The RISKS Digest
Volume 7 Issue 43

Friday, 2nd September 1988

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Please try the URL privacy information feature enabled by clicking the flashlight icon above. This will reveal two icons after each link the body of the digest. The shield takes you to a breakdown of Terms of Service for the site - however only a small number of sites are covered at the moment. The flashlight take you to an analysis of the various trackers etc. that the linked site delivers. Please let the website maintainer know if you find this useful or not. As a RISKS reader, you will probably not be surprised by what is revealed…


o Statistical reliability estimation criticized
Brian Randell
o Calling party identification
Mark W. Eichin
o Automotive EMI - a personal experience
Scott C. Crumpton
o The mental tyranny of a cash register
Steven C. Den Beste
o Intoximeter risks
Andrew Vaught
o SSNs, Passports
Chris Hibbert
o Info on RISKS (comp.risks)

Statistical reliability estimation criticized (Jon Jacky, RISKS 7.40)

Brian Randell <>
Fri, 2 Sep 88 11:07:59 WET DST
Re: Jon Jacky's message, stating that:
>John Cullyer of the British Royal Signals and Radar Establishment ...
>said, "Let's throw out the 10 ** -9" - and many of the audience
>responded with enthusiastic applause.  Someone asked if he would accept a
>failure probability of only 10 ** -4 or 10 ** -5 for nuclear weapons safety.
>He responded, "In the weapons area there should be no room for probability.  
>If something is unthinkable, don't let it happen.  You either certify it or 
>you don't - one or zero."

I'm appalled by this comment, if it is reported as accurately as I fear it is!
Just because something is "unthinkable" doesn't mean that *any* particular
technology, such as certification, will *guarantee* that it will not happen,
and that no measures need be taken, or even considered, to allow for the
possibility of failure. (This is the sort of thinking which has "justified" the
reported lack of planning in the UK for dealing with Chernobyl-scale
catastrophes at nuclear power stations.)

I find the following attitude much more professional. (The quote comes from the
review by Tom de Marco of "Principles of Software Engineering Management", by
Gilb and Finzi, in IEEE Computer for August 1988):

 "We must quantify everything that matters to eventual project success or
 failure. Everything - particularly those product characteristics that we treat
 as unquantifiable (flexibility, "user-friendliness," net benefit, etc.) -
 must be scaled and targeted. Some of the quantifications will be "fuzzy"
 in Gilb's terms, but even fuzzy numbers are far better than no numbers at all.
 The very act of coming up with the best-effort quantification of these factors
 guides us towards success and knowing how well we are doing along the way."

Otherwise, how will the Cullyers of this world for example (i) choose between
rival certification techniques, (ii) know when certification is "complete", or
(iii) decide how to divide a finite budget between certification and
complementary approaches to reducing the likelihood of having to experience,
and apologise for, an "unthinkable" occurrence. (In fact I fear I know the
answer - by blind faith and misguided eloquence!)

All this is not to say that naive unjustifiable quantification, such as often
accompanies the bandying around of figures like 10 ** -9, any more
professional.  However the fact that such naivete occurs is no reason to
abandon attempts to find means of making, justifying and intelligently using,
quantified reliability assessments, even w.r.t. design errors, especially with
systems whose failures would be truly catastrophic.
                                                          Brian Randell

Calling party identification

Mark W. Eichin <eichin@ATHENA.MIT.EDU>
Thu, 1 Sep 88 22:22:08 EDT
>... It is my observation that most people believe that "tracing a call" is
>still a difficult, time consuming process that cannot be done routinely. This 
>story shows that it is a service phone companies offer to commercial 
>customers, although I have not seen any reports of it also being offered to 
>residential customers ...

I believe the New Jersey telco offered digital display of incoming number to
private subscribers a year ago; here at MIT, with the installation of a 5ESS
system with full ISDN support available to offices, the digital set
automatically displays the phone number the call came from (if it was within
MIT; apparently there isn't software in place to track calls from other
switches yet, the display merely indicates "Outside"). The documentation for
the dormitory phones included mention of a ``privacy code'' which meant dialing
65 before any phone number; the pamphlet with the phone didn't actually explain
what the privacy code *did* however.

