building in a 
Renton [Seattle suburb] business park, 80 desktop computers are lined up in
rows at Godfather's state communications center.   Not a single pizza oven is
in sight.  On a hectic Friday night, as many as 50 part-time employees sit in
front of the tricolor screens, taking orders. ...  If you've called before,
the computer instantly identifies and recognizes your telephone number, and
retrieves information from previous orders.  "Customers don't even know a
lot of the time they've reached a centralized system," said Donna Brown,
manager of the center.  "They still think they're calling a local restaurant."

After the order is placed, the computer decides which of 51 restaurants or
outlets in Western Washington, or 10 in Eastern Washington, is closest to the
customer.  The computer totals the price and relays the order and delivery
instructions to the kitchen of a restaurant or outlet, where it comes out on
a network printer. ...

Brown said the system allows the company to keep track of sales data, and 
since it records addresses — more than 500,000 are stored in Godfather's 
memory banks — it can be used for direct-mail marketing. ...

Cathy Nichols, owner of four franchised Domino's Pizza stores in Renton
and Maple Valley, installed computers early this year ... Since the computer
matches phone numbers with addresses, it also helps smoke out young pranksters
who habitually order unwanted pizzas for the unsuspecting. ...
                     [Not if they are smart enough to read a phone book.  PGN]

Some customers may worry that their local pizza retailer may be keeping records
on their eating habits as well as detailed directions to their house.  It can
be unsettling to think that the Big Cheese is watching you.  Nichols
acknowledged that large, centralized systems are "kind of scary."  "There's one
number in the state that you call, and they know everything about you."

Bill Brown of Godfather's said she could recall only three people who asked
that their records be purged, and only because they didn't want to wind up 
on mailing lists.  Their records were immediately removed, she said, adding
that Godfather's does not sell its mailing list to other companies.

[This is the first confirmed report I have seen of marketing outfits tracing
calls, although I have heard rumors of other systems in which calling an 800-
number in response to some promotion would put your phone number on a list that
would later be matched in order to derive your name and address.  It is my
observation that most people believe that "tracing a call" is still a
difficult, time consuming process that cannot be done routinely.  This story
shows that it is a service phone companies offer to commercial customers,
although I have not seen any reports of it also being offered to residential
customers (who would then be able to ignore calls from marketers, cranks, etc.)
Jonathan Jacky, University of Washington]

    [In an unrelated development, some of the pizza outfitters are selling
    leather pizza outfits — that is, protective clothing for the pizzas.  If
    the pizza chains are going into leather, maybe S&M now stands for salami
    and mushrooms.  PGN]

Skylab and Sunspot Activity

Peter Neumann <>
Fri, 26 Aug 1988 14:30:16 PDT
There is an article by Richard A. Kerr entitled ``Heads Up! Sunspots Are
Dragging Down Satellites'', Science, vol 241, 19 August 1988, p. 902.  He
discusses the ups and downs of sunspot activity, and recalls that the last time
a relative maximum was reached in 1979, the 85-ton Skylab satellite was downed
as a result of the increased drag from the sun-swollen atmosphere.  The
predictability of future activity is apparently very poor.  Computer relevance?
Well, just one more thing to remember next time you put a computer in space to
control something, along with cosmic rays, laser beams, meteorites, space junk,
and other assorted hazards.

Denial of Service in Wembley-on-the-Motown

Peter Neumann <>
Wed, 31 Aug 1988 18:34:41 PDT
Stevie Wonder's birthday concert for Nelson Mandela at Wembley was disrupted
when someone stole a portable digital audio tape machine and a computer disk
drive that links into his Synclavier.  After a three-hour delay during which he
could not perform the intended program without the equipment, only two songs
were sung and the synthesizer pieces were omitted completely.  (The equipment
was later found.)  [From England's COMPUTING, 16 June 1988, p.3, contributed by
Behrooz Parhami, Computer Science, Carleton University, Ottawa CANADA K1S 5B6]

    [Here is another example of the risk of becoming completely dependent on
    technology — no longer being able to function without it.  On the other
    hand, the equipment is presumably so reliable that there is little 
    incentive to provide much in the way of backup facilities?]

Calculations with wrapped numbers (RISKS-7.40)

Mon, 29 Aug 88 16:19:22 CDT
James Peterson <peterson%sw.MCC.COM@MCC.COM> writes:
>The problem is how to identify a wrap-around as different from a misreading...

We had a similar problem with wrapped data on a missile guidance system. Every
few milliseconds we would get a target position update.  To smooth out
the noise we'd average the new input with the old.  Since target positions
were in degrees from true north they ranged from -180 to + 180 degrees.

The problem occurs when the previous value is -175 or so and the new
value is +175.  What is the average?   Adding and dividing by two doesn't
cut it (zero is certainly NOT the answer).