Mark Eichin, SIPB Member & Project Athena ``Watchmaker'' 

Calling party identification Phone number tracing

Thu, 1 Sep 88 22:42 EDT
Our local cable company must use the same kind of connection to the phone
company that the pizza place mentioned in RISKS-7.42 does.  They have several
pay-by-view channels and a set of incoming phone numbers.  To order a
pay-by-view event all you do is dial something like 938-77xx where the xx is
the "ordering" code for the particular movie or live event (local sports, etc.)
you want.  A computer answers the call and is somehow told where the call was
from; it looks that up in a data base, finds the i.d.  of your cable box and
enables the show.  (It goes on your bill, of course.)  Rather clever, actually:
no human operators and it works from either a dial phone or a touch tone phone.
Don't use it much, and apart from misdialling the only "risk" I have is
remembering to use line 1 rather than line 2.
                                                         Ted Lee

Calling party identification

Thu, 1 Sep 88 19:57:52 xDT
While there is work going on to allow for the identification of calling parties
by the callee, such systems are not generally implemented and won't be for some
time to come.  There are some limited test projects, but I don't believe that
any large-scale operation of the sort implied is currently operational.

Most likely what is actually happening is that the first question people are
asked when they call the pizza folks is "what is your phone number?"  Then
the computer operator punches that in and up pops all the info from any
previous call.  It is unlikely that they are receiving the calling party's
number in realtime.  It IS true that with some long-distance carriers' 800
callers numbers are made available to the callee, but this is done on a
billing cycle basis (i.e., in the billing statement) and not in realtime.
If it turns out the pizza folks ARE receiving the number ID in realtime,
then they are in one of the test groups and one can't help but wonder how
many folks in the area realize the ramifications of this all (see below).

Now, in the middle future the issue of the callee being able to receive the
number of the caller will be a significant one for us all.  The technology is
being put into place.  At first glance, many people might say, "Gee, how neat,
I'll know the numbers of the phone solicitors who bother me."  But think again.
It would work both ways.  Do you really want YOUR phone number recorded (and
possibly later called back with solicitations, matched with addresses for
mailings, etc.)  whenever you call a business, possibly from your private line
you only intend to use for outgoing calls, or from some friend's house or
business from where you happened to make the call?  If you make a business call
from home, do you necessarily want the person receiving the call to immediately
have your home number?  Do they have any right to that number rather than
calling you back on the office number you might give them?  There are a variety
of complex ramifications.

Even worse, if YOU could see the callers' numbers on calls YOU receive, you
might be disappointed at much of what you'd see.  Most big solicitation
businesses use special outward-calls-only trunking groups; you would frequently
see undialable numbers like 012-4161 on your display.  Such info isn't going to
do you a lot of good without a lot of hassling with telco for info (which they
might well be unwilling to give you).

And what about obscene phone calls and such?  Won't this system help stop them?
Well, maybe some dummies would get caught, but there are one hell of a lot of
payphones out there and people could easily move from one to another

The issue of privacy of callers' numbers is thus more complicated than it might
appear at first.  Some proposals call for unlisted numbers not to routinely
display on callee displays.  Some other plans propose a control prefix (e.g.
"*21") which you could dial before dialing a phone number if you want to block
number display for that particular call.

All in all the issues involved are quite complex.  The time to start thinking
about them is now.

Automotive EMI - a personal experience

Fri, 26 Aug 1988 09:51:42 LCL
There is a section of road that I frequently drive which comes within about 600
feet of a TV (ch 20) transmitter tower.  Within a distance of approximately 1/4
mi of the tower, the cruise control on my 87 Volvo 240DL will not set properly.
The "set" button acts like "resume", causing a normal rate of acceleration up
to the previously set speed.  This behavior is repeatable in this location,
however I have not noticed any other symptoms or occurrences in other locations.

Considering the "success" that I have had getting minor problems (like cold
start stalling) fixed at the local Volvo dealer, I don't think I'll be taking
this one to them.  I will probably attempt to fix it myself with some ferrite
chokes and a little shielding.

The mental tyranny of a cash register

Mon, 29 Aug 88 12:01:58 -0400
Last Saturday I was in a local mall, and being thirsty I went to a cookie-
over-the-counter store which was handy, and ordered a "medium rootbeer", price
listed as $.75. I proffered a dollar, and was given $0.19 change.

[It should be explained at this point that Massachussetts has a 5% sales tax.
However, this would have fallen under the restaurant and meal tax, which also
happens to be 5%.]

"Wait a minute", I said, "The sales tax on this should be 4 cents, not 6."

"I know. The cash register is broken. But that is what it says to give you, so
that's what I have to do." [I suspect my memory may be making his words a bit
different - please bear with me.]

"Give me the rest of my change!"

"There's no way for me to do that." I walked away snarling.

Actually, of course, he could just have hit "No Sale" and gotten two more
pennies out of the till. But, having done so, at the end of the shift the till
would have contained less money than the cash register said it should, and he
would've had to make up the difference out of his own pocket. Given a choice
between it being his money and being mine, he wanted it to be mine.

Both of us were trapped by a cash register which had been programmed for an 8%
sales tax.

Now that I've cooled down, I'm not even sure that he thought it through to the
point I gave two paragraphs ago. I think his reaction was merely: Do what the
machine says, even if you KNOW it is wrong.

Editorial point: Shades of the Vincennes.
   We are the elite - we understand, at least in principle, what
goes on inside of virtually anything which is computerized. This makes us free
- we know enough to know that the computer can be just as wrong as a person
can, since a person decided ahead of time what it would do. It is only a
machine, and is just as fallible as its creators.
   But for those out there who truly have no idea what a computer is, it has
become a kind of oracle or demigod: You follow its orders and you DO NOT
QUESTION, because it is smarter than you. Perhaps this is why some people
flatly refuse to use automated tellers at banks, and literally refuse to touch
a computer keyboard even when urged. Those who mess with the gods get turned to
   When put in a job-related situation where interaction with a computer is
unavoidable, the computer truly becomes almost a deity: YOU DO NOT QUESTION.
("We are sorry, Mr. Thompson, but our computer says that you are dead. We do
not do business with corpses.")

[Maybe I HAVEN'T cooled down, after all.]

Intoximeter risks

Andrew Vaught <29284843%WSUVM1.BITNET@CUNYVM.CUNY.EDU>
Thu, 01 Sep 88 13:33:56 PLT
{Taken from the 24 August 1988 Spokesman-Review without permission}


  While official witnesses looked on, a Bonner County Jail prisoner swigged a
  paper cup full of gasoline last week in an effort to prove himself innocent
  of drunk driving.  Sagle resident Barry Joe Raynor, 20, claims he was
  siphoning gasoline just before he was arrested for drunken driving last Jan
  14, said his attorney Jonathon Cottrell.  When the case goes to trial in 1st
  District Magistrate Court next week, Cottrell and Raynor will argue it was
  gasoline on his breath that lit up the scoreboard on Bonner County's
  intoximeter the night he was arrested.

[The article goes on to say why drinking gasoline is not a real good idea and
how drinking a cup of gasoline showed a .28 percent blood alcohol level one
hour later.]

Although the article never mentions what kind of `intoximeter' is actually used
in the tests, it is pretty obvious that it is not directly measuring blood
alcohol content, but some other telltale that allows it to be fooled by

   [NPR this morning noted that when the tape recording of the arrest was
   played in court, Raynor sounded so intoxicated that he simply gave up on his
   gas defense.  OK.  This item thus appears to not be RISKS related, although
   the risk of false positives on such tests is always a risk that must be
   recognized.  PGN]

SSNs, Passports

Wed, 31 Aug 88 17:45:40 PDT
I was just looking through Robert Ellis Smith's "Report on the Collection and
Use of Social Security Numbers", and on the final page he added a note about
SSN's and the Passport office.  Since there was some unresolved discussion of
this at the beginning of the year, I thought I would forward the information.

Smith says that as of the beginning of this year, SSN's are required on
passport applications, and failure to include it may result in a $500 fine.
I'm as puzzled by this as the people who reported similar things in January.  I
don't know why the passport office doesn't refuse to handle applications
without SSNs and just forget about the fine.

The reason they want the number in the first place is apparently so that the
IRS can make sure that Americans living abroad file returns.

If there really is a fine, then it should be mentioned in the requisite Privacy
Act notice along with a statement as to whether disclosure has an impact on
you're getting a passport.

The "Report on the Collection and Use of Social Security Numbers" can be
ordered from the Privacy Journal, P.O. Box 15300, Washington DC 20003.  Their
phone number is (202) 547-2865.  I was dissapointed in the level of the report.
It's mostly a sampler of case histories of people who were burned in various
ways by abuse of their numbers.  It contains little in the way of privacy
advice that hasn't already appeared here.

Please report problems with the web pages to the maintainer