I don't remember how we solved this particular problem, but I have thought
about it since then.  Imagine trying to compute the average position of the
second hand on a clock.  You sample the position once a second for sixty
seconds.  Ok, now what is the average?
                                            Mike Linnig

meter reading follies

Chris Jones <ksr!>
Fri, 26 Aug 88 15:42:34 EDT
About three years ago I had an extended interaction with our gas company
(Boston Gas), because of an error which was allowed to override all other
readings.  Boston Gas replaced our meters as part of what they say is a program
to replace the meters every seven years.  (In fact, I notice that they have
replaced the meters three times in the thirteen years we've owned the house,
but it certainly doesn't bother me to have the gas company look at our service
and say it looks non-explosive).  The old meters were the boxes with which I
was familiar; the new meters were smaller by about 50% in volume, and had
digital readouts.

As is standard practice, which practice had, until then, been working smoothly,
our old reading was sent in along with our new reading.

It took many months of ridiculous bills, and numerous (well, four) trips by the
gas company to notice that we were being billed amazingly incorrectly.  The
things that went wrong were:

1. The initial reading was wrong (*THIS* was the uncorrectable
   mistake).  I was *AT LAST* able to convince the gas company that
   all of our data made sense if they first assumed that the first
   meter reading had been made from right to left instead of left to
   right (this is a somewhat obvious mistake since non-digital meters
   should be read from right to left).

2. Since my wife and I were not at home during the normal working
   hours of Boston Gas's meter readers, we were sent estimated bills
   for months (about 14, all told).  It occurs to me that the price of
   the gas fluctuated during this time, and they have no way of
   knowing when we were using high-priced gas and when we were using
   low-priced gas.  It  probably didn't make more of a difference than
   writng them 10 letters did, which is what we, in fact, did.

3. MOST ANNOYINGLY, eventually our gas meter reading caught up to what
   BG thought made sense.  So, they called us, since now their bills
   showed that instead of owing them about $1300, they had overcharged
   us by about $400.  It *only now* had become a problem that they
   wanted to solve.  It took me about 10 minutes on the phone to
   convince the service person that I understood what was going on.
   As a matter of fact, when they finally read our meter, and believed
   the reading, it turned out that they owed us $5, which I declined
   to accept, knowing that, in New England in the middle of winter, I
   had impending multi-hundred dollar heating bills and could wait
   several weeks to realize my $5 credit.

So, what had happened?  One incorrect reading had been accepted as correct, and
someone (or someone's algorithm) had summarily rejected all subsequent
readings, even though an examination of them would have revealed that they were
all consistent ****with the exception of the initial reading****!!!!

It works to be first, even if you're wrong.

Re: abnormal bills

Fri, 26 Aug 88 01:33 EDT
Yes, some periodic billers do notice abnormal bills.  When I first installed a
modem on my Apple (must have been about five years ago) our oldest son, then
about seventh grade, used it to call the usual local bulletin boards.  (By the
way, they outgrow the habit — neither of our two kids has bothered in the last
several years.) On some of them there were posted the usual lists of bulletin
boards all over the place, national and international.  ("for neat stuff call
01144 ...") Somehow either we or the U.S. public education system had neglected
to inform grade school students that any phone number over seven digits cost
money, and real long numbers cost lots of money.  Needless to say, the next
month's phone bill was out of sight. (I vaguely remember it was about $300,
when usually it was around $20 or so.)  We almost immediately got a call from
the phone company asking if there was some kind of error and whether the bill
should be corrected.  I'm afraid I didn't have the presence of mind to ask how
they noticed it.

(And no, it wasn't a "small town" phenomenon:  the Twin Cities metropolitan
area is about 2 million people and incidentally has one of the geographically
largest toll-free phone systems in the country.)
                                                           Ted Lee

Risks of CAD programs (RISKS-7.38)

Mike A. Gigante <munnari!!mg@uunet.UU.NET>
Sun, 28 Aug 88 09:22:52 EST
> Do practicing civil engineers reduce their safety margins these days because
> they use computer-aided analysis?  How much?  How small a safety margin ...
> Alan Kaminsky, School of Computer Science, Rochester Institute of Technology

In my previous life, I was an Aeronautical Structures Engineer specializing
in CAD/FEM at an active design organization.

FEM isn't new, computers were being used in the 50's to do structural
analysis (matrix methods on mainly truss structures), then and now, the 
programs are not a panacea for an indepth knowledge of both teh behaviour
of structures and of how the program works. Any engineer using these methods
without that understanding is both incompetent to do the design and dangerous.
There are a million different ways to represent your structural model with
a wide variation in the quality of the results, you need to know what you
are doing and what simplifying assumptions have been made in the element

Luckily, there are a number of checks in the engineering design process. there
are regulatory authorities who need to independently varify the design (at least
for aeronautical, automotive and civil). These independent checks often include
physical tests and 'rule-of-thumb' calculation checks to catch gross errors.

On validation of the programs, packages like NASTRAN have been in regular
use for ~20 years. For routine use by a competent designer, they are fairly

Simply adding a large safety factor is not a solution. for financial and
performance reasons, the product should be as close to the bone as
possible. A good analysis program and in-depth understanding of structural
behaviour can give you a better product (or a product that will actually
take off with its full load!). 

Something you need to realize is that the safety factors generally fall 
into two catagories

1) Loads 2) structural failure

By better understanding the modes of failure etc, the SF on 2) can be
reduced (and even more importantly, a surprise falure mode won't catch you
out!). The SF on loads (1) is most often regulated and hence cannot be
lowered. It is these SFs that 'protect' you.         Mike

Re: Risks of CAD programs (RISKS-7.38)

Sam Crowley <astroatc!>
Tue, 23 Aug 88 16:56:50 CDT
> Alan Kaminsky, School of Computer Science, Rochester Institute of Technology
> Now for the RISK.  With a detailed picture of the exact stresses and
> deflections on a particular structural member, the engineer can justify
> designing with a smaller safety margin...

    The term "smaller safety margin" should be "known safety margin" and the 
term "large safety factors" should be "large estimated safety factors". When a
guess was made at the amount with a generous safety margin tossed in, the
exact safety margin is still unknown. An estimate of the safety margin could 
be made depending on the accuracy of the guess. 
                                              Sam Crowley  astroatc!crowley

Can current CAD/simulation methods handle long-term fatigue analysis?

Wed, 31 Aug 88 23:08:24 EDT
> Metal fatigue can be calculated with a reasonable amount of accuracy. 

It is possible that my information is out of date.  However, Aloha Airlines
might dispute the matter!  If fatigue calculation for real structures under
real conditions is indeed accurate and practical, it is not being used very
widely, for some reason.  I'd be interested to see references on this.

> Most aircraft design use a 10% to 20% safety factor. A safety factor of
> two would make an aircraft so heavy it would never leave the ground.

For structural weights, yes, 10-20% is normal.  But what I was thinking of
was fatigue life, which — at least in the military aircraft that are the
ones I know most about — is treated *very* conservatively.

Henry Spencer U.Toronto Zoology uunet!attcan!utzoo!

Re: Vincennes and Non-Computer Verification

Fri, 26 Aug 88 23:04:02 EDT
> Indeed, **what happened** in the case of the Vincennes?  Was the U.S.
> operating naval patrols in a war zone without air support?  If so, why?

The underlying problem here is simply that today's US Navy is not built
for environments like the Gulf War.  Their air support is concentrated
in a handful of big, expensive, conspicuous, vulnerable carriers that
cannot be risked in the Gulf.  If the Vincennes had had a Harrier parked
on its helipad ready to go, that would have been different, but it didn't.
In an area as small as the Gulf, things happen quickly and there is no
time to call up distant support forces.  It's not practical to maintain
airborne patrols on speculation — too costly, not just in money but in
wear and tear on men and machines, and in outright accidental losses.
(A significant fraction of the British Harrier losses in the Falklands
War were accidents not involving enemy action.)

Henry Spencer @ U of Toronto Zoology

Re: Computers and Gambling (RISKS-7.39)

Jim Frost <madd@bu-it.BU.EDU>
Sat, 27 Aug 88 13:58:50 EDT
It's my observation regarding modified electronic games:

| [games] "..appear to run legitimate amusement games but with the flick 
| of a switch they are converted to gambling machines.
| Machines of greater sophistication are now starting to appear
| with a second switch that totally erases the computer program
| [sic] which runs the illegal games.
| If that happens we are powerless to prosecute."

Modified games must have some sort of mechanism (either mechanical or human)
to pay off a win.  The existence of such a mechanism, especially if it were
mechanical, could be used as proof that the machine had been used for
gambling.  I'm not a lawyer so I can't speculate on how well this might hold
up in court though.
                                                     jim frost   

    [Assuming the machine is in the "gambling" state rather than the normal 
    "non-gambling" state, authorized surreptitiously by some trusted agent,
    such a payoff "mechanism" could be a screen message that asks you to type
    in suitable identification and then show up at the cashier's office.  If
    the program then immediately returns the machine to its normal non-gambling
    state, that could be rather hard to detect unless someone were looking
    for it explicitly.  One can conjure up all sorts of variants on this
    topic, but the problem is a valid one.  PGN]

Automatic Bank Procedures

"David A. Honig" <honig@BONNIE.ICS.UCI.EDU>
Thu, 01 Sep 88 13:09:15 -0700
My bank, Home Federal in Ca., has a policy of locking an account (at
least to ATM transactions) after * 3 months * of inactivity.  This
policy is implemented automatically by their computers.  You cannot
even check your balance using your ATM card when this is in effect.

This happened to me a year ago, also: that time the ATM swallowed my
card because my savings account was "inactive" for a year. I had been
trying to access my *active* checking account.  Several days later I
got my card back, after going to the bank.  I had to withdraw a dollar
from savings, then redeposit, to reactivate it.

This time when I asked the bank person I spoke with if he could do this
administrative No-Op over the phone.  He asked his supervisor, and said yes.
I had given only the following information: my name, checking and savings
account-numbers, and the ATM-card-number.  Furthermore, he had called me
back at a number that was not my home phone.

The phone mediated account re-activation contrasts with their
conservative, automatic security policy; on the other hand, it seems
they have struck an interesting balance between security and customer
convenience.  That tradeoff is important to many computer RISKS.

David Honig, Dept of Info & Comp. Sci, Univ. of Ca., Irvine 92717

Please report problems with the web pages to the maintainer